1st round RFR 8191438: jarsigner should print when a timestamp will expire
Sean Mullan
sean.mullan at oracle.com
Wed Dec 6 21:01:11 UTC 2017
When signing, I think we should always print when the timestamp will
expire, even if it is 10 years from now. For the warning, I would bump
it up 6 months to a year. (It could potentially be more than this - a
fresh timestamp ideally should be good for > 5 years in my opinion).
Perhaps we don't warn when signing - just make it informational. But
only warn when verifying.
Just some quick thoughts -- I'll think about it some more.
--Sean
On 12/5/17 4:35 AM, Weijun Wang wrote:
> Hi All
>
> Please take a look at http://cr.openjdk.java.net/~weijun/8191438/webrev.00/. Regression tests not added yet. I'd like to hear your comments on the output format.
>
> Major changes:
>
> 1. New flags hasExpiringTsaCert and hasExpiredTsaCert for TSA cert chain. They are set and used similar to flags for the signer cert chain. Note that there is no notYetValidTsaCert, which I think is not very useful, and it's already covered by CertPath validation.
>
> 2. No more validity check on trusted certs in printCert(), since CertPath validation also does not check validity of trust anchors.
>
> 3. Break getAliasInfo() into 2 parts: getAliasInfo() and showAliasInfo(). showAliasInfo() will set flags and show extra info if -verbose after jar is signed.
>
> The expiration date for all signer and TSA cert chains are shown when -verbose -certs are provided. Warning is only shown when expiration date (for either cert chain) is near.
>
> An example:
>
> $ jarsigner ... a.jar a -tsa http://localhost:8080/time=2017-11-20T00:00:00Z -verbose
> requesting a signature timestamp
> TSA location: http://localhost:8080/time=2017-11-20T00:00:00Z
> updating: META-INF/A.SF
> updating: META-INF/A.RSA
> signing: ks
>
> >>> Signer
> X.509, CN=a
> [certificate is valid from 11/5/17, 12:27 PM to 12/10/17, 12:27 PM]
> X.509, CN=ca
> [trusted certificate]
> >>> TSA
> X.509, CN=ts
> [certificate will expire on 12/15/17, 12:27 PM]
> X.509, CN=ca
> [trusted certificate]
>
> jar signed.
>
> Warning:
> The timestamp will expire within six months on 2017-12-15.
> c $ jarsigner ... a.jar -verify -verbose:grouped -certs
>
> s k 145 Tue Dec 05 10:23:46 CST 2017 META-INF/MANIFEST.MF
>
> [entry was signed on 11/20/17, 8:00 AM]
> >>> Signer
> X.509, CN=a (a)
> [certificate is valid from 11/5/17, 12:27 PM to 12/10/17, 12:27 PM]
> X.509, CN=ca (ca)
> [trusted certificate]
> >>> TSA
> X.509, CN=ts
> [certificate will expire on 12/15/17, 12:27 PM]
> X.509, CN=ca (ca)
> [trusted certificate]
>
> 307 Tue Dec 05 12:27:08 CST 2017 META-INF/A.SF
> 3811 Tue Dec 05 12:27:08 CST 2017 META-INF/A.RSA
>
> (Signature related entries)
>
> 0 Tue Dec 05 10:23:42 CST 2017 META-INF/
>
> (Unsigned entries)
>
> smk 8364 Tue Dec 05 10:23:00 CST 2017 ks
>
> [entry was signed on 11/20/17, 8:00 AM]
> >>> Signer
> X.509, CN=a (a)
> [certificate is valid from 11/5/17, 12:27 PM to 12/10/17, 12:27 PM]
> X.509, CN=ca (ca)
> [trusted certificate]
> >>> TSA
> X.509, CN=ts
> [certificate will expire on 12/15/17, 12:27 PM]
> X.509, CN=ca (ca)
> [trusted certificate]
>
>
> s = signature was verified
> m = entry is listed in manifest
> k = at least one certificate was found in keystore
>
> - Signed by "CN=a"
> Digest algorithm: SHA-256
> Signature algorithm: SHA256withRSA, 2048-bit key
> Timestamped by "CN=ts" on Mon Nov 20 00:00:00 UTC 2017
> Timestamp digest algorithm: SHA-256
> Timestamp signature algorithm: SHA256withRSA, 2048-bit key
>
> jar verified.
>
> Warning:
> The timestamp will expire within six months on 2017-12-15.
>
> Thanks
> Max
>
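As an added illustration of the flag and message logic the thread discusses (this is example code, not part of the webrev or of jarsigner), the following models the TSA chain with a stand-in CertInfo record instead of X509Certificate, assumes a roughly six-month warning window, and applies Sean's suggestion of an informational line when signing versus a warning when verifying; the wording of the "expired" message is an assumption, since the thread shows no output for that case.

```java
import java.time.Instant;
import java.time.LocalDate;
import java.time.ZoneOffset;
import java.time.temporal.ChronoUnit;
import java.util.List;

public class TsaExpiryCheck {
    // Stand-in for what jarsigner reads from each X509Certificate in the TSA chain.
    record CertInfo(String subject, Instant notAfter, boolean trustAnchor) {}
    // The two flags from the webrev plus the date the message prints.
    record TsaFlags(boolean hasExpiringTsaCert, boolean hasExpiredTsaCert, LocalDate earliestExpiry) {}

    // Assumed "six months" window; the thread discusses raising it to a year.
    static final long WARN_DAYS = 182;

    static TsaFlags check(List<CertInfo> tsaChain, Instant now) {
        boolean expiring = false, expired = false;
        LocalDate earliest = null;
        for (CertInfo c : tsaChain) {
            if (c.trustAnchor()) continue;  // item 2: trust anchors are not validity-checked
            LocalDate exp = c.notAfter().atZone(ZoneOffset.UTC).toLocalDate();
            if (earliest == null || exp.isBefore(earliest)) earliest = exp;
            if (c.notAfter().isBefore(now)) expired = true;
            else if (ChronoUnit.DAYS.between(now, c.notAfter()) <= WARN_DAYS) expiring = true;
        }
        return new TsaFlags(expiring, expired, earliest);
    }

    // Sean's suggestion: always print the date when signing, warn only when verifying.
    static String message(TsaFlags f, boolean verifying) {
        if (f.earliestExpiry() == null) return "";
        if (f.hasExpiredTsaCert()) return "Warning:\nThe timestamp expired on " + f.earliestExpiry() + ".";  // assumed wording
        if (!verifying) return "The timestamp will expire on " + f.earliestExpiry() + ".";
        if (f.hasExpiringTsaCert()) return "Warning:\nThe timestamp will expire within six months on " + f.earliestExpiry() + ".";
        return "";
    }

    public static void main(String[] args) {
        // Constructed sample modelled on the thread's output: CN=ts expires 12/15/17, CN=ca is the anchor.
        Instant now = Instant.parse("2017-12-05T00:00:00Z");
        List<CertInfo> chain = List.of(
            new CertInfo("CN=ts", Instant.parse("2017-12-15T12:27:00Z"), false),
            new CertInfo("CN=ca", Instant.parse("2027-01-01T00:00:00Z"), true));
        System.out.println(message(check(chain, now), false));  // informational line while signing
        System.out.println(message(check(chain, now), true));   // warning while verifying
    }
}
```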