java-json-tools / json-schema-validator

A JSON Schema validation implementation in pure Java, which aims for correctness and performance, in that order
http://json-schema-validator.herokuapp.com/

Crash in Android Devices #344

Open UelitonFreitas opened 4 years ago

UelitonFreitas commented 4 years ago

Hi, first of all, thanks for developing this library. 🤘

I have some crashes in my Android application and don't know what the cause can be, so I opened this issue. Do you have any idea what it can be? Is there any recommendation for this problem?

Library Version: 2.2.13
Most affected Android Devices: Samsung J7
Most affected Android Version: Android 6 and 8

The problem:

Full Stack trace:

Caused by java.lang.SecurityException: Incorrect signature
       at org.apache.harmony.security.utils.JarUtils.verifySignature(JarUtils.java:225)
       at java.util.jar.JarVerifier.verifyCertificate(JarVerifier.java:294)
       at java.util.jar.JarVerifier.readCertificates(JarVerifier.java:268)
       at java.util.jar.JarFile.getInputStream(JarFile.java:380)
       at libcore.net.url.JarURLConnectionImpl.getInputStream(JarURLConnectionImpl.java:222)
       at java.net.URL.openStream(URL.java:470)
       at com.github.fge.jackson.JsonLoader.fromURL(JsonLoader.java:131)
       at com.github.fge.jsonschema.SchemaVersion.<init>(SchemaVersion.java:66)
       at com.github.fge.jsonschema.SchemaVersion.<clinit>(SchemaVersion.java:45)
       at com.github.fge.jsonschema.core.load.configuration.LoadingConfigurationBuilder.<init>(LoadingConfigurationBuilder.java:119)
       at com.github.fge.jsonschema.core.load.configuration.LoadingConfiguration.byDefault(LoadingConfiguration.java:151)
       at com.github.fge.jsonschema.main.JsonSchemaFactoryBuilder.<init>(JsonSchemaFactoryBuilder.java:67)
       at com.github.fge.jsonschema.main.JsonSchemaFactory.newBuilder(JsonSchemaFactory.java:123)
       at com.github.fge.jsonschema.main.JsonSchemaFactory.byDefault(JsonSchemaFactory.java:113)
       at com.app.client.schema.JSONSchemaValidator$Factory.get(JSONSchemaValidator.java:29)

Partial Stack trace:

Fatal Exception: java.lang.ExceptionInInitializerError
       at com.github.fge.jsonschema.core.load.configuration.LoadingConfigurationBuilder.<init>(LoadingConfigurationBuilder.java:119)
       at com.github.fge.jsonschema.core.load.configuration.LoadingConfiguration.byDefault(LoadingConfiguration.java:151)
       at com.github.fge.jsonschema.main.JsonSchemaFactoryBuilder.<init>(JsonSchemaFactoryBuilder.java:67)
       at com.github.fge.jsonschema.main.JsonSchemaFactory.newBuilder(JsonSchemaFactory.java:123)
       at com.github.fge.jsonschema.main.JsonSchemaFactory.byDefault(JsonSchemaFactory.java:113)
       at com.app.client.schema.JSONSchemaValidator$Factory.get(JSONSchemaValidator.java:29)

It seems like the library cannot find the draftv4 specification file on the devices with the problem, but the package is configured in build.gradle and the file is present in the jar's resources:

packagingOptions {
    pickFirst 'META-INF/LICENSE.txt'
    pickFirst 'META-INF/NOTICE.txt'
    pickFirst 'META-INF/ASL-2.0.txt'
    pickFirst 'META-INF/LICENSE'
    pickFirst 'draftv4/schema'
    pickFirst 'draftv3/schema'
    pickFirst 'META-INF/LGPL-3.0.txt'
}

Capstan commented 4 years ago

There doesn't appear to be the actual exception in this report; do you mind attaching that? We don't have Android experience among the maintainers, so it's entirely possible we have some loading bug that is specific to that environment.

A quick internet search seems to yield an incorrect signature? That seems strange.

UelitonFreitas commented 4 years ago

Hi @Capstan, thank you for your answer. I updated the issue with all the information that I have. I am having this problem only on some devices. I searched for similar errors on the internet too, without progress, and sadly I also can't reproduce the problem on my devices. Do you have any idea what this incorrect signature means?

Capstan commented 4 years ago

My guess is that it is https://source.android.com/security/apksigning#v1

UelitonFreitas commented 4 years ago

I'm not sure. Android signatures are independent of Jars at this point and just some devices got the error. Most of them work correctly. As the stack trace suggests, maybe we are missing some config in the library jar.

I have more information about SecurityException:

Caused by java.lang.SecurityException
cannot verify signature block file META-INF/BNDLTOOL

Does it make sense?

To be honest, I think this can be something related to the URL implementation. It can be different for each Android API version/manufacturer.

Capstan commented 4 years ago

The .jars from maven central don't contain a META-INF/BNDLTOOL file in them and are not signed Jars, but rather just have .asc files per the central repository requirements.

I'm not sure how your jars have the extra file in the jar, or how they are signed such that the extra file invalidates the signature.
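An added diagnostic, not code from the library or from anyone in this thread: it lists the signature-related files in a jar or APK and compares each entry's SHA-256 with the digest recorded in `META-INF/MANIFEST.MF`, which shows whether an archive is signed and which entries no longer match what was signed. It checks only the manifest digest layer of JAR signing, not the signature over the `.SF` file; the function names and the in-memory sample archive (including the `BNDLTOOL.SF` placeholder, named after the exception above) are constructed for illustration.

```python
import base64, hashlib, io, re, zipfile

# Signature-related entry names from the JAR specification (case-insensitive).
SIG_RE = re.compile(r"^META-INF/([^/]+\.(SF|RSA|DSA|EC)|SIG-[^/]*)$", re.I)
MANIFEST = "META-INF/MANIFEST.MF"

def sha256_b64(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")

def manifest_digests(text):
    """Map entry name -> SHA-256-Digest value from MANIFEST.MF text."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold wrapped lines
    digests = {}
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        if "Name" in attrs and "SHA-256-Digest" in attrs:
            digests[attrs["Name"]] = attrs["SHA-256-Digest"]
    return digests

def audit(archive_bytes):
    """List signature files, entries whose bytes differ from the manifest
    digest, and entries the manifest does not cover at all."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = {n for n in zf.namelist() if not n.endswith("/")}
        listed = manifest_digests(zf.read(MANIFEST).decode()) if MANIFEST in names else {}
        report = {"signature_files": [], "mismatched": [], "unlisted": []}
        for n in sorted(names - {MANIFEST}):
            if SIG_RE.match(n):
                report["signature_files"].append(n)
            elif n not in listed:
                report["unlisted"].append(n)
            elif listed[n] != sha256_b64(zf.read(n)):
                report["mismatched"].append(n)
    return report

def build_sample():
    """Constructed archive: digests recorded first, contents changed afterwards."""
    good = {"draftv4/schema": b'{"id": "v4"}', "draftv3/schema": b'{"id": "v3"}'}
    mf = "Manifest-Version: 1.0\r\n\r\n" + "".join(
        f"Name: {n}\r\nSHA-256-Digest: {sha256_b64(d)}\r\n\r\n" for n, d in good.items())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, mf)
        zf.writestr("META-INF/BNDLTOOL.SF", "Signature-Version: 1.0\r\n")  # placeholder
        zf.writestr("draftv4/schema", b'{"id": "v4-other-copy"}')  # differs from digest
        zf.writestr("draftv3/schema", good["draftv3/schema"])
        zf.writestr("extra.txt", b"added later")  # never recorded in the manifest
    return buf.getvalue()
```

To inspect a real file, pass its bytes: `audit(open(path, "rb").read())`. An empty `signature_files` list means the archive carries no JAR signature at all.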