...
Java-based technologies typically use the Java Archive (JAR) feature for packaging files to facilitate platform independent deployment. JAR files are the preferred means of distribution for Enterprise Java Beans (EJB), MIDlets (J2ME), and Weblogic Server J2EE applications, for example. The point and click installation provided by Java Web Start also relies on the JAR file format for packaging. Vendors sign their JAR files when required. This certifies the authenticity of the code; , but it cannot guarantee the security of the code.
| Wiki Markup |
|---|
According to the Java Tutorials \[[Tutorials 2008|AA. Bibliography#Tutorials 08]\], |
If you are creating applet code that you will sign, it needs to be placed in a JAR file. The same is true if you are creating application code that may be similarly restricted by running it with a security manager. The reason you need the JAR file is that when a policy file specifies that code signed by a particular entity is permitted one or more operations, such as specific file reads or writes, the code is expected to come from a signed JAR file. (The term "signed code" is an abbreviated way of saying "code in a class file that appears in a JAR file that was signed.")
...
The default automatic signature verification process may still be used , but is not sufficient. Systems that use the default automatic signature verification process must perform additional checks to ensure that the signature is correct (such as comparing it against a known trusted signature).
...
This noncompliant code example demonstrates the JarRunner application, which can be used to dynamically execute a particular class residing within a JAR file (abridged version of the class in The Java Tutorials [Tutorials 2008]). It creates a JarClassLoader that loads an application update, plug-in, or patch over an untrusted network such as the Internet. The URL to fetch the code is specified as the first argument (for example, http://www.securecoding.cert.org/software-updates.jar
); any other arguments specify the arguments that are to be passed to the class that is loaded. JarRunner uses reflection to invoke the main method of the loaded class. Unfortunately, by default, JarClassLoader verifies the signature using the public key contained within the JAR file.
...
| Code Block | ||
|---|---|---|
| ||
jarsigner -verify signed-updates-jar-file.jar |
Compliant Solution (
...
Certificate Chain)
When the local system cannot reliably verify the signature, the invoking program must verify the signature programmatically by obtaining the chain of certificates from the CodeSource of the class being loaded and checking whether any of the certificates belongs belong to a trusted signer whose certificate has been securely obtained beforehand and stored in a local keystore. This compliant solution demonstrates the necessary modifications to the invokeClass method.
...
The URLClassLoader and all its subclasses are given by default only enough permissions to interact with the URL that was specified when the URLClassLoader object was created. This means that the loaded code can interact only with the specified host. This fails to mitigate the risk completely, however, as because the loaded code may have been granted privileges that permit other sensitive operations such as updating an existing local JAR file.
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="b6ae0bf09cddd451-55710761-43dc442f-a153a3e9-a1f6d0d664cdbec9e8e63bed"><ac:plain-text-body><![CDATA[ | [ISO/IEC TR 24772:2010 | http://www.aitcnet.org/isai/] | "Improperly Verified Signature [XZR]" | ]]></ac:plain-text-body></ac:structured-macro> |
CWE ID -300, "Channel Accessible by Non-Endpoint (aka 'Man-in-the-Middle')" | ||||
| CWE ID -319, "Cleartext Transmission of Sensitive Information" | |||
| CWE ID -494, "Download of Code Without Integrity Check" | |||
| CWE ID -347, "Improper Verification of Cryptographic Signature" |
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="412ef6185f1221d4-9c14a560-4f884a59-8bd6adb5-c986809aecfdad4afed05211"><ac:plain-text-body><![CDATA[ | [[API 2006 | AA. Bibliography#API 06]] |
| ]]></ac:plain-text-body></ac:structured-macro> | |||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="de3d9e48e999877c-3e7653e5-4c9d46b8-bdee9269-83c8218b86ef731919fa5172"><ac:plain-text-body><![CDATA[ | [[Bea 2008 | AA. Bibliography#Bea 08]] |
| ]]></ac:plain-text-body></ac:structured-macro> | |||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="3fafc0336eb8be27-2906e7b7-492b405e-85f38681-85ea4488827677ae099a2154"><ac:plain-text-body><![CDATA[ | [[Eclipse 2008 | AA. Bibliography#Eclipse 08]] | [JAR Signing | http://wiki.eclipse.org/JAR_Signing] and [Signed bundles and protecting against malicious code | http://help.eclipse.org/stable/index.jsp?topic=/org.eclipse.platform.doc.isv/guide] | ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="1aa69b20d60b80e2-265d19eb-4b014b14-87f28703-21cfea161cdc81926b605e90"><ac:plain-text-body><![CDATA[ | [[Fairbanks 07 | AA. Bibliography#Fairbanks 07]] |
| ]]></ac:plain-text-body></ac:structured-macro> | |||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="4e3e3284c83f018d-39fcd82a-41bd498c-812dbe21-2bd6f95e22930afe04d69763"><ac:plain-text-body><![CDATA[ | [[Flanagan 2005 | AA. Bibliography#Flanagan 05]] | Chapter 24. The java.util.jar Package | ]]></ac:plain-text-body></ac:structured-macro> | |||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="738fb1dc501a27b7-503c38fc-48db4a6e-b003b088-424d64608bbbaca32f03ff30"><ac:plain-text-body><![CDATA[ | [[Gong 2003 | AA. Bibliography#Gong 03]] | 12.8.3 jarsigner | ]]></ac:plain-text-body></ac:structured-macro> | |||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="691dcdcaac84a6f0-a19a1612-489040bd-9fd6b323-270370ac4ef49063e32d02b4"><ac:plain-text-body><![CDATA[ | [[Halloway 2001 | AA. Bibliography#Halloway 01]] |
| ]]></ac:plain-text-body></ac:structured-macro> | |||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="aa442c9a453a62b4-cd59cd67-4be34d45-aebea22b-67f4eee2425623342c207712"><ac:plain-text-body><![CDATA[ | [[JarSpec 2008 | AA. Bibliography#JarSpec 08]] | Signature Validation |
| ]]></ac:plain-text-body></ac:structured-macro> | ||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="483838f0a83f40ce-343ae05c-4a0647a9-9e44ae3e-b50c333f7b03e0193555463d"><ac:plain-text-body><![CDATA[ | [[Oaks 2001 | AA. Bibliography#Oaks 01]] | Chapter 12: Digital Signatures, Signed Classes | ]]></ac:plain-text-body></ac:structured-macro> | |||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="e146eab803affd34-6be12856-4b6e4298-9f659063-028859a84137aaddd02a525d"><ac:plain-text-body><![CDATA[ | [[Muchow 2001 | AA. Bibliography#Muchow 01]] |
| ]]></ac:plain-text-body></ac:structured-macro> | |||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="a01c7efd12135ce7-ba7203ad-40384153-b45e9ae8-0f89d37c2d14ad2eab18df56"><ac:plain-text-body><![CDATA[ | [[Tutorials 2008 | AA. Bibliography#Tutorials 08]] | [The JarRunner Class | http://java.sun.com/docs/books/tutorial/deployment/jar/jarrunner.html], [Lesson: API and Tools Use for Secure Code and File Exchanges | http://java.sun.com/docs/books/tutorial/security/sigcert/index.html] and [Verifying Signed JAR Files | http://java.sun.com/docs/books/tutorial/deployment/jar/verify.html] | ]]></ac:plain-text-body></ac:structured-macro> |
...