jar verification regression Oracle 8u141

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

jar verification regression Oracle 8u141

Bernd Eckenfels-4
Hello,

after upgrading Java Web Start to 8u141 an application fails to start with a JAR verification error:

com.sun.deploy.net.JARSigningException: Signatur konnte nicht verifiziert werden in Ressource: http://localhost:10000/seeburger/app/commons-httpclient.jar
    at com.sun.deploy.security.JarVerifier.authenticateJarEntry(Unknown Source)
    at com.sun.deploy.security.EnhancedJarVerifier.validate(Unknown Source)
    at com.sun.deploy.cache.CacheEntry.processJar(Unknown Source)
    at com.sun.deploy.cache.CacheEntry.access$2700(Unknown Source)
    at com.sun.deploy.cache.CacheEntry$7.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.deploy.cache.CacheEntry.writeFileToDisk(Unknown Source)
    at com.sun.deploy.cache.CacheEntry.writeFileToDisk(Unknown Source)
    at com.sun.deploy.cache.Cache.downloadResourceToTempFile(Unknown Source)
    at com.sun.deploy.cache.Cache.downloadResourceToCache(Unknown Source)
    at com.sun.deploy.net.DownloadEngine.actionDownload(Unknown Source)
    at com.sun.deploy.net.DownloadEngine.downloadResource(Unknown Source)
    at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
    at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
    at com.sun.javaws.LaunchDownload$DownloadTask.call(Unknown Source)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

java.lang.SecurityException: digest missing for org/apache/commons/httpclient
    at sun.security.util.ManifestEntryVerifier.verify(ManifestEntryVerifier.java:202)
    at java.util.jar.JarVerifier.processEntry(JarVerifier.java:243)
    at java.util.jar.JarVerifier.update(JarVerifier.java:211)
    at java.util.jar.JarVerifier$VerifierStream.<init>(JarVerifier.java:457)
    at java.util.jar.JarFile.getInputStream(JarFile.java:464)
    at com.sun.deploy.security.JarVerifier.authenticateJarEntry(Unknown Source)
    at com.sun.deploy.security.EnhancedJarVerifier.validate(Unknown Source)


If I use jarsigner -verify (from 8u141) on that file it does not show a problem. The file also worked with 8u131.

We signed that file ourself and I am not sure when the broken entry is generated, it looks like:

Manifest-Version: 1.0
Ant-Version: Apache Ant 1.6.5
Built-By: oleg
Maven-Version: 1.1
Created-By: 1.5.0_11-b03 (Sun Microsystems Inc.)

Name: org/apache/commons/httpclient/Header.class
SHA-256-Digest: 5HHGzly6O0szGtB9rGU+bY2PXW54N9EmRkoz9g5QFEQ=
...
Name: org/apache/commons/httpclient/methods/multipart/PartSource.class
SHA-256-Digest: mk7TML731ZpUoSypwlvr2qtT67lwUgxl7FwSZ+/6B6s=

Name: org/apache/commons/httpclient
Implementation-Title: org.apache.commons.httpclient
Implementation-Version: 3.1
X-Compile-Target-JDK: 1.2
Specification-Vendor: Apache Software Foundation
Specification-Title: Jakarta Commons HttpClient
Implementation-Vendor-Id: org.apache
Extension-name: org.apache.commons.httpclient
X-Compile-Source-JDK: 1.2
Specification-Version: 3.1
Implementation-Vendor: Apache Software Foundation

Name: org/apache/commons/httpclient/methods/multipart/FilePart.class
SHA-256-Digest: uCUbczb7+sVYzJ+pxl+I6Qk3SBS6xeztmAOJvuUzmsM=
...

This structure is created by JAR signer becaue the original apache artifact manifest looks like this:

Manifest-Version: 1.0
Ant-Version: Apache Ant 1.6.5
Created-By: 1.5.0_11-b03 (Sun Microsystems Inc.)
Built-By: oleg
Maven-Version: 1.1

Name: org/apache/commons/httpclient
Extension-name: org.apache.commons.httpclient
Specification-Title: Jakarta Commons HttpClient
Specification-Vendor: Apache Software Foundation
Specification-Version: 3.1
Implementation-Title: org.apache.commons.httpclient
Implementation-Vendor: Apache Software Foundation
Implementation-Version: 3.1
Implementation-Vendor-Id: org.apache
X-Compile-Source-JDK: 1.2
X-Compile-Target-JDK: 1.2

I think different jarsigner versions behave differently, some remove that section.

jarsigner -verify should be as strict as JWS. JWS should probalbly ignroe sections like that like before.

Gruss
Bernd




Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: jar verification regression Oracle 8u141

Reto Merz-2

Our webstart app is also killed by this issue.

