code review request: 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp

Xuelei Fan Xuelei.Fan at Oracle.Com
Fri Mar 2 15:56:33 UTC 2012


Looks fine to me.

Thanks for the update.

Xuelei

On Mar 2, 2012, at 2:29 AM, Weijun Wang <weijun.wang at oracle.com> wrote:

> 
> 
> On 02/29/2012 11:32 PM, Xuelei Fan wrote:
>> So far, I only have a very minor comment:
>> 
>> The block from line 875 to 880 is a little overlapped with lines 884 to
>> 889. Is it possible to improve the code?
> 
> A flag added:
> 
>  http://cr.openjdk.java.net/~weijun/7149012/webrev.01/
> 
>> 
>> I'm not sure whether it is better to not-show the warning for
>> timestamped signatures with expired certificates. Need more time to
> 
> In this case, jarsigner would show
> 
>      [entry was signed on 10/24/03 4:18 PM]
>      [certificate is valid from 10/24/03 5:29 AM to 10/25/03 5:29 AM]
> 
> if -verbose -certs is specified, please note the *was* word. It just does not print a warning. Except for the "Will Expire in 6 Months" one, most warnings will be actual errors when loaded in Java Plug-in.
> 
>> understand the scenarios of time-stamping in JarSigner. Does the
>> validity of TSA certificate is also checked?
> 
> Yes, during the verification of the jar file, its info is included in the CodeSigner class.
> 
> Thanks
> Max
> 
>> 
>> Xuelei
>> 
>> On 2/27/2012 3:00 PM, Weijun Wang wrote:
>>> Hi All
>>> 
>>> Please take a look at this code change:
>>> 
>>> http://cr.openjdk.java.net/~weijun/7149012/webrev.00/
>>> 
>>> Jarsigner will not print a warning if the signer cert is expired but a
>>> timestamp shows the jar was signed before the expiration date.
>>> 
>>> Another change is that the chainNotValidated flag now does not cover
>>> hasExpiredCert and notYetValidCert anymore. The result is that when
>>> trying to sign (or verify) with an expired cert, instead of the
>>> duplicated and somewhat confusing
>>> 
>>> The signer certificate has expired.
>>> The signer's certificate chain is not validated.
>>> 
>>> warnings, user will only see
>>> 
>>> The signer certificate has expired.
>>> 
>>> User will still see the chainNotValidated warning if the CertPath is not
>>> validated because of other reasons.
>>> 
>>> On the other hand, since these 3 flags share the same exit code (4),
>>> users will not notice the exit code change when -strict is on.
>>> 
>>> There is no regression test added to the openjdk repository because it's
>>> not easy to generate a timestamp with an old date. I have found an old
>>> signed jar with a timestamp and signed by a now-expired cert. I will
>>> include these binary files into the jdk/test/closed repository and the
>>> test is a simple "jarsigner -verify -strict" call.
>>> 
>>> Thanks
>>> Max
>>> 
>>> -------- Original Message --------
>>> *Change Request ID*: 7149012
>>> 
>>> *Synopsis*: jarsigner needs not warn about cert expiration if the jar
>>> has a TSA timestamp
>>> 
>>> === *Description*
>>> ============================================================
>>> If the cert used to sign a jar is expired, jarsigner will print out a
>>> warning, and if -strict is specified, exits with an error. However, if
>>> there is a TSA timestamp attached to the jar (and the timestamp is shown
>>> to be before the expiration), it's completely valid and jarsigner should
>>> not report any warning or error.
>>> 
>> 



More information about the security-dev mailing list