Mercurial Mercurial > jdk-sandbox / changeset
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
8169392: Additional jar validation steps
authorweijun
Fri, 03 Feb 2017 10:32:58 +0800
changeset 45975 d61490c560bf
parent 45974 321669d70772
child 45976 f20dcd6e2b82
8169392: Additional jar validation steps Reviewed-by: mullan, herrick, ahgross
jdk/src/java.base/share/classes/java/util/jar/JarVerifier.java file | annotate | diff | comparison | revisions
jdk/src/java.base/share/classes/sun/security/util/ManifestEntryVerifier.java file | annotate | diff | comparison | revisions 
--- a/jdk/src/java.base/share/classes/java/util/jar/JarVerifier.java	Wed Dec 21 10:15:49 2016 -0500
+++ b/jdk/src/java.base/share/classes/java/util/jar/JarVerifier.java	Fri Feb 03 10:32:58 2017 +0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -180,10 +180,12 @@
 
         // only set the jev object for entries that have a signature
         // (either verified or not)
-        if (sigFileSigners.get(name) != null ||
-                verifiedSigners.get(name) != null) {
-            mev.setEntry(name, je);
-            return;
+        if (!name.equals(JarFile.MANIFEST_NAME)) {
+            if (sigFileSigners.get(name) != null ||
+                    verifiedSigners.get(name) != null) {
+                mev.setEntry(name, je);
+                return;
+            }
         }
 
         // don't compute the digest for this entry
--- a/jdk/src/java.base/share/classes/sun/security/util/ManifestEntryVerifier.java	Wed Dec 21 10:15:49 2016 -0500
+++ b/jdk/src/java.base/share/classes/sun/security/util/ManifestEntryVerifier.java	Fri Feb 03 10:32:58 2017 +0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -107,6 +107,8 @@
         /* get the headers from the manifest for this entry */
         /* if there aren't any, we can't verify any digests for this entry */
 
+        skip = false;
+
         Attributes attr = man.getAttributes(name);
         if (attr == null) {
             // ugh. we should be able to remove this at some point.
@@ -141,7 +143,6 @@
                 }
 
                 if (digest != null) {
-                    skip = false;
                     digest.reset();
                     digests.add(digest);
                     manifestHashes.add(
@@ -197,6 +198,10 @@
             return null;
         }
 
+        if (digests.isEmpty()) {
+            throw new SecurityException("digest missing for " + name);
+        }
+
         if (signers != null)
             return signers;
jdk-sandbox