code review request: 7081783: jarsigner error when no $HOME/.keystore

Weijun Wang weijun.wang at oracle.com
Tue Aug 30 04:56:48 UTC 2011


Hi All

7081783: jarsigner error when no $HOME/.keystore

Webrev is at --
    http://cr.openjdk.java.net/~weijun/7081783/webrev.00/

Description:

jarsigner includes a certpath validation check, and shows a warning when 
the check fails. The CertPathValidator object, unfortunately, is 
initialized in a method that can only be executed if a local keystore is 
found (either ~/.keystore or specified by -keystore). Therefore, if 
there is no local keystore but the jarfile's signer can be directly 
verified by a cert in cacerts, we still see:

    Warning:
    This jar contains entries whose certificate chain is not validated.

The code changes make sure the CertPathValidator object is always 
initialized.

For reg test, it's a simple call --

${TESTJAVA}${FS}bin${FS}jarsigner \
         -J-Duser.home=. \
         -verify -strict ${TESTSRC}${FS}bootstrap.jar

Here I override user.home so that even if the test machine has a 
./keystore, it won't be affected. The bootstrap.jar file is a small 
signed jar that is signed by a real CA that can be chained into an item 
in cacerts.

Thanks
Max
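The initialization-order problem described in this message, as an added example (a simplified model, not jarsigner's source and not code from the webrev). The class, method and field names are hypothetical, and it is an assumption of this sketch that the pre-fix path also loaded cacerts once a local keystore was found.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Simplified model of the bug; every name here is hypothetical.
public class ValidatorInit {
    static final File CACERTS = new File(System.getProperty("java.home"), "lib/security/cacerts");
    static final File USER_KS = new File(System.getProperty("user.home"), ".keystore");
    CertPathValidator validator;   // stays null if setUp() is never reached
    PKIXParameters params;

    // Trusted certificate entries of a keystore file; empty set if the file is absent.
    static Set<TrustAnchor> anchorsFrom(File f) throws Exception {
        Set<TrustAnchor> out = new HashSet<>();
        if (!f.isFile()) return out;
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(f)) { ks.load(in, null); }
        for (String alias : Collections.list(ks.aliases()))
            if (ks.isCertificateEntry(alias) && ks.getCertificate(alias) instanceof X509Certificate)
                out.add(new TrustAnchor((X509Certificate) ks.getCertificate(alias), null));
        return out;
    }

    // Before: validator setup is reachable only when a local keystore exists.
    void initBefore() throws Exception {
        if (!USER_KS.isFile()) return;            // no keystore: validator never created
        Set<TrustAnchor> anchors = anchorsFrom(CACERTS);
        anchors.addAll(anchorsFrom(USER_KS));
        setUp(anchors);
    }

    // After: cacerts anchors are always loaded; a local keystore only adds to them.
    void initAfter() throws Exception {
        Set<TrustAnchor> anchors = anchorsFrom(CACERTS);
        anchors.addAll(anchorsFrom(USER_KS));
        setUp(anchors);
    }
    void setUp(Set<TrustAnchor> anchors) throws Exception {
        validator = CertPathValidator.getInstance("PKIX");
        params = new PKIXParameters(anchors);     // throws if the anchor set is empty
        params.setRevocationEnabled(false);
    }
    public static void main(String[] args) throws Exception {
        ValidatorInit before = new ValidatorInit(), after = new ValidatorInit();
        before.initBefore(); after.initAfter();
        System.out.println("before ready=" + (before.validator != null) + ", after ready=" + (after.validator != null));
    }
}
```

Running it with `-Duser.home=.` from a directory that has no `.keystore` file exercises the no-keystore path, the same override the regression test uses.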



