code review request: 7081783: jarsigner error when no $HOME/.keystore
Weijun Wang
weijun.wang at oracle.com
Tue Aug 30 04:56:48 UTC 2011
Hi All
7081783: jarsigner error when no $HOME/.keystore
Webrev is at --
http://cr.openjdk.java.net/~weijun/7081783/webrev.00/
Description:
jarsigner includes a certpath validation check, and shows a warning when
the check fails. The CertPathValidator object, unfortunately, is
initialized in a method that can only be executed if a local keystore is
found (either ~/.keystore or specified by -keystore). Therefore, if
there is no local keystore but the jarfile's signer can be directly
verified by a cert in cacerts, we still see:
    Warning:
    This jar contains entries whose certificate chain is not validated.
The code changes make sure the CertPathValidator object is always
initialized.
For reg test, it's a simple call --
    ${TESTJAVA}${FS}bin${FS}jarsigner \
        -J-Duser.home=. \
        -verify -strict ${TESTSRC}${FS}bootstrap.jar
Here I override user.home so that even if the test machine has a
./keystore, it won't be affected. The bootstrap.jar file is a small
signed jar that is signed by a real CA that can be chained into an item
in cacerts.
Thanks
Max
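
Added example, not part of the original message and not jarsigner's own code: a stand-alone check that creates the CertPathValidator unconditionally and validates each signer chain of a jar against cacerts alone, with no user keystore involved. The class name CacertsOnlyCheck is hypothetical; it assumes Java 11+, cacerts at ${java.home}/lib/security/cacerts, and revocation checking switched off.

```java
import java.io.File;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXParameters;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class CacertsOnlyCheck {  // hypothetical name, illustration only
    public static void main(String[] args) throws Exception {
        // Trust anchors come from the JDK's cacerts only; no user keystore is consulted.
        File cacerts = new File(System.getProperty("java.home"), "lib/security/cacerts");
        // A null password loads the store without the integrity check (assumption: fine for a demo).
        KeyStore anchors = KeyStore.getInstance(cacerts, (char[]) null);
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // path validation only, no CRL/OCSP lookups
        // Created unconditionally, before any jar is opened.
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");

        Set<CodeSigner> signers = new LinkedHashSet<>();
        try (JarFile jar = new JarFile(new File(args[0]), true)) {
            for (JarEntry entry : Collections.list(jar.entries())) {
                // Signer information is populated only once the entry has been read to the end.
                try (InputStream in = jar.getInputStream(entry)) {
                    in.transferTo(OutputStream.nullOutputStream());
                }
                CodeSigner[] cs = entry.getCodeSigners();
                if (cs != null) signers.addAll(Arrays.asList(cs));
            }
        }
        if (signers.isEmpty()) System.out.println("no signed entries found");
        for (CodeSigner signer : signers) {
            try {
                validator.validate(signer.getSignerCertPath(), params);
                System.out.println("chain validated against cacerts");
            } catch (CertPathValidatorException e) {
                System.out.println("chain NOT validated: " + e.getMessage());
            }
        }
    }
}
```

Run it as "java CacertsOnlyCheck.java <signed.jar>"; an entry whose digest does not match its signature makes the read throw SecurityException before any chain is checked.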