United StatesChange Country, Oracle Worldwide Web Sites Communities I am a... I want to...
JDK-8021788 : JarInputStream doesn't provide certificates for some file under META-INF

Details
Type:
Enhancement
Submit Date:
2013-06-19
Status:
Closed
Updated Date:
2014-01-22
Project Name:
JDK
Resolved Date:
2013-09-11
Component:
security-libs
OS:
linux
Sub-Component:
CPU:
Priority:
P3
Resolution:
Fixed
Affected Versions:
7u21
Fixed Versions:
7u60 (b01)

Related Reports
Backport:
Relates:
Relates:
Relates:

Sub Tasks

Description
FULL PRODUCT VERSION :
java version  " 1.7.0_21 " 
Java(TM) SE Runtime Environment (build 1.7.0_21-b11)
Java HotSpot(TM) 64-Bit Server VM (build 23.21-b01, mixed mode)


ADDITIONAL OS VERSION INFORMATION :
Linux nyt 2.6.32-46-server #108-Ubuntu SMP Thu Apr 11 16:11:15 UTC 2013 x86_64 GNU/Linux

EXTRA RELEVANT SYSTEM CONFIGURATION :
Not relevant

A DESCRIPTION OF THE PROBLEM :
This bug causes the JarInputStream to miss picking up certificates for files under the  " META-INF "  directory if they in the JAR file directly follow the META-INF signature related files.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
> javac JarInputStreamReader.java
> mkdir -p META-INF/SUB
> echo hello > META-INF/SUB/FILE
> jar cfe x.jar  JarInputStreamBug  META-INF/SUB/FILE JarInputStreamBug.class
> jarsigner x.jar any  (Sign with any certificate available)
> java -jar x.jar x.jar

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
getJarFileCert(JarInputStreamBug.class) = [
[
  Version: V3
  Subject: CN=Knopflerfish Dude, OU=Surf, O=Wave Inc., L=Paradise, ST=HI, C=KF
  Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3

  Key:  Sun DSA Public Key
    Parameters:DSA
p:     fd7f5381 1d751229 52df4a9c 2eece4e7 f611b752 3cef4400 c31e3f80 b6512669
    455d4022 51fb593d 8d58fabf c5f5ba30 f6cb9b55 6cd7813b 801d346f f26660b7
    6b9950a5 a49f9fe8 047b1022 c24fbba9 d7feb7c6 1bf83b57 e7c6a8a6 150f04fb
    83f6d3c5 1ec30235 54135a16 9132f675 f3ae2b61 d72aeff2 2203199d d14801c7
q:     9760508f 15230bcc b292b982 a2eb840b f0581cf5
g:     f7e1a085 d69b3dde cbbcab5c 36b857b9 7994afbb fa3aea82 f9574c0b 3d078267
    5159578e bad4594f e6710710 8180b449 167123e8 4c281613 b7cf0932 8cc8a6e1
    3c167a8b 547c8d28 e0a3ae1e 2bb3a675 916ea37f 0bfa2135 62f1fb62 7a01243b
    cca4f1be a8519089 a883dfe1 5ae59f06 928b665e 807b5525 64014c3b fecf492a

  y:
    b5cf357d ee2e2f12 b2e471b4 b135bade 2e28c3c8 b3e8beaf 520becc0 76848cd2
    972995ac b8efad85 afcfc6ac 2a84dabf fe27426a 6109d715 c10b65a2 1307dcdc
    3696e0ed 8f30bdf4 63846be9 3f711dd2 b577207b 138f925c 4af346e5 7a9e4cea
    5a931f95 88fdd981 50367b4b fa7991cb c3a2bcd8 1fe9cfc8 e8c23b8a aac4bc4c

  Validity: [From: Mon Jun 17 14:56:09 CEST 2013,
               To: Tue Jun 17 14:56:09 CEST 2014]
  Issuer: CN=Knopflerfish Dude, OU=Surf, O=Wave Inc., L=Paradise, ST=HI, C=KF
  SerialNumber: [    51bf0769]

