On Fri, 13 Jan 2023 22:36:01 GMT, Weijun Wang <wei...@openjdk.org> wrote:
>> Some call sites of SignatureFileVerifier.isBlockOrSF fails to check that
>> files reside in META-INF directly, and not in a subdirectory of META-INF.
>>
>> The mentioned call sites needs updates to check and ignore such files.
>>
>> A new test VerifyUnrelatedSignatureFiles is added which verifies that [*.SF,
>> *.RSA] files in META-INF/ subdirectories are indeed ignored.
>
> src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java line 980:
>
>> 978: * Returns true iff the entry resides directly in the META-INF/
>> directory
>> 979: */
>> 980: private boolean isInMetaInf(ZipEntry ze) {
>
> Maybe move this method and the one in `JarVerifier` to a common place like
> `sun.security.util.SignatureFileVerifier`?
This duplicated check annoyed me also, but the existing checks have different
behavior:
- JarVerifier.beginEntry normalizes the path to uppercase, them checks that it
starts with "META-INF/" or "/META-INF/"
- JarSigner.sign0 does not normalize to uppercase , then checks that the path
starts with "META-INF/"
Introducing a common method would need change behaviour of one of these
methods. This change of behaviour would not be relevant to the bug being fixed
in this PR.
Since I'm cautious of changing behaviour, I decided to keep the two methods.
-------------
PR: https://git.openjdk.org/jdk/pull/11976
