Code should be signed only when it requires elevated privileges to perform one or more tasks. See rule ENV00-J, "Do not sign code that performs only unprivileged operations," for more information.

...

Client code may lack programmatic checks of code signatures. For example, instances of URLClassLoader and its subclasses, and java.util.jar, automatically verify the signatures of signed JAR files, but developer-implemented custom class loaders that subclass java.lang.ClassLoader may lack this check. Moreover, even in the URLClassLoader case, the automatic verification performs only an integrity check; it does not authenticate the loaded class, because the check uses only the public key contained within the JAR without validating that public key against any trusted source. The legitimate JAR file can therefore be replaced with a malicious JAR file containing a different public key along with appropriately modified digest values.

...

import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.net.JarURLConnection;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.jar.Attributes;

public class JarRunner {
  public static void main(String[] args)
       throws IOException, ClassNotFoundException,
              NoSuchMethodException, InvocationTargetException {

    URL url = new URL(args[0]);

    // Create the class loader for the application jar file
    JarClassLoader cl = new JarClassLoader(url);

    // Get the application's main class name
    String name = cl.getMainClassName();

    // Get arguments for the application
    String[] newArgs = new String[args.length - 1];
    System.arraycopy(args, 1, newArgs, 0, newArgs.length);

    // Invoke application's main class
    cl.invokeClass(name, newArgs);
  }
}

final class JarClassLoader extends URLClassLoader {
  private final URL url;

  public JarClassLoader(URL url) {
    super(new URL[] { url });
    this.url = url;
  }

  // Read Main-Class from the JAR manifest
  public String getMainClassName() throws IOException {
    URL u = new URL("jar", "", url + "!/");
    JarURLConnection uc = (JarURLConnection) u.openConnection();
    Attributes attr = uc.getMainAttributes();
    return attr != null ?
        attr.getValue(Attributes.Name.MAIN_CLASS) : null;
  }

  // Loads the named class and runs its main(String[]) method.
  // Note that no check of the JAR's signature or signer is made here:
  // URLClassLoader only verifies the digests against the JAR's own
  // embedded public key, so a re-signed JAR passes unchallenged.
  public void invokeClass(String name, String[] args)
      throws ClassNotFoundException, NoSuchMethodException,
             InvocationTargetException {
    Class<?> c = loadClass(name);
    Method m = c.getMethod("main", new Class<?>[] { args.getClass() });
    m.setAccessible(true);
    int mods = m.getModifiers();
    if (m.getReturnType() != void.class || !Modifier.isStatic(mods) ||
        !Modifier.isPublic(mods)) {
      throw new NoSuchMethodException("main");
    }
    try {
      m.invoke(null, new Object[] { args });
    } catch (IllegalAccessException e) {
      System.out.println("Access denied");
    }
  }
}

...

Users can, but usually do not, explicitly check JAR file signatures at the command line. This may be an adequate solution for programs that require manual installation of JAR files. Any malicious tampering results in a SecurityException when the jarsigner tool is invoked with the -verify option.

...

When the local system cannot reliably verify the signature, the invoking program must verify the signature programmatically by obtaining the chain of certificates from the CodeSource of the class being loaded and checking whether any of the certificates belong to a trusted signer whose certificate has been securely obtained beforehand and stored in a local keystore. This compliant solution demonstrates the necessary modifications to the invokeClass() method.

// Additional imports needed in JarClassLoader for this invokeClass():
//   java.io.File, java.io.FileInputStream, java.io.InputStream,
//   java.security.GeneralSecurityException, java.security.KeyStore,
//   java.security.cert.Certificate
public void invokeClass(String name, String[] args)
    throws ClassNotFoundException, NoSuchMethodException,
           InvocationTargetException, GeneralSecurityException,
           IOException {
  Class<?> c = loadClass(name);
  // Signer certificates recorded in the class's CodeSource; null if unsigned
  Certificate[] certs =
      c.getProtectionDomain().getCodeSource().getCertificates();
  if (certs == null) {
    // Return without executing anything if the JAR is unsigned
    System.out.println("No signature!");
    return;
  }

  // Load the local keystore that holds the trusted signer's certificate
  KeyStore ks = KeyStore.getInstance("JKS");
  try (InputStream in = new FileInputStream(
      System.getProperty("user.home") + File.separator + "keystore.jks")) {
    ks.load(in, "loadkeystorepassword".toCharArray());
  }
  // "user" is the alias under which the trusted certificate was stored
  Certificate pubCert = ks.getCertificate("user");
  // Verify the signer's certificate against the trusted public key;
  // verify() throws a GeneralSecurityException subclass on mismatch
  certs[0].verify(pubCert.getPublicKey());

  // Signature accepted: locate and invoke main() as before
  Method m = c.getMethod("main", new Class<?>[] { args.getClass() });
  int mods = m.getModifiers();
  if (m.getReturnType() != void.class || !Modifier.isStatic(mods) ||
      !Modifier.isPublic(mods)) {
    throw new NoSuchMethodException("main");
  }
  try {
    m.invoke(null, new Object[] { args });
  } catch (IllegalAccessException e) {
    System.out.println("Access denied");
  }
}
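The compliant solution above checks only certs[0] against a single hard-coded alias. As an added example that is not part of the original page or of the CERT rule's own code, the following class generalizes that check: it refuses classes with no CodeSource or no signer certificates, and accepts a class only if some certificate in its signer chain either equals a trusted certificate entry in the keystore or was issued by one. The keystore path, its password, the class name and the SignerCheck class itself are assumptions made for this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.CodeSource;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;

/**
 * Added example (not from the original page): decide whether a loaded class
 * was signed by a certificate present in a locally stored trust keystore.
 */
public final class SignerCheck {

  private SignerCheck() {}

  /**
   * Returns true only when some certificate in the signer chain of {@code c}
   * is itself a trusted certificate entry in {@code trust} or was signed by
   * the public key of one. Unsigned classes and classes without a CodeSource
   * are rejected rather than silently accepted.
   */
  public static boolean isTrusted(Class<?> c, KeyStore trust)
      throws GeneralSecurityException {
    CodeSource cs = c.getProtectionDomain().getCodeSource();
    if (cs == null) {
      return false;          // no origin information: nothing to verify
    }
    Certificate[] certs = cs.getCertificates();
    if (certs == null || certs.length == 0) {
      return false;          // unsigned JAR: refuse
    }
    Enumeration<String> aliases = trust.aliases();
    while (aliases.hasMoreElements()) {
      String alias = aliases.nextElement();
      if (!trust.isCertificateEntry(alias)) {
        continue;            // ignore private-key entries in the keystore
      }
      Certificate anchor = trust.getCertificate(alias);
      for (Certificate signer : certs) {
        if (signer.equals(anchor)) {
          return true;       // exact match with a trusted certificate
        }
        try {
          signer.verify(anchor.getPublicKey()); // issued by the trusted key
          return true;
        } catch (GeneralSecurityException e) {
          // not issued by this anchor; keep looking
        }
      }
    }
    return false;            // no trusted signer found anywhere in the chain
  }

  /** Loads the trust keystore from an assumed path with an assumed password. */
  public static KeyStore loadTrustStore(Path path, char[] password)
      throws IOException, GeneralSecurityException {
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    try (InputStream in = Files.newInputStream(path)) {
      ks.load(in, password);
    }
    return ks;
  }

  // Usage (assumed arguments): SignerCheck <keystore-path> <password> <class-name>
  public static void main(String[] args) throws Exception {
    KeyStore trust = loadTrustStore(Path.of(args[0]), args[1].toCharArray());
    // initialize=false: load the class without running its static initializers
    // until its signer has been checked
    Class<?> c = Class.forName(args[2], false, SignerCheck.class.getClassLoader());
    if (!isTrusted(c, trust)) {
      throw new SecurityException("untrusted or unsigned class: " + c.getName());
    }
    System.out.println("Signer trusted: " + c.getName());
  }
}
```

Two design points worth noting. First, the class is loaded with initialize=false so that static initializers of untrusted code do not run before the check completes; the same applies to the loadClass() call in JarClassLoader, which also does not initialize. Second, this check establishes only that a trusted key signed the code; it does not examine certificate validity periods or revocation, so where those matter the chain should be handed to java.security.cert.CertPathValidator with the "PKIX" algorithm and the keystore entries as trust anchors.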

...

Failure to verify a digital signature, whether manually or programmatically, can result in the execution of malicious code.

...

ISO/IEC TR 24772:2010 (http://www.aitcnet.org/isai/)

Improperly Verified Signature [XZR]

MITRE CWE

CWE-300. Channel accessible by non-endpoint (aka "man-in-the-middle")
CWE-319. Cleartext transmission of sensitive information
CWE-494. Download of code without integrity check
CWE-347. Improper verification of cryptographic signature

...


...