NPE in jarsigner -verify for broken TSA
Weijun Wang
weijun.wang at oracle.com
Sat Jul 25 08:53:28 UTC 2020
Hi Bernd,
We've found out the problem inside JDK. There is a place where it takes for granted that a trusted chain can be built and then uses the output directly without checking for null. We'll most likely throw a SignatureException instead.
Is it still the same reason that the TSA server sometimes sends the full chain and sometimes not? This is quite interesting.
Thanks,
Max
> On Jul 25, 2020, at 3:03 PM, Bernd Eckenfels <ecki at zusammenkunft.net> wrote:
>
> Hello,
>
> Just a little update: after implementing a jarsigner -verify after each sign operation and retrying signatures when it fails, we could resolve the problem. When signing 50 jars, one or two failed with NullPointer and worked after an immediate retry.
>
> Gruss
> Bernd
> --
> https://bernd.eckenfels.net
>
>
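The defensive shape Max describes above (fail with a SignatureException when no trusted chain can be built for the TSA signer, rather than using a possibly-null result), as an added illustration that is not JDK code: the class and method names, and the `tsaCertStore`/`trustAnchors` inputs, are assumptions for this example.

```java
import java.security.GeneralSecurityException;
import java.security.SignatureException;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Set;

// Hypothetical helper, not part of jarsigner: builds the TSA signer's chain from the
// certificates carried in the timestamp token (which may or may not be the full chain).
final class TsaChainCheck {

    static List<X509Certificate> trustedTsaChain(X509Certificate tsaSigner,
                                                 CertStore tsaCertStore,
                                                 Set<TrustAnchor> trustAnchors)
            throws SignatureException {
        CertPath path;
        try {
            X509CertSelector target = new X509CertSelector();
            target.setCertificate(tsaSigner);
            PKIXBuilderParameters params = new PKIXBuilderParameters(trustAnchors, target);
            params.addCertStore(tsaCertStore);   // intermediates from the token, possibly incomplete
            params.setRevocationEnabled(false);  // revocation is out of scope for this example
            path = CertPathBuilder.getInstance("PKIX").build(params).getCertPath();
        } catch (GeneralSecurityException e) {
            // CertPathBuilderException (no chain to a trust anchor), bad parameters, missing provider:
            // all surface as a signature failure instead of a NullPointerException further on.
            throw new SignatureException("Cannot build a trusted chain for the TSA signer: "
                    + e.getMessage(), e);
        }
        @SuppressWarnings("unchecked")
        List<X509Certificate> chain = (List<X509Certificate>) path.getCertificates();
        // The explicit check is the point of Max's fix: never hand a null/empty chain onward.
        if (chain == null || chain.isEmpty()) {
            throw new SignatureException("TSA certificate chain is empty");
        }
        return chain;
    }
}
```

A caller that verifies a signed jar would catch the SignatureException per jar, which also gives Bernd's verify-and-retry loop a clean failure to act on instead of a NullPointerException.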