8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories

Reviewed-by: weijun

Author: eirbjo

src/java.base/share/classes/java/util/jar/JarVerifier.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -39,6 +39,8 @@
 import sun.security.util.SignatureFileVerifier;
 import sun.security.util.Debug;
 
+import static sun.security.util.SignatureFileVerifier.isInMetaInf;
+
 /**
  *
  * @author      Roland Schemers
@@ -135,15 +137,14 @@ public void beginEntry(JarEntry je, ManifestEntryVerifier mev)
          */
 
         if (parsingMeta) {
-            String uname = name.toUpperCase(Locale.ENGLISH);
-            if ((uname.startsWith("META-INF/") ||
-                 uname.startsWith("/META-INF/"))) {
+
+            if (isInMetaInf(name)) {
 
                 if (je.isDirectory()) {
                     mev.setEntry(null, je);
                     return;
                 }
-
+                String uname = name.toUpperCase(Locale.ENGLISH);
                 if (uname.equals(JarFile.MANIFEST_NAME) ||
                         uname.equals(JarIndex.INDEX_NAME)) {
                     return;

src/java.base/share/classes/java/util/zip/ZipFile.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1995, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -1745,8 +1745,27 @@ private boolean isSignatureRelated(int off, int len) {
             assert(signatureRelated == SignatureFileVerifier
                 .isBlockOrSF(new String(name, off, len, UTF_8.INSTANCE)
                     .toUpperCase(Locale.ENGLISH)));
+
+            // Signature related files must reside directly in META-INF/
+            if (signatureRelated && hasSlash(name, off + META_INF_LEN, off + len)) {
+                signatureRelated = false;
+            }
             return signatureRelated;
         }
+        /*
+         * Return true if the encoded name contains a '/' within the byte given range
+         * This assumes an ASCII-compatible encoding, which is ok here since
+         * it is already assumed in isMetaName
+         */
+        private boolean hasSlash(byte[] name, int start, int end) {
+            for (int i = start; i < end; i++) {
+                int c = name[i];
+                if (c == '/') {
+                    return true;
+                }
+            }
+            return false;
+        }
 
         /*
          * If the bytes represents a non-directory name beginning

src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -81,6 +81,8 @@ public class SignatureFileVerifier {
     /** ConstraintsParameters for checking disabled algorithms */
     private JarConstraintsParameters params;
 
+    private static final String META_INF = "META-INF/";
+
     /**
      * Create the named SignatureFileVerifier.
      *
@@ -141,6 +143,18 @@ public void setSignatureFile(byte[] sfBytes)
         this.sfBytes = sfBytes;
     }
 
+    /**
+     * Utility method used by JarVerifier and JarSigner
+     * to determine if a path is located directly in the
+     * META-INF/ directory
+     *
+     * @param name the path name to check
+     * @return true if the path resides in META-INF directly, ignoring case
+     */
+    public static boolean isInMetaInf(String name) {
+        return name.regionMatches(true, 0, META_INF, 0, META_INF.length())
+                && name.lastIndexOf('/') < META_INF.length();
+    }
     /**
      * Utility method used by JarVerifier and JarSigner
      * to determine the signature file names and PKCS7 block
@@ -153,7 +167,7 @@ public void setSignatureFile(byte[] sfBytes)
      */
     public static boolean isBlockOrSF(String s) {
         // Note: keep this in sync with j.u.z.ZipFile.Source#isSignatureRelated
-        // we currently only support DSA and RSA PKCS7 blocks
+        // we currently only support DSA, RSA or EC PKCS7 blocks
         return s.endsWith(".SF")
             || s.endsWith(".DSA")
             || s.endsWith(".RSA")
@@ -191,19 +205,15 @@ public static String getBlockExtension(PrivateKey key) {
      * @return true if the input file name is signature related
      */
     public static boolean isSigningRelated(String name) {
-        name = name.toUpperCase(Locale.ENGLISH);
-        if (!name.startsWith("META-INF/")) {
+        if (!isInMetaInf(name)) {
             return false;
         }
-        name = name.substring(9);
-        if (name.indexOf('/') != -1) {
-            return false;
-        }
-        if (isBlockOrSF(name) || name.equals("MANIFEST.MF")) {
+        name = name.toUpperCase(Locale.ENGLISH);
+        if (isBlockOrSF(name) || name.equals("META-INF/MANIFEST.MF")) {
             return true;
-        } else if (name.startsWith("SIG-")) {
+        } else if (name.startsWith("SIG-", META_INF.length())) {
             // check filename extension
-            // see http://docs.oracle.com/javase/7/docs/technotes/guides/jar/jar.html#Digital_Signatures
+            // see https://docs.oracle.com/en/java/javase/19/docs/specs/jar/jar.html#digital-signatures
             // for what filename extensions are legal
             int extIndex = name.lastIndexOf('.');
             if (extIndex != -1) {

src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java

@@ -63,6 +63,8 @@
 import java.util.zip.ZipFile;
 import java.util.zip.ZipOutputStream;
 
+import static sun.security.util.SignatureFileVerifier.isInMetaInf;
+
 /**
  * An immutable utility class to sign a jar file.
  * <p>
@@ -475,8 +477,6 @@ public JarSigner build() {
         }
     }
 
-    private static final String META_INF = "META-INF/";
-
     // All fields in Builder are duplicated here as final. Those not
     // provided but has a default value will be filled with default value.
 
@@ -731,7 +731,7 @@ private void sign0(ZipFile zipFile, OutputStream os)
              enum_.hasMoreElements(); ) {
             ZipEntry ze = enum_.nextElement();
 
-            if (ze.getName().startsWith(META_INF)) {
+            if (isInMetaInf(ze.getName())) {
                 // Store META-INF files in vector, so they can be written
                 // out first
                 mfFiles.addElement(ze);
@@ -959,7 +959,7 @@ private void sign0(ZipFile zipFile, OutputStream os)
              enum_.hasMoreElements(); ) {
             ZipEntry ze = enum_.nextElement();
 
-            if (!ze.getName().startsWith(META_INF)) {
+            if (!isInMetaInf(ze.getName())) {
                 if (handler != null) {
                     if (manifest.getAttributes(ze.getName()) != null) {
                         handler.accept("signing", ze.getName());
@@ -974,6 +974,7 @@ private void sign0(ZipFile zipFile, OutputStream os)
         zos.close();
     }
 
+
     private void writeEntry(ZipFile zf, ZipOutputStream os, ZipEntry ze)
             throws IOException {
         ZipEntry ze2 = new ZipEntry(ze.getName());

src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -835,8 +835,7 @@ void verifyJar(String jarName)
                     if (!extraAttrsDetected && JUZFA.getExtraAttributes(je) != -1) {
                         extraAttrsDetected = true;
                     }
-                    hasSignature = hasSignature
-                            || SignatureFileVerifier.isBlockOrSF(name);
+                    hasSignature |= signatureRelated(name) && SignatureFileVerifier.isBlockOrSF(name);
 
                     CodeSigner[] signers = je.getCodeSigners();
                     boolean isSigned = (signers != null);