1st round RFR 8191438: jarsigner should print when a timestamp will expire

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

1st round RFR 8191438: jarsigner should print when a timestamp will expire

Weijun Wang
Hi All

Please take a look at http://cr.openjdk.java.net/~weijun/8191438/webrev.00/. Regression tests not added yet. I'd like to hear your comments on the output format.

Major changes:

1. New flags hasExpiringTsaCert and hasExpiredTsaCert for TSA cert chain. They are set and used similar to flags for the signer cert chain. Note that there is no notYetValidTsaCert, which I think is not very useful, and it's already covered by CertPath validation.

2. No more validity check on trusted certs in printCert(), since CertPath validation also does not check validity of trust anchors.

3. Break getAliasInfo() into 2 parts: getAliasInfo() and showAliasInfo(). showAliasInfo() will set flags and show extra info if -verbose after jar is signed.

The expiration date for all signer and TSA cert chains are shown when -verbose -certs are provided. Warning is only shown when expiration date (for either cert chain) is near.

An example:

 $ jarsigner ... a.jar a -tsa http://localhost:8080/time=2017-11-20T00:00:00Z -verbose
requesting a signature timestamp
TSA location: http://localhost:8080/time=2017-11-20T00:00:00Z
 updating: META-INF/A.SF
 updating: META-INF/A.RSA
  signing: ks

>>> Signer
    X.509, CN=a
    [certificate is valid from 11/5/17, 12:27 PM to 12/10/17, 12:27 PM]
    X.509, CN=ca
    [trusted certificate]
>>> TSA
    X.509, CN=ts
    [certificate will expire on 12/15/17, 12:27 PM]
    X.509, CN=ca
    [trusted certificate]

jar signed.

Warning:
The timestamp will expire within six months on 2017-12-15.
c $ jarsigner ... a.jar -verify -verbose:grouped -certs

s k     145 Tue Dec 05 10:23:46 CST 2017 META-INF/MANIFEST.MF

      [entry was signed on 11/20/17, 8:00 AM]
      >>> Signer
      X.509, CN=a (a)
      [certificate is valid from 11/5/17, 12:27 PM to 12/10/17, 12:27 PM]
      X.509, CN=ca (ca)
      [trusted certificate]
      >>> TSA
      X.509, CN=ts
      [certificate will expire on 12/15/17, 12:27 PM]
      X.509, CN=ca (ca)
      [trusted certificate]

        307 Tue Dec 05 12:27:08 CST 2017 META-INF/A.SF
       3811 Tue Dec 05 12:27:08 CST 2017 META-INF/A.RSA

      (Signature related entries)

          0 Tue Dec 05 10:23:42 CST 2017 META-INF/

      (Unsigned entries)

smk    8364 Tue Dec 05 10:23:00 CST 2017 ks

      [entry was signed on 11/20/17, 8:00 AM]
      >>> Signer
      X.509, CN=a (a)
      [certificate is valid from 11/5/17, 12:27 PM to 12/10/17, 12:27 PM]
      X.509, CN=ca (ca)
      [trusted certificate]
      >>> TSA
      X.509, CN=ts
      [certificate will expire on 12/15/17, 12:27 PM]
      X.509, CN=ca (ca)
      [trusted certificate]


  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore

- Signed by "CN=a"
    Digest algorithm: SHA-256
    Signature algorithm: SHA256withRSA, 2048-bit key
  Timestamped by "CN=ts" on Mon Nov 20 00:00:00 UTC 2017
    Timestamp digest algorithm: SHA-256
    Timestamp signature algorithm: SHA256withRSA, 2048-bit key

jar verified.

Warning:
The timestamp will expire within six months on 2017-12-15.

Thanks
Max

Reply | Threaded
Open this post in threaded view
|

Re: 1st round RFR 8191438: jarsigner should print when a timestamp will expire

Sean Mullan
When signing, I think we should always print when the timestamp will
expire, even if it is 10 years from now. For the warning, I would bump
it up 6 months to a year. (It could potentially be more than this - a
fresh timestamp ideally should be good for > 5 years in my opinion).
Perhaps we don't warn when signing - just make it informational. But
only warn when verifying.

Just some quick thoughts -- I'll think about it some more.