]
  Algorithm: [SHA1withDSA]
  Signature:
0000: 30 2C 02 14 75 CF 8F 6A   13 53 57 00 26 8F 65 FB  0,..u..j.SW.&.e.
0010: E0 17 A8 47 A9 34 55 EF   02 14 78 CB E1 08 DB 8D  ...G.4U...x.....
0020: 4F 88 5D 98 BA 73 BB 45   6D D1 41 05 95 D7        O.]..s.Em.A...

]
getJarInputStreamCert(JarInputStreamBug.class) = [
[
  Version: V3
  Subject: CN=Knopflerfish Dude, OU=Surf, O=Wave Inc., L=Paradise, ST=HI, C=KF
  Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3

  Key:  Sun DSA Public Key
    Parameters:DSA
p:     fd7f5381 1d751229 52df4a9c 2eece4e7 f611b752 3cef4400 c31e3f80 b6512669
    455d4022 51fb593d 8d58fabf c5f5ba30 f6cb9b55 6cd7813b 801d346f f26660b7
    6b9950a5 a49f9fe8 047b1022 c24fbba9 d7feb7c6 1bf83b57 e7c6a8a6 150f04fb
    83f6d3c5 1ec30235 54135a16 9132f675 f3ae2b61 d72aeff2 2203199d d14801c7
q:     9760508f 15230bcc b292b982 a2eb840b f0581cf5
g:     f7e1a085 d69b3dde cbbcab5c 36b857b9 7994afbb fa3aea82 f9574c0b 3d078267
    5159578e bad4594f e6710710 8180b449 167123e8 4c281613 b7cf0932 8cc8a6e1
    3c167a8b 547c8d28 e0a3ae1e 2bb3a675 916ea37f 0bfa2135 62f1fb62 7a01243b
    cca4f1be a8519089 a883dfe1 5ae59f06 928b665e 807b5525 64014c3b fecf492a

  y:
    b5cf357d ee2e2f12 b2e471b4 b135bade 2e28c3c8 b3e8beaf 520becc0 76848cd2
    972995ac b8efad85 afcfc6ac 2a84dabf fe27426a 6109d715 c10b65a2 1307dcdc
    3696e0ed 8f30bdf4 63846be9 3f711dd2 b577207b 138f925c 4af346e5 7a9e4cea
    5a931f95 88fdd981 50367b4b fa7991cb c3a2bcd8 1fe9cfc8 e8c23b8a aac4bc4c

  Validity: [From: Mon Jun 17 14:56:09 CEST 2013,
               To: Tue Jun 17 14:56:09 CEST 2014]
  Issuer: CN=Knopflerfish Dude, OU=Surf, O=Wave Inc., L=Paradise, ST=HI, C=KF
  SerialNumber: [    51bf0769]

]
  Algorithm: [SHA1withDSA]
  Signature:
0000: 30 2C 02 14 75 CF 8F 6A   13 53 57 00 26 8F 65 FB  0,..u..j.SW.&.e.
0010: E0 17 A8 47 A9 34 55 EF   02 14 78 CB E1 08 DB 8D  ...G.4U...x.....
0020: 4F 88 5D 98 BA 73 BB 45   6D D1 41 05 95 D7        O.]..s.Em.A...

