ZipFile.isSignatureRelated returns true for files in META-INF subdirectories

2023-01-10 Thread Eirik Bjørsnøs
Hi, ZipFile.isSignatureRelated currently returns true for paths such as the following: META-INF/libraries/org.bouncycastle:bcprov-jdk15on:jar-1.70/META-INF/BC2048KE.DSA While this path does start with "META-INF/" and ends with ".DSA", the file does not live in the META-INF/ directory _directly_,

Re: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories

2023-01-12 Thread Eirik Bjørsnøs
> > ZipFile.isSignatureRelated currently returns true for paths such as the > following: > > > META-INF/libraries/org.bouncycastle:bcprov-jdk15on:jar-1.70/META-INF/BC2048KE.DSA > I found a couple more call sites of SignatureFileVerifier.isBlockOrSF which incorrectly treat [SF,DSA,RSA,EC] files as

Re: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories

2023-01-13 Thread Alan Bateman
Forwarding to security-dev as that is where issues around signed JARs are usually discussed. -Alan. On 10/01/2023 17:00, Eirik Bjørsnøs wrote: Hi, ZipFile.isSignatureRelated currently returns true for paths such as the following: META-INF/libraries/org.bouncycastle:bcprov-jdk15on:jar-1.

RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories

2023-01-13 Thread Eirik Bjorsnos
Some call sites of SignatureFileVerifier.isBlockOrSF fail to check that files reside in META-INF directly, and not in a subdirectory of META-INF. The mentioned call sites need updates to check and ignore such files. A new test VerifyUnrelatedSignatureFiles is added which verifies that [*.SF,

Integrated: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories

2023-01-27 Thread Eirik Bjorsnos
penjdk.org/jdk/commit/5dfc4ec7d94af9fe39fdee9d83b06101b827a3c6 Stats: 429 lines in 6 files changed: 405 ins; 8 del; 16 mod 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories Reviewed-by: weijun - PR: https://git.openjdk.org/jdk/pull/11976

Re: RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories

2023-01-13 Thread Weijun Wang
On Thu, 12 Jan 2023 18:44:26 GMT, Eirik Bjorsnos wrote: > Some call sites of SignatureFileVerifier.isBlockOrSF fail to check that > files reside in META-INF directly, and not in a subdirectory of META-INF. > > The mentioned call sites need updates to check and ignore such files. > > A new te

Re: RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories

2023-01-14 Thread Eirik Bjorsnos
On Fri, 13 Jan 2023 22:31:28 GMT, Weijun Wang wrote: >> Some call sites of SignatureFileVerifier.isBlockOrSF fail to check that >> files reside in META-INF directly, and not in a subdirectory of META-INF. >> >> The mentioned call sites need updates to check and ignore such files. >> >> A new

Re: RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories

2023-01-14 Thread Eirik Bjorsnos
On Fri, 13 Jan 2023 22:36:01 GMT, Weijun Wang wrote: >> Some call sites of SignatureFileVerifier.isBlockOrSF fail to check that >> files reside in META-INF directly, and not in a subdirectory of META-INF. >> >> The mentioned call sites need updates to check and ignore such files. >> >> A new

Re: RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v2]

2023-01-14 Thread Eirik Bjorsnos
> Some call sites of SignatureFileVerifier.isBlockOrSF fail to check that > files reside in META-INF directly, and not in a subdirectory of META-INF. > > The mentioned call sites need updates to check and ignore such files. > > A new test VerifyUnrelatedSignatureFiles is added which verifies t

Re: RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v2]

2023-01-14 Thread Eirik Bjorsnos
On Fri, 13 Jan 2023 22:36:47 GMT, Weijun Wang wrote: >> Eirik Bjorsnos has updated the pull request with a new target base due to a >> merge or a rebase. The incremental webrev excludes the unrelated changes >> brought in by the merge/rebase. The pull request contains six additional >> commits

Re: RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v3]

2023-01-15 Thread Eirik Bjorsnos
> Some call sites of SignatureFileVerifier.isBlockOrSF fail to check that > files reside in META-INF directly, and not in a subdirectory of META-INF. > > The mentioned call sites need updates to check and ignore such files. > > A new test VerifyUnrelatedSignatureFiles is added which verifies t

Re: RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v3]

2023-01-15 Thread Eirik Bjorsnos
On Sat, 14 Jan 2023 13:17:32 GMT, Eirik Bjorsnos wrote: >> test/jdk/java/util/jar/JarFile/VerifyUnrelatedSignatureFiles.java line 61: >> >>> 59: File j = createJarFile(); >>> 60: File s = signJarFile(j, "signed"); >>> 61: File m = moveSignatureRelated(s); >> >> Try sign

