Bug ID: JDK-4399443 jarsigner -verify bug (cf. #107042)

JDK-4399443 : jarsigner -verify bug (cf. #107042)

Details

Type:	Bug	Submit Date:	2000-12-19
Status:	Closed	Updated Date:	2002-11-22
Project Name:	JDK	Resolved Date:	2002-10-24
Component:	security-libs	OS:	windows_nt
Sub-Component:	java.security	CPU:	x86
Priority:	P4
Resolution:	Fixed
Affected Versions:	1.3.0
Fixed Versions:	1.4.2 (mantis)

Related Reports

Sub Tasks

Description


Name: rl16235			Date: 12/19/2000


java version "1.3.0"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.0-C)
Java HotSpot(TM) Client VM (build 1.3.0-C, mixed mode)

jarsigner -verify returns jar verified in the following cases:

1. files have been added to the jar file.
2. The manifest has been updated

This can cause the following potential security problems.
Someone adds classes to a jar file and updates the manifest to run these rogue
classes as the main class.  Someone does a jarsigner -verify says the jar file
has been verified.  They then run the jar file and it deletes their hard drive
(for example).

Here is an example which demonstrates the problem.
Create the following files:
=========================
HelloWorld.java
public class HelloWorld
{
   public static void main (String [] args)
   {
      System.out.println ("Hello World!!");
   }
}
========================
RogueHelloWorld.java
public class RogueHelloWorld
{
   public static void main (String [] args)
   {
      System.out.println ("Ha, your hard drive has just been deleted, sucker.");
   }
}
===========================
Manifest1.mf
Main-Class: HelloWorld
===========================
Manifest2.mf
Main-Class: RogueHelloWorld
===========================

2) perform the following steps:

a) Compile the java files:
javac *.java

b) Create a key for signing
keytool -genkey -alias test -keystore test.store -storepass 123456 -keypass
123456
Use any values you want for the prompts from keytool

c) Jar up helloworld
jar cvfm hello.jar Manifest1.mf HelloWorld.class

d) Sign hello.jar
jarsigner -keystore test.store -storepass 123456 hello.jar test

e) Verify hello.jar is signed
jarsigner -verify hello.jar
Get the following result
jar verified.

f) run jar file
java -jar hello.jar
Get the following result
Hello World!!

g) Someone later adds rogue classes to jar file
jar uvfm hello.jar Manifest2.mf RogueHelloWorld.class

h) Verify hello.jar is signed
jarsigner -verify hello.jar
Get the following result
jar verified.

i) run jar file
java -jar hello.jar
Get the following result
Ha, your hard drive has just been deleted, sucker.

I believe that step h should return that the jar file is not signed properly to
inform the user that the file has been tampered with.  I believe this problem
exists on all platforms, but I can only test on Windows NT 4.0.  I know the
jarsigner documentation states that this is acceptable, but I believe it is a
major security risk.  At the least the user should be notified that the manifest
may have been tampered with and additional unsigned files have been added.

This is all additional information from report with the internal ID of 107042

###@###.###  2000-12-19
reproduced it on Solaris2.7 with JDK1.3.
(Review ID: 107122) 
======================================================================

Comments

CONVERTED DATA

BugTraq+ Release Management Values

COMMIT TO FIX:
mantis

FIXED IN:
mantis

INTEGRATED IN:
mantis
mantis-b05

VERIFIED IN:
mantis

2004-06-14

EVALUATION


###@###.### 2002-10-18
This bug actually reports several issues with the jarsigner tool.
JarSigner only verifies "signed" entries, so the reported "jar verified" message is valid. However, this means that users have to always invoke "-verbose" option and inspects its output to make sure that there are no unsigned entry present.
To make users' life easier, we can change JarSigner to report the following message "Note: This jar contains unsigned entries which are not integrity-checked. Re-run with -verbose to list unsigned entries." in addition to "jar verified" to indicate the presence of unsigned entries in the verified jar file.

As for other JarSigner issues, please see bug#4308063.

2004-06-11

WORK AROUND



Name: rl16235			Date: 12/19/2000


Use the verbose option to manually scan the results which shows additional files
have been added that are not signed.  Does not show any information about the
manifest.
======================================================================

2004-06-11

SELECT A COUNTRY/REGION
Africa Operation Argentina Australia Austria Bahrain Bangladesh Belgium & Luxembourg Belize Bhutan Bolivia Bosnia & Herzegovina Brasil Brunei Bulgaria Cambodia Canada - English Canada - French Chile China Colombia	Costa Rica Croatia Cyprus Czech Republic Denmark Ecuador Egypt Estonia Finland France Germany Greece Guatemala Honduras Hong Kong Hungary India Indonesia Iraq Ireland	Israel Italy Japan Jordan Kazakhstan Korea Kuwait Laos Latvia Lebanon Lithuania Malaysia Maldives Malta Mexico Moldova Nepal Netherlands New Zealand Nicaragua	Norway Oman Pakistan Panama Paraguay Peru Philippines Poland Portugal Puerto Rico Qatar Romania Russia Saudi Arabia Serbia & Montenegro Singapore Slovakia Slovenia South Africa Spain	Sri Lanka Sweden Switzerland -- French Switzerland -- German Taiwan Thailand Turkey Ukraine United Arab Emirates United Kingdom United States Uruguay Venezuela Vietnam Yemen

Hardware and Software, Engineered to Work Together