--Sean



On 12/5/17 4:35 AM, Weijun Wang wrote:

> Hi All
>
> Please take a look at http://cr.openjdk.java.net/~weijun/8191438/webrev.00/. Regression tests not added yet. I'd like to hear your comments on the output format.
>
> Major changes:
>
> 1. New flags hasExpiringTsaCert and hasExpiredTsaCert for TSA cert chain. They are set and used similar to flags for the signer cert chain. Note that there is no notYetValidTsaCert, which I think is not very useful, and it's already covered by CertPath validation.
>
> 2. No more validity check on trusted certs in printCert(), since CertPath validation also does not check validity of trust anchors.
>
> 3. Break getAliasInfo() into 2 parts: getAliasInfo() and showAliasInfo(). showAliasInfo() will set flags and show extra info if -verbose after jar is signed.
>
> The expiration date for all signer and TSA cert chains are shown when -verbose -certs are provided. Warning is only shown when expiration date (for either cert chain) is near.
>
> An example:
>
>   $ jarsigner ... a.jar a -tsa http://localhost:8080/time=2017-11-20T00:00:00Z -verbose
> requesting a signature timestamp
> TSA location: http://localhost:8080/time=2017-11-20T00:00:00Z
>   updating: META-INF/A.SF
>   updating: META-INF/A.RSA
>    signing: ks
>
>>>> Signer
>      X.509, CN=a
>      [certificate is valid from 11/5/17, 12:27 PM to 12/10/17, 12:27 PM]
>      X.509, CN=ca
>      [trusted certificate]
>>>> TSA
>      X.509, CN=ts
>      [certificate will expire on 12/15/17, 12:27 PM]
>      X.509, CN=ca
>      [trusted certificate]
>
> jar signed.
>
> Warning:
> The timestamp will expire within six months on 2017-12-15.
> c $ jarsigner ... a.jar -verify -verbose:grouped -certs
>
> s k     145 Tue Dec 05 10:23:46 CST 2017 META-INF/MANIFEST.MF
>
>        [entry was signed on 11/20/17, 8:00 AM]
>        >>> Signer
>        X.509, CN=a (a)
>        [certificate is valid from 11/5/17, 12:27 PM to 12/10/17, 12:27 PM]
>        X.509, CN=ca (ca)
>        [trusted certificate]
>        >>> TSA
>        X.509, CN=ts
>        [certificate will expire on 12/15/17, 12:27 PM]
>        X.509, CN=ca (ca)
>        [trusted certificate]
>
>          307 Tue Dec 05 12:27:08 CST 2017 META-INF/A.SF
>         3811 Tue Dec 05 12:27:08 CST 2017 META-INF/A.RSA
>
>        (Signature related entries)
>
>            0 Tue Dec 05 10:23:42 CST 2017 META-INF/
>
>        (Unsigned entries)
>
> smk    8364 Tue Dec 05 10:23:00 CST 2017 ks
>
>        [entry was signed on 11/20/17, 8:00 AM]
>        >>> Signer
>        X.509, CN=a (a)
>        [certificate is valid from 11/5/17, 12:27 PM to 12/10/17, 12:27 PM]
>        X.509, CN=ca (ca)
>        [trusted certificate]
>        >>> TSA
>        X.509, CN=ts
>        [certificate will expire on 12/15/17, 12:27 PM]
>        X.509, CN=ca (ca)
>        [trusted certificate]
>
>
>    s = signature was verified
>    m = entry is listed in manifest
>    k = at least one certificate was found in keystore
>
> - Signed by "CN=a"
>      Digest algorithm: SHA-256
>      Signature algorithm: SHA256withRSA, 2048-bit key
>    Timestamped by "CN=ts" on Mon Nov 20 00:00:00 UTC 2017
>      Timestamp digest algorithm: SHA-256
>      Timestamp signature algorithm: SHA256withRSA, 2048-bit key
>
> jar verified.
>
> Warning:
> The timestamp will expire within six months on 2017-12-15.
>
> Thanks
> Max
>
Reply | Threaded
Open this post in threaded view
|

RFR 8191438: jarsigner should print when a timestamp will expire

Weijun Wang
All suggestions accepted. Here is an updated webrev.

   http://cr.openjdk.java.net/~weijun/8191438/webrev.01/

New test cases added. Other changes are:

1. noTimestamp == true at signing side means no TSA or timestamping failed.

