8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories #11976
Conversation
eirbjo
changed the title
|
👋 Welcome back eirbjo! A progress list of the required criteria for merging this PR into |
openjdk
bot
added
security
eirbjo
changed the title
eirbjo
changed the title
Webrevs
|
| @@ -1745,8 +1745,27 @@ private boolean isSignatureRelated(int off, int len) { | |||
| assert(signatureRelated == SignatureFileVerifier | |||
| .isBlockOrSF(new String(name, off, len, UTF_8.INSTANCE) | |||
| .toUpperCase(Locale.ENGLISH))); | |||
|
|
|||
There was a problem hiding this comment.
How about updating SignatureFileVerifier.isBlockOrSF so that it only returns true for files inside META-INF/. This way it's consistent to this method.
There was a problem hiding this comment.
I started there, but ran into some problems:
SignatureFileVerifier.isSigningRelated calls isBlockOrSF, but it removes the "META-INF/" prefix from the path first. So we can't assume that input to isBlockOrSF is the full path.
I could update SignatureFileVerifier.isSigningRelated to send the full path, but we still have another problem:
JarSigner.sign0 puts META-INF/ files in a vector, such that it can output them first. We want to update this method such that it outputs only files which live directly in META-INF/ first. So we still need to check for "directness" outside isBlockOrSF.
isBlockOrSF has 8 call sites, most of them in security sensitive and tricky code. In the end, I felt safer leaving isBlockOrSF alone and just fix the bug-relevant call sites instead. Also, being a new contributor to security-dev, I wanted to keep the PR relatively simple and easy to review.
WDYT?
There was a problem hiding this comment.
In almost every call to isBlockOrSF, there is already an isInMetaInf (or equivalent) call right before it so it's always safe. The only exception is in jarsigner's verifyJar method:
hasSignature = hasSignature
|| SignatureFileVerifier.isBlockOrSF(name);
and it makes a subtle difference. The unrelated-signature-files-modified.jar your test created has SF/block files inside a sub-directory. Try verifying it with jarsigner. Here hasSignature is true but the SF/block is not considered signature-related, an error message will show Signature is either not parsable or not verifiable. If isBlockOrSF is modified to return false, it will be simply jar is unsigned.
There was a problem hiding this comment.
Good catch!
I've added a guarding call to SignatureFileVerifier.isSigningRelated here, similar to the earlier call site of isBlockOrSf in this methid. I've also added a new check to the test to verify that there is no WARNING when calling jarsigner with the modified jar.
| /** | ||
| * Returns true iff the entry resides directly in the META-INF/ directory | ||
| */ | ||
| private boolean isInMetaInf(ZipEntry ze) { |
There was a problem hiding this comment.
Maybe move this method and the one in JarVerifier to a common place like sun.security.util.SignatureFileVerifier?
There was a problem hiding this comment.
This duplicated check annoyed me also, but the existing checks have different behavior:
- JarVerifier.beginEntry normalizes the path to uppercase, them checks that it starts with "META-INF/" or "/META-INF/"
- JarSigner.sign0 does not normalize to uppercase , then checks that the path starts with "META-INF/"
Introducing a common method would need change behaviour of one of these methods. This change of behaviour would not be relevant to the bug being fixed in this PR.
Since I'm cautious of changing behaviour, I decided to keep the two methods.
There was a problem hiding this comment.
While JarSigner has not normalize to uppercase, the check is the same. As for /META-INF/, it must be very broken now since JarFile::maybeInstantiateVerifier is using JUZFA.getManifestName(this,true) to read the manifest and since ZipFile cannot see the signature-related files starting with /META-INF/ this method will always return null.
There was a problem hiding this comment.
I agree this deserves a cleanup, and since we're already deep into it it can make sense to fix this in this PR.
I have introduced SignatureFileVerifier.isInMetaInf as a common method to replace duplicated logic in JarVerifier and JarSigner. I also noticed that SignatureFileVerifier.isSigningRelated performs the same check, so I updated that method to also call the isInMetaInf.
This introduces two subtle behavioural changes:
- JarSigner is relaxed to ignore case when checking isInMetaInf, meaning "meta-inf/" files will now be moved to the beginning of the signed JAR
- JarVerifier is tightened to reject /META-INF/ as not in META-INF/. This is believed to have little practical impact, since ZipFile.Source.isMetaName already rejects such paths.
There was a problem hiding this comment.
When introducing the call to isInMetaInf in isSigningRelated, I accidentally broke the matching of MANIFEST.MF and SIG-* files.
