- Bug
- Resolution: Fixed
- P3
- 5.0
- b63
- x86
- linux, windows_xp
FULL PRODUCT VERSION :
java version "1.5.0_03"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_03-b07)
Java HotSpot(TM) Client VM (build 1.5.0_03-b07, mixed mode, sharing)
ADDITIONAL OS VERSION INFORMATION :
Linux xxx 2.6.8-24.14-default #1 Tue Mar 29 09:27:43 UTC 2005 i686 i686 i386 GNU/Linux
A DESCRIPTION OF THE PROBLEM :
I had an applet that verified the signature of a JAR file in code. It used JarEntry; the code looks like:
    JarInputStream jis = new JarInputStream(new BufferedInputStream( in )); // in points to the jar file
    JarEntry jEntry;
    while ((jEntry = jis.getNextJarEntry()) != null) {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        int byteRead;
        while ((byteRead = jis.read()) != -1) {
            bos.write(byteRead);
        }
        Certificate[] certs = jEntry.getCertificates();
        ...
In 1.4 and before, it used to work, as jEntry.getCertificates() returns 3 Certificates, and then I go on with my logic. In 1.5, the method getCodeSigners() was added, and since then, it seems that getCertificates() returns null. I can debug my application and at the point where I call jEntry.getCertificates() when using 1.4 or before, it returns 3 Certificates, but in 1.5, it returns null. I can also verify that in 1.5, getCodeSigners() would return a CodeSigner containing a Certificate chain with my 3 certificates. So, since it is an applet and I don't have control of the environment it will be run in, I can't make it work both in 1.4 and 1.5. Method getCertificates() works in a different way in 1.4 and 1.5; that's the cause of the problem.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Open a signed JAR and, with code similar to this, you will get certs = null for all the entries inside.
    JarInputStream jis = new JarInputStream(new BufferedInputStream( in )); // in points to the jar file
    JarEntry jEntry;
    while ((jEntry = jis.getNextJarEntry()) != null) {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        int byteRead;
        while ((byteRead = jis.read()) != -1) {
            bos.write(byteRead);
        }
        Certificate[] certs = jEntry.getCertificates();
        ...
    }
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
I was expecting jEntry.getCertificates() to return a non-empty Certificate[], as it does in the previous JDK (1.4).
ACTUAL -
jEntry.getCertificates() returns null in 1.5, and the same code in 1.4 returns a valid Certificate chain.
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import java.io.*;
import java.util.jar.*;

public class TestJar {
    public static void main(String args[]) throws Exception {
        JarInputStream jis = new JarInputStream(new FileInputStream(args[0]));
        JarEntry jEntry;
        while ((jEntry = jis.getNextJarEntry()) != null) {
            ByteArrayOutputStream bos = new ByteArrayOutputStream();
            int byteRead;
            while ((byteRead = jis.read()) != -1) {
                bos.write(byteRead);
            }
            System.out.println(jEntry.getName()+" has certificates: "+jEntry.getCertificates());
        }
    }
}
---------------------------------------------------------------------------------------
I run this class like this, and this is what I get (I use a signed JAR named example.jar with an XML file inside, example.xml):
(1.5)
java TestJar example.jar
META-INF/1.SF has certificates: null
META-INF/1.RSA has certificates: null
META-INF/ has certificates: null
example.xml has certificates: null
(1.4 and before)
java TestJar example.jar
META-INF/1.SF has certificates: null
META-INF/1.RSA has certificates: null
META-INF/ has certificates: null
example.xml has certificates: [Ljava.security.cert.Certificate;@1975b59
The JAR is signed with jarsigner, using a pkcs12
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
I have none...
Release Regression From : 5.0
The above release value was the last known release where this
bug was known to work. Since then there has been a regression.
###@###.### 2005-06-13 09:11:56 GMT
- duplicates
- JDK-6348368 REGRESSION: JarEntry.getCertificates incorrectly returns null
- Closed
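
The report turns on which accessor exposes an entry's signers once the entry has been read. As an added example (not code from the report or from the JDK), the fail-closed check below lists content entries that carry no signer, consulting getCodeSigners() first and getCertificates() second. It uses JarFile instead of the report's JarInputStream and assumes a Java 7+ runtime; the class and method names are hypothetical.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class SignedJarCheck {
    // Files directly under META-INF/ that carry the signature itself and are never signed entries.
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', 9) != -1) return false;
        String f = n.substring(9);
        return f.equals("MANIFEST.MF") || f.startsWith("SIG-") || f.endsWith(".SF")
                || f.endsWith(".RSA") || f.endsWith(".DSA") || f.endsWith(".EC");
    }

    // Prefer the 1.5+ accessor; fall back to getCertificates() so either result counts.
    static boolean hasSigner(JarEntry entry) {
        CodeSigner[] signers = entry.getCodeSigners();
        if (signers != null && signers.length > 0) return true;
        Certificate[] certs = entry.getCertificates();
        return certs != null && certs.length > 0;
    }

    // Returns the names of content entries with no signer; an empty list means fully signed.
    static List<String> unsignedEntries(String path) throws IOException {
        List<String> unsigned = new ArrayList<>();
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(path, true)) {   // true: verify while reading
            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
                JarEntry entry = e.nextElement();
                if (entry.isDirectory() || isSignatureFile(entry.getName())) continue;
                try (InputStream in = jar.getInputStream(entry)) {
                    // Signers are set only after reading to EOF; a bad digest throws SecurityException.
                    while (in.read(buf) != -1) { /* drain */ }
                }
                if (!hasSigner(entry)) unsigned.add(entry.getName());
            }
        }
        return unsigned;
    }

    public static void main(String[] args) throws IOException {
        List<String> bad = unsignedEntries(args[0]);
        System.out.println(bad.isEmpty() ? "all entries signed" : "unsigned: " + bad);
    }
}
```

A signer being present only means the entry's digest matched a signature inside the JAR; the certificate chain still has to be validated against a trust anchor before that signer is trusted.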