]
getJarFileCert(META-INF/SUB/FILE) = [
[
  Version: V3
  Subject: CN=Knopflerfish Dude, OU=Surf, O=Wave Inc., L=Paradise, ST=HI, C=KF
  Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3

  Key:  Sun DSA Public Key
    Parameters:DSA
p:     fd7f5381 1d751229 52df4a9c 2eece4e7 f611b752 3cef4400 c31e3f80 b6512669
    455d4022 51fb593d 8d58fabf c5f5ba30 f6cb9b55 6cd7813b 801d346f f26660b7
    6b9950a5 a49f9fe8 047b1022 c24fbba9 d7feb7c6 1bf83b57 e7c6a8a6 150f04fb
    83f6d3c5 1ec30235 54135a16 9132f675 f3ae2b61 d72aeff2 2203199d d14801c7
q:     9760508f 15230bcc b292b982 a2eb840b f0581cf5
g:     f7e1a085 d69b3dde cbbcab5c 36b857b9 7994afbb fa3aea82 f9574c0b 3d078267
    5159578e bad4594f e6710710 8180b449 167123e8 4c281613 b7cf0932 8cc8a6e1
    3c167a8b 547c8d28 e0a3ae1e 2bb3a675 916ea37f 0bfa2135 62f1fb62 7a01243b
    cca4f1be a8519089 a883dfe1 5ae59f06 928b665e 807b5525 64014c3b fecf492a

  y:
    b5cf357d ee2e2f12 b2e471b4 b135bade 2e28c3c8 b3e8beaf 520becc0 76848cd2
    972995ac b8efad85 afcfc6ac 2a84dabf fe27426a 6109d715 c10b65a2 1307dcdc
    3696e0ed 8f30bdf4 63846be9 3f711dd2 b577207b 138f925c 4af346e5 7a9e4cea
    5a931f95 88fdd981 50367b4b fa7991cb c3a2bcd8 1fe9cfc8 e8c23b8a aac4bc4c

  Validity: [From: Mon Jun 17 14:56:09 CEST 2013,
               To: Tue Jun 17 14:56:09 CEST 2014]
  Issuer: CN=Knopflerfish Dude, OU=Surf, O=Wave Inc., L=Paradise, ST=HI, C=KF
  SerialNumber: [    51bf0769]

]
  Algorithm: [SHA1withDSA]
  Signature:
0000: 30 2C 02 14 75 CF 8F 6A   13 53 57 00 26 8F 65 FB  0,..u..j.SW.&.e.
0010: E0 17 A8 47 A9 34 55 EF   02 14 78 CB E1 08 DB 8D  ...G.4U...x.....
0020: 4F 88 5D 98 BA 73 BB 45   6D D1 41 05 95 D7        O.]..s.Em.A...

]
getJarInputStreamCert(META-INF/SUB/FILE) =  [
[
  Version: V3
  Subject: CN=Knopflerfish Dude, OU=Surf, O=Wave Inc., L=Paradise, ST=HI, C=KF
  Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3

  Key:  Sun DSA Public Key
    Parameters:DSA
p:     fd7f5381 1d751229 52df4a9c 2eece4e7 f611b752 3cef4400 c31e3f80 b6512669
    455d4022 51fb593d 8d58fabf c5f5ba30 f6cb9b55 6cd7813b 801d346f f26660b7
    6b9950a5 a49f9fe8 047b1022 c24fbba9 d7feb7c6 1bf83b57 e7c6a8a6 150f04fb
    83f6d3c5 1ec30235 54135a16 9132f675 f3ae2b61 d72aeff2 2203199d d14801c7
q:     9760508f 15230bcc b292b982 a2eb840b f0581cf5
g:     f7e1a085 d69b3dde cbbcab5c 36b857b9 7994afbb fa3aea82 f9574c0b 3d078267
    5159578e bad4594f e6710710 8180b449 167123e8 4c281613 b7cf0932 8cc8a6e1
    3c167a8b 547c8d28 e0a3ae1e 2bb3a675 916ea37f 0bfa2135 62f1fb62 7a01243b
    cca4f1be a8519089 a883dfe1 5ae59f06 928b665e 807b5525 64014c3b fecf492a

  y:
    b5cf357d ee2e2f12 b2e471b4 b135bade 2e28c3c8 b3e8beaf 520becc0 76848cd2
    972995ac b8efad85 afcfc6ac 2a84dabf fe27426a 6109d715 c10b65a2 1307dcdc
    3696e0ed 8f30bdf4 63846be9 3f711dd2 b577207b 138f925c 4af346e5 7a9e4cea
    5a931f95 88fdd981 50367b4b fa7991cb c3a2bcd8 1fe9cfc8 e8c23b8a aac4bc4c