2. New method certsAndTSInfo() used by both signing and verification to display signer/tsa info and set warning flags.

Thanks
Max

> On Dec 7, 2017, at 5:01 AM, Sean Mullan <[hidden email]> wrote:
>
> When signing, I think we should always print when the timestamp will expire, even if it is 10 years from now. For the warning, I would bump it up 6 months to a year. (It could potentially be more than this - a fresh timestamp ideally should be good for > 5 years in my opinion). Perhaps we don't warn when signing - just make it informational. But only warn when verifying.
>
> Just some quick thoughts -- I'll think about it some more.
>
> --Sean
>
>
>
> On 12/5/17 4:35 AM, Weijun Wang wrote:
>> Hi All
>> Please take a look at http://cr.openjdk.java.net/~weijun/8191438/webrev.00/. Regression tests not added yet. I'd like to hear your comments on the output format.
>> Major changes:
>> 1. New flags hasExpiringTsaCert and hasExpiredTsaCert for TSA cert chain. They are set and used similar to flags for the signer cert chain. Note that there is no notYetValidTsaCert, which I think is not very useful, and it's already covered by CertPath validation.
>> 2. No more validity check on trusted certs in printCert(), since CertPath validation also does not check validity of trust anchors.
>> 3. Break getAliasInfo() into 2 parts: getAliasInfo() and showAliasInfo(). showAliasInfo() will set flags and show extra info if -verbose after jar is signed.
>> The expiration date for all signer and TSA cert chains are shown when -verbose -certs are provided. Warning is only shown when expiration date (for either cert chain) is near.
>> An example:
>>  $ jarsigner ... a.jar a -tsa http://localhost:8080/time=2017-11-20T00:00:00Z -verbose
>> requesting a signature timestamp
>> TSA location: http://localhost:8080/time=2017-11-20T00:00:00Z
>>  updating: META-INF/A.SF
>>  updating: META-INF/A.RSA
>>   signing: ks
>>>>> Signer
>>     X.509, CN=a
>>     [certificate is valid from 11/5/17, 12:27 PM to 12/10/17, 12:27 PM]
>>     X.509, CN=ca
>>     [trusted certificate]
>>>>> TSA
>>     X.509, CN=ts
>>     [certificate will expire on 12/15/17, 12:27 PM]
>>     X.509, CN=ca
>>     [trusted certificate]
>> jar signed.
>> Warning:
>> The timestamp will expire within six months on 2017-12-15.
>> c $ jarsigner ... a.jar -verify -verbose:grouped -certs
>> s k     145 Tue Dec 05 10:23:46 CST 2017 META-INF/MANIFEST.MF
>>       [entry was signed on 11/20/17, 8:00 AM]
>>       >>> Signer
>>       X.509, CN=a (a)
>>       [certificate is valid from 11/5/17, 12:27 PM to 12/10/17, 12:27 PM]
>>       X.509, CN=ca (ca)
>>       [trusted certificate]
>>       >>> TSA
>>       X.509, CN=ts
>>       [certificate will expire on 12/15/17, 12:27 PM]
>>       X.509, CN=ca (ca)
>>       [trusted certificate]
>>         307 Tue Dec 05 12:27:08 CST 2017 META-INF/A.SF
>>        3811 Tue Dec 05 12:27:08 CST 2017 META-INF/A.RSA
>>       (Signature related entries)
>>           0 Tue Dec 05 10:23:42 CST 2017 META-INF/
>>       (Unsigned entries)
>> smk    8364 Tue Dec 05 10:23:00 CST 2017 ks
>>       [entry was signed on 11/20/17, 8:00 AM]
>>       >>> Signer
>>       X.509, CN=a (a)
>>       [certificate is valid from 11/5/17, 12:27 PM to 12/10/17, 12:27 PM]
>>       X.509, CN=ca (ca)
>>       [trusted certificate]
>>       >>> TSA
>>       X.509, CN=ts
>>       [certificate will expire on 12/15/17, 12:27 PM]
>>       X.509, CN=ca (ca)
>>       [trusted certificate]
>>   s = signature was verified
>>   m = entry is listed in manifest
>>   k = at least one certificate was found in keystore
>> - Signed by "CN=a"
>>     Digest algorithm: SHA-256
>>     Signature algorithm: SHA256withRSA, 2048-bit key
>>   Timestamped by "CN=ts" on Mon Nov 20 00:00:00 UTC 2017
>>     Timestamp digest algorithm: SHA-256
>>     Timestamp signature algorithm: SHA256withRSA, 2048-bit key
>> jar verified.
>> Warning:
>> The timestamp will expire within six months on 2017-12-15.
>> Thanks
>> Max

