# HG changeset patch
# User ascarpino
# Date 1487801521 28800
# Node ID 717c0cbb60fd35feffbe8b5aa17881ed8b2e2023
# Parent 348c43a85dcfc66ae6b721fd30420a1f680ee531
8175250: Manifest checking throws exception with no entry
Reviewed-by: mullan
diff -r 348c43a85dcf -r 717c0cbb60fd jdk/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java
--- a/jdk/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java Tue Feb 21 05:58:23 2017 -0800
+++ b/jdk/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java Wed Feb 22 14:12:01 2017 -0800
@@ -433,7 +433,10 @@
 {
 Attributes mattr = sf.getMainAttributes();
 boolean manifestSigned = false;
+ // If only weak algorithms are used.
 boolean weakAlgs = true;
+ // If a "*-DIGEST-MANIFEST" entry is found.
+ boolean validEntry = false;
 // go through all the attributes and process *-Digest-Manifest entries
 for (Map.Entry se : mattr.entrySet()) {
@@ -443,6 +446,7 @@
 if (key.toUpperCase(Locale.ENGLISH).endsWith("-DIGEST-MANIFEST")) {
 // 16 is length of "-Digest-Manifest"
 String algorithm = key.substring(0, key.length()-16);
+ validEntry = true;
 // Check if this algorithm is permitted, skip if false.
 if (!permittedCheck(key, algorithm)) {
@@ -486,12 +490,11 @@
 }
 }
- // If there were only weak algorithms used, throw an exception.
- if (weakAlgs) {
- String weakAlgorithms = getWeakAlgorithms("-DIGEST-MANIFEST");
+ // If there were only weak algorithms entries used, throw an exception.
+ if (validEntry && weakAlgs) {
 throw new SignatureException("Manifest hash check failed " +
 "(DIGEST-MANIFEST). Disabled algorithm(s) used: " +
- weakAlgorithms);
+ getWeakAlgorithms("-DIGEST-MANIFEST"));
 }
 return manifestSigned;
 }
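Review bot: `validEntry = true;` in the hunk at -443 is set before `permittedCheck(key, algorithm)` runs, so the flag records that a `*-DIGEST-MANIFEST` attribute was seen, not that it was accepted or verified. The name reads like a verification result, which is easy to misuse later in a signature-checking path; `digestEntryFound`, or a comment such as `// Seen, not yet checked: permittedCheck below may still reject it.`, would make the meaning explicit. The same assignment appears in the hunks at -511 and -611. The loop body continues outside each of these hunks.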
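Review bot: The rewritten comment above `if (validEntry && weakAlgs)` in the hunk at -486 describes only the throwing case and does not say that a signature file with no `*-DIGEST-MANIFEST` attribute now falls through and returns `manifestSigned` without an exception. That is the behaviour this commit introduces and it is worth stating at the check, for example `// Entries were present but all used disabled algorithms: reject. No entry at all is not an error here.` The hunks at -562 and -679 carry the same comment. Where `weakAlgs` is cleared lies outside the hunk, so this assumes it is only reset for a permitted algorithm.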
@@ -501,7 +504,10 @@
 {
 Attributes mattr = sf.getMainAttributes();
 boolean attrsVerified = true;
+ // If only weak algorithms are used.
 boolean weakAlgs = true;
+ // If a ATTR_DIGEST entry is found.
+ boolean validEntry = false;
 // go through all the attributes and process
 // digest entries for the manifest main attributes
@@ -511,6 +517,7 @@
 if (key.toUpperCase(Locale.ENGLISH).endsWith(ATTR_DIGEST)) {
 String algorithm = key.substring(0, key.length() - ATTR_DIGEST.length());
+ validEntry = true;
 // Check if this algorithm is permitted, skip if false.
 if (!permittedCheck(key, algorithm)) {
@@ -562,13 +569,12 @@
 }
 }
- // If there were only weak algorithms used, throw an exception.
- if (weakAlgs) {
- String weakAlgorithms = getWeakAlgorithms("-DIGEST-" +
- ManifestDigester.MF_MAIN_ATTRS);
+ // If there were only weak algorithms entries used, throw an exception.
+ if (validEntry && weakAlgs) {
 throw new SignatureException("Manifest Main Attribute check " +
- "failed (DIGEST-" + ManifestDigester.MF_MAIN_ATTRS +
- "). " + "Disabled algorithm(s) used: " + weakAlgorithms);
+ "failed (" + ATTR_DIGEST + "). " +
+ "Disabled algorithm(s) used: " +
+ getWeakAlgorithms(ATTR_DIGEST));
 }
 // this method returns 'true' if either:
@@ -593,7 +599,10 @@
 {
 boolean oneDigestVerified = false;
 ManifestDigester.Entry mde = md.get(name,block.isOldStyle());
+ // If only weak algorithms are used.
 boolean weakAlgs = true;
+ // If a "*-DIGEST" entry is found.
+ boolean validEntry = false;
 if (mde == null) {
 throw new SecurityException(
@@ -611,6 +620,7 @@
 if (key.toUpperCase(Locale.ENGLISH).endsWith("-DIGEST")) {
 // 7 is length of "-Digest"
 String algorithm = key.substring(0, key.length()-7);
+ validEntry = true;
 // Check if this algorithm is permitted, skip if false.
 if (!permittedCheck(key, algorithm)) {
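Review bot: In the hunk at -562 the exception text and the `getWeakAlgorithms` argument both switch to `ATTR_DIGEST`, where the old code used `"DIGEST-" + ManifestDigester.MF_MAIN_ATTRS` for the message and `"-DIGEST-" + ManifestDigester.MF_MAIN_ATTRS` for the lookup. The message presumably gains the constant's leading hyphen, and if `ATTR_DIGEST` is stored upper-cased (the hunk at -511 compares it against `key.toUpperCase(Locale.ENGLISH)`), both the message and the lookup string change case as well. `ATTR_DIGEST` and `getWeakAlgorithms` are defined outside this diff, so confirm that the lookup still matches the recorded keys and that no log parsing or test depends on the old message text.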
@@ -679,12 +689,11 @@
 }
 }
- // If there were only weak algorithms used, throw an exception.
- if (weakAlgs) {
- String weakAlgorithms = getWeakAlgorithms("DIGEST");
+ // If there were only weak algorithms entries used, throw an exception.
+ if (validEntry && weakAlgs) {
 throw new SignatureException("Manifest Main Attribute check " +
- "failed (DIGEST). " + "Disabled algorithm(s) used: " +
- weakAlgorithms);
+ "failed (DIGEST). Disabled algorithm(s) used: " +
+ getWeakAlgorithms("DIGEST"));
 }
 return oneDigestVerified;
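Review bot: The message kept here, `"Manifest Main Attribute check failed (DIGEST). ..."`, appears to be thrown from the per-entry check, since this method returns `oneDigestVerified` and the hunk at -593 shows it looking up `md.get(name, ...)`. The text therefore points triage at the main attributes rather than at the entry that failed. As these lines are being rewritten anyway, consider wording such as `"Manifest entry digest check failed (DIGEST). Disabled algorithm(s) used: "`. `getWeakAlgorithms("DIGEST")` also omits the leading hyphen that the loop matches with `endsWith("-DIGEST")` and that the `"-DIGEST-MANIFEST"` call passes; `getWeakAlgorithms` is not shown, so confirm which form it expects.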