  Validity: [From: Mon Jun 17 14:56:09 CEST 2013,
               To: Tue Jun 17 14:56:09 CEST 2014]
  Issuer: CN=Knopflerfish Dude, OU=Surf, O=Wave Inc., L=Paradise, ST=HI, C=KF
  SerialNumber: [    51bf0769]

]
  Algorithm: [SHA1withDSA]
  Signature:
0000: 30 2C 02 14 75 CF 8F 6A   13 53 57 00 26 8F 65 FB  0,..u..j.SW.&.e.
0010: E0 17 A8 47 A9 34 55 EF   02 14 78 CB E1 08 DB 8D  ...G.4U...x.....
0020: 4F 88 5D 98 BA 73 BB 45   6D D1 41 05 95 D7        O.]..s.Em.A...

]

ACTUAL -
getJarFileCert(JarInputStreamBug.class) = [
[
  Version: V3
  Subject: CN=Knopflerfish Dude, OU=Surf, O=Wave Inc., L=Paradise, ST=HI, C=KF
  Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3

  Key:  Sun DSA Public Key
    Parameters:DSA
p:     fd7f5381 1d751229 52df4a9c 2eece4e7 f611b752 3cef4400 c31e3f80 b6512669
    455d4022 51fb593d 8d58fabf c5f5ba30 f6cb9b55 6cd7813b 801d346f f26660b7
    6b9950a5 a49f9fe8 047b1022 c24fbba9 d7feb7c6 1bf83b57 e7c6a8a6 150f04fb
    83f6d3c5 1ec30235 54135a16 9132f675 f3ae2b61 d72aeff2 2203199d d14801c7
q:     9760508f 15230bcc b292b982 a2eb840b f0581cf5
g:     f7e1a085 d69b3dde cbbcab5c 36b857b9 7994afbb fa3aea82 f9574c0b 3d078267
    5159578e bad4594f e6710710 8180b449 167123e8 4c281613 b7cf0932 8cc8a6e1
    3c167a8b 547c8d28 e0a3ae1e 2bb3a675 916ea37f 0bfa2135 62f1fb62 7a01243b
    cca4f1be a8519089 a883dfe1 5ae59f06 928b665e 807b5525 64014c3b fecf492a

  y:
    b5cf357d ee2e2f12 b2e471b4 b135bade 2e28c3c8 b3e8beaf 520becc0 76848cd2
    972995ac b8efad85 afcfc6ac 2a84dabf fe27426a 6109d715 c10b65a2 1307dcdc
    3696e0ed 8f30bdf4 63846be9 3f711dd2 b577207b 138f925c 4af346e5 7a9e4cea
    5a931f95 88fdd981 50367b4b fa7991cb c3a2bcd8 1fe9cfc8 e8c23b8a aac4bc4c

  Validity: [From: Mon Jun 17 14:56:09 CEST 2013,
               To: Tue Jun 17 14:56:09 CEST 2014]
  Issuer: CN=Knopflerfish Dude, OU=Surf, O=Wave Inc., L=Paradise, ST=HI, C=KF
  SerialNumber: [    51bf0769]

]
  Algorithm: [SHA1withDSA]
  Signature:
0000: 30 2C 02 14 75 CF 8F 6A   13 53 57 00 26 8F 65 FB  0,..u..j.SW.&.e.
0010: E0 17 A8 47 A9 34 55 EF   02 14 78 CB E1 08 DB 8D  ...G.4U...x.....
0020: 4F 88 5D 98 BA 73 BB 45   6D D1 41 05 95 D7        O.]..s.Em.A...

