<div dir="ltr"><div>I just found another case, when jarsigner correctly verifies a JAR with this sectigo signing I see two certificates in the TS record and one of them does validate. In the failed case only the CA cert seems to have been present in the list (see last mail and gist)<br></div><div><br></div><div>The signer certificate will expire on 2023-06-04.<br>The timestamp will expire on 2030-08-02.<br>TS validating sig file: D:\dev\wsBIS65\JavaCryptoTest\SECTIGO2.RSA<br>Signature has 3 certs.<br>Has 1 signers<br>Has 1 timestamps<br>TS Signer issuer: C=GB,ST=Greater Manchester,L=Salford,O=Sectigo Limited,CN=Sectigo RSA Time Stamping CA<br>TS generated: Mon Jul 13 16:10:10 CEST 2020<br>Checking C=GB,ST=Greater Manchester,L=Salford,O=Sectigo Limited,CN=Sectigo RSA Time Stamping Signer #1 <- C=GB,ST=Greater Manchester,L=Salford,O=Sectigo Limited,CN=Sectigo RSA Time Stamping CA<br><b>ok</b><br>Checking C=GB,ST=Greater Manchester,L=Salford,O=Sectigo Limited,CN=Sectigo RSA Time Stamping CA <- C=US,ST=New Jersey,L=Jersey City,O=The USERTRUST Network,CN=USERTrust RSA Certification Authority<br>Failed org.bouncycastle.tsp.TSPValidationException: certificate hash does not match certID hash.<br> at org.bouncycastle.tsp.TimeStampToken.validate(Unknown Source)<br> at net.eckenfels.test.jartest.JarTimestampChecker.main(JarTimestampChecker.java:88)</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Am Fr., 17. Juli 2020 um 19:54 Uhr schrieb Bernd <<a href="mailto:ecki@zusammenkunft.net">ecki@zusammenkunft.net</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Hello,</div><div><br></div><div>I have currently intermittent errors with codesigning by Setico. Some signed JARs will cause a NullPointerException in jarsigner -verify:</div><div><br></div><div>"C:\Program Files\Java\jdk-14.0.2\bin\jarsigner.exe" -verify -debug adapter.deployment.util-1.95.0.jar<br>Command line args: [-verify, -debug, adapter.deployment.util-1.95.0.jar]<br>jarsigner: java.lang.NullPointerException<br>java.lang.NullPointerException<br> at java.base/sun.security.pkcs.SignerInfo.getTimestamp(SignerInfo.java:568)<br> at java.base/sun.security.util.SignatureFileVerifier.getSigners(SignatureFileVerifier.java:728)<br> at java.base/sun.security.util.SignatureFileVerifier.processImpl(SignatureFileVerifier.java:300)<br> at java.base/sun.security.util.SignatureFileVerifier.process(SignatureFileVerifier.java:268)<br> at java.base/java.util.jar.JarVerifier.processEntry(JarVerifier.java:316)<br> at java.base/java.util.jar.JarVerifier.update(JarVerifier.java:230)<br> at java.base/java.util.jar.JarFile.initializeVerifier(JarFile.java:759)<br> at java.base/java.util.jar.JarFile.getInputStream(JarFile.java:840)<br> at jdk.jartool/sun.security.tools.jarsigner.Main.verifyJar(Main.java:698)<br> at jdk.jartool/sun.security.tools.jarsigner.Main.run(Main.java:264)<br> at jdk.jartool/sun.security.tools.jarsigner.Main.main(Main.java:118)</div><div><br></div><div>(this is <a href="http://java.net" target="_blank">java.net</a> 14 GA release, also happens on Zulu-8)</div><div><br></div><div>Looking at the code this seems to be a TS validation error suppressed internally. And indeed, if I try to validate the Timestamp in the PKCS7 SECTIGO_.RSA file (with bouncycastle) it tells me that it looks like the TSA has provided the wrong certificate.</div><div><br></div><div>This is of course something I need to check with Setigo (anybody has same experience?).</div><div><br></div><div>However there are two questions:</div><div><br></div><div>a) should jarsigner when signing with a TSA do some validation, especially on the received timestamp object? (I cant try different jarsigner for signing due to isolated sign server, I think the version who created the signature is java8).<br></div><div><br></div><div>b) should the TS validation in jarsigner -verify be either ignored/skipped (in some other places it looks like the same exception is already catched and ignored) or should it throw a more qualified error than a NPE (in -strict mode).</div><div><br></div><div>Gruss</div><div>Bernd<br></div><div><br></div><div>BC Test Code:</div><div><br></div><div><a href="https://gist.github.com/ecki/42aaa3a8621344c1cd0034c440a73400" target="_blank">https://gist.github.com/ecki/42aaa3a8621344c1cd0034c440a73400</a></div><div><br></div><div><br></div><div>Failed Sectigo Signature:</div><div><br></div><div>
SECTIGO_.RSA:<br><a href="https://mft.seeburger.de:443/portal-seefx/~public/ZjgwNzgxNWItZGE5MC00MWU2LWFkYWUtOWNkNzkwMTdmODI5?download" target="_blank">https://mft.seeburger.de:443/portal-seefx/~public/ZjgwNzgxNWItZGE5MC00MWU2LWFkYWUtOWNkNzkwMTdmODI5?download</a>
</div><div><br></div><div>(i can share the test jar privately only)<br></div><div><br></div><div>
<div>BC Test Result (failed):</div>
</div><div><br></div><div>TS validating sig file: SECTIGO_.RSA<br>Signature has 3 certs.<br>Has 1 signers<br>Has 1 timestamps<br>TS Signer: C=GB,ST=Greater Manchester,L=Salford,O=Sectigo Limited,CN=Sectigo RSA Time Stamping CA<br>TS generated: Fri Jul 17 15:43:20 CEST 2020<br>Checking C=GB,ST=Greater Manchester,L=Salford,O=Sectigo Limited,CN=Sectigo RSA Time Stamping Signer #1 <- C=GB,ST=Greater Manchester,L=Salford,O=Sectigo Limited,CN=Sectigo RSA Time Stamping CA<br>Failed org.bouncycastle.tsp.TSPValidationException: signature not created by certificate.<br> at org.bouncycastle.tsp.TimeStampToken.validate(Unknown Source)<br> at net.eckenfels.test.jartest.JarTimestampChecker.main(JarTimestampChecker.java:87)</div><div><br></div><div>(I tested with a signature from Comodo and the test program worked)</div><div><br></div></div>
</blockquote></div>