JarFile implementation calls close early which breaks verification of signed unpacked nested jars on Oracle JDK #29356

Closed
philwebb opened this issue Jan 12, 2022 · 3 comments

@philwebb
Member

See #28837. A work-around should be to set the unpack flag, but this doesn't work since we still wrap things.

@philwebb philwebb added this to the 2.5.x milestone Jan 12, 2022
@philwebb philwebb added the type: bug A general bug label Jan 12, 2022
@philwebb philwebb self-assigned this Jan 13, 2022
@wilkinsona wilkinsona modified the milestones: 2.5.x, 2.6.x May 19, 2022
@philwebb philwebb changed the title from "Unpacked jars are still wrapped by our handler" to "Unpacked jars use Spring Boot's JarURLConnection which breaks with signed jars on an Oracle JDK" Jun 15, 2022
@philwebb philwebb changed the title from "Unpacked jars use Spring Boot's JarURLConnection which breaks with signed jars on an Oracle JDK" to "JarFile implementation calls close early which breaks verification of signed unpacked nested jars on Oracle JDK" Jun 15, 2022
@philwebb philwebb modified the milestones: 2.6.x, 2.6.9 Jun 15, 2022
@wilkinsona
Member

For reasons that I don't yet understand, this fix doesn't work once spring-boot-loader-tests-signed-jar-unpack-app has been upgraded to Bouncycastle 1.71:

Exception in thread "main" java.lang.reflect.InvocationTargetException
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:49)
    at org.springframework.boot.loader.Launcher.launch(Launcher.java:108)
    at org.springframework.boot.loader.Launcher.launch(Launcher.java:58)
    at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:65)
Caused by: java.lang.SecurityException: JCE cannot authenticate the provider BC
    at java.base/javax.crypto.Cipher.getInstance(Cipher.java:722)
    at java.base/javax.crypto.Cipher.getInstance(Cipher.java:642)
    at org.springframework.boot.loaderapp.LoaderSignedJarTestApplication.main(LoaderSignedJarTestApplication.java:31)
    ... 8 more
Caused by: java.lang.IllegalStateException: zip file closed
    at java.base/java.util.zip.ZipFile.ensureOpen(ZipFile.java:831)
    at java.base/java.util.zip.ZipFile.getManifestName(ZipFile.java:1057)
    at java.base/java.util.zip.ZipFile$1.getManifestName(ZipFile.java:1100)
    at java.base/javax.crypto.JarVerifier.verifySingleJar(JarVerifier.java:461)
    at java.base/javax.crypto.JarVerifier.verifyJars(JarVerifier.java:317)
    at java.base/javax.crypto.JarVerifier.verify(JarVerifier.java:260)
    at java.base/javax.crypto.ProviderVerifier.verify(ProviderVerifier.java:130)
    at java.base/javax.crypto.JceSecurity.verifyProvider(JceSecurity.java:190)
    at java.base/javax.crypto.JceSecurity.getVerificationResult(JceSecurity.java:218)
    at java.base/javax.crypto.Cipher.getInstance(Cipher.java:718)
    ... 10 more

@wilkinsona wilkinsona reopened this Jun 16, 2022
@wilkinsona
Member

wilkinsona commented Jun 16, 2022

It's a mistake in the Bouncy Castle upgrade. It didn't change the requiresUnpack pattern.

@philwebb
Member Author

I'm afraid this fix caused several regressions to be reported. We're going to need to revert it and find a different approach. I've opened #32106.