Reply | Threaded
Open this post in threaded view
|

Re: RFR 8191438: jarsigner should print when a timestamp will expire

Sean Mullan
Looks good, but just to confirm something -- when verifying, if the
signer's certificate chain is still valid and unexpired, then an expired
or invalid timestamp or chain should not be an error. Essentially, the
validation of the timestamp should only be done when the signer's
certificate chain expires. Is that how it works?

Also, please add a release note and a separate docs issue to update the
jarsigner doc with these new warnings/errors.

--Sean

On 12/13/17 10:37 AM, Weijun Wang wrote:

> All suggestions accepted. Here is an updated webrev.
>
>     http://cr.openjdk.java.net/~weijun/8191438/webrev.01/
>
> New test cases added. Other changes are:
>
> 1. noTimestamp == true at signing side means no TSA or timestamping failed.
>
> 2. New method certsAndTSInfo() used by both signing and verification to display signer/tsa info and set warning flags.
>
> Thanks
> Max
>
>> On Dec 7, 2017, at 5:01 AM, Sean Mullan <[hidden email]> wrote:
>>
>> When signing, I think we should always print when the timestamp will expire, even if it is 10 years from now. For the warning, I would bump it up 6 months to a year. (It could potentially be more than this - a fresh timestamp ideally should be good for > 5 years in my opinion). Perhaps we don't warn when signing - just make it informational. But only warn when verifying.
>>
>> Just some quick thoughts -- I'll think about it some more.
>>
>> --Sean
>>
>>
>>
>> On 12/5/17 4:35 AM, Weijun Wang wrote:
>>> Hi All
>>> Please take a look at http://cr.openjdk.java.net/~weijun/8191438/webrev.00/. Regression tests not added yet. I'd like to hear your comments on the output format.
>>> Major changes:
>>> 1. New flags hasExpiringTsaCert and hasExpiredTsaCert for TSA cert chain. They are set and used similar to flags for the signer cert chain. Note that there is no notYetValidTsaCert, which I think is not very useful, and it's already covered by CertPath validation.
>>> 2. No more validity check on trusted certs in printCert(), since CertPath validation also does not check validity of trust anchors.
>>> 3. Break getAliasInfo() into 2 parts: getAliasInfo() and showAliasInfo(). showAliasInfo() will set flags and show extra info if -verbose after jar is signed.
>>> The expiration date for all signer and TSA cert chains are shown when -verbose -certs are provided. Warning is only shown when expiration date (for either cert chain) is near.
>>> An example:
>>>   $ jarsigner ... a.jar a -tsa http://localhost:8080/time=2017-11-20T00:00:00Z -verbose
>>> requesting a signature timestamp
>>> TSA location: http://localhost:8080/time=2017-11-20T00:00:00Z
>>>   updating: META-INF/A.SF
>>>   updating: META-INF/A.RSA
>>>    signing: ks
>>>>>> Signer
>>>      X.509, CN=a
>>>      [certificate is valid from 11/5/17, 12:27 PM to 12/10/17, 12:27 PM]
>>>      X.509, CN=ca
>>>      [trusted certificate]
>>>>>> TSA
>>>      X.509, CN=ts
>>>      [certificate will expire on 12/15/17, 12:27 PM]
>>>      X.509, CN=ca
>>>      [trusted certificate]
>>> jar signed.
>>> Warning:
>>> The timestamp will expire within six months on 2017-12-15.
>>> c $ jarsigner ... a.jar -verify -verbose:grouped -certs
>>> s k     145 Tue Dec 05 10:23:46 CST 2017 META-INF/MANIFEST.MF
>>>        [entry was signed on 11/20/17, 8:00 AM]
>>>        >>> Signer
>>>        X.509, CN=a (a)
>>>        [certificate is valid from 11/5/17, 12:27 PM to 12/10/17, 12:27 PM]
>>>        X.509, CN=ca (ca)
>>>        [trusted certificate]
>>>        >>> TSA
>>>        X.509, CN=ts
>>>        [certificate will expire on 12/15/17, 12:27 PM]
>>>        X.509, CN=ca (ca)
>>>        [trusted certificate]
>>>          307 Tue Dec 05 12:27:08 CST 2017 META-INF/A.SF
>>>         3811 Tue Dec 05 12:27:08 CST 2017 META-INF/A.RSA
>>>        (Signature related entries)
>>>            0 Tue Dec 05 10:23:42 CST 2017 META-INF/
>>>        (Unsigned entries)
>>> smk    8364 Tue Dec 05 10:23:00 CST 2017 ks
>>>        [entry was signed on 11/20/17, 8:00 AM]
>>>        >>> Signer
>>>        X.509, CN=a (a)
>>>        [certificate is valid from 11/5/17, 12:27 PM to 12/10/17, 12:27 PM]
>>>        X.509, CN=ca (ca)
>>>        [trusted certificate]
>>>        >>> TSA
>>>        X.509, CN=ts
>>>        [certificate will expire on 12/15/17, 12:27 PM]
>>>        X.509, CN=ca (ca)
>>>        [trusted certificate]
>>>    s = signature was verified
>>>    m = entry is listed in manifest
>>>    k = at least one certificate was found in keystore
>>> - Signed by "CN=a"
>>>      Digest algorithm: SHA-256
>>>      Signature algorithm: SHA256withRSA, 2048-bit key
>>>    Timestamped by "CN=ts" on Mon Nov 20 00:00:00 UTC 2017
>>>      Timestamp digest algorithm: SHA-256
>>>      Timestamp signature algorithm: SHA256withRSA, 2048-bit key
>>> jar verified.
>>> Warning:
>>> The timestamp will expire within six months on 2017-12-15.
>>> Thanks
>>> Max
>
Reply | Threaded
Open this post in threaded view
|

