Signed Jar verification fails from a nested Jar under Oracle Java 17 #28837
Comments
spring-projects-issues
added
the
status: waiting-for-triage
|
See #28157. |
|
#28150 The ticket doesn’t consider the used Java Version. See: https://www.baeldung.com/oracle-jdk-vs-openjdk I think that is why there was a problem to recreate the issue. |
|
I can reproduce the issue with my test app (Spring Boot 2.5.7) on all the following configurations. Note that these are all different physical computers - WSL is running on a different Windows 10 machine.
However, the problem does not occur using OpenJDK 17.0.0 on Ubuntu 20.04 (Windows Subsystem for Linux). Issue #28157 has a similar exception message, but a different root cause exception. I can reproduce my issue across multiple machines and operating systems, and the root cause is always "zip file closed." Each of these machines has downloaded a separate copy of the bouncy castle jar, so I don't believe it's corrupt. |
thelateperseus
changed the title
|
Thanks for the sample, @thelateperseus. I've reproduced the problem on macOS using Oracle JDK 17.0.1: |
wilkinsona
added
type: bug
|
😭 |
|
I've managed to find some time to dig into this today and unfortunately we have more than just the "zip file closed" issue to solve. I patched a local build so that It took a bit more digging to get to the bottom of it (not helped by the lack of source code for if (!jarManifestNameChecked && SharedSecrets.getJavaUtilZipFileAccess().getManifestName(jf, true) == null) {
throw new JarException("The JCE Provider " + jarURL.toString() + " is not signed.");
}The I've managed to hack around the problem by adding an empty I'm not sure that this is really a good long term suggestions. I'll flag the issue for team attention to see if anyone has any bright ideas. Ideally we'd like |
philwebb
added
the
for: team-attention
|
Hacked up code is at https://github.com/philwebb/spring-boot/tree/gh-28837 |
|
I am having same issue on spring boot 2.6.2 and oracle java 17 (oracle java 11 is working, same as open JDK versions as listed above). |
philwebb
removed
the
for: team-attention
|
same blocking issue here |
|
I have the same blocking issue :( |
|
@zeroleak @evgenyigumnov sorry about that but please use the reaction on the original description rather than this. |
@snicoll what do you mean? I can not use Oracle JDK 11 version. I have to use 17 version. |
|
I mean that "I have the same issue" is not very helpful and send a notification to the 3K watchers of this repository. If you want to indicate you're affected by this issue without any extra information, please rather use the reaction (👍) in the original description above. |
|
I could work around this issue by running my Spring Boot app using an exploded directory format. This is the recommended approach by Spring Boot for container images → Container Images |
wilkinsona
added
the
for: team-meeting
wilkinsona
removed
the
for: team-meeting
|
For anyone watching this issue I just pushed a fix for #29356 which should allow |
|
I've tested this with my sample Spring Boot app and it works now. I had to change the Spring Boot version in bootJar {
requiresUnpack '**/bcprov-jdk15on-*.jar'
} |
|
A comment appeared under bug entry at Oracle. They conclude it requires investigation on Spring Boot side: I think this issue would have to be evaluated in the spring-boot project. It appears that the spring-boot project extends the java.util.jar.JarFile. That extended JarFile instances get used by the spring-boot launcher code. There's a specific piece of code in the extended class implementation here which immediately calls close() on the java.util.jar.JarFile https://github.com/spring-projects/spring-boot/blob/main/spring-boot-project/spring-boot-tools/spring-boot-loader/src/main/java/org/springframework/boot/loader/jar/JarFile.java#L131 which thus marks the JarFile instance as closed. I am not familiar with spring-boot and why it does this. |
This comment was marked as duplicate.
