8172529: Use PKIXValidator in jarsigner

Weijun Wang weijun.wang at oracle.com
Tue Jan 17 02:09:20 UTC 2017

On 01/17/2017 01:26 AM, Xuelei Fan wrote:
> On 1/15/2017 5:42 PM, Weijun Wang wrote:
>> Sorry, wrong subject, resending.
>> On 01/16/2017 09:41 AM, Weijun Wang wrote:
>>> Please review the code change at
>>> http://cr.openjdk.java.net/~weijun/8172529/webrev.02
>>> The validator is updated to be a PKIXValidator of the
>>> Validator.VAR_CODE_SIGNING variant.
> What's the variant used by plugin? Is it VAR_PLUGIN_CODE_SIGNING?

Yes, it is.

> I'm asking because the behaviors of VAR_PLUGIN_CODE_SIGNING and
> VAR_CODE_SIGNING is a little bit different (See the use of
> PKIXValidator.plugin variable).

There is a small difference. If I read correctly, the different code 
allows Plugin to validate a chain anyway (even if there is no trust 
anchor) and then decide if the last cert can be trusted itself, most 
likely by showing a dialog and asking the user to decide.

In jarsigner, the certpath validation is used for showing warnings and 
the jar file is signed anyway. The warning is enough to alert the user 
and I do not intend to add a layer of user interaction here like in Plugin.

The major purpose of the fix is to detect a cross-signed certificate in 
the certchain. I should update the bug description.


> Xuelei
>>> In order to have the same output message and exit code as before,
>>> the ValidatorException thrown when validation fails is suppressed
>>> when there are existing error flags for several reasons.
>>> *jigsaw-dev*: The following change is made in
>>> java.base/module-info.java:
>>> +    exports sun.security.validator to +        jdk.jartool;
>>> Thanks Max

More information about the security-dev mailing list