jar signing and verification
Bernd Eckenfels
ecki at zusammenkunft.net
Thu Dec 3 11:50:47 UTC 2020
Hello,
It is a bit unfortunate but the JCE Codesigning Roots are not part of the cacerts file. They are hardcoded in the Oracle JDK and not present in OpenJDK as far as I understand it.
It is documented here that those CAs are not available for general deployments:
https://www.oracle.com/java/technologies/javase/getcodesigningcertificate.html
Regards
Bernd
--
http://bernd.eckenfels.net
________________________________
From: security-dev <security-dev-retn at openjdk.java.net> on behalf of Raj Arora <raj.arora.sw.eng at gmail.com>
Sent: Wednesday, December 2, 2020 8:29:28 PM
To: security-dev at openjdk.java.net <security-dev at openjdk.java.net>
Subject: jar signing and verification
Hi
In attempting to validate jar signing I am seeing warnings such as these, displaying "Invalid certificate chain":
-----------------------
>jarsigner -verify -certs bcprov-jdk15on-1.66.jar
s 606774 Sat Jul 04 15:48:42 EDT 2020 META-INF/MANIFEST.MF
>>> Signer
X.509, CN=Legion of the Bouncy Castle Inc., OU=Java Software Code Signing, O=Sun Microsystems Inc
[certificate expired on 4/25/20 3:00 AM]
X.509, CN=JCE Code Signing CA, OU=Java Software Code Signing, O=Sun Microsystems Inc, L=Palo Alto, ST=CA, C=US
[certificate expired on 4/25/20 3:00 AM]
[Invalid certificate chain: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
>>> Signer
X.509, CN=Legion of the Bouncy Castle Inc., OU=Java Software Code Signing, O=Oracle Corporation
[certificate is valid from 3/10/17 8:07 PM to 3/10/22 8:07 PM]
X.509, CN=JCE Code Signing CA, OU=Java Software Code Signing, O=Oracle Corporation
[certificate is valid from 7/6/16 7:48 PM to 12/30/30 7:00 PM]
[Invalid certificate chain: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
-----------------------
jarsigner -keystore ...\jre\lib\security\cacerts -verify -verbose -certs bcprov-jdk15on-1.66.jar >out.txt
s 606774 Sat Jul 04 15:48:42 EDT 2020 META-INF/MANIFEST.MF
X.509, CN=Legion of the Bouncy Castle Inc., OU=Java Software Code Signing, O=Sun Microsystems Inc
[certificate expired on 4/25/20 3:00 AM]
X.509, CN=JCE Code Signing CA, OU=Java Software Code Signing, O=Sun Microsystems Inc, L=Palo Alto, ST=CA, C=US
[certificate expired on 4/25/20 3:00 AM]
[CertPath not validated: Path does not chain with any of the trust anchors]
[entry was signed on 7/4/20 1:48 AM]
X.509, CN=Legion of the Bouncy Castle Inc., OU=Java Software Code Signing, O=Oracle Corporation
[certificate is valid from 3/10/17 8:07 PM to 3/10/22 8:07 PM]
X.509, CN=JCE Code Signing CA, OU=Java Software Code Signing, O=Oracle Corporation
[certificate is valid from 7/6/16 7:48 PM to 12/30/30 7:00 PM]
[CertPath not validated: Path does not chain with any of the trust anchors]
-----------------------
Why do we get warnings of "Invalid certificate chain"?
(I do not believe it's related to the expired warning as I see newer jars exhibiting the same outcome without an expired notice)
Is the jar incorrectly signed, or is the required chain simply not found in cacerts, and if so, why is it not there? I do see that at the end of the listing it says "jar verified".
The samples in
https://docs.oracle.com/en/java/javase/15/docs/specs/man/jarsigner.html#errors-and-warnings
seem to show a fully validated chain.
thanks
Raj