Jar's CodeSigner null on Java 10, non-null on Java 8

Sean Mullan sean.mullan at oracle.com
Fri Oct 5 19:52:45 UTC 2018


On what version of Java 8 does it work?

I am not sure what the problem is without additional information.

Also, have you tried running with -Djava.security.debug=all? Did 
anything unusual (exceptions, etc) get logged?

I would also suggest filing a bug with a reproducible test case, if 
possible: https://bugreport.java.com/bugreport/

--Sean

On 10/5/18 12:00 PM, Scott Palmer wrote:
> Excuse me if this isn’t the right place to ask this.
> 
> I’ve been trying to debug something related to verifying that a class was signed with a particular certificate.  The certificate is self-signed and long expired, if that makes a difference.
> 
> I have the following code to check the signature:
> 
> 	import java.security.CodeSigner;
> 	import java.security.CodeSource;
> 	import java.security.ProtectionDomain;
> 	import java.security.cert.Certificate;
> 	import java.util.Arrays;
> 
> 	// ourKey: X.509-encoded public key of the certificate used to sign the jar
> 	private static boolean signedByMe(Class<?> c) {
> 		ProtectionDomain protectionDomain = c.getProtectionDomain();
> 		if ( protectionDomain == null ) return false;
> 		CodeSource codeSource = protectionDomain.getCodeSource();
> 		if ( codeSource == null ) return false;
> 		// null when the JDK treats the class's jar entry as unsigned
> 		CodeSigner[] codeSigners = codeSource.getCodeSigners();
> 		if (codeSigners != null) {
> 			for (CodeSigner cs : codeSigners) {
> 				for (Certificate cp : cs.getSignerCertPath().getCertificates()) {
> 					byte[] sigKey = cp.getPublicKey().getEncoded();
> 					if (Arrays.equals(sigKey, ourKey)) {
> 						return true;
> 					}
> 				}
> 			}
> 		}
> 		return false;
> 	}
> 
> (ourKey is the byte[] of the public key of the certificate used to sign the jar)
> 
> On Java 8 this works fine.
> 
> On Java 10.0.2 codeSigners is null.
> 
> If I run with -Djava.security.debug=jar the output indicates that the classes are signed in both cases.
> 
> Is this a bug or a specific change to how the expired certificate is handled?
> 
> Regards,
> 
> Scott
> (please include me in replies, I’m not subscribed to the list)
> 
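An added diagnostic, not part of this thread, that performs the same signer check as signedByMe but directly on the jar through JarFile, so it can be run under Java 8 and Java 10 side by side to see which signers each JDK accepts per class entry. It assumes the jar path and the signing certificate file (DER or PEM, standing in for ourKey) are passed as the two command-line arguments.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Hypothetical diagnostic: report which signers the running JDK accepts for each class in a jar. */
public class JarSignerCheck {

    public static void main(String[] args) throws Exception {
        // args[0]: the signed jar; args[1]: the signing certificate, standing in for "ourKey"
        byte[] ourKey;
        try (InputStream in = new FileInputStream(args[1])) {
            ourKey = CertificateFactory.getInstance("X.509").generateCertificate(in).getPublicKey().getEncoded();
        }
        // verify=true makes JarFile check the signature of each entry as its bytes are read
        try (JarFile jar = new JarFile(args[0], true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (!entry.getName().endsWith(".class")) continue;
                // getCodeSigners() is only populated after the entry has been fully read and verified
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    // Same condition seen via CodeSource.getCodeSigners(): the JDK treats the entry as unsigned
                    System.out.println(entry.getName() + ": UNSIGNED (no accepted signer)");
                    continue;
                }
                for (CodeSigner cs : signers) {
                    for (Certificate cert : cs.getSignerCertPath().getCertificates()) {
                        PublicKey key = cert.getPublicKey();
                        String subject = (cert instanceof X509Certificate)
                                ? ((X509Certificate) cert).getSubjectX500Principal().getName() : "(non-X.509)";
                        System.out.printf("%s: signer=%s keyAlg=%s matchesOurKey=%b%n",
                                entry.getName(), subject, key.getAlgorithm(), Arrays.equals(key.getEncoded(), ourKey));
                    }
                }
            }
        }
    }
}
```

Running it together with -Djava.security.debug=jar shows whether an entry reported as unsigned here coincides with a signature the JDK logged as verified or rejected.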



More information about the security-dev mailing list