Certificate validity check (was 7144564: jarsigner should report timestamp failure as a warning)
Weijun Wang
weijun.wang at oracle.com
Mon Feb 20 08:35:23 UTC 2012
Hi All
I'm looking at this bug report. The jar is recently signed on 2/9/12 but
the cert expired long time ago on 10/14/03, and jarsigner -verify shows
[CertPath not validated: timestamp check failed]
This failure message is totally correct. However, because the test was
about timestamping, the bug reporter mistakenly believe the error is
about the timestamping authority (TSA), instead of the notAfter and/or
notBefore attributes of the signer.
The words above is from the verifyTimestamp() method from lines 176 of
sun/security/provider/certpath/BasicChecker.java. Is it possible to
change the message to something like "validity check failed"?
If anyone in the PKI/CertPath team thinks this makes sense, please take
the bug and make some change. Otherwise, I will close it as NOT-A-BUG.
Thanks
Max
-------- Original Message --------
*Change Request ID*: 7144564
*Synopsis*: jarsigner should report timestamp failure as a warning
=== *Description*
============================================================
jarsigner -verify on a jar, signed with a expired certificate, with a
timestamp,
shows "[CertPath not validated: timestamp check failed]"
But this is not reported as a warning.
This should also be reported.
-bash-3.00$ $JDK8_HOME/bin/jarsigner -keystore srikar.p12.data
-storepass password -storetype pkcs12 -verify -verify -verbose -certs
SignedWithTimeStamp.jar
s k 161 Thu Feb 09 13:59:26 PST 2012 META-INF/MANIFEST.MF
[entry was signed on 2/9/12 1:59 PM]
X.509, CN=SRIKAR, O=SMI, OU=BGR, ST=KAR, C=IN, UID=srikar,
EMAILADDRESS=srikar.sagi at sun.com (srikarcert)
[certificate expired on 10/14/03 7:10 AM]
[CertPath not validated: timestamp check failed]
323 Thu Feb 09 13:59:26 PST 2012 META-INF/SRIKARCE.SF
2786 Thu Feb 09 13:59:26 PST 2012 META-INF/SRIKARCE.RSA
0 Thu Feb 09 13:59:24 PST 2012 META-INF/
smk 4448 Thu Feb 09 13:59:12 PST 2012 CheckJarEntries.class
[entry was signed on 2/9/12 1:59 PM]
X.509, CN=SRIKAR, O=SMI, OU=BGR, ST=KAR, C=IN, UID=srikar,
EMAILADDRESS=srikar.sagi at sun.com (srikarcert)
[certificate expired on 10/14/03 7:10 AM]
[CertPath not validated: timestamp check failed]
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope
jar verified.
Warning:
This jar contains entries whose signer certificate has expired.
This jar contains entries whose certificate chain is not validated.
More information about the security-dev
mailing list