]
getJarInputStreamCert(JarInputStreamBug.class) = [
[
  Version: V3
  Subject: CN=Knopflerfish Dude, OU=Surf, O=Wave Inc., L=Paradise, ST=HI, C=KF
  Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3

  Key:  Sun DSA Public Key
    Parameters:DSA
p:     fd7f5381 1d751229 52df4a9c 2eece4e7 f611b752 3cef4400 c31e3f80 b6512669
    455d4022 51fb593d 8d58fabf c5f5ba30 f6cb9b55 6cd7813b 801d346f f26660b7
    6b9950a5 a49f9fe8 047b1022 c24fbba9 d7feb7c6 1bf83b57 e7c6a8a6 150f04fb
    83f6d3c5 1ec30235 54135a16 9132f675 f3ae2b61 d72aeff2 2203199d d14801c7
q:     9760508f 15230bcc b292b982 a2eb840b f0581cf5
g:     f7e1a085 d69b3dde cbbcab5c 36b857b9 7994afbb fa3aea82 f9574c0b 3d078267
    5159578e bad4594f e6710710 8180b449 167123e8 4c281613 b7cf0932 8cc8a6e1
    3c167a8b 547c8d28 e0a3ae1e 2bb3a675 916ea37f 0bfa2135 62f1fb62 7a01243b
    cca4f1be a8519089 a883dfe1 5ae59f06 928b665e 807b5525 64014c3b fecf492a

  y:
    b5cf357d ee2e2f12 b2e471b4 b135bade 2e28c3c8 b3e8beaf 520becc0 76848cd2
    972995ac b8efad85 afcfc6ac 2a84dabf fe27426a 6109d715 c10b65a2 1307dcdc
    3696e0ed 8f30bdf4 63846be9 3f711dd2 b577207b 138f925c 4af346e5 7a9e4cea
    5a931f95 88fdd981 50367b4b fa7991cb c3a2bcd8 1fe9cfc8 e8c23b8a aac4bc4c

  Validity: [From: Mon Jun 17 14:56:09 CEST 2013,
               To: Tue Jun 17 14:56:09 CEST 2014]
  Issuer: CN=Knopflerfish Dude, OU=Surf, O=Wave Inc., L=Paradise, ST=HI, C=KF
  SerialNumber: [    51bf0769]

]
  Algorithm: [SHA1withDSA]
  Signature:
0000: 30 2C 02 14 75 CF 8F 6A   13 53 57 00 26 8F 65 FB  0,..u..j.SW.&.e.
0010: E0 17 A8 47 A9 34 55 EF   02 14 78 CB E1 08 DB 8D  ...G.4U...x.....
0020: 4F 88 5D 98 BA 73 BB 45   6D D1 41 05 95 D7        O.]..s.Em.A...

]
getJarFileCert(META-INF/SUB/FILE) = [
[
  Version: V3
  Subject: CN=Knopflerfish Dude, OU=Surf, O=Wave Inc., L=Paradise, ST=HI, C=KF
  Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3

  Key:  Sun DSA Public Key
    Parameters:DSA
p:     fd7f5381 1d751229 52df4a9c 2eece4e7 f611b752 3cef4400 c31e3f80 b6512669
    455d4022 51fb593d 8d58fabf c5f5ba30 f6cb9b55 6cd7813b 801d346f f26660b7
    6b9950a5 a49f9fe8 047b1022 c24fbba9 d7feb7c6 1bf83b57 e7c6a8a6 150f04fb
    83f6d3c5 1ec30235 54135a16 9132f675 f3ae2b61 d72aeff2 2203199d d14801c7
q:     9760508f 15230bcc b292b982 a2eb840b f0581cf5
g:     f7e1a085 d69b3dde cbbcab5c 36b857b9 7994afbb fa3aea82 f9574c0b 3d078267
    5159578e bad4594f e6710710 8180b449 167123e8 4c281613 b7cf0932 8cc8a6e1
    3c167a8b 547c8d28 e0a3ae1e 2bb3a675 916ea37f 0bfa2135 62f1fb62 7a01243b
    cca4f1be a8519089 a883dfe1 5ae59f06 928b665e 807b5525 64014c3b fecf492a

