diff --git a/src/share/classes/sun/security/tools/JarSigner.java b/src/share/classes/sun/security/tools/JarSigner.java
index 89b9c7e75d739af18b5393a5b892cc239032acd2..2cf5de66f35febe80b693aa139c5f6859132a49f 100644
--- a/src/share/classes/sun/security/tools/JarSigner.java
+++ b/src/share/classes/sun/security/tools/JarSigner.java
@@ -723,7 +723,7 @@ public class JarSigner {
 if (signatureRelated(name)) {
 // Entries inside META-INF and other unsigned
 // entries are grouped separately.
-label = "-" + label.substring(1);
+label = "-" + label;
 }

 // The label finally contains 2 parts separated by '|':
@@ -752,7 +752,7 @@ public class JarSigner {
 List files = s.getValue();
 String key = s.getKey();
 if (key.charAt(0) == '-') { // the signature-related group
-key = ' ' + key.substring(1);
+key = key.substring(1);
 }
 int pipe = key.indexOf('|');
 if (verbose.equals("all")) {
diff --git a/src/share/classes/sun/security/util/ManifestEntryVerifier.java b/src/share/classes/sun/security/util/ManifestEntryVerifier.java
index 3952ccee86dbc85b3d145b787e8948e6cad9c38d..2fe98e500357c12b313c57deba8df4b6b786a320 100644
--- a/src/share/classes/sun/security/util/ManifestEntryVerifier.java
+++ b/src/share/classes/sun/security/util/ManifestEntryVerifier.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -185,7 +185,10 @@ public class ManifestEntryVerifier {
 Hashtable sigFileSigners)
 throws JarException
 {
-if (skip) return null;
+// MANIFEST.MF should not be skipped. It has signers.
+if (skip && !entry.getName().equals(JarFile.MANIFEST_NAME)) {
+return null;
+}

 if (signers != null) return signers;

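Review bot: The '-' prefix added at `label = "-" + label;` is an in-band flag on a display string, and nothing at this site records that the grouped-summary printer is the only consumer that strips it again (`key = key.substring(1);` in the @@ -752 hunk of the same file), so a reader of either hunk alone cannot tell whether a label may legitimately begin with '-'. Since the consumer tests `key.charAt(0) == '-'`, the contract belongs in a comment at the first site: `// Leading '-' marks the signature-related group; it is stripped when the grouped summary is printed.` Label construction is outside the hunk, so whether a label can start with '-' on its own cannot be confirmed from here; if it can, a dedicated boolean or group key would be safer than a sentinel character. The enclosing method starts and ends outside both hunks.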
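Review bot: The manifest now falls through the guard at `if (skip && !entry.getName().equals(JarFile.MANIFEST_NAME))`, but the comment does not say where its signers or its integrity come from, which is the security-relevant part: this class does per-entry digest checks, and a manifest carries no digest section for itself, so the loop below (outside the hunk) presumably has nothing to compare for it and its integrity must rest on the .SF manifest digest checked by SignatureFileVerifier, which is also where its signers are registered under this exact name. Suggest `// MANIFEST.MF is never skipped: its signers are registered by SignatureFileVerifier under JarFile.MANIFEST_NAME and its integrity is covered by the .SF manifest digest, not by the per-entry digest check below.` Note also that `entry` is now dereferenced on a path that previously returned before touching it, so this relies on setEntry always storing a non-null entry even when it sets skip, and that the comparison is case-exact, so a manifest named in a different case keeps the old skipped behavior. The method body continues past the hunk.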
diff --git a/src/share/classes/sun/security/util/SignatureFileVerifier.java b/src/share/classes/sun/security/util/SignatureFileVerifier.java
index b0a334ee49804f2bb0473b21ab5b3b585aa4d27e..d3ce9013e1570a1bdf90a597e605f9fcf6526fdc 100644
--- a/src/share/classes/sun/security/util/SignatureFileVerifier.java
+++ b/src/share/classes/sun/security/util/SignatureFileVerifier.java
@@ -265,6 +265,9 @@ public class SignatureFileVerifier {
 debug.println("processSignature unsigned name = "+name);
 }
 }
+
+// MANIFEST.MF is always regarded as signed
+updateSigners(newSigners, signers, JarFile.MANIFEST_NAME);
 }

 /**
diff --git a/test/sun/security/tools/jarsigner/JarSigningNonAscii.java b/test/sun/security/tools/jarsigner/JarSigningNonAscii.java
index ed17e6e7bb6454481b884d7e1fc466e0b654d9dd..c0cae086252a65a361e1cb44af050b2c4865572f 100644
--- a/test/sun/security/tools/jarsigner/JarSigningNonAscii.java
+++ b/test/sun/security/tools/jarsigner/JarSigningNonAscii.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -113,7 +113,7 @@ public class JarSigningNonAscii {
 }
 }

-if (isSignedCount != 3) {
+if (isSignedCount != 4) {
 throw new SecurityException("error signing JAR file");
 }

diff --git a/test/sun/security/tools/jarsigner/concise_jarsigner.sh b/test/sun/security/tools/jarsigner/concise_jarsigner.sh
index 0b145a902b62bf86550d659c590422d59f54cff7..252facbe6a27b7667d2f31ff0f199a26f6f9a80f 100644
--- a/test/sun/security/tools/jarsigner/concise_jarsigner.sh
+++ b/test/sun/security/tools/jarsigner/concise_jarsigner.sh
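Review bot: `updateSigners(newSigners, signers, JarFile.MANIFEST_NAME);` runs unconditionally after the per-section loop, so the comment "always regarded as signed" should state what has actually been established by that point rather than sounding like an exemption from verification. If the code above the hunk follows the usual shape, the signature block has verified and the manifest main-attribute (or whole-manifest) digest has been checked before control gets here, while a per-section digest mismatch only leaves that one entry unsigned and does not affect this call; confirm that against the preceding checks, which are outside the hunk. Suggest `// MANIFEST.MF is always regarded as signed once the signature block and the manifest digest checks above have passed; per-section failures leave only those entries unsigned.` The enclosing method starts outside the hunk.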
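Review bot: `if (isSignedCount != 4)` replaces one magic number with another, and the reason for the bump is recoverable only from the other files in this commit; the loop that computes isSignedCount is outside the hunk, so a comment on the condition would keep the test self-explanatory: `// three content entries plus META-INF/MANIFEST.MF, which is now reported as signed`. The figure of three content entries is inferred from the old expected value rather than from anything visible in the hunk, so adjust the wording if the jar's contents differ.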
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -103,27 +103,31 @@ LINES=`$JARSIGNER -verify a.jar -verbose | grep $YEAR | wc -l`
 LINES=`$JARSIGNER -verify a.jar -verbose:grouped | grep $YEAR | wc -l`
 [ $LINES = 12 ] || exit $LINENO

-# 3 groups: unrelated, signed, unsigned
+# 4 groups: MANIFST, unrelated, signed, unsigned
 LINES=`$JARSIGNER -verify a.jar -verbose:summary | grep $YEAR | wc -l`
+[ $LINES = 4 ] || exit $LINENO
+
+# still 4 groups, but MANIFEST group has no other file
+LINES=`$JARSIGNER -verify a.jar -verbose:summary | grep "more)" | wc -l`
 [ $LINES = 3 ] || exit $LINENO

-# 4 groups: unrelated, signed by a1/a2, signed by a2, unsigned
+# 5 groups: MANIFEST, unrelated, signed by a1/a2, signed by a2, unsigned
 LINES=`$JARSIGNER -verify a.jar -verbose:summary -certs | grep $YEAR | wc -l`
-[ $LINES = 4 ] || exit $LINENO
+[ $LINES = 5 ] || exit $LINENO

-# 2*2 for A1/A2, 2 for A3/A4
+# 2 for MANIFEST, 2*2 for A1/A2, 2 for A3/A4
 LINES=`$JARSIGNER -verify a.jar -verbose -certs | grep "\[certificate" | wc -l`
-[ $LINES = 6 ] || exit $LINENO
+[ $LINES = 8 ] || exit $LINENO

-# a1,a2 for A1/A2, a2 for A3/A4
+# a1,a2 for MANIFEST, a1,a2 for A1/A2, a2 for A3/A4
 LINES=`$JARSIGNER -verify a.jar -verbose:grouped -certs | grep "\[certificate" | wc -l`
-[ $LINES = 3 ] || exit $LINENO
+[ $LINES = 5 ] || exit $LINENO

-# a1,a2 for A1/A2, a2 for A3/A4
+# a1,a2 for MANIFEST, a1,a2 for A1/A2, a2 for A3/A4
 LINES=`$JARSIGNER -verify a.jar -verbose:summary -certs | grep "\[certificate" | wc -l`
-[ $LINES = 3 ] || exit $LINENO
+[ $LINES = 5 ] || exit $LINENO

-# 4 groups
+# still 5 groups, but MANIFEST group has no other file
 LINES=`$JARSIGNER -verify a.jar -verbose:summary -certs | grep "more)" | wc -l`
 [ $LINES = 4 ] || exit $LINENO

diff --git a/test/sun/security/tools/jarsigner/onlymanifest.sh b/test/sun/security/tools/jarsigner/onlymanifest.sh
new file mode 100644
index 0000000000000000000000000000000000000000..5ea95784b1b5007280fa58396efddbd70a8f5856
--- /dev/null
+++ b/test/sun/security/tools/jarsigner/onlymanifest.sh
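Review bot: The new comment `+# 4 groups: MANIFST, unrelated, signed, unsigned` misspells MANIFEST, while the other comments added in this hunk spell it correctly; it should read `# 4 groups: MANIFEST, unrelated, signed, unsigned`. The expected counts themselves are mutually consistent: 4 summary lines but only 3 "more)" lines, and 5 versus 4 with -certs, which matches the comments' statement that the MANIFEST group holds a single file.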
@@ -0,0 +1,68 @@
+#
+# Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+
+# @test
+# @bug 7004035
+# @summary signed jar with only META-INF/* inside is not verifiable
+#
+
+if [ "${TESTJAVA}" = "" ] ; then
+ JAVAC_CMD=`which javac`
+ TESTJAVA=`dirname $JAVAC_CMD`/..
+fi
+
+# set platform-dependent variables
+OS=`uname -s`
+case "$OS" in
+ Windows_* )
+ FS="\\"
+ ;;
+ * )
+ FS="/"
+ ;;
+esac
+
+KS=onlymanifest.jks
+JFILE=onlymanifest.jar
+
+KT="$TESTJAVA${FS}bin${FS}keytool -storepass changeit -keypass changeit \
+ -keystore $KS"
+JAR=$TESTJAVA${FS}bin${FS}jar
+JARSIGNER=$TESTJAVA${FS}bin${FS}jarsigner
+
+rm $KS $JFILE 2> /dev/null
+
+# Create an empty jar file with only MANIFEST.MF
+
+echo "Key: Value" > manifest
+$JAR cvfm $JFILE manifest
+
+$KT -alias a -dname CN=a -genkey -validity 300 || exit 1
+$JARSIGNER -keystore $KS -storepass changeit $JFILE a -debug -strict || exit 2
+$JARSIGNER -keystore $KS -storepass changeit -verify $JFILE a -debug -strict \
+ > onlymanifest.out || exit 3
+
+grep unsigned onlymanifest.out && exit 4
+
+exit 0
+
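Review bot: The pass condition `grep unsigned onlymanifest.out && exit 4` is a negative assertion over captured output, but `> onlymanifest.out` on the verify line captures only stdout; if the unsigned-entry warning were ever printed on stderr, the check would pass vacuously and the regression this test guards would go unnoticed. Redirecting both streams, `> onlymanifest.out 2>&1`, makes the assertion hold regardless of where the message is written. Separately, `rm $KS $JFILE 2> /dev/null` leaves `manifest` and `onlymanifest.out` from an earlier run in place; adding them keeps reruns clean even though the redirection truncates the output file before verification starts.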