JDK-4399443 : jarsigner -verify bug (cf. #107042)
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 1.3.0
  • Priority: P4
  • Status: Closed
  • Resolution: Fixed
  • OS: windows_nt
  • CPU: x86
  • Submitted: 2000-12-19
  • Updated: 2002-11-22
  • Resolved: 2002-10-24
Fixed in: 1.4.2 (mantis)
Description

Name: rl16235			Date: 12/19/2000


java version "1.3.0"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.0-C)
Java HotSpot(TM) Client VM (build 1.3.0-C, mixed mode)

jarsigner -verify returns "jar verified." in the following cases:

1. Files have been added to the jar file.
2. The manifest has been updated.

This can cause the following potential security problems.
Someone adds classes to a jar file and updates the manifest to run these rogue
classes as the main class.  Someone runs jarsigner -verify, which says the jar file
has been verified.  They then run the jar file and it deletes their hard drive
(for example).

Here is an example which demonstrates the problem.
1) Create the following files:
=========================
HelloWorld.java
public class HelloWorld
{
   public static void main (String [] args)
   {
      System.out.println ("Hello World!!");
   }
}
========================
RogueHelloWorld.java
public class RogueHelloWorld
{
   public static void main (String [] args)
   {
      System.out.println ("Ha, your hard drive has just been deleted, sucker.");
   }
}
===========================
Manifest1.mf
Main-Class: HelloWorld
===========================
Manifest2.mf
Main-Class: RogueHelloWorld
===========================

2) Perform the following steps:

a) Compile the java files:
javac *.java

b) Create a key for signing
keytool -genkey -alias test -keystore test.store -storepass 123456 -keypass 123456
Use any values you want for the prompts from keytool.

c) Jar up helloworld
jar cvfm hello.jar Manifest1.mf HelloWorld.class

d) Sign hello.jar
jarsigner -keystore test.store -storepass 123456 hello.jar test

e) Verify hello.jar is signed
jarsigner -verify hello.jar
Get the following result
jar verified.

f) run jar file
java -jar hello.jar
Get the following result
Hello World!!

g) Someone later adds rogue classes to jar file
jar uvfm hello.jar Manifest2.mf RogueHelloWorld.class

h) Verify hello.jar is signed
jarsigner -verify hello.jar
Get the following result
jar verified.

i) run jar file
java -jar hello.jar
Get the following result
Ha, your hard drive has just been deleted, sucker.

I believe that step h should return that the jar file is not signed properly to
inform the user that the file has been tampered with.  I believe this problem
exists on all platforms, but I can only test on Windows NT 4.0.  I know the
jarsigner documentation states that this is acceptable, but I believe it is a
major security risk.  At the least the user should be notified that the manifest
may have been tampered with and additional unsigned files have been added.

This is all additional information from the report with the internal ID of 107042.

###@###.###  2000-12-19
reproduced it on Solaris2.7 with JDK1.3.
(Review ID: 107122) 
======================================================================

Comments
CONVERTED DATA
BugTraq+ Release Management Values
COMMIT TO FIX: mantis
FIXED IN: mantis
INTEGRATED IN: mantis mantis-b05
VERIFIED IN: mantis
14-06-2004

EVALUATION
###@###.### 2002-10-18
This bug actually reports several issues with the jarsigner tool. JarSigner only verifies "signed" entries, so the reported "jar verified" message is valid. However, this means that users always have to invoke the "-verbose" option and inspect its output to make sure that there are no unsigned entries present. To make users' lives easier, we can change JarSigner to report the following message, "Note: This jar contains unsigned entries which are not integrity-checked. Re-run with -verbose to list unsigned entries.", in addition to "jar verified" to indicate the presence of unsigned entries in the verified jar file. As for other JarSigner issues, please see bug #4308063.
11-06-2004
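The check the evaluation says users must do by hand with -verbose, applied to the jar produced by steps g and h above, as an added example (not jarsigner's or the JDK's own code): open the jar with verification enabled, read every entry so the digest check runs, and list entries with no code signer, entries that fail their digest, and the Main-Class the manifest currently names. The class name SignedJarAudit is an assumption.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.Manifest;
/** Added example (not JDK code): list what a plain "jar verified" from jarsigner leaves unchecked. */
public class SignedJarAudit {
    /** Returns one finding per unsigned or tampered entry, plus the manifest's Main-Class. */
    public static List<String> audit(String jarPath) throws IOException {
        List<String> findings = new ArrayList<>();
        // verify=true makes JarFile check each entry against the .SF digests as it is read;
        // getCodeSigners() only reports signers once the entry has been read to the end.
        try (JarFile jar = new JarFile(jarPath, true)) {
            Manifest mf = jar.getManifest();
            String mainClass = mf == null ? null : mf.getMainAttributes().getValue("Main-Class");
            // The report shows Main-Class can be rewritten after signing, so surface what would run.
            findings.add("manifest Main-Class: " + mainClass);
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || isSignatureRelated(e.getName())) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* read fully to trigger the digest check */ }
                } catch (SecurityException tampered) {
                    findings.add(e.getName() + ": signed entry FAILED verification");
                    continue;
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    findings.add(e.getName() + ": unsigned, not integrity-checked");
                }
            }
        }
        return findings;
    }
    /** The manifest and the META-INF signature files are never signed entries themselves. */
    static boolean isSignatureRelated(String name) {
        String n = name.toUpperCase();
        return n.equals("META-INF/MANIFEST.MF") || (n.startsWith("META-INF/")
            && (n.endsWith(".SF") || n.endsWith(".DSA") || n.endsWith(".RSA") || n.endsWith(".EC")));
    }
    public static void main(String[] args) throws IOException {
        audit(args[0]).forEach(System.out::println);
    }
}
```

Run as `java SignedJarAudit hello.jar` after step g: RogueHelloWorld.class, added by `jar uvfm` and absent from the signature file, is reported as unsigned even though `jarsigner -verify` still prints "jar verified.".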

WORK AROUND
Name: rl16235 Date: 12/19/2000
Use the verbose option to manually scan the results, which show that additional files have been added that are not signed. It does not show any information about the manifest.
======================================================================
11-06-2004