RFR: JDK-8234128 jarsigner will not show not-signed-by-alias warning if an intermediate cert is in this keystore
Jamil Nimeh
jnimeh at openjdk.java.net
Thu Apr 7 14:45:44 UTC 2022
On Tue, 8 Mar 2022 23:22:56 GMT, Mark Powers <duke at openjdk.java.net> wrote:
> https://bugs.openjdk.java.net/browse/JDK-8234128
>
> My initial attempt had too many bad side-effects. This latest fix only tries to suppress the warning message.
test/jdk/sun/security/tools/jarsigner/warnings/AliasNotInStoreTest2.java line 50:
> 48:
> 49: createAlias(CA_KEY_ALIAS, "-ext", "bc");
> 50: createAlias(FIRST_KEY_ALIAS);
Is this creating a 3-cert chain (signer -> intermediate -> trust anchor) or just a 2-cert chain (signer -> trust anchor)? I ask because the bug description specifies that it requires a missing signer alias but an intermediate CA being present (and I assume the TA as well). This looks like it's creating a 2-cert chain. From looking at the loop in intKeyStoreForOneSigner perhaps it doesn't matter and a 2-cert is just as good as a 3-cert chain.
-------------
PR: https://git.openjdk.java.net/jdk/pull/7751