[jboss-jira] [JBoss JIRA] (WFLY-4576) JCE jar file inside a deployment fails the signature check
Eric Hodges (JIRA)
issues at jboss.org
Fri Feb 9 09:53:02 EST 2018
[ https://issues.jboss.org/browse/WFLY-4576?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13531206#comment-13531206 ]
Eric Hodges commented on WFLY-4576:
-----------------------------------
I've stepped into this in Java 9, WildFly 11 and can see the root cause.
1. VFS's VirtualJarInputStream sets the currentEntryStream field to VFSUtils.EMPTY_STREAM by default.
2. During verification, sun.net.www.protocol.jar.URLJarFile tries to copy the JAR file to a temporary file using java.nio.file.Files.copy().
3. Files.copy() calls VirtualJarInputStream.read() without first calling getNextEntry() or getNextZipEntry(), so the currentEntryStream is still set to EMPTY_STREAM.
4. Files.copy() creates an empty temporary file.
5. ZipFile fails with the "zip file is empty" exception.
I thought VirtualJarInputStream was implementing read() improperly, but the documentation on ZipInputStream.read() says explicitly that the method should read from the current entry. The standard ZipInputStream implementation does the same thing as VirtualJarInputStream.
It looks like the bug is actually in sun.net.www.protocol.jar.URLJarFile. That shouldn't be trying to read a JAR file that way.
> JCE jar file inside a deployment fails the signature check
> ------------------------------------------------------------
>
> Key: WFLY-4576
> URL: https://issues.jboss.org/browse/WFLY-4576
> Project: WildFly
> Issue Type: Bug
> Components: VFS
> Affects Versions: 9.0.0.Beta2
> Environment: Wildfly build from master on April 22, 2015
> Reporter: Tom Fonteyne
> Attachments: bouncycastle.zip
>
>
> Deploy a war file which contains the bouncycastle (or any other JCE) signed jar file. Initialising and trying to use a cipher results in a failure due to VFS not being able to read and verify the file.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
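
The sequence in steps 1-5 of the comment can be reproduced with the JDK alone. This is an added example, not code from WildFly, VFS or the JDK sources: it assumes the standard java.util.zip.ZipInputStream as a stand-in for VirtualJarInputStream, and the class name, sample archive and temp-file prefix are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipException;
import java.util.zip.ZipFile;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class EmptyCopyDemo {
    // Constructed sample: a one-entry archive held in memory.
    static byte[] sampleJar() throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(buf)) {
            zos.putNextEntry(new ZipEntry("META-INF/MANIFEST.MF"));
            zos.write("Manifest-Version: 1.0\r\n\r\n".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return buf.toByteArray();
    }

    // Copy a stream to a temp file, then try to open the result as a zip.
    static String copyAndOpen(InputStream in) throws IOException {
        Path tmp = Files.createTempFile("copy-demo", null);
        try {
            long copied = Files.copy(in, tmp, StandardCopyOption.REPLACE_EXISTING);
            try (ZipFile zf = new ZipFile(tmp.toFile())) {
                return copied + " bytes copied, " + zf.size() + " entries";
            } catch (ZipException e) {
                return copied + " bytes copied, ZipException: " + e.getMessage();
            }
        } finally {
            Files.deleteIfExists(tmp);
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] jar = sampleJar();
        // Entry-oriented stream with no current entry: read() reports end of stream.
        System.out.println(copyAndOpen(new ZipInputStream(new ByteArrayInputStream(jar))));
        // Raw byte stream over the same archive: the copy is a complete zip.
        System.out.println(copyAndOpen(new ByteArrayInputStream(jar)));
    }
}
```

The first call copies nothing because no entry has been selected on the ZipInputStream, so the temporary file cannot be opened as an archive; the second call copies the raw archive bytes and opens normally.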