RFR: 8330217: Spurious warning from jarsigner -verify when keystore with intermediate CA is used [v2]

Weijun Wang weijun at openjdk.org
Wed Jul 24 19:17:33 UTC 2024


On Wed, 24 Jul 2024 19:12:59 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> There is an error in `jarsigner` on the "This JAR contains signed entries that aren't signed by alias in this keystore" warning. The exit code is determined by [`notSignedByAlias`](https://github.com/openjdk/jdk/blob/0a60b0f99efb38d2cc97f3862ef95a0d26ba49a7/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java#L344) but the warning message is controlled by [`allAliasesFound`](https://github.com/openjdk/jdk/blob/0a60b0f99efb38d2cc97f3862ef95a0d26ba49a7/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java#L1183).
>> 
>> Also, inside the `inKeyStoreForOneSigner()` method, all certificates in a cert chain are used to determine whether the signer is in a keystore, and if any is inside, the JAR file is treated as being signed by an alias in this keystore. In fact, only the end-entity certificate (the first one in the chain) should be checked.
>> 
>> After the fix, the `allAliasesFound` field and the `SOME_ALIASES_NOT_FOUND` constant are useless and can be removed.
>
> Weijun Wang has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains three additional commits since the last revision:
> 
>  - Merge branch 'master' into 8330217
>  - aliasNotInStore not severe
>  - the fix

New commit pushed. `aliasNotInStore` is no longer considered a severe warning. This is reasonable because in the real world we should not expect the JAR file verifier to have the signer's key or certificate in their local keystore. As long as the root CA for the signer is in either `cacerts` or the local keystore, the verification should succeed with no severe warning.

The jarsigner man page will need to be updated.

A new `OutputAnalyzer::shouldContainOrderedSequence` method is added to ensure that a series of strings are contained inside the output in their order. There is an existing similar method, `shouldContainMultiLinePattern`, but it requires that the containing lines be consecutive. Therefore a new method is introduced.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/19701#issuecomment-2248730195
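The chain-matching defect described in the PR, modelled as an added Python example (this is not jarsigner's own Java code; the `Cert` class, aliases and fingerprint strings are constructed placeholders). The pre-fix check accepts a match against any certificate in the signer's chain, so a keystore that holds only the intermediate CA makes the JAR look "signed by an alias in this keystore"; the fixed check looks only at the end-entity certificate, which is the first element of the chain.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not a real cert)."""
    subject: str
    fingerprint: str  # placeholder identifier, not a real hash


# Constructed signer chain, ordered end-entity -> intermediate -> root,
# which is the order jarsigner sees in a signature block.
SIGNER_CHAIN = [
    Cert("CN=app-signer", "ee-0001"),
    Cert("CN=Example Intermediate CA", "ica-0001"),
    Cert("CN=Example Root CA", "root-0001"),
]

# Constructed keystores: alias -> certificate stored under that alias.
KEYSTORE_WITH_INTERMEDIATE_ONLY = {
    "intca": Cert("CN=Example Intermediate CA", "ica-0001"),
}
KEYSTORE_WITH_SIGNER = {
    "signer": Cert("CN=app-signer", "ee-0001"),
}
KEYSTORE_UNRELATED = {
    "other": Cert("CN=someone-else", "ee-0002"),
}


def _keystore_fingerprints(keystore):
    return {cert.fingerprint for cert in keystore.values()}


def in_keystore_any_cert(chain, keystore):
    """Pre-fix behaviour: the signer counts as 'in the keystore' if ANY
    certificate of its chain (including CA certs) is stored under an alias.
    An intermediate CA in the keystore therefore produces a false match."""
    known = _keystore_fingerprints(keystore)
    return any(cert.fingerprint in known for cert in chain)


def in_keystore_end_entity(chain, keystore):
    """Fixed behaviour: only the end-entity certificate (chain[0]) is
    compared against the keystore entries."""
    if not chain:
        return False
    return chain[0].fingerprint in _keystore_fingerprints(keystore)


def alias_warning(chain, keystore, check=in_keystore_end_entity):
    """Return the warning jarsigner would report for this signer, or None.
    The 'notSignedByAlias' condition is the negation of the keystore check;
    after the PR the warning is informational rather than severe."""
    not_signed_by_alias = not check(chain, keystore)
    if not_signed_by_alias:
        return {
            "warning": "This JAR contains signed entries that aren't signed "
                       "by alias in this keystore",
            "severe": False,
        }
    return None


if __name__ == "__main__":
    for name, ks in [("intermediate only", KEYSTORE_WITH_INTERMEDIATE_ONLY),
                     ("signer present", KEYSTORE_WITH_SIGNER),
                     ("unrelated", KEYSTORE_UNRELATED)]:
        print(f"{name:18s} pre-fix={in_keystore_any_cert(SIGNER_CHAIN, ks)!s:5s} "
              f"fixed={in_keystore_end_entity(SIGNER_CHAIN, ks)}")
```

Running the block shows the divergence only for the "intermediate only" keystore: the pre-fix check reports a match, the fixed check does not, and the resulting `aliasNotInStore` warning is non-severe, matching the updated exit-code behaviour described above.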