# HG changeset patch
# User weijun
# Date 1486089178 -28800
# Node ID 8f495dec1ba68cb81d4bc37cfa8cff011ea57bf0
# Parent 6ec8211b3adc665ce9f6936d75bf8da004e4eb49
8169392: Additional jar validation steps
Reviewed-by: mullan, herrick, ahgross
diff -r 6ec8211b3adc -r 8f495dec1ba6 src/java.base/share/classes/java/util/jar/JarVerifier.java
--- a/src/java.base/share/classes/java/util/jar/JarVerifier.java Wed Dec 21 10:15:49 2016 -0500
+++ b/src/java.base/share/classes/java/util/jar/JarVerifier.java Fri Feb 03 10:32:58 2017 +0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -180,10 +180,12 @@
 // only set the jev object for entries that have a signature
 // (either verified or not)
- if (sigFileSigners.get(name) != null ||
- verifiedSigners.get(name) != null) {
- mev.setEntry(name, je);
- return;
+ if (!name.equals(JarFile.MANIFEST_NAME)) {
+ if (sigFileSigners.get(name) != null ||
+ verifiedSigners.get(name) != null) {
+ mev.setEntry(name, je);
+ return;
+ }
 }
 // don't compute the digest for this entry
diff -r 6ec8211b3adc -r 8f495dec1ba6 src/java.base/share/classes/sun/security/util/ManifestEntryVerifier.java
--- a/src/java.base/share/classes/sun/security/util/ManifestEntryVerifier.java Wed Dec 21 10:15:49 2016 -0500
+++ b/src/java.base/share/classes/sun/security/util/ManifestEntryVerifier.java Fri Feb 03 10:32:58 2017 +0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
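Review bot: In the JarVerifier.java hunk at -180,10, the new guard `!name.equals(JarFile.MANIFEST_NAME)` is an exact-case comparison, and nothing in the hunk says why the manifest is kept out of the signed-entry branch. If other code in this class matches META-INF names without regard to case (not visible here), a manifest entry whose name differs only in case would not be recognised by the guard and would still reach `mev.setEntry(name, je)`; `if (!name.equalsIgnoreCase(JarFile.MANIFEST_NAME)) {` would make the check consistent. A short comment above the guard, e.g. `// never route the manifest itself through per-entry digest verification`, would record the intent. The enclosing method starts and ends outside the hunk.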
@@ -107,6 +107,8 @@
 /* get the headers from the manifest for this entry */
 /* if there aren't any, we can't verify any digests for this entry */
+ skip = false;
+
 Attributes attr = man.getAttributes(name);
 if (attr == null) {
 // ugh. we should be able to remove this at some point.
@@ -141,7 +143,6 @@
 }
 if (digest != null) {
- skip = false;
 digest.reset();
 digests.add(digest);
 manifestHashes.add(
@@ -197,6 +198,10 @@
 return null;
 }
+ if (digests.isEmpty()) {
+ throw new SecurityException("digest missing for " + name);
+ }
+
 if (signers != null)
 return signers;
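Review bot: In the ManifestEntryVerifier.java hunk at -107,6, the two block comments about fetching the manifest headers now sit directly above `skip = false;` and no longer describe the statement that follows them. The flag is now cleared before the attribute lookup instead of only when a digest is found (the -141,7 hunk removes that assignment), which is what lets the check added at -197,6 reject an entry with no collected digest. That coupling is worth a comment at the assignment, e.g. `// from here on the entry must be verified; an empty digest list is rejected later`, with the existing comments moved down to the `man.getAttributes(name)` line. The method body begins and ends outside the hunk, so how the early returns after the lookup interact with the new exception is inferred rather than shown.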
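Review bot: The message `"digest missing for " + name` added in the -197,6 hunk can also be raised when the manifest did list digests but none was usable, since the -141,7 hunk shows a digest is only added under `if (digest != null)`. If a null digest there means the algorithm was unavailable or disabled (that code is outside the hunk), the wording would point whoever reads the exception at the wrong cause. A message such as `"no usable digest for " + name`, or a comment above the check naming both cases, would be more accurate. The enclosing method starts and ends outside the hunk.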