8169392: Additional jar validation steps

Reviewed-by: mullan, herrick, ahgross
2026-03-01 03:30:34 +00:00 · 2017-02-03 10:32:58 +08:00 · 2017-02-03 10:32:58 +08:00 · 1820a4cd5b
commit 1820a4cd5b
parent 2310374abe
2 changed files with 14 additions and 7 deletions
--- a/jdk/src/java.base/share/classes/java/util/jar/JarVerifier.java
+++ b/jdk/src/java.base/share/classes/java/util/jar/JarVerifier.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -180,10 +180,12 @@ class JarVerifier {

        // only set the jev object for entries that have a signature
        // (either verified or not)
-        if (sigFileSigners.get(name) != null ||
-                verifiedSigners.get(name) != null) {
-            mev.setEntry(name, je);
-            return;
+        if (!name.equals(JarFile.MANIFEST_NAME)) {
+            if (sigFileSigners.get(name) != null ||
+                    verifiedSigners.get(name) != null) {
+                mev.setEntry(name, je);
+                return;
+            }
        }

        // don't compute the digest for this entry
--- a/jdk/src/java.base/share/classes/sun/security/util/ManifestEntryVerifier.java
+++ b/jdk/src/java.base/share/classes/sun/security/util/ManifestEntryVerifier.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -107,6 +107,8 @@ public class ManifestEntryVerifier {
        /* get the headers from the manifest for this entry */
        /* if there aren't any, we can't verify any digests for this entry */

+        skip = false;
+
        Attributes attr = man.getAttributes(name);
        if (attr == null) {
            // ugh. we should be able to remove this at some point.
@ -141,7 +143,6 @@ public class ManifestEntryVerifier {
                }

                if (digest != null) {
-                    skip = false;
                    digest.reset();
                    digests.add(digest);
                    manifestHashes.add(
@ -197,6 +198,10 @@ public class ManifestEntryVerifier {
            return null;
        }

+        if (digests.isEmpty()) {
+            throw new SecurityException("digest missing for " + name);
+        }
+
        if (signers != null)
            return signers;