CSR :
Summary
-------

Clarify when a JAR file's Manifest is accessible via the JarInputStream class.

Problem
-------

The JarInputStream class description does not specify the circumstances under which the JarInputStream::getManifest and JarInputStream::getNext[Jar]Entry methods will return a JAR file's Manifest. The behavior dates back to JDK 1.2, when JarInputStream was first added to the JDK.

Solution
--------

The class description will be updated to describe when the Manifest will be accessible.

Specification
-------------

*The class description will be updated as follows:*

The JarInputStream class, which extends ZipInputStream, is used to read the contents of a JAR file from an input stream. It provides support for reading an optional Manifest entry. The Manifest can be used to store meta-information about the JAR file and its entries.

**Accessing the Manifest**

The getManifest() method will return the Manifest when it is the first entry in the stream, or META-INF/ is the first entry and the Manifest is the second entry within the stream. When the Manifest is returned by getManifest(), the getNextEntry() and getNextJarEntry() methods will not return the Manifest. If META-INF/ is the first entry in the input stream, it will also not be returned by getNextEntry() and getNextJarEntry().

JarEntry.getAttributes() will return the Manifest's attributes for the current JAR file entry, if any, providing getManifest() returns a Manifest for the JAR file.

**Verifying a JarInputStream**

JarInputStream(InputStream, boolean) may be used to verify the signatures of a signed JarInputStream assuming the following requirements are met:

- getManifest() returns a Manifest for the JAR file
- All signature-related entries immediately follow the Manifest

Once the JarEntry has been completely verified, which is done by reading until the end of the entry's input stream, JarEntry.getCertificates() may be called to obtain the certificates for this entry and JarEntry.getCodeSigners() may be called to obtain the signers.

**Note**: If a JarEntry is modified after the JAR file is signed, a SecurityException will be thrown when the entry is read.
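
The following Java program is an added example, not part of the CSR or the JDK sources. It builds two constructed, unsigned in-memory JARs that differ only in where META-INF/MANIFEST.MF sits, opens each with verify set to true, and prints what getManifest(), getNextJarEntry() and getCodeSigners() report. The class name, helper names and the entry app/data.txt are assumptions for illustration, and Java 11 or later is assumed.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.CodeSigner;
import java.util.jar.*;
import java.util.zip.*;

public class ManifestPositionDemo {            // hypothetical class name
    // Build a constructed, unsigned in-memory JAR; manifestFirst controls entry order.
    static byte[] buildJar(boolean manifestFirst) throws IOException {
        Manifest mf = new Manifest();
        mf.getMainAttributes().put(Attributes.Name.MANIFEST_VERSION, "1.0");
        ByteArrayOutputStream mfBytes = new ByteArrayOutputStream();
        mf.write(mfBytes);
        byte[] data = "constructed sample".getBytes(StandardCharsets.UTF_8);

        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(out)) {
            if (manifestFirst) put(zos, JarFile.MANIFEST_NAME, mfBytes.toByteArray());
            put(zos, "app/data.txt", data);
            if (!manifestFirst) put(zos, JarFile.MANIFEST_NAME, mfBytes.toByteArray());
        }
        return out.toByteArray();
    }

    static void put(ZipOutputStream zos, String name, byte[] body) throws IOException {
        zos.putNextEntry(new ZipEntry(name));
        zos.write(body);
        zos.closeEntry();
    }

    // Open with verify=true and report what the stream exposes.
    static void inspect(String label, byte[] jar) throws IOException {
        try (JarInputStream jis = new JarInputStream(new ByteArrayInputStream(jar), true)) {
            System.out.println(label + ": getManifest() is "
                    + (jis.getManifest() == null ? "null" : "present"));
            JarEntry e;
            while ((e = jis.getNextJarEntry()) != null) {
                jis.transferTo(OutputStream.nullOutputStream()); // read entry to its end
                CodeSigner[] signers = e.getCodeSigners();       // null if the entry has no signers
                System.out.println("  " + e.getName() + " signers="
                        + (signers == null ? "none" : String.valueOf(signers.length)));
            }
        }
    }

    public static void main(String[] args) throws IOException {
        inspect("manifest first", buildJar(true));
        inspect("manifest last", buildJar(false));
    }
}
```

A caller that relies on JarInputStream for signature verification can apply the same two checks: treat a null getManifest() as an unverifiable stream, and require a non-null getCodeSigners() after each entry has been read to its end.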