Certificate validity check (was 7144564: jarsigner should report timestamp failure as a warning)
Weijun Wang
weijun.wang at oracle.com
Mon Feb 20 15:22:22 UTC 2012
Hi Sean
OK, updated the bug status as suggested.
In fact, I've just tried jarsigner on a signed jar that was signed some
time ago with a cert which was valid at that time but is expired now.
Jarsigner still reports some warning like cert expired or certpath
validation failed. This is not very friendly.
I'll file another bug on it.
Thanks
Max
On 02/20/2012 11:07 PM, Sean Mullan wrote:
> I could see how that exception message could be confused with a
> timestamp applied to the signed jar.
>
> I'd probably suggest changing the exception message to: "certificate
> expired" or "certificate not yet valid" depending on how the check failed.
>
> I suggest lowering the priority, leaving the bug open to make this
> change, and leave it unassigned for now.
>
> --Sean
>
> On 02/20/2012 03:35 AM, Weijun Wang wrote:
>> Hi All
>>
>> I'm looking at this bug report. The jar was recently signed on 2/9/12 but
>> the cert expired a long time ago on 10/14/03, and jarsigner -verify shows
>>
>> [CertPath not validated: timestamp check failed]
>>
>> This failure message is totally correct. However, because the test was
>> about timestamping, the bug reporter mistakenly believes the error is
>> about the timestamping authority (TSA), instead of the notAfter and/or
>> notBefore attributes of the signer.
>>
>> The words above are from the verifyTimestamp() method at line 176 of
>> sun/security/provider/certpath/BasicChecker.java. Is it possible to
>> change the message to something like "validity check failed"?
>>
>> If anyone in the PKI/CertPath team thinks this makes sense, please take
>> the bug and make some change. Otherwise, I will close it as NOT-A-BUG.
>>
>> Thanks
>> Max
>>
>> -------- Original Message --------
>>
>> *Change Request ID*: 7144564
>> *Synopsis*: jarsigner should report timestamp failure as a warning
>>
>>
>> === *Description*
>> ============================================================
>> jarsigner -verify on a jar, signed with an expired certificate, with a
>> timestamp,
>> shows "[CertPath not validated: timestamp check failed]"
>> But this is not reported as a warning.
>> This should also be reported.
>>
>>
>> -bash-3.00$ $JDK8_HOME/bin/jarsigner -keystore srikar.p12.data
>> -storepass password -storetype pkcs12 -verify -verify -verbose -certs
>> SignedWithTimeStamp.jar
>>
>> s k 161 Thu Feb 09 13:59:26 PST 2012 META-INF/MANIFEST.MF
>>
>> [entry was signed on 2/9/12 1:59 PM]
>> X.509, CN=SRIKAR, O=SMI, OU=BGR, ST=KAR, C=IN, UID=srikar,
>> EMAILADDRESS=srikar.sagi at sun.com (srikarcert)
>> [certificate expired on 10/14/03 7:10 AM]
>> [CertPath not validated: timestamp check failed]
>>
>> 323 Thu Feb 09 13:59:26 PST 2012 META-INF/SRIKARCE.SF
>> 2786 Thu Feb 09 13:59:26 PST 2012 META-INF/SRIKARCE.RSA
>> 0 Thu Feb 09 13:59:24 PST 2012 META-INF/
>> smk 4448 Thu Feb 09 13:59:12 PST 2012 CheckJarEntries.class
>>
>> [entry was signed on 2/9/12 1:59 PM]
>> X.509, CN=SRIKAR, O=SMI, OU=BGR, ST=KAR, C=IN, UID=srikar,
>> EMAILADDRESS=srikar.sagi at sun.com (srikarcert)
>> [certificate expired on 10/14/03 7:10 AM]
>> [CertPath not validated: timestamp check failed]
>>
>>
>> s = signature was verified
>> m = entry is listed in manifest
>> k = at least one certificate was found in keystore
>> i = at least one certificate was found in identity scope
>>
>> jar verified.
>>
>> Warning:
>> This jar contains entries whose signer certificate has expired.
>> This jar contains entries whose certificate chain is not validated.
>>
>
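
An added example, not part of the thread and not the JDK's own code: it shows the two distinct failure messages Sean suggests and how the reference time (the signature timestamp when one exists, otherwise the current time) changes the outcome for the jars discussed above. The class name, the helper methods, the reference-time policy and every date not quoted in the bug report are assumptions made for illustration.

```java
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.time.Instant;

public class ValidityCheckDemo {

    // Hypothetical helper: same window test as X509Certificate.checkValidity(Date),
    // applied to bare notBefore/notAfter values so no certificate file is needed.
    static void checkValidity(Instant notBefore, Instant notAfter, Instant at)
            throws CertificateNotYetValidException, CertificateExpiredException {
        if (at.isBefore(notBefore)) {
            throw new CertificateNotYetValidException("certificate not yet valid");
        }
        if (at.isAfter(notAfter)) {
            throw new CertificateExpiredException("certificate expired");
        }
    }

    // Assumed policy: a trusted timestamp (tsaTime != null) fixes the reference time;
    // otherwise the check runs against the current time.
    static String verdict(Instant notBefore, Instant notAfter, Instant tsaTime, Instant now) {
        String basis = (tsaTime != null) ? "timestamp time" : "current time";
        Instant at = (tsaTime != null) ? tsaTime : now;
        try {
            checkValidity(notBefore, notAfter, at);
            return "valid at " + basis;
        } catch (CertificateNotYetValidException | CertificateExpiredException e) {
            return e.getMessage() + " at " + basis;
        }
    }

    public static void main(String[] args) {
        Instant now = Instant.now();
        // Dates from the bug report (UTC offsets assumed); notBefore is constructed.
        Instant nb = Instant.parse("2002-10-14T14:10:00Z");
        Instant na = Instant.parse("2003-10-14T14:10:00Z");
        Instant signed = Instant.parse("2012-02-09T21:59:26Z");
        System.out.println("bug report jar:        " + verdict(nb, na, signed, now));

        // Constructed case: signed while the certificate was valid, expired since.
        Instant nb2 = Instant.parse("2010-01-01T00:00:00Z");
        Instant na2 = Instant.parse("2011-01-01T00:00:00Z");
        Instant signed2 = Instant.parse("2010-06-01T00:00:00Z");
        System.out.println("old jar, timestamped:  " + verdict(nb2, na2, signed2, now));
        System.out.println("old jar, no timestamp: " + verdict(nb2, na2, null, now));
        // Constructed case: certificate whose validity starts after signing.
        System.out.println("early signature:       " + verdict(na2, now, signed2, now));
    }
}
```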