jar signing and verification

Raj Arora raj.arora.sw.eng at gmail.com
Wed Dec 2 19:29:28 UTC 2020


Hi

In attempting to validate jar signing I am seeing warnings such as the
following, displaying "Invalid certificate chain":

-----------------------
>jarsigner -verify -certs bcprov-jdk15on-1.66.jar

s     606774 Sat Jul 04 15:48:42 EDT 2020 META-INF/MANIFEST.MF

      >>> Signer
      X.509, CN=Legion of the Bouncy Castle Inc., OU=Java Software Code
Signing, O=Sun Microsystems Inc
      [certificate expired on 4/25/20 3:00 AM]
      X.509, CN=JCE Code Signing CA, OU=Java Software Code Signing, O=Sun
Microsystems Inc, L=Palo Alto, ST=CA, C=US
      [certificate expired on 4/25/20 3:00 AM]
      [Invalid certificate chain: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target]

      >>> Signer
      X.509, CN=Legion of the Bouncy Castle Inc., OU=Java Software Code
Signing, O=Oracle Corporation
      [certificate is valid from 3/10/17 8:07 PM to 3/10/22 8:07 PM]
      X.509, CN=JCE Code Signing CA, OU=Java Software Code Signing,
O=Oracle Corporation
      [certificate is valid from 7/6/16 7:48 PM to 12/30/30 7:00 PM]
      [Invalid certificate chain: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target]

-----------------------
jarsigner -keystore ...\jre\lib\security\cacerts -verify -verbose -certs
bcprov-jdk15on-1.66.jar >out.txt


s     606774 Sat Jul 04 15:48:42 EDT 2020 META-INF/MANIFEST.MF

      X.509, CN=Legion of the Bouncy Castle Inc., OU=Java Software Code
Signing, O=Sun Microsystems Inc
      [certificate expired on 4/25/20 3:00 AM]
      X.509, CN=JCE Code Signing CA, OU=Java Software Code Signing, O=Sun
Microsystems Inc, L=Palo Alto, ST=CA, C=US
      [certificate expired on 4/25/20 3:00 AM]
      [CertPath not validated: Path does not chain with any of the trust
anchors]

      [entry was signed on 7/4/20 1:48 AM]
      X.509, CN=Legion of the Bouncy Castle Inc., OU=Java Software Code
Signing, O=Oracle Corporation
      [certificate is valid from 3/10/17 8:07 PM to 3/10/22 8:07 PM]
      X.509, CN=JCE Code Signing CA, OU=Java Software Code Signing,
O=Oracle Corporation
      [certificate is valid from 7/6/16 7:48 PM to 12/30/30 7:00 PM]
      [CertPath not validated: Path does not chain with any of the trust
anchors]

-----------------------



Why do we get warnings of "Invalid certificate chain"?

(I do not believe it's related to the expired warning as I see newer jars
exhibiting the same outcome without an expired notice)

Is the jar incorrectly signed, or is the required chain simply not found in
cacerts, and if so, why is it not there? I do see that at the end of the
listing it says "jar verified".

The samples in
https://docs.oracle.com/en/java/javase/15/docs/specs/man/jarsigner.html#errors-and-warnings
seem to show a fully validated chain.

thanks
Raj
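The chain check behind the warnings quoted above, written out as an added example that is not part of the original message and is not jarsigner's or Bouncy Castle's own code: the program opens the jar with verification enabled, reads each entry so that JarFile checks its digest and signature block, and then runs the signer's certificate path through the PKIX CertPathValidator against the trusted certificates in a keystore such as cacerts, which corresponds to the validation step whose failure jarsigner reports as "PKIX path building failed" or "Path does not chain with any of the trust anchors". It assumes Java 11 or later and the default cacerts password "changeit"; the class and method names are mine.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.Timestamp;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Replays, per signer, the PKIX chain check that jarsigner -verify performs:
 * the signer's CertPath is validated against the trusted certificates in a
 * keystore (normally $JAVA_HOME/lib/security/cacerts).
 *
 * Usage (hypothetical class name):
 *   java JarChainCheck some.jar $JAVA_HOME/lib/security/cacerts
 */
public class JarChainCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: JarChainCheck <jar> <truststore>");
            System.exit(2);
        }
        KeyStore trust = loadTrustStore(args[1]);

        // verify=true (the default) makes JarFile check each entry's digest
        // and the signature block as the entry is read.
        try (JarFile jar = new JarFile(args[0], true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                    continue;
                }
                // Signer information is only populated once the entry has
                // been read to the end, so drain it.
                try (InputStream in = jar.getInputStream(entry)) {
                    in.transferTo(OutputStream.nullOutputStream());
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    System.out.println("UNSIGNED  " + entry.getName());
                    continue;
                }
                for (CodeSigner signer : signers) {
                    System.out.println(entry.getName() + " -> " + describe(signer, trust));
                }
            }
        }
    }

    static KeyStore loadTrustStore(String path) throws Exception {
        // "changeit" is the stock cacerts password; adjust if the store was rekeyed.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, "changeit".toCharArray());
        }
        return ks;
    }

    /** Returns "chain OK ..." or the PKIX failure reason for one signer. */
    static String describe(CodeSigner signer, KeyStore trust) throws Exception {
        CertPath path = signer.getSignerCertPath();
        X509Certificate leaf = (X509Certificate) path.getCertificates().get(0);

        // Trust anchors are the trusted-certificate entries of the keystore.
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(false); // off here, as in jarsigner's default

        // If the signature carries a timestamp, judge validity at signing time;
        // this is why a signer certificate that expired later can still verify.
        Timestamp ts = signer.getTimestamp();
        Date when = ts != null ? ts.getTimestamp() : new Date();
        params.setDate(when);

        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return "chain OK for " + leaf.getSubjectX500Principal()
                 + " (validated at " + when + ")";
        } catch (CertPathValidatorException e) {
            // getReason() separates BasicReason.EXPIRED (a validity problem)
            // from PKIXReason.NO_TRUST_ANCHOR (no path to a trusted CA).
            return "chain FAILED for " + leaf.getSubjectX500Principal()
                 + ": " + e.getReason() + " - " + e.getMessage();
        }
    }
}
```

Reading the reason codes side by side is the useful part: with the validation date taken from the signature timestamp, an expiry that happened after signing does not by itself fail the chain, whereas a chain whose issuing CA has no trusted-certificate entry in the supplied keystore fails with NO_TRUST_ANCHOR regardless of dates. Running the same jar against a different keystore (the JDK's cacerts versus one with the CA imported as a trusted entry) shows which of the two conditions a given warning comes from.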