code review request: 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp

Weijun Wang weijun.wang at oracle.com
Mon Feb 27 07:00:15 UTC 2012


Hi All

Please take a look at this code change:

    http://cr.openjdk.java.net/~weijun/7149012/webrev.00/

Jarsigner will not print a warning if the signer cert is expired but a 
timestamp shows the jar was signed before the expiration date.

Another change is that the chainNotValidated flag now does not cover 
hasExpiredCert and notYetValidCert anymore. The result is that when 
trying to sign (or verify) with an expired cert, instead of the 
duplicated and somewhat confusing

    The signer certificate has expired.
    The signer's certificate chain is not validated.

warnings, the user will only see

    The signer certificate has expired.

The user will still see the chainNotValidated warning if the CertPath is not 
validated because of other reasons.

On the other hand, since these 3 flags share the same exit code (4), 
users will not notice the exit code change when -strict is on.

There is no regression test added to the openjdk repository because it's 
not easy to generate a timestamp with an old date. I have found an old 
signed jar with a timestamp and signed by a now-expired cert. I will 
include these binary files in the jdk/test/closed repository and the 
test is a simple "jarsigner -verify -strict" call.

Thanks
Max

-------- Original Message --------
*Change Request ID*: 7149012

*Synopsis*: jarsigner needs not warn about cert expiration if the jar 
has a TSA timestamp

=== *Description* ============================================================
If the cert used to sign a jar is expired, jarsigner will print out a 
warning, and if -strict is specified, exits with an error. However, if 
there is a TSA timestamp attached to the jar (and the timestamp is shown 
to be before the expiration), it's completely valid and jarsigner should 
not report any warning or error.
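
The flag behaviour described in the message above, modelled as an added example (not part of the original message and not jarsigner's own code). The flag names and exit code 4 come from the message; the function names, the `legacy` switch, the sample dates and the rule that a not-yet-valid check also uses the timestamp are assumptions.

```python
from datetime import datetime, timezone

STRICT_EXIT = 4  # exit code shared by the three flags, per the message above

def signer_flags(not_before, not_after, now, timestamp=None,
                 other_chain_failure=False, legacy=False):
    """Return the set of warning flags for one signer certificate.

    legacy=True models the behaviour the message describes as replaced:
    the timestamp is ignored and chainNotValidated also covers validity dates.
    """
    # Assumption: with a timestamp, validity is judged at signing time.
    ref = now if (legacy or timestamp is None) else timestamp
    flags = set()
    if ref > not_after:
        flags.add("hasExpiredCert")
    if ref < not_before:
        flags.add("notYetValidCert")
    # New behaviour: only failures unrelated to validity dates set this flag.
    if other_chain_failure or (legacy and flags):
        flags.add("chainNotValidated")
    return flags

def strict_exit_code(flags):
    """Exit code under -strict, modelling only these three flags."""
    return STRICT_EXIT if flags else 0

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample: cert valid 2009-2011, jar timestamped 2010, checked 2012.
CERT = (utc(2009, 1, 1), utc(2011, 1, 1))
NOW = utc(2012, 2, 27)
SIGNED = utc(2010, 6, 1)

if __name__ == "__main__":
    cases = [("expired, no timestamp", {}),
             ("expired, timestamp before expiry", {"timestamp": SIGNED}),
             ("expired, timestamp after expiry", {"timestamp": utc(2011, 6, 1)})]
    for label, kw in cases:
        for legacy in (True, False):
            f = signer_flags(*CERT, NOW, legacy=legacy, **kw)
            print(f"{label:34} legacy={legacy!s:5} {sorted(f)} "
                  f"exit={strict_exit_code(f)}")
```

In this model the untimestamped expired case keeps exit code 4 under both behaviours, while the timestamped case is the one where the -strict result changes from 4 to 0.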