On Thu, 12 Jan 2023 18:44:26 GMT, Eirik Bjorsnos <d...@openjdk.org> wrote:

> Some call sites of SignatureFileVerifier.isBlockOrSF fail to check that
> files reside in META-INF directly, and not in a subdirectory of META-INF.
>
> The mentioned call sites need updates to check and ignore such files.
>
> A new test VerifyUnrelatedSignatureFiles is added which verifies that [*.SF,
> *.RSA] files in META-INF/ subdirectories are indeed ignored.

Just some comments before the end of the week.

src/java.base/share/classes/java/util/zip/ZipFile.java line 1748:

> 1746:                     .isBlockOrSF(new String(name, off, len, UTF_8.INSTANCE)
> 1747:                             .toUpperCase(Locale.ENGLISH)));
> 1748:

How about updating `SignatureFileVerifier.isBlockOrSF` so that it only returns true for files inside `META-INF/`. This way it's consistent with this method.

src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java line 980:

> 978:      * Returns true iff the entry resides directly in the META-INF/ directory
> 979:      */
> 980:     private boolean isInMetaInf(ZipEntry ze) {

Maybe move this method and the one in `JarVerifier` to a common place like `sun.security.util.SignatureFileVerifier`?

test/jdk/java/util/jar/JarFile/VerifyUnrelatedSignatureFiles.java line 61:

> 59:         File j = createJarFile();
> 60:         File s = signJarFile(j, "signed");
> 61:         File m = moveSignatureRelated(s);

Try signing it again to a different file. Let's see if the moved files are also signed.

-------------

PR: https://git.openjdk.org/jdk/pull/11976
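As an added example, not code from the PR or the JDK, the following Python models the check the review asks for: a suffix-only predicate like `isBlockOrSF` beside the corrected predicate that also requires the entry to sit directly under `META-INF/`, run over a constructed JAR-like zip. The suffix list (`.SF`, `.RSA`, `.DSA`, `.EC`) and the case-insensitive comparison are assumptions modelled on the JDK behaviour visible in the quoted lines.

```python
import io
import zipfile

# Suffixes treated as signature files / PKCS#7 blocks (assumption: mirrors
# what SignatureFileVerifier.isBlockOrSF accepts).
BLOCK_OR_SF_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def is_block_or_sf(name: str) -> bool:
    """Suffix-only check, as the original isBlockOrSF (case-insensitive)."""
    return name.upper().endswith(BLOCK_OR_SF_SUFFIXES)


def is_in_meta_inf(name: str) -> bool:
    """True iff the entry lives directly in META-INF/ (no deeper '/')."""
    upper = name.upper()
    return upper.startswith("META-INF/") and "/" not in upper[len("META-INF/"):]


def is_signature_related(name: str) -> bool:
    """Corrected check: signature suffix AND directly under META-INF/."""
    return is_in_meta_inf(name) and is_block_or_sf(name)


def classify(jar_bytes: bytes) -> dict:
    """Split entry names into signature-related and ignored entries, and list
    the entries a suffix-only check would wrongly accept."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
    related = [n for n in names if is_signature_related(n)]
    false_positives = [n for n in names
                       if is_block_or_sf(n) and not is_in_meta_inf(n)]
    return {"related": related,
            "ignored": [n for n in names if n not in related],
            "suffix_only_false_positives": false_positives}


def build_sample_jar() -> bytes:
    """Constructed sample: one real signature pair, one pair in a subdirectory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/SIGNED.SF", "Signature-Version: 1.0\n")
        zf.writestr("META-INF/SIGNED.RSA", b"\x30\x00")  # placeholder bytes
        zf.writestr("META-INF/sub/OTHER.SF", "Signature-Version: 1.0\n")
        zf.writestr("META-INF/sub/OTHER.RSA", b"\x30\x00")
        zf.writestr("com/example/Foo.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    print(classify(build_sample_jar()))
```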
> Some call sites of SignatureFileVerifier.isBlockOrSF fails to check that > files reside in META-INF directly, and not in a subdirectory of META-INF. > > The mentioned call sites needs updates to check and ignore such files. > > A new test VerifyUnrelatedSignatureFiles is added which verifies that [*.SF, > *.RSA] files in META-INF/ subdirectories are indeed ignored. Just some comments before the end of week. src/java.base/share/classes/java/util/zip/ZipFile.java line 1748: > 1746: .isBlockOrSF(new String(name, off, len, UTF_8.INSTANCE) > 1747: .toUpperCase(Locale.ENGLISH))); > 1748: How about updating `SignatureFileVerifier.isBlockOrSF` so that it only returns true for files inside `META-INF/`. This way it's consistent to this method. src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java line 980: > 978: * Returns true iff the entry resides directly in the META-INF/ > directory > 979: */ > 980: private boolean isInMetaInf(ZipEntry ze) { Maybe move this method and the one in `JarVerifier` to a common place like `sun.security.util.SignatureFileVerifier`? test/jdk/java/util/jar/JarFile/VerifyUnrelatedSignatureFiles.java line 61: > 59: File j = createJarFile(); > 60: File s = signJarFile(j, "signed"); > 61: File m = moveSignatureRelated(s); Try sign it again to a different file. Let's see if the moved files are also signed. ------------- PR: https://git.openjdk.org/jdk/pull/11976