This comment was marked as duplicate.
|
The only workaround I could find so far for this issue is the following (quite hacky). You need to run the verification of BouncyCastle before the Spring Boot "magic" starts as @jarekczek suggested - while still keeping the fat-jar (mostly). Please note: in Oracle JDK 17 the verification result is stored in a permanent HashMap. If they change it to WeakHashMap somehow this will not work anymore! You can do so as follows: Create your own launcher derived from JarLauncher public class MyLauncher extends JarLauncher {
public static void main(String[] args) throws Exception {
// perform the registering / verification (cached) of BouncyCastle prior to any SpringMagic
Security.addProvider(new BouncyCastleProvider());
Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding","BC");
new MyLauncher().launch(args);
}
}exclude bcprov from your fat jar (you have to -cp it separately along with your fat jar for launching - but at least it's the only other jar) <exclude>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
</exclude>use e.g. maven-antrun-plugin to repack your fat-jar to include your "MyLauncher" in the right place of the jar <plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-antrun-plugin</artifactId>
<version>3.1.0</version>
<executions>
<execution>
<id>copy-and-repair-zips</id>
<phase>package</phase>
<goals>
<goal>run</goal>
</goals>
<configuration>
<target>
<zip destfile="${project.build.directory}/${project.artifactId}-${project.version}_mod.jar" keepcompression="true">
<zipfileset src="${project.build.directory}/${project.artifactId}-${project.version}.jar"/>
<zipfileset dir="${project.build.outputDirectory}/launcher" includes="MyLauncher.class" fullpath="launcher/MyLauncher.class" />
</zip>
<move file="${project.build.directory}/${project.artifactId}-${project.version}_mod.jar" tofile="${project.build.directory}/${project.artifactId}-${project.version}.jar" overwrite="true" />
<!-- now the modified jar is available -->
</target>
</configuration>
</execution>
</executions>
</plugin>Hopefully this gets fixed with 3.2.x or earlier - thanks! (sorry, I could not get the code formatting to work) |
|
You need to use triple backticks, as described in GitHub's documentation. I have edited your comment to do so. |
Thank you @wilkinsona. I only found the - supposedly outdated - hints to add two spaces at the end of the lines. |
philwebb
changed the title
|
Hi @philwebb ..When it will be fixed ?..The work around given not working |
Update `spring-boot-loader-tests` with a test that checks verified BouncyCastle jars can be loaded. Currently the Oracle JDK only supports verification if the jar is unpacked. See gh-28837
|
@amalajone We don't have an exact ETA for a fix, but we did push code for #37668 which was a substantial amount of work that will hopefully make it easier to fix this one. I've also just pushed some tests in 6c24ea0 which seem to suggest that the new nested jar support is supporting the |
philwebb
changed the title
|
I have the same problem. My solution is to replace Oracle JDK and use OpenJDK-based TencentKona instead. TencentKona does not verify the signature of the jar package, so the problem is solved (although this is not the best solution). |
Oracle has fixed this issue on 11/06/2023 in version 17.0.11, please upgrade your JDK version. |
Is this version released , I can see 17.0.9 as latest |
|
I am using the latest version of jdk17 and I still have the same error |
I am using the latest version of jdk17 and I still have the same error |
|
Try JDK 17.0.10 released today. The JDK-8313742 is mentioned as fixed in the release notes of this JDK release: |
|
JDK 17.0.10 -> Effective for me. |
|
When we generate the package as jar and if we using spring 3.2.2 and Java 17.0.9 then issue resolved but same issue still there when we generate the package as war . |
@philwebb anyone reported same issue ? |
|
@amalajone I don't think so. Please open a new issue with a reproducer and we can take a look. |
|
Ok sure |
and others
When running a Spring Boot app as a fat Jar under Java 17, using the Bouncy Castle provider results in an exception
SecurityException: JCE cannot authenticate the provider BCwith causeIllegalStateException: zip file closed. Any use of the provider seems to trigger the exception, e.g.I have created a sample Spring Boot app that reproduces the problem.
I stepped through the code and I believe the problem is caused by the Spring Boot
JarURLConnectionreturning an already closed Jar file fromgetJarFile(). I think this relates to issues #17127 and #25538, but I could be wrong.This same issue does not occur under Java 11, so I assume something has changed in
JarVerifier.verifySingleJarbetween Java 11 and 17.The exception stack trace is:
The text was updated successfully, but these errors were encountered: