NPE in jarsigner -verify for broken TSA

Bernd ecki at zusammenkunft.net
Fri Jul 17 17:54:48 UTC 2020


Hello,

I currently have intermittent errors with code signing by Sectigo. Some
signed JARs will cause a NullPointerException in jarsigner -verify:

"C:\Program Files\Java\jdk-14.0.2\bin\jarsigner.exe" -verify -debug adapter.deployment.util-1.95.0.jar
Command line args: [-verify, -debug, adapter.deployment.util-1.95.0.jar]
jarsigner: java.lang.NullPointerException
java.lang.NullPointerException
        at java.base/sun.security.pkcs.SignerInfo.getTimestamp(SignerInfo.java:568)
        at java.base/sun.security.util.SignatureFileVerifier.getSigners(SignatureFileVerifier.java:728)
        at java.base/sun.security.util.SignatureFileVerifier.processImpl(SignatureFileVerifier.java:300)
        at java.base/sun.security.util.SignatureFileVerifier.process(SignatureFileVerifier.java:268)
        at java.base/java.util.jar.JarVerifier.processEntry(JarVerifier.java:316)
        at java.base/java.util.jar.JarVerifier.update(JarVerifier.java:230)
        at java.base/java.util.jar.JarFile.initializeVerifier(JarFile.java:759)
        at java.base/java.util.jar.JarFile.getInputStream(JarFile.java:840)
        at jdk.jartool/sun.security.tools.jarsigner.Main.verifyJar(Main.java:698)
        at jdk.jartool/sun.security.tools.jarsigner.Main.run(Main.java:264)
        at jdk.jartool/sun.security.tools.jarsigner.Main.main(Main.java:118)

(this is the java.net 14 GA release; it also happens on Zulu 8)

Looking at the code, this seems to be a TS validation error suppressed
internally. And indeed, if I try to validate the timestamp in the PKCS7
SECTIGO_.RSA file (with BouncyCastle), it tells me that it looks like the
TSA has provided the wrong certificate.

This is of course something I need to check with Sectigo (does anybody have
the same experience?).

However there are two questions:

a) Should jarsigner, when signing with a TSA, do some validation, especially
of the received timestamp object? (I can't try a different jarsigner for
signing due to the isolated sign server; I think the version that created the
signature is Java 8.)

b) Should the TS validation in jarsigner -verify either be ignored/skipped
(in some other places it looks like the same exception is already caught
and ignored), or should it throw a more qualified error than an NPE (in
-strict mode)?

Regards
Bernd

BC Test Code:

https://gist.github.com/ecki/42aaa3a8621344c1cd0034c440a73400


Failed Sectigo Signature:

SECTIGO_.RSA:
https://mft.seeburger.de:443/portal-seefx/~public/ZjgwNzgxNWItZGE5MC00MWU2LWFkYWUtOWNkNzkwMTdmODI5?download

(I can share the test JAR privately only)

BC Test Result (failed):

TS validating sig file: SECTIGO_.RSA
Signature has 3 certs.
Has 1 signers
Has 1 timestamps
TS Signer: C=GB,ST=Greater Manchester,L=Salford,O=Sectigo Limited,CN=Sectigo RSA Time Stamping CA
TS generated: Fri Jul 17 15:43:20 CEST 2020
Checking C=GB,ST=Greater Manchester,L=Salford,O=Sectigo Limited,CN=Sectigo RSA Time Stamping Signer #1 <- C=GB,ST=Greater Manchester,L=Salford,O=Sectigo Limited,CN=Sectigo RSA Time Stamping CA
Failed org.bouncycastle.tsp.TSPValidationException: signature not created by certificate.
        at org.bouncycastle.tsp.TimeStampToken.validate(Unknown Source)
        at net.eckenfels.test.jartest.JarTimestampChecker.main(JarTimestampChecker.java:87)

(I tested with a signature from Comodo and the test program worked)
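The check the post describes, as an added example: this is not the author's gist and not OpenJDK code. It reads a JAR signature block (META-INF/*.RSA, a DER PKCS#7/CMS SignedData) with BouncyCastle (bcprov and bcpkix on the classpath are assumed), pulls each RFC 3161 token out of the id-aa-signatureTimeStampToken unsigned attribute, checks that the message imprint is the hash of the SignerInfo signature value, and then calls TimeStampToken.validate() against the TSA certificate found in the token. A TSA that returned a certificate not matching the token's signature fails with TSPValidationException, which the program reports as a named failure and a non-zero exit code rather than as a NullPointerException. The class name, output format and the fallback of searching the outer block for the TSA certificate are this example's own choices.

```java
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.Security;
import java.util.Collection;

import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.cms.AttributeTable;
import org.bouncycastle.asn1.cms.ContentInfo;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.DigestCalculator;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import org.bouncycastle.tsp.TSPValidationException;
import org.bouncycastle.tsp.TimeStampToken;
import org.bouncycastle.tsp.TimeStampTokenInfo;
import org.bouncycastle.util.Arrays;

/** Example (not OpenJDK code): validates RFC 3161 timestamps in a JAR signature block. */
public final class JarTimestampCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java JarTimestampCheck META-INF/SIGNER.RSA");
            System.exit(2);
        }
        Security.addProvider(new BouncyCastleProvider());

        // The .RSA file is a PKCS#7 SignedData whose content (the .SF file) is detached.
        // The detached content is not needed here: the timestamp covers the signature bytes.
        CMSSignedData block = new CMSSignedData(Files.readAllBytes(Paths.get(args[0])));
        int failures = 0;
        for (SignerInformation signer : block.getSignerInfos().getSigners()) {
            failures += checkSigner(block, signer);
        }
        System.exit(failures == 0 ? 0 : 1);
    }

    /** Returns the number of timestamp tokens on this signer that failed validation. */
    static int checkSigner(CMSSignedData block, SignerInformation signer) throws Exception {
        AttributeTable unsigned = signer.getUnsignedAttributes();
        Attribute tsAttr = unsigned == null
                ? null : unsigned.get(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken);
        if (tsAttr == null) {
            System.out.println("signer " + signer.getSID().getSerialNumber() + ": no timestamp");
            return 0;
        }
        int failures = 0;
        ASN1Set values = tsAttr.getAttrValues();
        for (int i = 0; i < values.size(); i++) {
            TimeStampToken token = new TimeStampToken(ContentInfo.getInstance(values.getObjectAt(i)));
            TimeStampTokenInfo info = token.getTimeStampInfo();
            System.out.println("timestamp " + info.getGenTime() + " by " + token.getSID().getIssuer()
                    + " serial " + token.getSID().getSerialNumber());

            // 1. The message imprint must be the hash (in the token's own algorithm) of the
            //    SignerInfo signature value; otherwise the token timestamps something else.
            DigestCalculator dc = new JcaDigestCalculatorProviderBuilder().setProvider("BC")
                    .build().get(info.getHashAlgorithm());
            try (OutputStream os = dc.getOutputStream()) {
                os.write(signer.getSignature());
            }
            if (!Arrays.constantTimeAreEqual(dc.getDigest(), info.getMessageImprintDigest())) {
                System.out.println("  FAIL: message imprint does not match the signature value");
                failures++;
                continue;
            }

            // 2. Locate the TSA signing certificate by the token's SignerId: first among the
            //    certificates carried in the token, then (example's choice) in the outer block.
            Collection<X509CertificateHolder> matches = token.getCertificates().getMatches(token.getSID());
            if (matches.isEmpty()) {
                matches = block.getCertificates().getMatches(token.getSID());
            }
            if (matches.isEmpty()) {
                System.out.println("  FAIL: TSA certificate not found in token or signature block");
                failures++;
                continue;
            }
            X509CertificateHolder tsaCert = matches.iterator().next();
            System.out.println("  TSA cert: " + tsaCert.getSubject());

            // 3. validate() verifies the token's CMS signature with tsaCert and checks, among other
            //    things, the ESSCertID binding and the id-kp-timeStamping extended key usage.
            //    A TSA that returned a certificate not matching its signature fails here with
            //    "signature not created by certificate" rather than with a NullPointerException.
            try {
                token.validate(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(tsaCert));
                System.out.println("  OK");
            } catch (TSPValidationException e) {
                System.out.println("  FAIL: " + e.getMessage());
                failures++;
            }
        }
        return failures;
    }
}
```

Extract the block with `unzip -p some.jar 'META-INF/*.RSA' > SIGNER.RSA` and run the class on it. The example deliberately stops at token validation: it does not chain the TSA certificate to a trust anchor or check revocation, which a -strict style verifier would still need to do after this check passes.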