When fixing this regression, I now match against the full path instead of the existing prefix stripping substring. (A nice side effect of this is that isBlockOrSF is now always called with the full path)
Since the regression was not caught by any existing test, I'm also adding a sanity check that a basic signed JAR has the expected sections in MANIFEST.MF. (The regression introduced a section for META-INF/MANIFEST.MF which seemed to not be caught by tests)
There was a problem hiding this comment.
On a similar note, I added test covering for the matching of custom SIG-* files in SignatureFileVerifier.isSigningRelated.
The test now checks both valid and invalid SIG- file extensions and directory locations inside/outside META-INF
There was a problem hiding this comment.
Added test cases for:
- META-INF/unrelated.txt (Unrelated file in META-INF)
- META-INF/SIG-CUSTOM (No extension is ok)
- META-INF/SIG-CUSTOM2. (Extension too short)
- META-INF/SIG-CUSTOM2.ABCD (Extension too long)
Reading the Jar File Specification, I cannot see that it explicitly allows no extension for SIG- files, but that's what the current code does. It feels safest to leave it that way.
|
|
||
| File j = createJarFile(); | ||
| File s = signJarFile(j, "signed"); | ||
| File m = moveSignatureRelated(s); |
There was a problem hiding this comment.
Try sign it again to a different file. Let's see if the moved files are also signed.
There was a problem hiding this comment.
Nice, I added a check which verifies that a JAR containing non signature related files is signed as expected
There was a problem hiding this comment.
I also added a check verifying that JarSigner does not move unrelated signature files to the beginning of the signed JAR
…ar (non signature related) files during signing
…ginning of signed JARs
…er is actually being exercised by our tests, add unrelated signature files also at the beginning of the test JAR
…n of JARs created during the test
…is for try,while,if.Removed final accessors for some local variables.
…lace duplicated logic in JarVerifier, JarSigner and SignatureFileVerifier.isSigningRelated. This introduces two subtle behavioural changes: - JarSigner is relaxed to ignore case when checking isInMetaInf, meaning "meta-inf/" files will now be moved to the beginning of the signed JAR - JarVerifier is tightened to reject /META-INF/ as not in META-INF/. This is believed to have little impact, since ZipFile.Source.isMetaName already rejects such paths.
|
I added a few style fixes to the test which primarily adds whitespace between try,for,while,if and their following left parenthesis. |
…hat unrelated files should be ignored.
…Inf accidentally removed "META-INF/" prefix stripping. This broke some checks in the remainder of this method. I chose to restore current behaviour by comparing MANIFEST.MF and "SIG-" files using the full path. This saves the allocation caused by substring and also makes sure isBlockOrSF now always called with the full path.
…d by SignatureFileVerifier.isSigningRelated revealed was not caught by any test. Adding a sanity check to IgnoreUnrelatedSignatureFiles which verifies that a basic signed JAR has the expected manifest sections.
…Verifier.isSigningRelated
…ding META-INF/unrelated.txt and META-INF/SIG- files with invalid as well as no file extension
|
The change looks fine. I'll run some test. Precisely |
Should they though? These files are ultimately read by JarFile.initializeVerifier, which I guess only cares about signature/block files it actually knows how to verify, currently EC, RSA, DSA?
The JAR File Specification is a bit short on the purpose of these files. I assume they are expected to be verified by code external to the JDK? |
|
Yes, you're right. Maybe we can rename I'll approved this PR. Thanks. |
|
@eirbjo This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be: You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 251 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@wangweij) but any other Committer may sponsor as well. ➡️ To flag this PR as ready for integration with the above commit message, type |
The term "signature related" seems to be used quite extensively around ZipFile and also in JavaUtilZipFileAccess. Semantics are very similar, but not exactly equal. Because of this, I'm a bit reluctant to rename it.
Thank for your help and guidance in reviewing this PR! |
|
/integrate |
|
/sponsor |
|
Going to push as commit 5dfc4ec.
Your commit was automatically rebased without conflicts. |
openjdk
bot
removed
ready
Some call sites of SignatureFileVerifier.isBlockOrSF fails to check that files reside in META-INF directly, and not in a subdirectory of META-INF.
The mentioned call sites needs updates to check and ignore such files.
A new test IgnoreUnrelatedSignatureFiles is added which verifies that [*.SF, *.RSA] files in META-INF/ subdirectories are indeed ignored.
Progress
Issue
Reviewers
Reviewing
Using
gitCheckout this PR locally:
$ git fetch https://git.openjdk.org/jdk pull/11976/head:pull/11976$ git checkout pull/11976Update a local copy of the PR:
$ git checkout pull/11976$ git pull https://git.openjdk.org/jdk pull/11976/headUsing Skara CLI tools
Checkout this PR locally:
$ git pr checkout 11976View PR using the GUI difftool:
$ git pr show -t 11976Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/11976.diff