Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-6284489

REGRESSION: JarEntry.getCertificates() works in jdk 1.4 but null in JDK 1.5

    Details

    • Subcomponent:
    • Resolved In Build:
      b63
    • CPU:
      x86
    • OS:
      linux, windows_xp

      Description

      FULL PRODUCT VERSION :
      java version "1.5.0_03"
      Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_03-b07)
      Java HotSpot(TM) Client VM (build 1.5.0_03-b07, mixed mode, sharing)


      ADDITIONAL OS VERSION INFORMATION :
      Linux xxx 2.6.8-24.14-default #1 Tue Mar 29 09:27:43 UTC 2005 i686 i686 i386 GNU/Linux

      A DESCRIPTION OF THE PROBLEM :
      I had an applet that by code verified signature of a JAR file. It used JarEntry, code looks like:
                  JarInputStream jis = new JarInputStream(new BufferedInputStream( in )); // in points to the jar file
                  JarEntry jEntry;
                  while ((jEntry = jis.getNextJarEntry()) != null) {
                      ByteArrayOutputStream bos = new ByteArrayOutputStream();
                      int byteRead;
                      while ((byteRead = jis.read()) != -1) {
                          bos.write(byteRead);
                      }
                      Certificate[] certs = jEntry.getCertificates();
                      ...
      In 1.4 and before, it used to work, as jEntry.getCertificates(); returns 3 Certificates, and then I go on with my logic. In 1.5, it was added the method getCodeSigners(), and since then, it seems that getCertificates() returns null. I can debug my application and in the point where I do jEntry.getCertificates() when using 1.4 or before, it returns 3 Certificates, but in 1.5, it returns null. I can also verify that in 1.5, getCodeSigners() would return a CodeSigner containing a Certificate chain with my 3 certificates. So, since it is an applet and I don't have control of the environment it will be run, I can't make it work both in 1.4 and 1.5. Method getCertificates() works in a different way in 1.4 and 1.5, thats the cause of the problem.

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      Open a signed JAR and with a similar code to this, you will get certs = null for all the entries inside.
                 JarInputStream jis = new JarInputStream(new BufferedInputStream( in )); // in points to the jar file
                  JarEntry jEntry;
                  while ((jEntry = jis.getNextJarEntry()) != null) {
                      ByteArrayOutputStream bos = new ByteArrayOutputStream();
                      int byteRead;
                      while ((byteRead = jis.read()) != -1) {
                          bos.write(byteRead);
                      }
                      Certificate[] certs = jEntry.getCertificates();
                      ...
                 }

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      I was expecting jEntry.getCertificates(); returned a non empty Certificate[], as it does in previous JDK (1.4)
      ACTUAL -
       jEntry.getCertificates() returns null in 1.5, and same code in 1.4 returns a valid Certificate chain.

      REPRODUCIBILITY :
      This bug can be reproduced always.

      ---------- BEGIN SOURCE ----------
      import java.io.*;
      import java.util.jar.*;

      public class TestJar {
          public static void main(String args[]) throws Exception {
              JarInputStream jis = new JarInputStream(new FileInputStream(args[0]));
              JarEntry jEntry;
              while ((jEntry = jis.getNextJarEntry()) != null) {
                  ByteArrayOutputStream bos = new ByteArrayOutputStream();
                  int byteRead;
                  while ((byteRead = jis.read()) != -1) {
                      bos.write(byteRead);
                  }
                  System.out.println(jEntry.getName()+" has certificates: "+jEntry.getCertificates());
              }
          }
      }
      ---------------------------------------------------------------------------------------
      I run this class like this, and that's what I get (I use a signed JAR named example.jar with an XML file inside example.xml):

      (1.5)
      java TestJar example.jar
      META-INF/1.SF has certificates: null
      META-INF/1.RSA has certificates: null
      META-INF/ has certificates: null
      example.xml has certificates: null

      (1.4 and before)
      java TestJar example.jar
      META-INF/1.SF has certificates: null
      META-INF/1.RSA has certificates: null
      META-INF/ has certificates: null
      example.xml has certificates: [Ljava.security.cert.Certificate;@1975b59

      The JAR is signed with jarsigner, using a pkcs12

      ---------- END SOURCE ----------

      CUSTOMER SUBMITTED WORKAROUND :
      I have none...

      Release Regression From : 5.0
      The above release value was the last known release where this
      bug was known to work. Since then there has been a regression.
      ###@###.### 2005-06-13 09:11:56 GMT

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                vinnie Vincent Ryan
                Reporter:
                jssunw Jitender S (Inactive)
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Imported:
                  Indexed: