8265201: JarFile.getInputStream not validating invalid signed jars

Reviewed-by: coffeys, mullan
2025-12-10 14:50:36 -06:00 · 2021-04-15 19:59:47 +00:00 · 2021-04-15 19:59:47 +00:00 · 19faaa007c
commit 19faaa007c
parent 49dda6f5f6
1 changed files with 13 additions and 2 deletions
--- a/src/java.base/share/classes/sun/security/pkcs/SignerInfo.java
+++ b/src/java.base/share/classes/sun/security/pkcs/SignerInfo.java
@ -331,7 +331,18 @@ public class SignerInfo implements DerEncoder {
    throws NoSuchAlgorithmException, SignatureException {

        try {
-            Timestamp timestamp = getTimestamp();
+            Timestamp timestamp = null;
+            try {
+                timestamp = getTimestamp();
+            } catch (Exception e) {
+                // Log exception and continue. This allows for the case
+                // where, if there are no other errors, the code is
+                // signed but w/o a timestamp.
+                if (debug != null) {
+                    debug.println("Unexpected exception while getting" +
+                                  " timestamp: " + e);
+                }
+            }

            ContentInfo content = block.getContentInfo();
            if (data == null) {
@ -471,7 +482,7 @@ public class SignerInfo implements DerEncoder {
            if (sig.verify(encryptedDigest)) {
                return this;
            }
-        } catch (IOException | CertificateException e) {
+        } catch (IOException e) {
            throw new SignatureException("Error verifying signature", e);
        }
        return null;