commit add995be4611574fa40fa86257e1e26d13797c4f
author Sean Mullan <mullan@openjdk.org> Thu Apr 15 14:28:56 2021 +0000
committer Henry Jen <henryjen@openjdk.org> Wed Jul 21 20:28:56 2021 +0000
tree 4dd9473a86a4ffae8f02c3e07158a724f433467a
parent ca6b222c9734982a49dba09fa240d9308ffc5ca8

8265201: JarFile.getInputStream not validating invalid signed jars

Reviewed-by: pkoppula, coffeys

src/java.base/share/classes/sun/security/pkcs/SignerInfo.java

diff --git a/src/java.base/share/classes/sun/security/pkcs/SignerInfo.java b/src/java.base/share/classes/sun/security/pkcs/SignerInfo.java
index 08c6be2..b651f43 100644
--- a/src/java.base/share/classes/sun/security/pkcs/SignerInfo.java
+++ b/src/java.base/share/classes/sun/security/pkcs/SignerInfo.java
@@ -331,7 +331,18 @@
     throws NoSuchAlgorithmException, SignatureException {
 
         try {
-            Timestamp timestamp = getTimestamp();
+            Timestamp timestamp = null;
+            try {
+                timestamp = getTimestamp();
+            } catch (Exception e) {
+                // Log exception and continue. This allows for the case
+                // where, if there are no other errors, the code is
+                // signed but w/o a timestamp.
+                if (debug != null) {
+                    debug.println("Unexpected exception while getting" +
+                                  " timestamp: " + e);
+                }
+            }
 
             ContentInfo content = block.getContentInfo();
             if (data == null) {
@@ -471,7 +482,7 @@
             if (sig.verify(encryptedDigest)) {
                 return this;
             }
-        } catch (IOException | CertificateException e) {
+        } catch (IOException e) {
             throw new SignatureException("Error verifying signature", e);
         }
         return null;