RFR 8026393: jarsigner never shows a warning in badKeyUsage case

Weijun Wang weijun.wang at oracle.com
Thu Oct 17 07:00:12 UTC 2019

While verifying a signed jar, the signer certificate's KeyUsage and ExtendedKeyUsage extensions are treated differently. If the ExtendedKeyUsage extension does not allow code signing, the JarFile API will accept the signature (i.e. jarEntry.getCodeSigners() returns something), and then jarsigner will check the cert and print out a warning. If the KeyUsage extension does not allow code signing, the JarFile API will reject it directly and jarsigner will skip the certificate checking because the file is treated unsigned.

We used to think that we could treat them in the same manner. Two tests - BadExtendedKeyUsageTest.java[2] and BadKeyUsageTest.java[1] - were developed for this purpose, and BadKeyUsageTest.java is labeled @ignore (before we make the change).

My current opinion is we will not update the JarFile API for this, and will also keep the jarsigner behavior, i.e. if JarFile API think it's unsigned, we treat it unsigned and stop.

Thus one will never see the badKeyUsage warning at verification time. The fix to the issue will be simply -

   remove test/jdk/sun/security/tools/jarsigner/warnings/BadKeyUsageTest.java

I assume there is no need to post a webrev.

Please note that there will be no change to the jarsigner doc because the badKeyUsage warning is still possible when signing a file.


[1] https://hg.openjdk.java.net/jdk/jdk/file/d2108d9fc4f5/test/jdk/sun/security/tools/jarsigner/warnings/BadKeyUsageTest.java
[2] https://hg.openjdk.java.net/jdk/jdk/file/d2108d9fc4f5/test/jdk/sun/security/tools/jarsigner/warnings/BadExtendedKeyUsageTest.java

More information about the security-dev mailing list