Jar's CodeSigner null on Java 10, non-null on Java 8
Bernd Eckenfels
ecki at zusammenkunft.net
Fri Oct 5 21:56:39 UTC 2018
What are the hashes, signature algorithms and key sizes? Maybe one of the newer security properties is turning those off? Does it have a timestamp?
Regards
Bernd
--
http://bernd.eckenfels.net
________________________________
From: -2123340816m on behalf of
Sent: Friday, October 5, 2018 10:13 PM
To: security-dev at openjdk.java.net
Subject: Jar's CodeSigner null on Java 10, non-null on Java 8
Excuse me if this isn’t the right place to ask this.
I’ve been trying to debug something related to verifying that a class was signed with a particular certificate. The certificate is self-signed and long expired, if that makes a difference.
I have the following code to check the signature:
import java.security.CodeSigner;
import java.security.CodeSource;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.Arrays;

public class SignerCheck {
    // ourKey: the encoded public key of the certificate used to sign the jar
    // (declared here so the method compiles; the post only describes it)
    private static byte[] ourKey;

    private static boolean signedByMe(Class<?> c) {
        ProtectionDomain protectionDomain = c.getProtectionDomain();
        if (protectionDomain == null) return false;
        CodeSource codeSource = protectionDomain.getCodeSource();
        if (codeSource == null) return false;
        // null when the runtime recorded no accepted signer for this code source
        CodeSigner[] codeSigners = codeSource.getCodeSigners();
        if (codeSigners != null) {
            for (CodeSigner cs : codeSigners) {
                // walk each signer's certificate chain and compare encoded public keys
                for (Certificate cp : cs.getSignerCertPath().getCertificates()) {
                    byte[] sigKey = cp.getPublicKey().getEncoded();
                    if (Arrays.equals(sigKey, ourKey)) {
                        return true;
                    }
                }
            }
        }
        return false;
    }
}
(ourKey is the byte[] of the public key of the certificate used to sign the jar)
On Java 8 this works fine.
On Java 10.0.2 codeSigners is null.
If I run with -Djava.security.debug=jar the output indicates that the classes are signed in both cases.
Is this a bug or a specific change to how the expired certificate is handled?
Regards,
Scott
(please include me in replies, I’m not subscribed to the list)
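A small diagnostic that answers the questions raised above directly from the jar: the digest names recorded in the manifest, each accepted signer's signature algorithm, key algorithm and RSA key size, the certificate's expiry, whether a timestamp is attached, and the jdk.jar.disabledAlgorithms security property this runtime applies. This is an added example, not code from either poster; it assumes the jar path is passed as the first command-line argument.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Collections;
import java.util.jar.Attributes;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.Manifest;

public class JarSignerReport {
    public static void main(String[] args) throws Exception {
        // Algorithms this runtime refuses for jar signatures; a jar signed with one of
        // them verifies as unsigned, so getCodeSigners() comes back null.
        System.out.println("jdk.jar.disabledAlgorithms = "
                + Security.getProperty("jdk.jar.disabledAlgorithms"));
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(args[0], true)) {   // true = verify signatures
            Manifest mf = jar.getManifest();
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signers are only attached once the entry has been read to the end.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { }
                }
                // Digest algorithms recorded for this entry in the manifest (e.g. SHA-256-Digest)
                StringBuilder digests = new StringBuilder();
                Attributes a = mf == null ? null : mf.getAttributes(e.getName());
                if (a != null) for (Object k : a.keySet())
                    if (k.toString().endsWith("-Digest")) digests.append(k).append(' ');
                CodeSigner[] signers = e.getCodeSigners();
                System.out.println(e.getName() + " digests=[" + digests.toString().trim()
                        + "] signers=" + (signers == null ? "null" : signers.length));
                if (signers == null) continue;
                for (CodeSigner cs : signers) {
                    X509Certificate c = (X509Certificate) cs.getSignerCertPath().getCertificates().get(0);
                    String key = c.getPublicKey().getAlgorithm();
                    if (c.getPublicKey() instanceof RSAPublicKey)
                        key += "/" + ((RSAPublicKey) c.getPublicKey()).getModulus().bitLength() + " bits";
                    System.out.println("  " + c.getSubjectX500Principal() + " sigAlg=" + c.getSigAlgName()
                            + " key=" + key + " notAfter=" + c.getNotAfter() + " timestamp="
                            + (cs.getTimestamp() == null ? "none" : cs.getTimestamp().getTimestamp()));
                }
            }
        }
    }
}
```

Running it under both JDKs shows whether the signer list differs because of the algorithms in use rather than the class-loading path; a tampered entry throws SecurityException while being read.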