8265201: JarFile.getInputStream not validating invalid signed jars

Reviewed-by: pkoppula, coffeys
2025-08-28 15:24:43 +02:00 · 2021-04-15 14:28:56 +00:00 · 2021-04-15 14:28:56 +00:00 · add995be46
commit add995be46
parent ca6b222c97
1 changed files with 13 additions and 2 deletions
--- a/src/java.base/share/classes/sun/security/pkcs/SignerInfo.java
+++ b/src/java.base/share/classes/sun/security/pkcs/SignerInfo.java
@ -331,7 +331,18 @@ public class SignerInfo implements DerEncoder {
    throws NoSuchAlgorithmException, SignatureException {

        try {
-            Timestamp timestamp = getTimestamp();
+            Timestamp timestamp = null;
+            try {
+                timestamp = getTimestamp();
+            } catch (Exception e) {
+                // Log exception and continue. This allows for the case
+                // where, if there are no other errors, the code is
+                // signed but w/o a timestamp.
+                if (debug != null) {
+                    debug.println("Unexpected exception while getting" +
+                                  " timestamp: " + e);
+                }
+            }

            ContentInfo content = block.getContentInfo();
            if (data == null) {
@ -471,7 +482,7 @@ public class SignerInfo implements DerEncoder {
            if (sig.verify(encryptedDigest)) {
                return this;
            }
-        } catch (IOException | CertificateException e) {
+        } catch (IOException e) {
            throw new SignatureException("Error verifying signature", e);
        }
        return null;