Re: RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v4]

2023-01-15 Thread Eirik Bjorsnos
> Some call sites of SignatureFileVerifier.isBlockOrSF fail to check that > files reside in META-INF directly, and not in a subdirectory of META-INF. > > The mentioned call sites need updates to check and ignore such files. > > A new test VerifyUnrelatedSignatureFiles is added which verifies t

Re: RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v5]

2023-01-15 Thread Eirik Bjorsnos
> Some call sites of SignatureFileVerifier.isBlockOrSF fail to check that > files reside in META-INF directly, and not in a subdirectory of META-INF. > > The mentioned call sites need updates to check and ignore such files. > > A new test VerifyUnrelatedSignatureFiles is added which verifies t

Re: RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v6]

2023-01-16 Thread Eirik Bjorsnos
> Some call sites of SignatureFileVerifier.isBlockOrSF fail to check that > files reside in META-INF directly, and not in a subdirectory of META-INF. > > The mentioned call sites need updates to check and ignore such files. > > A new test VerifyUnrelatedSignatureFiles is added which verifies t

Re: RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v6]

2023-01-17 Thread Weijun Wang
On Sat, 14 Jan 2023 12:14:54 GMT, Eirik Bjorsnos wrote: >> src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java line 980: >> >>> 978: * Returns true iff the entry resides directly in the META-INF/ >>> directory >>> 979: */ >>> 980: private boolean isInMetaInf(ZipEnt

Re: RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v6]

2023-01-17 Thread Weijun Wang
On Sat, 14 Jan 2023 12:02:11 GMT, Eirik Bjorsnos wrote: >> src/java.base/share/classes/java/util/zip/ZipFile.java line 1748: >> >>> 1746: .isBlockOrSF(new String(name, off, len, >>> UTF_8.INSTANCE) >>> 1747: .toUpperCase(Locale.ENGLISH))); >>> 1748: >> >> H

Re: RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v7]

2023-01-18 Thread Eirik Bjorsnos
> Some call sites of SignatureFileVerifier.isBlockOrSF fail to check that > files reside in META-INF directly, and not in a subdirectory of META-INF. > > The mentioned call sites need updates to check and ignore such files. > > A new test VerifyUnrelatedSignatureFiles is added which verifies t

Re: RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v7]

2023-01-18 Thread Eirik Bjorsnos
On Tue, 17 Jan 2023 16:46:28 GMT, Weijun Wang wrote: >> I started there, but ran into some problems: >> >> SignatureFileVerifier.isSigningRelated calls isBlockOrSF, but it removes the >> "META-INF/" prefix from the path first. So we can't assume that input to >> isBlockOrSF is the full path. >

Re: RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v7]

2023-01-18 Thread Eirik Bjorsnos
On Wed, 18 Jan 2023 09:47:29 GMT, Eirik Bjorsnos wrote: >> Some call sites of SignatureFileVerifier.isBlockOrSF fail to check that >> files reside in META-INF directly, and not in a subdirectory of META-INF. >> >> The mentioned call sites need updates to check and ignore such files. >> >> A

Re: RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v7]

2023-01-18 Thread Eirik Bjorsnos
On Tue, 17 Jan 2023 16:11:42 GMT, Weijun Wang wrote: >> This duplicated check annoyed me also, but the existing checks have >> different behavior: >> >> - JarVerifier.beginEntry normalizes the path to uppercase, then checks that >> it starts with "META-INF/" or "/META-INF/" >> - JarSigner.sign

Re: RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v8]

2023-01-18 Thread Eirik Bjorsnos
> Some call sites of SignatureFileVerifier.isBlockOrSF fail to check that > files reside in META-INF directly, and not in a subdirectory of META-INF. > > The mentioned call sites need updates to check and ignore such files. > > A new test VerifyUnrelatedSignatureFiles is added which verifies t

Re: RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v9]

2023-01-18 Thread Eirik Bjorsnos
> Some call sites of SignatureFileVerifier.isBlockOrSF fail to check that > files reside in META-INF directly, and not in a subdirectory of META-INF. > > The mentioned call sites need updates to check and ignore such files. > > A new test VerifyUnrelatedSignatureFiles is added which verifies t

Re: RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v10]

2023-01-18 Thread Eirik Bjorsnos
> Some call sites of SignatureFileVerifier.isBlockOrSF fail to check that > files reside in META-INF directly, and not in a subdirectory of META-INF. > > The mentioned call sites need updates to check and ignore such files. > > A new test VerifyUnrelatedSignatureFiles is added which verifies t

