7023056: NPE from sun.security.util.ManifestEntryVerifier.verify during Maven build

Reviewed-by: mullan

7023056: NPE from sun.security.util.ManifestEntryVerifier.verify during Maven build
Reviewed-by: mullan
4885bba5 · weijun · 3a4dff44 · 4885bba5 · 4885bba5 · 4885bba5
3 changed file
--- a/src/share/classes/java/util/jar/JarVerifier.java
+++ b/src/share/classes/java/util/jar/JarVerifier.java
@@ -415,6 +415,12 @@ class JarVerifier {
        pendingBlocks = null;
        signerCache = null;
        manDig = null;
+        // MANIFEST.MF is always treated as signed and verified,
+        // move its signers from sigFileSigners to verifiedSigners.
+        if (sigFileSigners.containsKey(JarFile.MANIFEST_NAME)) {
+            verifiedSigners.put(JarFile.MANIFEST_NAME,
+                    sigFileSigners.remove(JarFile.MANIFEST_NAME));
+        }
    }
    static class VerifierStream extends java.io.InputStream {

--- a/src/share/classes/sun/security/util/ManifestEntryVerifier.java
+++ b/src/share/classes/sun/security/util/ManifestEntryVerifier.java
@@ -195,8 +195,7 @@ public class ManifestEntryVerifier {
                Hashtable<String, CodeSigner[]> sigFileSigners)
        throws JarException
    {
-        // MANIFEST.MF should not be skipped. It has signers.
+        if (skip) {
-        if (skip && !entry.getName().equals(JarFile.MANIFEST_NAME)) {
            return null;
        }

--- a/test/java/util/jar/JarFile/MevNPE.java
+++ b/test/java/util/jar/JarFile/MevNPE.java
+/*
+ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+/* @test
+ * @bug 7023056
+ * @summary NPE from sun.security.util.ManifestEntryVerifier.verify during Maven build
+ */
+import java.io.*;
+import java.util.jar.*;
+public class MevNPE {
+    public static void main(String[] args) throws Exception {
+        File f = new File(System.getProperty("test.src", "."), "Signed.jar");
+        try (JarFile jf = new JarFile(f, true)) {
+            try (InputStream s1 = jf.getInputStream(
+                    jf.getJarEntry(JarFile.MANIFEST_NAME))) {
+                s1.read(new byte[10000]);
+            };
+            try (InputStream s2 = jf.getInputStream(
+                    jf.getJarEntry(JarFile.MANIFEST_NAME))) {
+                s2.read(new byte[10000]);
+            };
+        }
+    }
+}