8265201: JarFile.getInputStream not validating invalid signed jars

Reviewed-by: pkoppula, coffeys
Sean Mullan 2021-04-15 14:28:56 +00:00 committed by Henry Jen
parent ca6b222c97
commit add995be46


@ -331,7 +331,18 @@ public class SignerInfo implements DerEncoder {
throws NoSuchAlgorithmException, SignatureException { throws NoSuchAlgorithmException, SignatureException {
try { try {
Timestamp timestamp = getTimestamp(); Timestamp timestamp = null;
try {
timestamp = getTimestamp();
} catch (Exception e) {
// Log exception and continue. This allows for the case
// where, if there are no other errors, the code is
// signed but w/o a timestamp.
if (debug != null) {
debug.println("Unexpected exception while getting" +
" timestamp: " + e);
}
}
ContentInfo content = block.getContentInfo(); ContentInfo content = block.getContentInfo();
if (data == null) { if (data == null) {
@ -471,7 +482,7 @@ public class SignerInfo implements DerEncoder {
if (sig.verify(encryptedDigest)) { if (sig.verify(encryptedDigest)) {
return this; return this;
} }
} catch (IOException | CertificateException e) { } catch (IOException e) {
throw new SignatureException("Error verifying signature", e); throw new SignatureException("Error verifying signature", e);
} }
return null; return null;
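Review bot: The narrowed `catch (IOException e)` at the end of verify() is justified only by a change elsewhere in the method — presumably getTimestamp() was the sole source of CertificateException in this try block and is now guarded by its own try/catch earlier on — but nothing at this point in the code records that, so a later reader may wonder why a certificate failure no longer surfaces as a SignatureException. A one-line comment would pin the invariant: `// CertificateException is not reachable here: getTimestamp() failures are caught and logged above.` It would also help to state on the method that `return null` means the signature did not verify (sig.verify returned false), as distinct from the SignatureException thrown for a processing error, since callers decide signed-vs-unsigned from that distinction. verify()'s signature and the rest of its body lie outside this hunk.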