Re: RFR 8191438: jarsigner should print when a timestamp will expire

Weijun Wang


> On Dec 14, 2017, at 5:18 AM, Sean Mullan <[hidden email]> wrote:
>
> Looks good, but just to confirm something -- when verifying, if the signer's certificate chain is still valid and unexpired, then an expired or invalid timestamp or chain should not be an error. Essentially, the validation of the timestamp should only be done when the signer's certificate chain expires. Is that how it works?

No.

Suppose the signer cert is expiring next month and the timestamp is expiring next year, I think we still need to show a warning on the expiring timestamp and validate its cert chain.

I agree that even of the timestamp has expired, this is not an error. I'll need to clean the exit code.

Thanks
Max

>
> Also, please add a release note and a separate docs issue to update the jarsigner doc with these new warnings/errors.
>
> --Sean
>
> On 12/13/17 10:37 AM, Weijun Wang wrote:
>> All suggestions accepted. Here is an updated webrev.
>>    http://cr.openjdk.java.net/~weijun/8191438/webrev.01/
>> New test cases added. Other changes are:
>> 1. noTimestamp == true at signing side means no TSA or timestamping failed.
>> 2. New method certsAndTSInfo() used by both signing and verification to display signer/tsa info and set warning flags.
>> Thanks
>> Max
>>> On Dec 7, 2017, at 5:01 AM, Sean Mullan <[hidden email]> wrote:
>>>
>>> When signing, I think we should always print when the timestamp will expire, even if it is 10 years from now. For the warning, I would bump it up 6 months to a year. (It could potentially be more than this - a fresh timestamp ideally should be good for > 5 years in my opinion). Perhaps we don't warn when signing - just make it informational. But only warn when verifying.
>>>
>>> Just some quick thoughts -- I'll think about it some more.
>>>
>>> --Sean
>>>
>>>
>>>
>>> On 12/5/17 4:35 AM, Weijun Wang wrote:
>>>> Hi All
>>>> Please take a look at http://cr.openjdk.java.net/~weijun/8191438/webrev.00/. Regression tests not added yet. I'd like to hear your comments on the output format.
>>>> Major changes:
>>>> 1. New flags hasExpiringTsaCert and hasExpiredTsaCert for TSA cert chain. They are set and used similar to flags for the signer cert chain. Note that there is no notYetValidTsaCert, which I think is not very useful, and it's already covered by CertPath validation.
>>>> 2. No more validity check on trusted certs in printCert(), since CertPath validation also does not check validity of trust anchors.
>>>> 3. Break getAliasInfo() into 2 parts: getAliasInfo() and showAliasInfo(). showAliasInfo() will set flags and show extra info if -verbose after jar is signed.
