Certificate validity check (was 7144564: jarsigner should report timestamp failure as a warning)

Sean Mullan sean.mullan at oracle.com
Mon Feb 20 15:07:55 UTC 2012


I could see how that exception message could be confused with a 
timestamp applied to the signed jar.

I'd probably suggest changing the exception message to: "certificate 
expired" or "certificate not yet valid" depending on how the check failed.

I suggest lowering the priority, leaving the bug open to make this 
change, and leaving it unassigned for now.

--Sean

On 02/20/2012 03:35 AM, Weijun Wang wrote:
> Hi All
>
> I'm looking at this bug report. The jar was recently signed on 2/9/12 but
> the cert expired a long time ago on 10/14/03, and jarsigner -verify shows
>
> [CertPath not validated: timestamp check failed]
>
> This failure message is totally correct. However, because the test was
> about timestamping, the bug reporter mistakenly believed the error is
> about the timestamping authority (TSA), instead of the notAfter and/or
> notBefore attributes of the signer.
>
> The words above are from the verifyTimestamp() method at line 176 of
> sun/security/provider/certpath/BasicChecker.java. Is it possible to
> change the message to something like "validity check failed"?
>
> If anyone in the PKI/CertPath team thinks this makes sense, please take
> the bug and make some change. Otherwise, I will close it as NOT-A-BUG.
>
> Thanks
> Max
>
> -------- Original Message --------
>
> *Change Request ID*: 7144564
> *Synopsis*: jarsigner should report timestamp failure as a warning
>
>
> === *Description*
> ============================================================
> jarsigner -verify on a jar, signed with an expired certificate, with a
> timestamp,
> shows "[CertPath not validated: timestamp check failed]"
> But this is not reported as a warning.
> This should also be reported.
>
>
> -bash-3.00$ $JDK8_HOME/bin/jarsigner -keystore srikar.p12.data
> -storepass password -storetype pkcs12 -verify -verify -verbose -certs
> SignedWithTimeStamp.jar
>
> s k 161 Thu Feb 09 13:59:26 PST 2012 META-INF/MANIFEST.MF
>
> [entry was signed on 2/9/12 1:59 PM]
> X.509, CN=SRIKAR, O=SMI, OU=BGR, ST=KAR, C=IN, UID=srikar,
> EMAILADDRESS=srikar.sagi at sun.com (srikarcert)
> [certificate expired on 10/14/03 7:10 AM]
> [CertPath not validated: timestamp check failed]
>
> 323 Thu Feb 09 13:59:26 PST 2012 META-INF/SRIKARCE.SF
> 2786 Thu Feb 09 13:59:26 PST 2012 META-INF/SRIKARCE.RSA
> 0 Thu Feb 09 13:59:24 PST 2012 META-INF/
> smk 4448 Thu Feb 09 13:59:12 PST 2012 CheckJarEntries.class
>
> [entry was signed on 2/9/12 1:59 PM]
> X.509, CN=SRIKAR, O=SMI, OU=BGR, ST=KAR, C=IN, UID=srikar,
> EMAILADDRESS=srikar.sagi at sun.com (srikarcert)
> [certificate expired on 10/14/03 7:10 AM]
> [CertPath not validated: timestamp check failed]
>
>
> s = signature was verified
> m = entry is listed in manifest
> k = at least one certificate was found in keystore
> i = at least one certificate was found in identity scope
>
> jar verified.
>
> Warning:
> This jar contains entries whose signer certificate has expired.
> This jar contains entries whose certificate chain is not validated.
>
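
A triage helper for the output quoted above, added here as an example and not part of the thread or of the JDK: it parses `jarsigner -verify -verbose` output and, where an entry's signing time falls after the signer certificate's expiry, reports the cause with the "certificate expired" wording suggested in the reply. The names `triage`, `SAMPLE` and `DATE_FMT`, the abridged sample and the assumed date format are illustrative.

```python
import re
from datetime import datetime

# Constructed sample: abridged from the jarsigner output quoted in the thread.
SAMPLE = """\
s k 161 Thu Feb 09 13:59:26 PST 2012 META-INF/MANIFEST.MF

[entry was signed on 2/9/12 1:59 PM]
X.509, CN=SRIKAR, O=SMI, OU=BGR, ST=KAR, C=IN, UID=srikar (srikarcert)
[certificate expired on 10/14/03 7:10 AM]
[CertPath not validated: timestamp check failed]

323 Thu Feb 09 13:59:26 PST 2012 META-INF/SRIKARCE.SF
smk 4448 Thu Feb 09 13:59:12 PST 2012 CheckJarEntries.class

[entry was signed on 2/9/12 1:59 PM]
[certificate expired on 10/14/03 7:10 AM]
[CertPath not validated: timestamp check failed]
"""

ENTRY = re.compile(r"\d+ \w{3} \w{3} \d{2} [\d:]{8} \w+ \d{4} (\S+)$")
NOTE = re.compile(r"^\[(entry was signed on|certificate expired on|"
                  r"CertPath not validated:) (.+)\]$")
DATE_FMT = "%m/%d/%y %I:%M %p"  # assumption: short US dates, as in the sample


def triage(output):
    """Map each entry with an unvalidated CertPath to a clearer failure reason."""
    entries, current = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        entry, note = ENTRY.search(line), NOTE.match(line)
        if entry:
            current = entries.setdefault(entry.group(1), {})
        elif note and current is not None:
            current[note.group(1)] = note.group(2)
    report = {}
    for name, notes in entries.items():
        reason = notes.get("CertPath not validated:")
        if reason is None:
            continue  # no CertPath failure recorded for this entry
        signed = notes.get("entry was signed on")
        expired = notes.get("certificate expired on")
        if signed and expired and (datetime.strptime(signed, DATE_FMT)
                                   > datetime.strptime(expired, DATE_FMT)):
            # Signing time lies past the signer's notAfter: the failure is
            # about the signer certificate's validity window, not the TSA.
            report[name] = "certificate expired"
        else:
            report[name] = reason  # keep jarsigner's own wording
    return report
```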
