JDK-4399443 : jarsigner -verify bug (cf. #107042)

Details
Type:
Bug
Submit Date:
2000-12-19
Status:
Closed
Updated Date:
2002-11-22
Project Name:
JDK
Resolved Date:
2002-10-24
Component:
security-libs
OS:
windows_nt
Sub-Component:
java.security
CPU:
x86
Priority:
P4
Resolution:
Fixed
Affected Versions:
1.3.0
Fixed Versions:
1.4.2 (mantis)

Description

Name: rl16235			Date: 12/19/2000


java version "1.3.0"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.0-C)
Java HotSpot(TM) Client VM (build 1.3.0-C, mixed mode)

jarsigner -verify returns jar verified in the following cases:

1. files have been added to the jar file.
2. The manifest has been updated

This can cause the following potential security problems.
Someone adds classes to a jar file and updates the manifest to run these rogue
classes as the main class.  Someone does a jarsigner -verify, which says the jar
file has been verified.  They then run the jar file and it deletes their hard
drive (for example).

Here is an example which demonstrates the problem.
Create the following files:
=========================
HelloWorld.java
public class HelloWorld
{
   public static void main (String [] args)
   {
      System.out.println ("Hello World!!");
   }
}
========================
RogueHelloWorld.java
public class RogueHelloWorld
{
   public static void main (String [] args)
   {
      System.out.println ("Ha, your hard drive has just been deleted, sucker.");
   }
}
===========================
Manifest1.mf
Main-Class: HelloWorld
===========================
Manifest2.mf
Main-Class: RogueHelloWorld
===========================

2) perform the following steps:

a) Compile the java files:
javac *.java

b) Create a key for signing
keytool -genkey -alias test -keystore test.store -storepass 123456 -keypass 123456
Use any values you want for the prompts from keytool

c) Jar up helloworld
jar cvfm hello.jar Manifest1.mf HelloWorld.class

d) Sign hello.jar
jarsigner -keystore test.store -storepass 123456 hello.jar test

e) Verify hello.jar is signed
jarsigner -verify hello.jar
Get the following result
jar verified.

f) run jar file
java -jar hello.jar
Get the following result
Hello World!!

g) Someone later adds rogue classes to jar file
jar uvfm hello.jar Manifest2.mf RogueHelloWorld.class

h) Verify hello.jar is signed
jarsigner -verify hello.jar
Get the following result
jar verified.

i) run jar file
java -jar hello.jar
Get the following result
Ha, your hard drive has just been deleted, sucker.

I believe that step h should return that the jar file is not signed properly to
inform the user that the file has been tampered with.  I believe this problem
exists on all platforms, but I can only test on Windows NT 4.0.  I know the
jarsigner documentation states that this is acceptable, but I believe it is a
major security risk.  At the least the user should be notified that the manifest
may have been tampered with and additional unsigned files have been added.

This is all additional information from report with the internal ID of 107042

###@###.###  2000-12-19
reproduced it on Solaris2.7 with JDK1.3.
(Review ID: 107122) 
======================================================================

                                    

Comments
WORK AROUND



Name: rl16235			Date: 12/19/2000


Use the verbose option to manually scan the results, which show that additional
files have been added that are not signed.  It does not show any information
about the manifest.
======================================================================
                                     
2004-06-11
EVALUATION


###@###.### 2002-10-18
This bug actually reports several issues with the jarsigner tool.
JarSigner only verifies "signed" entries, so the reported "jar verified" message is valid. However, this means that users always have to invoke the "-verbose" option and inspect its output to make sure that there are no unsigned entries present.
To make users' lives easier, we can change JarSigner to report the following message "Note: This jar contains unsigned entries which are not integrity-checked. Re-run with -verbose to list unsigned entries." in addition to "jar verified" to indicate the presence of unsigned entries in the verified jar file.

As for other JarSigner issues, please see bug#4308063.
                                     
2004-06-11
CONVERTED DATA

BugTraq+ Release Management Values

COMMIT TO FIX:
mantis

FIXED IN:
mantis

INTEGRATED IN:
mantis
mantis-b05

VERIFIED IN:
mantis


                                     
2004-06-14
