Certificate validity check (was 7144564: jarsigner should report timestamp failure as a warning)
Sean Mullan sean.mullan at oracle.com
Mon Feb 20 15:07:55 UTC 2012
I could see how that exception message could be confused with a timestamp applied to the signed jar.
I'd probably suggest changing the exception message to: "certificate expired" or "certificate not yet valid" depending on how the check failed.
I suggest lowering the priority, leaving the bug open to make this change, and leaving it unassigned for now.
--Sean
On 02/20/2012 03:35 AM, Weijun Wang wrote:
Hi All
I'm looking at this bug report. The jar was recently signed on 2/9/12 but the cert expired a long time ago on 10/14/03, and jarsigner -verify shows

    [CertPath not validated: timestamp check failed]

This failure message is totally correct. However, because the test was about timestamping, the bug reporter mistakenly believes the error is about the timestamping authority (TSA), instead of the notAfter and/or notBefore attributes of the signer.

The words above are from the verifyTimestamp() method at line 176 of sun/security/provider/certpath/BasicChecker.java. Is it possible to change the message to something like "validity check failed"?

If anyone in the PKI/CertPath team thinks this makes sense, please take the bug and make some change. Otherwise, I will close it as NOT-A-BUG.

Thanks
Max

-------- Original Message --------
Change Request ID: 7144564
Synopsis: jarsigner should report timestamp failure as a warning

=== Description ============================================================
jarsigner -verify on a jar, signed with an expired certificate, with a timestamp, shows "[CertPath not validated: timestamp check failed]"
But this is not reported as a warning. This should also be reported.

-bash-3.00$ $JDK8HOME/bin/jarsigner -keystore srikar.p12.data -storepass password -storetype pkcs12 -verify -verify -verbose -certs SignedWithTimeStamp.jar

s k      161 Thu Feb 09 13:59:26 PST 2012 META-INF/MANIFEST.MF
      [entry was signed on 2/9/12 1:59 PM]
      X.509, CN=SRIKAR, O=SMI, OU=BGR, ST=KAR, C=IN, UID=srikar, EMAILADDRESS=srikar.sagi at sun.com (srikarcert)
      [certificate expired on 10/14/03 7:10 AM]
      [CertPath not validated: timestamp check failed]

         323 Thu Feb 09 13:59:26 PST 2012 META-INF/SRIKARCE.SF
        2786 Thu Feb 09 13:59:26 PST 2012 META-INF/SRIKARCE.RSA
           0 Thu Feb 09 13:59:24 PST 2012 META-INF/
smk     4448 Thu Feb 09 13:59:12 PST 2012 CheckJarEntries.class
      [entry was signed on 2/9/12 1:59 PM]
      X.509, CN=SRIKAR, O=SMI, OU=BGR, ST=KAR, C=IN, UID=srikar, EMAILADDRESS=srikar.sagi at sun.com (srikarcert)
      [certificate expired on 10/14/03 7:10 AM]
      [CertPath not validated: timestamp check failed]

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.

Warning:
This jar contains entries whose signer certificate has expired.
This jar contains entries whose certificate chain is not validated.
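
An added example, not part of the original thread and not the JDK's BasicChecker code: one way to report which validity bound failed, as the reply suggests, using the standard X509Certificate.checkValidity(Date) exceptions. The class name ValidityReason, the method validityFailure and the command-line arguments are hypothetical; the certificate file is supplied by the reader.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.Date;

// Hypothetical helper class (assumption, not from the JDK sources).
public class ValidityReason {

    /** Returns null if the certificate is valid at 'when', else a specific reason. */
    static String validityFailure(X509Certificate cert, Date when) {
        try {
            // Compares 'when' against the certificate's notBefore/notAfter fields.
            cert.checkValidity(when);
            return null;
        } catch (CertificateExpiredException e) {
            return "certificate expired on " + cert.getNotAfter();
        } catch (CertificateNotYetValidException e) {
            return "certificate not yet valid before " + cert.getNotBefore();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java ValidityReason.java <cert.pem|cert.der> [ISO-8601 instant]");
            System.exit(2);
        }
        // Reference time: a known signing time if given, otherwise the current time.
        Date when = args.length > 1 ? Date.from(Instant.parse(args[1])) : new Date();

        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }

        String reason = validityFailure(cert, when);
        System.out.println(reason == null
                ? "certificate valid at " + when
                : "CertPath not validated: " + reason);
    }
}
```

Passing the signing time as the second argument shows whether the certificate was already outside its validity period when the jar was signed, which is the situation in the report above (signed 2/9/12, certificate expired 10/14/03).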