RFR 8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires

RFR 8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires

Weijun Wang
Please review the fix at

  http://cr.openjdk.java.net/~weijun/8180289/webrev.00/

The code change contains:

- Fix the bug by passing the timestamp to Validator::validate.

- CertPath validation on timestamp signer cert and related warning messages

- Output change: "chain not validated" -> "invalid chain". Otherwise it looks like jarsigner has not validated them.

Thanks
Max

Re: RFR 8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires

Sean Mullan
- test/jdk/sun/security/tools/jarsigner/TimestampCheck.java

65  * @bug 6543842 6543440 6939248 8009636 8024302 8163304 8169911 8166222 8180289

should not include 8166222

  346                 // 8166222: unvalidated TSA cert chain
  347                 sign("tsnoca")
  348                         .shouldContain("TSA certificate chain is invalid")
  349                         .shouldHaveExitValue(64);

wrong bugid?

Looks fine otherwise.

--Sean

On 10/19/17 3:11 AM, Weijun Wang wrote:

> Please review the fix at
>
>    http://cr.openjdk.java.net/~weijun/8180289/webrev.00/
>
> The code change contains:
>
> - Fix the bug by passing the timestamp to Validator::validate.
>
> - CertPath validation on timestamp signer cert and related warning messages
>
> - Output change: "chain not validated" -> "invalid chain". Otherwise it looks like jarsigner has not validated them.
>
> Thanks
> Max
>

Re: RFR 8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires

Weijun Wang


> On Oct 27, 2017, at 3:58 AM, Sean Mullan <[hidden email]> wrote:
>
> - test/jdk/sun/security/tools/jarsigner/TimestampCheck.java
>
> 65  * @bug 6543842 6543440 6939248 8009636 8024302 8163304 8169911 8166222 8180289
>
> should not include 8166222

Yes.

>
> 346                 // 8166222: unvalidated TSA cert chain
> 347                 sign("tsnoca")
> 348                         .shouldContain("TSA certificate chain is invalid")
> 349                         .shouldHaveExitValue(64);
>
> wrong bugid?

This part is about the newly added timestamp cert validation. I'll use 8180289.

Thanks
Max

>
> Looks fine otherwise.
>
> --Sean
>
> On 10/19/17 3:11 AM, Weijun Wang wrote:
>> Please review the fix at
>>   http://cr.openjdk.java.net/~weijun/8180289/webrev.00/
>> The code change contains:
>> - Fix the bug by passing the timestamp to Validator::validate.
>> - CertPath validation on timestamp signer cert and related warning messages
>> - Output change: "chain not validated" -> "invalid chain". Otherwise it looks like jarsigner has not validated them.
>> Thanks
>> Max