Mercurial > hg > icedtea7-forest > jdk

changeset 9214:acd986bf1ba5

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
8169392: Additional jar validation steps Reviewed-by: mullan, herrick, ahgross
author igerasim
date Thu, 13 Jul 2017 22:44:24 +0100
parents d76d9a9720ef
children b37777c2c9c5
files src/share/classes/java/util/jar/JarVerifier.java src/share/classes/sun/security/util/ManifestEntryVerifier.java
diffstat 2 files changed, 14 insertions(+), 7 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/java/util/jar/JarVerifier.java	Fri Mar 17 16:41:06 2017 -0700
+++ b/src/share/classes/java/util/jar/JarVerifier.java	Thu Jul 13 22:44:24 2017 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -180,10 +180,12 @@
 
         // only set the jev object for entries that have a signature
         // (either verified or not)
-        if (sigFileSigners.get(name) != null ||
-                verifiedSigners.get(name) != null) {
-            mev.setEntry(name, je);
-            return;
+        if (!name.equals(JarFile.MANIFEST_NAME)) {
+            if (sigFileSigners.get(name) != null ||
+                    verifiedSigners.get(name) != null) {
+                mev.setEntry(name, je);
+                return;
+            }
         }
 
         // don't compute the digest for this entry
--- a/src/share/classes/sun/security/util/ManifestEntryVerifier.java	Fri Mar 17 16:41:06 2017 -0700
+++ b/src/share/classes/sun/security/util/ManifestEntryVerifier.java	Thu Jul 13 22:44:24 2017 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -109,6 +109,8 @@
         /* get the headers from the manifest for this entry */
         /* if there aren't any, we can't verify any digests for this entry */
 
+        skip = false;
+
         Attributes attr = man.getAttributes(name);
         if (attr == null) {
             // ugh. we should be able to remove this at some point.
@@ -143,7 +145,6 @@
                 }
 
                 if (digest != null) {
-                    skip = false;
                     digest.reset();
                     digests.add(digest);
                     manifestHashes.add(
@@ -199,6 +200,10 @@
             return null;
         }
 
+        if (digests.isEmpty()) {
+            throw new SecurityException("digest missing for " + name);
+        }
+
         if (signers != null)
             return signers;