Posted to dev@tomcat.apache.org by GitBox <gi...@apache.org> on 2020/04/14 18:54:33 UTC

[GitHub] [tomcat-jakartaee-migration] smarkwal opened a new issue #3: Bug: Removing signature from JAR file with JCE providers leads to SecurityException

smarkwal opened a new issue #3: Bug: Removing signature from JAR file with JCE providers leads to SecurityException
URL: https://github.com/apache/tomcat-jakartaee-migration/issues/3
 
 
   If this migration tool removes the cryptographic signature from a JAR file which contains JCE providers (e.g., Bouncy Castle), Java refuses to use these providers afterward:
   
   ```
   java.lang.SecurityException: JCE cannot authenticate the provider BC
   [...]
   Caused by: java.util.jar.JarException: file:/tmp/[...]/bcprov-ext-jdk15on-1.65.jar has unsigned entries - org/bouncycastle/LICENSE.class
   ```
   
   I see two possible solutions:
   
   1. If the classes in a JAR file do not have dependencies on Java EE classes, the JAR file is not touched by this migration tool. This means that the signature remains intact.
   2. If a JAR file contains JCE providers, it is not touched by this migration tool. Instead, a warning is printed.
   
   I think that solution 1 is easier to implement, since it does not require special knowledge about JCE providers (or other features which require signed JAR files).
   
   Bouncy Castle's main JAR file does not have dependencies on any Java EE classes. This means that both solutions would work for it.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
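
Solution 1 from the issue above, sketched as a pre-migration check (an added example, not part of the thread or the migration tool's code): a JAR with no Java EE references is left byte-identical so its signature stays valid, and a signed JAR that would be rewritten is flagged. The package list and the function names `is_signed`, `references_ee`, `plan` and `demo` are assumptions made for illustration.

```python
import io
import zipfile

# Assumption: illustrative subset of Java EE packages in class-file (slash)
# form; this is not the migration tool's own list.
EE_PREFIXES = (b"javax/servlet/", b"javax/el/", b"javax/websocket/")
SIG_BLOCKS = (".RSA", ".DSA", ".EC")

def is_signed(jar):
    """True if META-INF holds a .SF file plus a signature block file."""
    meta = [n.upper() for n in jar.namelist()
            if n.upper().startswith("META-INF/") and n.count("/") == 1]
    return (any(n.endswith(".SF") for n in meta)
            and any(n.endswith(SIG_BLOCKS) for n in meta))

def references_ee(jar):
    """Heuristic: search the raw bytes of each class file for EE package names."""
    for info in jar.infolist():
        if info.filename.endswith(".class"):
            data = jar.read(info)
            if any(p in data for p in EE_PREFIXES):
                return True
    return False

def plan(jar_file):
    """Return 'leave', 'migrate' or 'warn' for one JAR (path or file object)."""
    with zipfile.ZipFile(jar_file) as jar:
        if not references_ee(jar):
            return "leave"  # a byte-identical copy keeps any signature valid
        return "warn" if is_signed(jar) else "migrate"

def demo():
    """Classify three constructed in-memory JARs (not real provider files)."""
    sig = {"META-INF/BC.SF": b"constructed", "META-INF/BC.RSA": b"constructed"}
    ee = {"org/example/S.class": b"\xca\xfe\xba\xbe javax/servlet/http/HttpServlet"}
    plain = {"org/example/P.class": b"\xca\xfe\xba\xbe constructed, no EE names"}
    results = []
    for entries in ({**sig, **plain}, {**sig, **ee}, ee):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for name, data in entries.items():
                z.writestr(name, data)
        results.append(plan(buf))
    return results

if __name__ == "__main__":
    print(demo())
```

The byte search can also match a string constant that merely mentions an EE package, so a "migrate" or "warn" result may be a false positive; a "leave" result means no listed prefix occurs in any class file.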


[GitHub] [tomcat-jakartaee-migration] ebourg commented on issue #3: Bug: Removing signature from JAR file with JCE providers leads to SecurityException

Posted by GitBox <gi...@apache.org>.
ebourg commented on issue #3: Bug: Removing signature from JAR file with JCE providers leads to SecurityException
URL: https://github.com/apache/tomcat-jakartaee-migration/issues/3#issuecomment-613718792
 
 
   Leaving JAR files unmodified if they don't reference any EE class sounds like the best solution to me. This will probably require buffering the files in memory.
   



[GitHub] [tomcat-jakartaee-migration] rmaucher commented on issue #3: Bug: Removing signature from JAR file with JCE providers leads to SecurityException

Posted by GitBox <gi...@apache.org>.
rmaucher commented on issue #3: Bug: Removing signature from JAR file with JCE providers leads to SecurityException
URL: https://github.com/apache/tomcat-jakartaee-migration/issues/3#issuecomment-613880074
 
 
   I think users should probably use scripting to exclude problem JARs from the migration.
   
   Trying to do too much would lead to more problems, here a likely excessive memory use [there is the same problem with SB which wants some uncompressed JARs, also not doable without full load in memory]. This tool is IMO better if it stays simple.



[GitHub] [tomcat-jakartaee-migration] rmaucher commented on issue #3: Bug: Removing signature from JAR file with JCE providers leads to SecurityException

Posted by GitBox <gi...@apache.org>.
rmaucher commented on issue #3: Bug: Removing signature from JAR file with JCE providers leads to SecurityException
URL: https://github.com/apache/tomcat-jakartaee-migration/issues/3#issuecomment-613924051
 
 
   Yes, a resource filtering pattern of some kind could be a good add with plenty of uses.
   Still copy out and in should work and would likely be easier for you to do with your JCE JAR.



[GitHub] [tomcat-jakartaee-migration] ebourg commented on issue #3: Bug: Removing signature from JAR file with JCE providers leads to SecurityException

Posted by GitBox <gi...@apache.org>.
ebourg commented on issue #3: Bug: Removing signature from JAR file with JCE providers leads to SecurityException
URL: https://github.com/apache/tomcat-jakartaee-migration/issues/3#issuecomment-613937324
 
 
   
   > Trying to do too much would lead to more problems, here a likely excessive memory use.
   
   What is an excessive memory usage? A typical jar easily fits in the heap allocated by default to the JVM. This tool is mainly used at build time on beefy machines, I don't think the memory usage is really a concern.
   
   > How about adding a command line option to exclude certain JAR files from getting migrated?
   
   Good idea, something like an `--exclude` option with a glob parameter that could be repeated many times.
   



[GitHub] [tomcat-jakartaee-migration] ebourg commented on issue #3: Bug: Removing signature from JAR file with JCE providers leads to SecurityException

Posted by GitBox <gi...@apache.org>.
ebourg commented on issue #3: Bug: Removing signature from JAR file with JCE providers leads to SecurityException
URL: https://github.com/apache/tomcat-jakartaee-migration/issues/3#issuecomment-613938070
 
 
   Also `bcprov*.jar` could be excluded by default.



[GitHub] [tomcat-jakartaee-migration] smarkwal commented on issue #3: Bug: Removing signature from JAR file with JCE providers leads to SecurityException

Posted by GitBox <gi...@apache.org>.
smarkwal commented on issue #3: Bug: Removing signature from JAR file with JCE providers leads to SecurityException
URL: https://github.com/apache/tomcat-jakartaee-migration/issues/3#issuecomment-613915909
 
 
   How about adding a command line option to exclude certain JAR files from getting migrated? It adds just a little bit of complexity in how to use the tool, but it has no impact on memory usage. And it is maybe useful in other scenarios as well.
