jmod enhancements to support signed modules
Sean Mullan
sean.mullan at oracle.com
Thu Jun 3 11:33:35 PDT 2010
Hi Vinnie,
Some comments -
* Library
- For the install method verifySignature parameter, it should state that the
signature verification is performed only if a signature exists
- I think that we will need more than the verifySignature flag. There are many
settings that one may want control over when validating certificate chains. I
would suggest keeping the one-arg install methods (for no signature
verification) and adding overloaded install methods that take additional
parameters for verifying the signature, ex:
public void install(Collection<File> mfs,
ModuleFileVerifier.Parameters parameters)
However, I don't think this is critical right now. This is something we could do
as a follow-on change once we understand the use cases a little better.
* Librarian
- When we document the -noverify option, we should make it clear that this means
the signature is completely ignored and the module will be installed as an
unsigned module.
* ModuleFileVerifier
- The description of verifySignature should also state that the digital
signature is verified
- I think that we will need an extensible mechanism to allow the caller to
decide if it wants to trust each CodeSigner. There also may be cases where the
certificate chain validation fails (ex: certificate is expired) but the local
policy allows the user to decide if they want to trust the signer.
We need some sort of callback mechanism to allow the caller (and/or policy) to
decide if it wants to trust each code signer. But this needs more thought,
because the callback needs to be supplied with the appropriate level of
information to make that decision. Minimally the CodeSigner, but probably also
information about the module and where it came from.
This is also something I don't think is critical right now, and I think the use
cases will become clearer as we do more testing and work on other jigsaw tasks.
* ModuleFileFormat
- line 1624, 1728, you can just return ModuleFile.SignatureType.PKCS7, enums are
constants already
- lines 1743-1748, needs to be inside a doPrivileged block, also
System.getProperty could be called once, or is java.home cached anywhere else?
- line 1747, looks like you never close this file input stream
- line 1768-1770, I think a parsing exception should be treated as an error
(also see my last comment below) ...
- It doesn't look like the PKCS7VerifierParameters class is used, should it be
removed?
- lines 1810-1812, I think we should throw the CertificateException. Until we
have a callback mechanism in place, I think it is better both for debugging and
security to treat any certificate validation exception as fatal and by default
do not install the module.
--Sean
On 6/2/10 2:49 PM, Vincent Ryan wrote:
> Hello,
>
> Please review these code changes to support the creation of signed modules:
>
> http://cr.openjdk.java.net/~vinnie/6957907/webrev.00/
>
> 'jmod install<module-file>' now performs certificate path validation of
> each signer's cert chain when the module file carries a signature.
>
> Thanks.
More information about the jigsaw-dev
mailing list