>>>> The expiration date for all signer and TSA cert chains are shown when -verbose -certs are provided. Warning is only shown when expiration date (for either cert chain) is near.
>>>> An example:
>>>>  $ jarsigner ... a.jar a -tsa http://localhost:8080/time=2017-11-20T00:00:00Z -verbose
>>>> requesting a signature timestamp
>>>> TSA location: http://localhost:8080/time=2017-11-20T00:00:00Z
>>>>  updating: META-INF/A.SF
>>>>  updating: META-INF/A.RSA
>>>>   signing: ks
>>>>>>> Signer
>>>>     X.509, CN=a
>>>>     [certificate is valid from 11/5/17, 12:27 PM to 12/10/17, 12:27 PM]
>>>>     X.509, CN=ca
>>>>     [trusted certificate]
>>>>>>> TSA
>>>>     X.509, CN=ts
>>>>     [certificate will expire on 12/15/17, 12:27 PM]
>>>>     X.509, CN=ca
>>>>     [trusted certificate]
>>>> jar signed.
>>>> Warning:
>>>> The timestamp will expire within six months on 2017-12-15.
>>>> c $ jarsigner ... a.jar -verify -verbose:grouped -certs
>>>> s k     145 Tue Dec 05 10:23:46 CST 2017 META-INF/MANIFEST.MF
>>>>       [entry was signed on 11/20/17, 8:00 AM]
>>>>       >>> Signer
>>>>       X.509, CN=a (a)
>>>>       [certificate is valid from 11/5/17, 12:27 PM to 12/10/17, 12:27 PM]
>>>>       X.509, CN=ca (ca)
>>>>       [trusted certificate]
>>>>       >>> TSA
>>>>       X.509, CN=ts
>>>>       [certificate will expire on 12/15/17, 12:27 PM]
>>>>       X.509, CN=ca (ca)
>>>>       [trusted certificate]
>>>>         307 Tue Dec 05 12:27:08 CST 2017 META-INF/A.SF
>>>>        3811 Tue Dec 05 12:27:08 CST 2017 META-INF/A.RSA
>>>>       (Signature related entries)
>>>>           0 Tue Dec 05 10:23:42 CST 2017 META-INF/
>>>>       (Unsigned entries)
>>>> smk    8364 Tue Dec 05 10:23:00 CST 2017 ks
>>>>       [entry was signed on 11/20/17, 8:00 AM]
>>>>       >>> Signer
>>>>       X.509, CN=a (a)
>>>>       [certificate is valid from 11/5/17, 12:27 PM to 12/10/17, 12:27 PM]
>>>>       X.509, CN=ca (ca)
>>>>       [trusted certificate]
>>>>       >>> TSA
>>>>       X.509, CN=ts
>>>>       [certificate will expire on 12/15/17, 12:27 PM]
>>>>       X.509, CN=ca (ca)
>>>>       [trusted certificate]
>>>>   s = signature was verified
>>>>   m = entry is listed in manifest
>>>>   k = at least one certificate was found in keystore
>>>> - Signed by "CN=a"
>>>>     Digest algorithm: SHA-256
>>>>     Signature algorithm: SHA256withRSA, 2048-bit key
>>>>   Timestamped by "CN=ts" on Mon Nov 20 00:00:00 UTC 2017
>>>>     Timestamp digest algorithm: SHA-256
>>>>     Timestamp signature algorithm: SHA256withRSA, 2048-bit key
>>>> jar verified.
>>>> Warning:
>>>> The timestamp will expire within six months on 2017-12-15.
>>>> Thanks
>>>> Max