RFR: JDK-8234128 jarsigner will not show not-signed-by-alias warning if an intermediate cert is in this keystore

Jamil Nimeh jnimeh at openjdk.java.net
Thu Apr 7 14:45:44 UTC 2022

On Tue, 8 Mar 2022 23:22:56 GMT, Mark Powers <duke at openjdk.java.net> wrote:

> https://bugs.openjdk.java.net/browse/JDK-8234128
> My initial attempt had too many bad side-effects. This latest fix only tries to suppress the warning message.

test/jdk/sun/security/tools/jarsigner/warnings/AliasNotInStoreTest2.java line 50:

> 48: 
> 49:         createAlias(CA_KEY_ALIAS, "-ext", "bc");
> 50:         createAlias(FIRST_KEY_ALIAS);

Is this creating a 3-cert chain (signer -> intermediate -> trust anchor) or just a 2-cert chain (signer -> trust anchor)?  I ask because the bug description specifies that it requires a missing signer alias but an intermediate CA being present (and I assume the TA as well).  This looks like it's creating a 2-cert chain.  From looking at the loop in intKeyStoreForOneSigner perhaps it doesn't matter and a 2-cert is just as good as a 3-cert chain.


PR: https://git.openjdk.java.net/jdk/pull/7751

More information about the security-dev mailing list