Apologies for the poor links earlier.

http://cr.openjdk.java.net/~jlaskey/8159393/webrev/index.html
https://bugs.openjdk.java.net/browse/JDK-8159393
> On Nov 7, 2016, at 9:26 AM, Jim Laskey (Oracle) <james.las...@oracle.com> wrote:
>
> Revising to
>
>     String name = entry.name().toUpperCase(Locale.ENGLISH);
>
>     return name.startsWith("META-INF/") && name.indexOf('/', 9) == -1 && (
>         name.endsWith(".SF") ||
>         name.endsWith(".DSA") ||
>         name.endsWith(".RSA") ||
>         name.endsWith(".EC") ||
>         name.startsWith("META-INF/SIG-")
>     );
>
> [Editor's note: unlike the isSigningRelated method quoted below, this revised expression does not match META-INF/MANIFEST.MF and does not validate the extension of SIG- names (1 to 3 characters from [A-Z0-9]); the thread does not say whether that difference is intended.]
>
>
>> On Nov 7, 2016, at 9:17 AM, Jim Laskey (Oracle) <james.las...@oracle.com> wrote:
>>
>> Right. From SignatureFileVerifier.java
>>
>>
>>     /**
>>      * Utility method used by JarVerifier and JarSigner
>>      * to determine the signature file names and PKCS7 block
>>      * files names that are supported
>>      *
>>      * @param s file name
>>      * @return true if the input file name is a supported
>>      *          Signature File or PKCS7 block file name
>>      */
>>     public static boolean isBlockOrSF(String s) {
>>         // we currently only support DSA and RSA PKCS7 blocks
>>         return s.endsWith(".SF")
>>             || s.endsWith(".DSA")
>>             || s.endsWith(".RSA")
>>             || s.endsWith(".EC");
>>     }
>>
>>     /**
>>      * Yet another utility method used by JarVerifier and JarSigner
>>      * to determine what files are signature related, which includes
>>      * the MANIFEST, SF files, known signature block files, and other
>>      * unknown signature related files (those starting with SIG- with
>>      * an optional [A-Z0-9]{1,3} extension right inside META-INF).
>>      *
>>      * @param name file name
>>      * @return true if the input file name is signature related
>>      */
>>     public static boolean isSigningRelated(String name) {
>>         name = name.toUpperCase(Locale.ENGLISH);
>>         if (!name.startsWith("META-INF/")) {
>>             return false;
>>         }
>>         name = name.substring(9);
>>         if (name.indexOf('/') != -1) {
>>             return false;
>>         }
>>         if (isBlockOrSF(name) || name.equals("MANIFEST.MF")) {
>>             return true;
>>         } else if (name.startsWith("SIG-")) {
>>             // check filename extension
>>             // see http://docs.oracle.com/javase/7/docs/technotes/guides/jar/jar.html#Digital_Signatures
>>             // for what filename extensions are legal
>>             int extIndex = name.lastIndexOf('.');
>>             if (extIndex != -1) {
>>                 String ext = name.substring(extIndex + 1);
>>                 // validate length first
>>                 if (ext.length() > 3 || ext.length() < 1) {
>>                     return false;
>>                 }
>>                 // then check chars, must be in [a-zA-Z0-9] per the jar spec
>>                 for (int index = 0; index < ext.length(); index++) {
>>                     char cc = ext.charAt(index);
>>                     // chars are promoted to uppercase so skip lowercase checks
>>                     if ((cc < 'A' || cc > 'Z') && (cc < '0' || cc > '9')) {
>>                         return false;
>>                     }
>>                 }
>>             }
>>             return true; // no extension is OK
>>         }
>>         return false;
>>     }
>>
>>
>>
>>
>>
>>> On Nov 7, 2016, at 9:16 AM, Alan Bateman <alan.bate...@oracle.com> wrote:
>>>
>>> On 07/11/2016 13:09, Jim Laskey (Oracle) wrote:
>>>
>>>> Thank you. Regarding SIG- I was just following the spec.
>>>>
>>> I hope Sean or Max can jump in on this, the other question is .EC as I
>>> believe the JDK allows this when signing too.
>>>
>>> -Alan
>>
>