Re: RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v11]

2023-01-18 Thread Eirik Bjorsnos
> Some call sites of SignatureFileVerifier.isBlockOrSF fail to check that > files reside in META-INF directly, and not in a subdirectory of META-INF. > > The mentioned call sites need updates to check and ignore such files. > > A new test VerifyUnrelatedSignatureFiles is added which verifies t

Re: RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v11]

2023-01-18 Thread Eirik Bjorsnos
On Wed, 18 Jan 2023 09:51:35 GMT, Eirik Bjorsnos wrote: >> While `JarSigner` does not normalize to uppercase, the check is the same. As >> for `/META-INF/`, it must be very broken now since >> `JarFile::maybeInstantiateVerifier` is using >> `JUZFA.getManifestName(this,true)` to read the manifes

Re: RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v11]

2023-01-18 Thread Eirik Bjorsnos
On Wed, 18 Jan 2023 12:57:17 GMT, Eirik Bjorsnos wrote: >> I agree this deserves a cleanup, and since we're already deep into it it can >> make sense to fix this in this PR. >> >> I have introduced SignatureFileVerifier.isInMetaInf as a common method to >> replace duplicated logic in JarVerifi

Re: RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v12]

2023-01-18 Thread Eirik Bjorsnos
> Some call sites of SignatureFileVerifier.isBlockOrSF fail to check that > files reside in META-INF directly, and not in a subdirectory of META-INF. > > The mentioned call sites need updates to check and ignore such files. > > A new test VerifyUnrelatedSignatureFiles is added which verifies t

Re: RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v13]

2023-01-18 Thread Eirik Bjorsnos
> Some call sites of SignatureFileVerifier.isBlockOrSF fail to check that > files reside in META-INF directly, and not in a subdirectory of META-INF. > > The mentioned call sites need updates to check and ignore such files. > > A new test VerifyUnrelatedSignatureFiles is added which verifies t

Re: RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v14]

2023-01-18 Thread Eirik Bjorsnos
> Some call sites of SignatureFileVerifier.isBlockOrSF fail to check that > files reside in META-INF directly, and not in a subdirectory of META-INF. > > The mentioned call sites need updates to check and ignore such files. > > A new test VerifyUnrelatedSignatureFiles is added which verifies t

Re: RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v14]

2023-01-18 Thread Eirik Bjorsnos
On Wed, 18 Jan 2023 13:42:12 GMT, Eirik Bjorsnos wrote: >> When introducing the call to isInMetaInf in isSigningRelated, I accidentally >> broke the matching of MANIFEST.MF and SIG-* files. >> >> When fixing this regression, I now match against the full path instead of >> the existing prefix s

Re: RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v15]

2023-01-24 Thread Eirik Bjorsnos
> Some call sites of SignatureFileVerifier.isBlockOrSF fail to check that > files reside in META-INF directly, and not in a subdirectory of META-INF. > > The mentioned call sites need updates to check and ignore such files. > > A new test IgnoreUnrelatedSignatureFiles is added which verifies t

Re: RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v15]

2023-01-24 Thread Weijun Wang
On Tue, 24 Jan 2023 12:31:30 GMT, Eirik Bjorsnos wrote: >> Some call sites of SignatureFileVerifier.isBlockOrSF fail to check that >> files reside in META-INF directly, and not in a subdirectory of META-INF. >> >> The mentioned call sites need updates to check and ignore such files. >> >> A

Re: RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v15]

2023-01-24 Thread Eirik Bjorsnos
On Tue, 24 Jan 2023 18:54:59 GMT, Weijun Wang wrote: > Precisely `ZipFile::isSignatureRelated` should also contain those `SIG-` > files. Should they though? These files are ultimately read by JarFile.initializeVerifier, which I guess only cares about signature/block files it actually knows

Re: RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v15]

2023-01-27 Thread Weijun Wang
On Tue, 24 Jan 2023 12:31:30 GMT, Eirik Bjorsnos wrote: >> Some call sites of SignatureFileVerifier.isBlockOrSF fail to check that >> files reside in META-INF directly, and not in a subdirectory of META-INF. >> >> The mentioned call sites need updates to check and ignore such files. >> >> A

Re: RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v15]

2023-01-27 Thread Eirik Bjorsnos
On Fri, 27 Jan 2023 22:16:18 GMT, Weijun Wang wrote: > Maybe we can rename `ZipFile::isSignatureRelated` to `ZipFile::isBlockOrSF` > as well? The term "signature related" seems to be used quite extensively around ZipFile and also in JavaUtilZipFileAccess. Semantics are very similar, but not ex