  y:
    b5cf357d ee2e2f12 b2e471b4 b135bade 2e28c3c8 b3e8beaf 520becc0 76848cd2
    972995ac b8efad85 afcfc6ac 2a84dabf fe27426a 6109d715 c10b65a2 1307dcdc
    3696e0ed 8f30bdf4 63846be9 3f711dd2 b577207b 138f925c 4af346e5 7a9e4cea
    5a931f95 88fdd981 50367b4b fa7991cb c3a2bcd8 1fe9cfc8 e8c23b8a aac4bc4c

  Validity: [From: Mon Jun 17 14:56:09 CEST 2013,
               To: Tue Jun 17 14:56:09 CEST 2014]
  Issuer: CN=Knopflerfish Dude, OU=Surf, O=Wave Inc., L=Paradise, ST=HI, C=KF
  SerialNumber: [    51bf0769]

]
  Algorithm: [SHA1withDSA]
  Signature:
0000: 30 2C 02 14 75 CF 8F 6A   13 53 57 00 26 8F 65 FB  0,..u..j.SW.&.e.
0010: E0 17 A8 47 A9 34 55 EF   02 14 78 CB E1 08 DB 8D  ...G.4U...x.....
0020: 4F 88 5D 98 BA 73 BB 45   6D D1 41 05 95 D7        O.]..s.Em.A...

]
getJarInputStreamCert(META-INF/SUB/FILE) = null


REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
import java.io.*;
import java.security.cert.Certificate;
import java.util.jar.*;

class JarInputStreamBug {

  static public void main(String [] args) {
    if (args.length != 1) {
      System.err.println( " One arg? " );
      return;
    }
    String elems [] = new String [] {
       " JarInputStreamBug.class " ,
       " META-INF/SUB/FILE "  };

    for (String e : elems) {
      System.out.print( " getJarFileCert( "  + e +  " ) =  " );
      try {
        System.out.println(getJarFileCert(args[0], e));
      } catch (Exception exc) {
        System.out.println(exc);
      }
      System.out.print( " getJarInputStreamCert( "  + e +  " ) =  " );
      try {
        System.out.println(getJarInputStreamCert(args[0], e));
      } catch (Exception exc) {
        System.out.println(exc);
      }
    }
  }

  static Certificate getJarFileCert(String f, String e) throws IOException {
    JarFile jf = new JarFile(f);
    JarEntry je = jf.getJarEntry(e);
    readIt(jf.getInputStream(je));
    Certificate c[] = je.getCertificates();
    return c != null ? c[0] : null;
  }

  static Certificate getJarInputStreamCert(String f, String e) throws IOException {
    JarInputStream jis = new JarInputStream(new FileInputStream (f));
    JarEntry je;
    while ((je = jis.getNextJarEntry()) != null) {
      if (je.getName().equals(e)) {
        readIt(jis);
        Certificate c[] = je.getCertificates();
        return c != null ? c[0] : null;
      }
    }
    throw new IOException( " Entry  "  + e +  "  not found " );
  }

  static void readIt(InputStream is) throws IOException {
    byte [] b = new byte[512];
    while (is.read(b) >= 0)
      ;
    is.close();
  }
}

---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
* Use JarFile if possible.

* Move META-INF files that need the certificate for last in the jar file.
                                    

Comments
URL:   http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/c2a02bfda994
User:  weijun
Date:  2013-09-11 02:54:08 +0000

                                     
2013-09-11
URL:   http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/c2a02bfda994
User:  lana
Date:  2013-09-23 18:24:17 +0000

                                     
2013-09-23



Hardware and Software, Engineered to Work Together