  1. JBoss VFS
  2. JBVFS-176

CertificateReaderInputStream can eagerly load certificate information, causing SecurityException


Details

    • Bug
    • Resolution: Done
    • Critical
    • 2.2.1.GA
    • 2.2.0.GA
    • Release
    • None

    Description

      The version in question is 2.2.0.SP1

      CertificateReaderInputStream can cause the certificate information within EntryInfo to be initialised before the JarVerifier has had the opportunity to initialise the certificates associated with its JarEntry, resulting in this information being ignored. This is a particular problem if the entry represents a class file, as any subsequent attempt to define the class will not be associated with the correct certificate/signers, causing a SecurityException to be raised if classes from the same package have already been loaded.

      The SecurityException will be similar to the following:

      java.lang.SecurityException: class "org.drools.spi.CompiledInvoker"'s signer information does not match signer information of other classes in the same package
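
The ordering problem described above can be observed with the JDK's own `java.util.jar` API, whose `JarEntry.getCertificates()` and `getCodeSigners()` are documented to return null until the entry's stream has been read to the end. The following is an added example, not code from this issue or from JBoss VFS: `snapshot` is a hypothetical stand-in for a cache such as EntryInfo, and the signed JAR path and entry name are assumed to be supplied on the command line.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added illustration, not JBoss VFS code.
// Usage: java SignerTiming <signed.jar> <path/of/Entry.class>
public class SignerTiming {

    // Hypothetical stand-in for a cache such as EntryInfo: it stores whatever
    // signer data the JarEntry exposes at the moment it is asked.
    static CodeSigner[] snapshot(JarEntry entry) {
        return entry.getCodeSigners();
    }

    // Reads the entry to end-of-stream. The JDK checks the entry's digest and
    // attaches its signers only once the last byte has been consumed.
    static void drain(InputStream in) throws IOException {
        byte[] buf = new byte[8192];
        while (in.read(buf) != -1) {
            // contents are discarded; only the read-to-end matters here
        }
    }

    static String describe(CodeSigner[] signers) {
        return signers == null ? "none visible (class would be defined as unsigned)"
                               : signers.length + " signer(s)";
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 2) {
            System.err.println("usage: SignerTiming <signed.jar> <entry name>");
            return;
        }
        try (JarFile jar = new JarFile(args[0], true)) {   // true = verify signatures
            JarEntry entry = jar.getJarEntry(args[1]);
            if (entry == null) {
                throw new IOException("no such entry: " + args[1]);
            }
            try (InputStream in = jar.getInputStream(entry)) {
                CodeSigner[] eager = snapshot(entry);  // taken before any byte is read
                drain(in);
                CodeSigner[] late = snapshot(entry);   // taken after the stream is exhausted
                System.out.println("snapshot before read: " + describe(eager));
                System.out.println("snapshot after read:  " + describe(late));
            }
        }
    }
}
```

A cache that keeps the first snapshot hands the class loader an entry with no signers, which is the condition that produces the signer mismatch when other classes of the same package were defined with their signers.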


            People

              ajustin@redhat.com Ales Justin
              kconner@redhat.com Kevin Conner (Inactive)