OpenJDK / jdk8u / jdk8u / jdk

changeset 12324:c729ab3b13ae

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
8169392: Additional jar validation steps Reviewed-by: mullan, herrick, ahgross
author igerasim
date Wed, 15 Mar 2017 20:09:04 -0700
parents 78a83e6e0fe8
children e95a13de2d36
files src/share/classes/java/util/jar/JarVerifier.java src/share/classes/sun/security/util/ManifestEntryVerifier.java
diffstat 2 files changed, 14 insertions(+), 7 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/java/util/jar/JarVerifier.java	Mon Feb 13 10:23:34 2017 -0800
+++ b/src/share/classes/java/util/jar/JarVerifier.java	Wed Mar 15 20:09:04 2017 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -180,10 +180,12 @@
 
         // only set the jev object for entries that have a signature
         // (either verified or not)
-        if (sigFileSigners.get(name) != null ||
-                verifiedSigners.get(name) != null) {
-            mev.setEntry(name, je);
-            return;
+        if (!name.equals(JarFile.MANIFEST_NAME)) {
+            if (sigFileSigners.get(name) != null ||
+                    verifiedSigners.get(name) != null) {
+                mev.setEntry(name, je);
+                return;
+            }
         }
 
         // don't compute the digest for this entry
--- a/src/share/classes/sun/security/util/ManifestEntryVerifier.java	Mon Feb 13 10:23:34 2017 -0800
+++ b/src/share/classes/sun/security/util/ManifestEntryVerifier.java	Wed Mar 15 20:09:04 2017 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -107,6 +107,8 @@
         /* get the headers from the manifest for this entry */
         /* if there aren't any, we can't verify any digests for this entry */
 
+        skip = false;
+
         Attributes attr = man.getAttributes(name);
         if (attr == null) {
             // ugh. we should be able to remove this at some point.
@@ -141,7 +143,6 @@
                 }
 
                 if (digest != null) {
-                    skip = false;
                     digest.reset();
                     digests.add(digest);
                     manifestHashes.add(
@@ -197,6 +198,10 @@
             return null;
         }
 
+        if (digests.isEmpty()) {
+            throw new SecurityException("digest missing for " + name);
+        }
+
         if (signers != null)
             return signers;
© 2007, Oracle and/or its affiliates
Terms of Use · Privacy · Trademarks