Merge
commit
c36755dedf
33 changed files with 483 additions and 114 deletions
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 1997, 2021, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
|
@ -419,7 +419,13 @@ public class JarFile extends ZipFile {
|
|||
if (verify) {
|
||||
byte[] b = getBytes(manEntry);
|
||||
if (!jvInitialized) {
|
||||
jv = new JarVerifier(b);
|
||||
if (JUZFA.getManifestNum(this) == 1) {
|
||||
jv = new JarVerifier(manEntry.getName(), b);
|
||||
} else {
|
||||
if (JarVerifier.debug != null) {
|
||||
JarVerifier.debug.println("Multiple MANIFEST.MF found. Treat JAR file as unsigned");
|
||||
}
|
||||
}
|
||||
}
|
||||
man = new Manifest(jv, new ByteArrayInputStream(b), getName());
|
||||
} else {
|
||||
|
@ -745,7 +751,7 @@ public class JarFile extends ZipFile {
|
|||
mev = new ManifestEntryVerifier
|
||||
(getManifestFromReference());
|
||||
}
|
||||
if (name.equals(MANIFEST_NAME)) {
|
||||
if (name.equalsIgnoreCase(MANIFEST_NAME)) {
|
||||
b = jv.manifestRawBytes;
|
||||
} else {
|
||||
b = getBytes(e);
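Review bot: The manifest-name test changed to `if (name.equalsIgnoreCase(MANIFEST_NAME))` here, and the matching `!name.equalsIgnoreCase(JarFile.MANIFEST_NAME)` in JarVerifier, use String's Unicode case mapping, while the count checked by `JUZFA.getManifestNum(this) == 1` is produced by `isManifestName` in ZipFile, whose body is outside these hunks. If that helper folds case differently (for example ASCII-only), the two layers can disagree on which entry names count as the manifest, so it is worth confirming they apply the same rule or sharing one predicate. Separately, the `else` branch that leaves `jv` unassigned is only visible through a debug print; a comment such as `// More than one manifest entry (any case): no verifier is created, so the JAR is handled as unsigned.` would record that this is deliberate. Both enclosing methods start and end outside the hunks.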
|
||||
|
|
|
@ -94,7 +94,7 @@ public class JarInputStream extends ZipInputStream {
|
|||
man.read(new ByteArrayInputStream(bytes));
|
||||
closeEntry();
|
||||
if (doVerify) {
|
||||
jv = new JarVerifier(bytes);
|
||||
jv = new JarVerifier(e.getName(), bytes);
|
||||
mev = new ManifestEntryVerifier(man);
|
||||
}
|
||||
return (JarEntry)super.getNextEntry();
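Review bot: The verifier built at `jv = new JarVerifier(e.getName(), bytes);` is not guarded by any duplicate-manifest check, unlike the JarFile path in this commit, which only creates a verifier when the manifest count is exactly 1. A stream reader cannot know that count up front, so the difference may be unavoidable, but nothing in the hunk says so. I would add a comment above `if (doVerify)`, e.g. `// Streaming: only this leading manifest entry is known here; the multiple-manifest check is done by JarFile only.`, if that is the intent, and confirm that a later entry whose name matches the manifest name ignoring case cannot affect the verification result. The enclosing method starts before the hunk.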
|
||||
|
|
|
@ -84,6 +84,9 @@ class JarVerifier {
|
|||
/** the bytes for the manDig object */
|
||||
byte manifestRawBytes[] = null;
|
||||
|
||||
/** the manifest name this JarVerifier is created upon */
|
||||
final String manifestName;
|
||||
|
||||
/** controls eager signature validation */
|
||||
boolean eagerValidation;
|
||||
|
||||
|
@ -93,7 +96,8 @@ class JarVerifier {
|
|||
/** collect -DIGEST-MANIFEST values for deny list */
|
||||
private List<Object> manifestDigests;
|
||||
|
||||
public JarVerifier(byte rawBytes[]) {
|
||||
public JarVerifier(String name, byte rawBytes[]) {
|
||||
manifestName = name;
|
||||
manifestRawBytes = rawBytes;
|
||||
sigFileSigners = new Hashtable<>();
|
||||
verifiedSigners = new Hashtable<>();
|
||||
|
@ -180,7 +184,7 @@ class JarVerifier {
|
|||
|
||||
// only set the jev object for entries that have a signature
|
||||
// (either verified or not)
|
||||
if (!name.equals(JarFile.MANIFEST_NAME)) {
|
||||
if (!name.equalsIgnoreCase(JarFile.MANIFEST_NAME)) {
|
||||
if (sigFileSigners.get(name) != null ||
|
||||
verifiedSigners.get(name) != null) {
|
||||
mev.setEntry(name, je);
|
||||
|
@ -270,7 +274,8 @@ class JarVerifier {
|
|||
}
|
||||
|
||||
sfv.setSignatureFile(bytes);
|
||||
sfv.process(sigFileSigners, manifestDigests);
|
||||
sfv.process(sigFileSigners, manifestDigests,
|
||||
manifestName);
|
||||
}
|
||||
}
|
||||
return;
|
||||
|
@ -313,7 +318,7 @@ class JarVerifier {
|
|||
sfv.setSignatureFile(bytes);
|
||||
}
|
||||
}
|
||||
sfv.process(sigFileSigners, manifestDigests);
|
||||
sfv.process(sigFileSigners, manifestDigests, manifestName);
|
||||
|
||||
} catch (IOException | CertificateException |
|
||||
NoSuchAlgorithmException | SignatureException e) {
|
||||
|
@ -419,9 +424,9 @@ class JarVerifier {
|
|||
manDig = null;
|
||||
// MANIFEST.MF is always treated as signed and verified,
|
||||
// move its signers from sigFileSigners to verifiedSigners.
|
||||
if (sigFileSigners.containsKey(JarFile.MANIFEST_NAME)) {
|
||||
CodeSigner[] codeSigners = sigFileSigners.remove(JarFile.MANIFEST_NAME);
|
||||
verifiedSigners.put(JarFile.MANIFEST_NAME, codeSigners);
|
||||
if (sigFileSigners.containsKey(manifestName)) {
|
||||
CodeSigner[] codeSigners = sigFileSigners.remove(manifestName);
|
||||
verifiedSigners.put(manifestName, codeSigners);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -873,7 +878,7 @@ class JarVerifier {
|
|||
*/
|
||||
boolean isTrustedManifestEntry(String name) {
|
||||
// How many signers? MANIFEST.MF is always verified
|
||||
CodeSigner[] forMan = verifiedSigners.get(JarFile.MANIFEST_NAME);
|
||||
CodeSigner[] forMan = verifiedSigners.get(manifestName);
|
||||
if (forMan == null) {
|
||||
return true;
|
||||
}
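Review bot: The constructor stores `manifestName = name;` without a null check, and the field is then used as a key in `sigFileSigners.containsKey(manifestName)` and `verifiedSigners.get(manifestName)`. Both maps are created as `Hashtable`, which throws NullPointerException on a null key, so a null name would surface late, in the middle of verification, instead of at construction. Failing fast with `manifestName = java.util.Objects.requireNonNull(name, "name");` keeps the error at the call site. The field's Javadoc could also state that this is the entry name exactly as spelled in the archive, since the test `!name.equalsIgnoreCase(JarFile.MANIFEST_NAME)` ignores case while the map lookups are exact-match. The method bodies around these hunks are outside the view.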
|
||||
|
|
|
@ -226,6 +226,7 @@ public class ZipFile implements ZipConstants, Closeable {
|
|||
Integer.toHexString(mode));
|
||||
}
|
||||
String name = file.getPath();
|
||||
file = new File(name);
|
||||
@SuppressWarnings("removal")
|
||||
SecurityManager sm = System.getSecurityManager();
|
||||
if (sm != null) {
|
||||
|
@ -1032,6 +1033,18 @@ public class ZipFile implements ZipConstants, Closeable {
|
|||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the number of the META-INF/MANIFEST.MF entries, case insensitive.
|
||||
* When this number is greater than 1, JarVerifier will treat a file as
|
||||
* unsigned.
|
||||
*/
|
||||
private int getManifestNum() {
|
||||
synchronized (this) {
|
||||
ensureOpen();
|
||||
return res.zsrc.manifestNum;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the name of the META-INF/MANIFEST.MF entry, ignoring
|
||||
* case. If {@code onlyIfSignatureRelatedFiles} is true, we only return the
|
||||
|
@ -1079,6 +1092,10 @@ public class ZipFile implements ZipConstants, Closeable {
|
|||
return ((ZipFile)jar).getManifestAndSignatureRelatedFiles();
|
||||
}
|
||||
@Override
|
||||
public int getManifestNum(JarFile jar) {
|
||||
return ((ZipFile)jar).getManifestNum();
|
||||
}
|
||||
@Override
|
||||
public String getManifestName(JarFile jar, boolean onlyIfHasSignatureRelatedFiles) {
|
||||
return ((ZipFile)jar).getManifestName(onlyIfHasSignatureRelatedFiles);
|
||||
}
|
||||
|
@ -1131,6 +1148,7 @@ public class ZipFile implements ZipConstants, Closeable {
|
|||
private byte[] comment; // zip file comment
|
||||
// list of meta entries in META-INF dir
|
||||
private int manifestPos = -1; // position of the META-INF/MANIFEST.MF, if exists
|
||||
private int manifestNum = 0; // number of META-INF/MANIFEST.MF, case insensitive
|
||||
private int[] signatureMetaNames; // positions of signature related entries, if such exist
|
||||
private int[] metaVersions; // list of unique versions found in META-INF/versions/
|
||||
private final boolean startsWithLoc; // true, if zip file starts with LOCSIG (usually true)
|
||||
|
@ -1313,6 +1331,7 @@ public class ZipFile implements ZipConstants, Closeable {
|
|||
entries = null;
|
||||
table = null;
|
||||
manifestPos = -1;
|
||||
manifestNum = 0;
|
||||
signatureMetaNames = null;
|
||||
metaVersions = EMPTY_META_VERSIONS;
|
||||
}
|
||||
|
@ -1504,6 +1523,7 @@ public class ZipFile implements ZipConstants, Closeable {
|
|||
int pos = 0;
|
||||
int entryPos = CENHDR;
|
||||
int limit = cen.length - ENDHDR;
|
||||
manifestNum = 0;
|
||||
while (entryPos <= limit) {
|
||||
if (idx >= entriesLength) {
|
||||
// This will only happen if the zip file has an incorrect
|
||||
|
@ -1522,6 +1542,7 @@ public class ZipFile implements ZipConstants, Closeable {
|
|||
// nlen is at least META_INF_LENGTH
|
||||
if (isManifestName(entryPos + META_INF_LEN, nlen - META_INF_LEN)) {
|
||||
manifestPos = pos;
|
||||
manifestNum++;
|
||||
} else {
|
||||
if (isSignatureRelated(entryPos, nlen)) {
|
||||
if (signatureNames == null)
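Review bot: The added `file = new File(name);` in the constructor hunk carries no comment and reads like a redundant assignment that a later cleanup could delete. It appears to replace the caller-supplied `File` with a plain instance built from the path already captured in `name`, so that the security-manager check that follows and the later open operate on the same path even when the argument is a `File` subclass. If that is the intent, say so next to the line, e.g. `// Re-create from the captured path so a File subclass cannot report a different path later.`. The constructor body starts and ends outside the hunk.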
|
||||
|
|