<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">I made a simple test case that will either pass or fail depending on how I choose to launch with Java 10. <div class="">On the class path it works.</div><div class=""><div class="">On the module path AND the class path it works</div><div class="">On the module path executed with -m it fails.<br class=""></div><div class="">On the module path with another *specific but totally unrelated jar* AND the class path, run using fully-qualified class name it fails.</div><div class="">On the module path only with fully qualified class name the class can’t be found (this is inconsistent with the previous).</div><div class=""><br class=""></div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;" class=""><div class=""><div class=""># Run with Java 10.0.2</div><div class=""><br class=""></div><div class="">#DEBUG_OPT=-Djava.security.debug=all</div><div class="">#DEBUG_OPT=-Djava.security.debug=jar</div><div class=""><br class=""></div><div class=""># This works:</div><div class="">java --class-path SignTest.jar $DEBUG_OPT example.SignTest</div><div class=""><br class=""></div><div class=""># This works:</div><div class="">java --module-path SignTest.jar --class-path SignTest.jar $DEBUG_OPT example.SignTest</div><div class=""><br class=""></div><div class=""># This fails:</div><div class="">java --module-path SignTest.jar $DEBUG_OPT -m SignTest</div><div class=""><br class=""></div><div class=""># This fails:</div><div class="">java --module-path woodstox-core-asl-4.4.1.jar:SignTest.jar $DEBUG_OPT example.SignTest</div><div class=""><br class=""></div><div class=""># This can't find example.SignTest (Why not, given it can for the above?)</div><div class="">java --module-path SignTest.jar $DEBUG_OPT example.SignTest</div><div class=""><br class=""></div><div class=""># This 
fails:</div><div class="">java --module-path woodstox-core-asl-4.4.1.jar:SignTest.jar --class-path SignTest.jar $DEBUG_OPT example.SignTest</div></div><div class=""><br class=""></div><div class=""><br class=""></div></blockquote><div class=""><div>(Note that no classes from woodstox-core-asl-4.4.1.jar are needed, but its presence changes the behaviour.)</div><div><br class=""></div><div>Here is the code. It is the only class in SignTest.jar and that jar is signed with a newly created keypair using the default algorithm, no timestamps</div></div><div><br class=""></div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;" class=""><div class=""><div><div>package example;</div></div></div><div class=""><div><div><br class=""></div></div></div><div class=""><div><div>import java.security.CodeSigner;</div></div></div><div class=""><div><div>import java.security.CodeSource;</div></div></div><div class=""><div><div>import java.security.ProtectionDomain;</div></div></div><div class=""><div><div><br class=""></div></div></div><div class=""><div><div>public class SignTest {</div></div></div><div class=""><div><div><br class=""></div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>public static void main(String[] args) {</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>if (signedByUs(SignTest.class)) {</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>System.out.println("PASS");</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>} else {</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>System.out.println("FAIL");</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>}</div></div></div><div class=""><div><div><span class="Apple-tab-span" 
style="white-space:pre"> </span>}</div></div></div><div class=""><div><div><br class=""></div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>private static boolean signedByUs(Class<?> c) {</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>ProtectionDomain protectionDomain = c.getProtectionDomain();</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>if (protectionDomain == null) {</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>return false;</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>}</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>CodeSource codeSource = protectionDomain.getCodeSource();</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>if (codeSource == null) {</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>return false;</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>}</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>CodeSigner[] codeSigners = codeSource.getCodeSigners();</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>if (codeSigners != null) {</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>System.out.println(c.getName() + " is signed by something.");</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>return true;</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>} else {</div></div></div><div class=""><div><div><span 
class="Apple-tab-span" style="white-space:pre"> </span>System.out.println(c.getName() + " appears to be unsigned.");</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>return false;</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>}</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>}</div></div></div><div class=""><div><div>}</div></div></div></blockquote><div class=""><div><br class=""></div><div>It doesn’t make sense to me, but I am still getting used to modules, so perhaps I am missing something related to modules and security?</div><div><br class=""></div><div>Gradle code to build and sign:</div><div><br class=""></div></div></div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;" class=""><div class=""><div class=""><div><div>apply plugin: 'java'</div></div></div></div><div class=""><div><div><br class=""></div></div></div><div class=""><div><div>sourceCompatibility = '1.8'</div></div></div><div class=""><div><div>[compileJava, compileTestJava]*.options*.encoding = 'UTF-8'</div></div></div><div class=""><div><div><br class=""></div></div></div><div class=""><div><div>if (!hasProperty('mainClass')) {</div></div></div><div class=""><div><div> ext.mainClass = 'example.SignTest'</div></div></div><div class=""><div><div>}</div></div></div><div class=""><div><div><br class=""></div></div></div><div class=""><div><div>task makeCert() {</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>if (! 
new File("$projectDir/testKeystore").exists()) {</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>println "Creating new test keystore..."</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>project.exec {</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>commandLine 'keytool',</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>'-genkeypair',</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>'-noprompt',</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>'-keystore', "$projectDir/testKeystore",</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>'-keypass', 'testing',</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>'-storepass', 'testing',</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>'-dname', 'CN=Test, OU=Test, O=Test, L=Test, ST=Test, C=CA',</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>'-alias', 'test_alias'</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>}</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>} else {</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>println "Using existing keystore: 'testKeystore"</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>}</div></div></div><div class=""><div><div>}</div></div></div><div class=""><div><div><br class=""></div></div></div><div class=""><div><div>jar.dependsOn 
makeCert</div></div></div><div class=""><div><div><br class=""></div></div></div><div class=""><div><div>jar {</div></div></div><div class=""><div><div> manifest {</div></div></div><div class=""><div><div> attributes(</div></div></div><div class=""><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>'Main-Class' : mainClass</div></div></div><div class=""><div><div> )</div></div></div><div class=""><div><div> }</div></div></div><div class=""><div><div> doLast {</div></div></div><div class=""><div><div> println "Signing jar..."</div></div></div><div class=""><div><div> project.exec {</div></div></div><div class=""><div><div> commandLine = ['jarsigner',</div></div></div><div class=""><div><div> '-keystore', "$projectDir/testKeystore",</div></div></div><div class=""><div><div> '-storepass', 'testing',</div></div></div><div class=""><div><div> '-keypass', 'testing',</div></div></div><div class=""><div><div> jar.archivePath,</div></div></div><div class=""><div><div> 'test_alias'</div></div></div><div class=""><div><div> ]</div></div></div><div class=""><div><div> }</div></div></div><div class=""><div><div> }</div></div></div><div class=""><div><div>}</div><div><br class=""></div></div></div></blockquote><div class=""><div>Regards,</div><div><br class=""></div><div>Scott</div><div><br class=""><blockquote type="cite" class=""><div class="">On Oct 6, 2018, at 1:21 AM, Scott Palmer <<a href="mailto:swpalmer@gmail.com" class="">swpalmer@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="content-type" content="text/html; charset=utf-8" class=""><div dir="auto" class="">As is too often the case I discovered the difference while trying to isolate a test case. With Java 10 I had extra JVM args to deal with module path and that appeared to cause the problem. I’m not 100% sure what’s happening in my app, but the test case is working so there likely isn’t any issue to bother you guys about. Sorry. 
<br class=""><br class=""><div dir="ltr" class="">Scott</div><div dir="ltr" class=""><br class="">On Oct 6, 2018, at 12:24 AM, Scott Palmer <<a href="mailto:swpalmer@gmail.com" class="">swpalmer@gmail.com</a>> wrote:<br class=""><br class=""></div><blockquote type="cite" class=""><div dir="ltr" class=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><div class=""><span style="background-color: rgb(255, 255, 255);" class="">Sean asked:</span></div><span style="background-color: rgb(255, 255, 255);" class=""><pre class=""><blockquote type="cite" class="">On what version of Java 8 does it work?
<br class=""></blockquote></pre><pre class=""><font face="Helvetica" class="">Up to 8u181 at least.</font></pre><pre class=""></pre><blockquote type="cite" class=""><pre class="">I am not sure what the problem is without additional information.</pre><pre class=""><br class=""></pre></blockquote><pre class=""></pre><blockquote type="cite" class=""><pre class="">What do you need? I will try to sign something trivial with the same cert and create a test case for a bug report.
Also, have you tried running with -Djava.security.debug=all? Did
anything unusual (exceptions, etc) get logged?</pre></blockquote><pre class=""><font face="Helvetica" class="">No. All I notice is that on Java 10.0.2 it shows this (names sanitized for public consumption):</font></pre><pre class=""><font face="Courier New" class="">scl: getPermissions ProtectionDomain (file:/full/path/to/my/signed.jar <b class=""><no signer certificates></b>)<br class=""> jdk.internal.loader.ClassLoaders$AppClassLoader@57536d79<br class=""> <no principals><br class=""> java.security.Permissions@ba2f4ec (<br class=""> ("java.io.FilePermission” "/</font><span style="font-family: "Courier New";" class="">full/path/to/my/signed</span><font face="Courier New" class="">.jar" "read")<br class=""> ("java.lang.RuntimePermission" "exitVM")<br class="">)</font><br class=""><br class=""></pre><pre class=""><font face="Helvetica" class="">and on Java 8u181 it shows this:</font></pre><pre class=""><font face="Courier New" class="">scl: getPermissions ProtectionDomain (file:/full/path/to/my/signed.jar (Signer: [<br class="">[<br class=""> Version: V3<br class=""> Subject: CN=My Company Corp., OU=Development, O=My Company Corp., L=Markham, ST=Ontario, C=CA<br class=""> Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3<br class=""><br class=""> Key: Sun DSA Public Key<br class=""> Parameters:DSA<br class=""> p: fd7f5381 1d751229 52df4a9c 2eece4e7 f611b752 3cef4400 c31e3f80 b6512669<br class=""> 455d4022 51fb593d 8d58fabf c5f5ba30 f6cb9b55 6cd7813b 801d346f f26660b7<br class=""> 6b9950a5 a49f9fe8 047b1022 c24fbba9 d7feb7c6 1bf83b57 e7c6a8a6 150f04fb<br class=""> 83f6d3c5 1ec30235 54135a16 9132f675 f3ae2b61 d72aeff2 2203199d d14801c7<br class=""> q: 9760508f 15230bcc b292b982 a2eb840b f0581cf5<br class=""> g: f7e1a085 d69b3dde cbbcab5c 36b857b9 7994afbb fa3aea82 f9574c0b 3d078267<br class=""> 5159578e bad4594f e6710710 8180b449 167123e8 4c281613 b7cf0932 8cc8a6e1<br class=""> 3c167a8b 547c8d28 e0a3ae1e 2bb3a675 916ea37f 0bfa2135 62f1fb62 7a01243b<br 
class=""> cca4f1be a8519089 a883dfe1 5ae59f06 928b665e 807b5525 64014c3b fecf492a<br class=""><br class=""> y:<br class=""> 4d96a9d5 2b20f1f7 f12decd1 4b5ba0e8 4a98d40a 7d745661 b12f661f 84eae997<br class=""> 071d3619 308961f8 6879f76a 0feba11f e08a63fe b044441a fbd33b3c 30ba3e96<br class=""> e1ac938b bb19ec59 89422123 6b15ad53 ed33e791 a616a61e c6fda1d5 bf95657e<br class=""> 399bb7a1 2ae77ce1 d1806666 5d68c61a 80f967db 525e36c5 a011594a 382ca7aa<br class=""><br class=""> Validity: [From: Thu May 31 16:16:20 EDT 2012,<br class=""> To: Wed Aug 29 16:16:20 EDT 2012]<br class=""> Issuer: CN=</font><span style="font-family: "Courier New";" class="">My Company</span><font face="Courier New" class=""> Corp., OU=Development, O=</font><span style="font-family: "Courier New";" class="">My Company</span><font face="Courier New" class=""> Corp., L=Markham, ST=Ontario, C=CA<br class=""> SerialNumber: [ 4daa8ba0]<br class=""><br class="">Certificate Extensions: 1<br class="">[1]: ObjectId: 2.5.29.14 Criticality=false<br class="">SubjectKeyIdentifier [<br class="">KeyIdentifier [<br class="">0000: 89 81 49 B9 64 68 72 52 18 39 CE 77 97 7A E9 C9 ..I.dhrR.9.w.z..<br class="">0010: 0C C1 C0 5D ...]<br class="">]<br class="">]<br class=""><br class="">]<br class=""> Algorithm: [SHA1withDSA]<br class=""> Signature:<br class="">0000: 30 2C 02 14 3A FE E1 48 12 0A 02 86 D2 C2 17 56 0,..:..H.......V<br class="">0010: 98 88 76 B6 E7 10 C6 0B 02 14 7C 59 CC AF F6 8E ..v........Y....<br class="">0020: BF ED 27 59 42 E1 78 6E 5C 5E E6 E4 A7 53 ..'YB.xn\^...S<br class=""><br class="">]))<br class=""> sun.misc.Launcher$AppClassLoader@3d4eac69<br class=""> <no principals><br class=""> java.security.Permissions@5cb0d902 (<br class=""> ("java.io.FilePermission" "/full/path/to/my/signed.jar" "read")<br class=""> ("java.lang.RuntimePermission" "exitVM")<br class="">)</font><br class=""><br class=""></pre><pre class=""><blockquote type="cite" class="">
I would also suggest filing a bug with a reproducible test case, if
possible: <a href="https://bugreport.java.com/bugreport/" class="">https://bugreport.java.com/bugreport/</a>
</blockquote><pre class=""><font face="Helvetica" class="">I’ll try to put something together.</font></pre></pre><pre class=""><font face="Helvetica" class="">Bernd asked:</font></pre><pre class=""></pre></span><blockquote type="cite" class=""><span style="background-color: rgb(255, 255, 255);" class=""><div class=""><pre class="">What are the Hashes, signature algorithms and key Sizes? Maybe one of the newer security properties turning those off? Does it have a timestamp?</pre></div></span></blockquote><div class=""><br class=""></div><div class="">SHA1withDSA 1024 bit. There is no timestamp.</div><div class=""><br class=""></div><div class="">I checked the $JAVA_HOME/conf/security/java.security file and the key size and algorithm appear to be allowed. But there is a lot in there and I’m not 100% sure - What property are you thinking of? I did comment out two of the restrictions that I thought could be related even though they looked okay (jdk.certpath.disabledAlgorithms and jdk.jar.disabledAlgorithms) and it had no effect.</div><div class=""><br class=""></div><div class=""><br class=""></div><span style="background-color: rgb(255, 255, 255);" class="">*please include me in replies, I’m not subscribed to the list*</span><div class=""><span style="background-color: rgb(255, 255, 255);" class=""><br class=""></span></div><div class=""><span style="background-color: rgb(255, 255, 255);" class="">Regards,</span></div><div class=""><span style="background-color: rgb(255, 255, 255);" class=""><br class=""></span></div><div class=""><span style="background-color: rgb(255, 255, 255);" class="">Scott</span></div><div class=""><span style="background-color: rgb(255, 255, 255);" class=""><br class=""></span><div class=""><span style="background-color: rgb(255, 255, 255);" class=""><br class=""></span><div class=""><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;" class=""><pre style="background-color: rgb(255, 255, 255);" class="">Excuse me if this isn’t the 
right place to ask this.
I have the following code to check the signature:
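private static boolean signedByMe(Class<?> c) {
    ProtectionDomain protectionDomain = c.getProtectionDomain();
    if ( protectionDomain == null ) return false;
    CodeSource codeSource = protectionDomain.getCodeSource();
    if ( codeSource == null ) return false;
    CodeSigner[] codeSigners = codeSource.getCodeSigners();
    if (codeSigners != null) {
        // The two loops and the comparison are reconstructed; those lines are missing from the archived message.
        for (CodeSigner signer : codeSigners) {
            for (java.security.cert.Certificate cp : signer.getSignerCertPath().getCertificates()) {
                byte[] sigKey = cp.getPublicKey().getEncoded();
                // EXPECTED_KEY is a placeholder for the encoded public key being checked against.
                if (java.util.Arrays.equals(sigKey, EXPECTED_KEY)) {
                    return true;
                }
            }
        }
    }
    return false;
}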
On Java 8 this works fine.
On Java 10.0.2 codeSigners is null.
Is this a bug or a specific change to how the expired certificate is handled?
Regards,
</pre></blockquote></div></div></div></div></blockquote></div></div></blockquote></div><br class=""></div></body></html>