 

Tested with:

Java u141 b15 (FAIL)

Java u141 b32 (FAIL)

Java u131 b11 (OK)

 

Regards

Reto

 

 

Von: security-dev [mailto:[hidden email]] Im Auftrag von Bernd
Gesendet: Mittwoch, 19. Juli 2017 14:01
An: [hidden email]
Betreff: jar verification regression Oracle 8u141

 

Hello,

after upgrading Java Web Start to 8u141 an application fails to start with a JAR verification error:

com.sun.deploy.net.JARSigningException: Signatur konnte nicht verifiziert werden in Ressource: http://localhost:10000/seeburger/app/commons-httpclient.jar
    at com.sun.deploy.security.JarVerifier.authenticateJarEntry(Unknown Source)
    at com.sun.deploy.security.EnhancedJarVerifier.validate(Unknown Source)
    at com.sun.deploy.cache.CacheEntry.processJar(Unknown Source)
    at com.sun.deploy.cache.CacheEntry.access$2700(Unknown Source)
    at com.sun.deploy.cache.CacheEntry$7.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.deploy.cache.CacheEntry.writeFileToDisk(Unknown Source)
    at com.sun.deploy.cache.CacheEntry.writeFileToDisk(Unknown Source)
    at com.sun.deploy.cache.Cache.downloadResourceToTempFile(Unknown Source)
    at com.sun.deploy.cache.Cache.downloadResourceToCache(Unknown Source)
    at com.sun.deploy.net.DownloadEngine.actionDownload(Unknown Source)
    at com.sun.deploy.net.DownloadEngine.downloadResource(Unknown Source)
    at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
    at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
    at com.sun.javaws.LaunchDownload$DownloadTask.call(Unknown Source)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

java.lang.SecurityException: digest missing for org/apache/commons/httpclient
    at sun.security.util.ManifestEntryVerifier.verify(ManifestEntryVerifier.java:202)
    at java.util.jar.JarVerifier.processEntry(JarVerifier.java:243)
    at java.util.jar.JarVerifier.update(JarVerifier.java:211)
    at java.util.jar.JarVerifier$VerifierStream.<init>(JarVerifier.java:457)
    at java.util.jar.JarFile.getInputStream(JarFile.java:464)
    at com.sun.deploy.security.JarVerifier.authenticateJarEntry(Unknown Source)
    at com.sun.deploy.security.EnhancedJarVerifier.validate(Unknown Source)

If I use jarsigner -verify (from 8u141) on that file it does not show a problem. The file also worked with 8u131.

We signed that file ourself and I am not sure when the broken entry is generated, it looks like:

Manifest-Version: 1.0
Ant-Version: Apache Ant 1.6.5
Built-By: oleg
Maven-Version: 1.1
Created-By: 1.5.0_11-b03 (Sun Microsystems Inc.)

Name: org/apache/commons/httpclient/Header.class
SHA-256-Digest: 5HHGzly6O0szGtB9rGU+bY2PXW54N9EmRkoz9g5QFEQ=
...
Name: org/apache/commons/httpclient/methods/multipart/PartSource.class
SHA-256-Digest: mk7TML731ZpUoSypwlvr2qtT67lwUgxl7FwSZ+/6B6s=

Name: org/apache/commons/httpclient
Implementation-Title: org.apache.commons.httpclient
Implementation-Version: 3.1
X-Compile-Target-JDK: 1.2
Specification-Vendor: Apache Software Foundation
Specification-Title: Jakarta Commons HttpClient
Implementation-Vendor-Id: org.apache
Extension-name: org.apache.commons.httpclient
X-Compile-Source-JDK: 1.2
Specification-Version: 3.1
Implementation-Vendor: Apache Software Foundation

Name: org/apache/commons/httpclient/methods/multipart/FilePart.class
SHA-256-Digest: uCUbczb7+sVYzJ+pxl+I6Qk3SBS6xeztmAOJvuUzmsM=
...

This structure is created by JAR signer becaue the original apache artifact manifest looks like this:

Manifest-Version: 1.0
Ant-Version: Apache Ant 1.6.5
Created-By: 1.5.0_11-b03 (Sun Microsystems Inc.)
Built-By: oleg
Maven-Version: 1.1

Name: org/apache/commons/httpclient
Extension-name: org.apache.commons.httpclient
Specification-Title: Jakarta Commons HttpClient
Specification-Vendor: Apache Software Foundation
Specification-Version: 3.1
Implementation-Title: org.apache.commons.httpclient
Implementation-Vendor: Apache Software Foundation
Implementation-Version: 3.1
Implementation-Vendor-Id: org.apache
X-Compile-Source-JDK: 1.2
X-Compile-Target-JDK: 1.2

I think different jarsigner versions behave differently, some remove that section.

jarsigner -verify should be as strict as JWS. JWS should probalbly ignroe sections like that like before.

 

Gruss

Bernd

 

 

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: jar verification regression Oracle 8u141

Bernd Eckenfels-4
In reply to this post by Bernd Eckenfels-4
Hello,

one more thing:

2017-07-19 14:01 GMT+02:00 Bernd <[hidden email]>:
I think different jarsigner versions behave differently, some remove that section.

It is actually not "different jarsigner versions", but we have our own jar signer implementation (used for self signed test certificates in the build pipeline). This implementation removes the whole name: section. When using jarsigner.exe on our sign server on the other hand, it produces the named section with no digest, which causes JWS to break,

Gruss
Bernd
Loading...