code review request: 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp
Weijun Wang
weijun.wang at oracle.com
Mon Feb 27 07:00:15 UTC 2012
Hi All
Please take a look at this code change:
http://cr.openjdk.java.net/~weijun/7149012/webrev.00/
Jarsigner will not print a warning if the signer cert is expired but a
timestamp shows the jar was signed before the expiration date.
Another change is that the chainNotValidated flag now does not cover
hasExpiredCert and notYetValidCert anymore. The result is that when
trying to sign (or verify) with an expired cert, instead of the
duplicated and somewhat confusing

    The signer certificate has expired.
    The signer's certificate chain is not validated.

warnings, the user will only see

    The signer certificate has expired.

The user will still see the chainNotValidated warning if the CertPath is not
validated because of other reasons.
On the other hand, since these 3 flags share the same exit code (4),
users will not notice the exit code change when -strict is on.
There is no regression test added to the openjdk repository because it's
not easy to generate a timestamp with an old date. I have found an old
signed jar with a timestamp and signed by a now-expired cert. I will
include these binary files into the jdk/test/closed repository and the
test is a simple "jarsigner -verify -strict" call.
Thanks
Max
-------- Original Message --------
*Change Request ID*: 7149012
*Synopsis*: jarsigner needs not warn about cert expiration if the jar
has a TSA timestamp
=== *Description* ============================================================
If the cert used to sign a jar is expired, jarsigner will print out a
warning, and if -strict is specified, exits with an error. However, if
there is a TSA timestamp attached to the jar (and the timestamp is shown
to be before the expiration), it's completely valid and jarsigner should
not report any warning or error.
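
The behaviour described in the message above, as an added example that is not part of the original mail and is not jarsigner's source: a simplified Java model of which of the three flags are raised and what `-strict` returns. The class, method and parameter names are hypothetical, the dates are constructed, and it assumes the certificate's validity is judged at the TSA time when a (separately verified) timestamp is present.

```java
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;

// Added illustration: a simplified model of the warning logic described in the
// message, not jarsigner's code. Flag names and exit code 4 come from the message.
public class SignerWarningModel {
    static final int STRICT_EXIT = 4; // shared by the three flags, per the message

    // tsaTime == null means the jar carries no TSA timestamp.
    // Assumption: validity is judged at the timestamp when present, else at "now",
    // and the timestamp token itself has already been verified.
    static List<String> warnings(Instant notBefore, Instant notAfter,
                                 Instant tsaTime, Instant now,
                                 boolean chainFailedForOtherReason) {
        Instant ref = (tsaTime != null) ? tsaTime : now;
        List<String> flags = new ArrayList<>();
        if (ref.isAfter(notAfter)) flags.add("hasExpiredCert");
        if (ref.isBefore(notBefore)) flags.add("notYetValidCert");
        // No longer implied by the two validity flags above.
        if (chainFailedForOtherReason) flags.add("chainNotValidated");
        return flags;
    }

    static int exitCode(List<String> flags, boolean strict) {
        return (strict && !flags.isEmpty()) ? STRICT_EXIT : 0;
    }

    public static void main(String[] args) {
        // Constructed sample dates: cert valid 2009-2011, verification in 2012.
        Instant nb = Instant.parse("2009-01-01T00:00:00Z");
        Instant na = Instant.parse("2011-01-01T00:00:00Z");
        Instant now = Instant.parse("2012-02-27T00:00:00Z");
        Instant signedInTime = Instant.parse("2010-06-01T00:00:00Z");
        Instant signedLate = Instant.parse("2011-06-01T00:00:00Z");

        Object[][] cases = {
            {"expired, no timestamp", null, false},
            {"expired, timestamp before expiry", signedInTime, false},
            {"expired, timestamp after expiry", signedLate, false},
            {"timestamped in time, chain fails otherwise", signedInTime, true},
        };
        for (Object[] c : cases) {
            List<String> w = warnings(nb, na, (Instant) c[1], now, (Boolean) c[2]);
            System.out.println(c[0] + " -> " + w + ", -strict exit " + exitCode(w, true));
        }
    }
}
```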