JDK-8022761 : regression: SecurityException is NOT thrown while trying to pack a wrongly signed Indexed Jar file
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 8
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2013-08-10
  • Updated: 2014-05-09
  • Resolved: 2013-08-27
Version table:
  • JDK 7: 7u60 (Fixed)
  • JDK 8: 8 b106 (Fixed)
Description
This seems to be a regression since the 2013-08-08 TL nightly.
SecurityException is NOT thrown while trying to pack a wrongly signed Indexed Jar file.

Test case attached.

Test PASS with jdk8/b102
bash-3.2$  /java/re/jdk/8/promoted/all/b102/binaries/solaris-sparc/bin/java Pack200Tests `pwd`
pack200Test3 PASS ... expected SecurityException thrown
java.lang.SecurityException: cannot verify signature block file META-INF/MYKEY
        at sun.security.util.SignatureFileVerifier.processImpl(SignatureFileVerifier.java:219)
        at sun.security.util.SignatureFileVerifier.process(SignatureFileVerifier.java:192)
        at java.util.jar.JarVerifier.processEntry(JarVerifier.java:304)
        at java.util.jar.JarVerifier.update(JarVerifier.java:216)
        at java.util.jar.JarFile.initializeVerifier(JarFile.java:375)
        at java.util.jar.JarFile.getInputStream(JarFile.java:442)
        at com.sun.java.util.jar.pack.PackerImpl$DoPack$InFile.getInputStream(PackerImpl.java:384)
        at com.sun.java.util.jar.pack.PackerImpl$DoPack.run(PackerImpl.java:472)
        at com.sun.java.util.jar.pack.PackerImpl.pack(PackerImpl.java:98)
        at Pack200Tests.pack200Test3(Pack200Tests.java:46)
        at Pack200Tests.main(Pack200Tests.java:22)

Test FAIL since 2013-08-08 TL nightly
bash-3.2$ /java/re/jdk/8/nightly-tl/ws/build/solaris-sparc/j2sdk-image/bin/java Pack200Tests `pwd`
pack200Test3 FAIL ... expected SecurityException is not thrown

bash-3.2$ /java/re/jdk/8/nightly-tl/ws/build/solaris-sparc/j2sdk-image/bin/java -version
java version "1.8.0-ea"
Java(TM) SE Runtime Environment (build 1.8.0-ea-langtools-nightly-h5344-20130808-b103-b00)
Java HotSpot(TM) Server VM (build 25.0-b44, mixed mode)



Comments
SQE test and regression test all passed in B106.
06-09-2013

Before JDK-8021788, the jar was regarded as an invalid signed jar. After it, it's regarded as an unsigned jar. Neither could be a security threat. But I'll see which one could be nicer.
12-08-2013

The following SQE tests failed due to this issue: java_util/jar/phase2/Pack200Tests and java_util/jar/phase2/IndexedJarWithCorruptedSignatureTest
10-08-2013
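
The comments above note that the same jar can be reported either as invalidly signed (SecurityException) or as unsigned (no exception). The following added example, which is not part of the original report, its attached test case, or the JDK sources, shows a caller-side check that requires a valid signature and therefore does not depend on the exception alone. The class name StrictJarCheck and the Result enum are hypothetical; only standard java.util.jar calls are used.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class StrictJarCheck {                       // hypothetical name
    enum Result { SIGNED_OK, UNSIGNED_OR_PARTIAL, INVALID_SIGNATURE }

    static Result check(String path) throws IOException {
        boolean sawSigned = false, sawUnsigned = false;
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(path, true)) {   // true = verify signatures
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                // Simplification: skip directories and everything under META-INF/
                // (manifest, signature files, INDEX.LIST).
                if (e.isDirectory()
                        || e.getName().regionMatches(true, 0, "META-INF/", 0, 9)) {
                    continue;
                }
                // Signers are only known after the entry is read to end of stream.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null || signers.length == 0) sawUnsigned = true;
                else sawSigned = true;
            }
        } catch (SecurityException ex) {
            // The outcome seen in the b102 run in the description above.
            return Result.INVALID_SIGNATURE;
        }
        // A jar the verifier treats as unsigned ends up here, with no exception.
        return (sawSigned && !sawUnsigned) ? Result.SIGNED_OK
                                           : Result.UNSIGNED_OR_PARTIAL;
    }

    public static void main(String[] args) throws IOException {
        // args[0]: path to the jar to check (supplied by the caller)
        System.out.println(args[0] + ": " + check(args[0]));
    }
}
```

With this check, a jar that is expected to be signed is rejected on either UNSIGNED_OR_PARTIAL or INVALID_SIGNATURE, so the two behaviours described in the comments lead to the same decision.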