jar: Signature Block File: test2.tar digest=MD5
jar: expected 57969286dfabc836f3eb95d37fc34893
jar: computed 57969286dfabc836f3eb95d37fc34893
jar:
jar: Signature Block File: test2.tar digest=SHA1
jar: expected d9f925d021967da73a572d8c9077755dd71d5a40
jar: computed d9f925d021967da73a572d8c9077755dd71d5a40
jar:
jar: processSignature signed name = test2.tar
jar: done with meta!
jar: Manifest Entry: test2.tar digest=MD5
jar: manifest 97155dfe1ac78c1c22c1388e65659079
jar: computed 97155dfe1ac78c1c22c1388e65659079
jar:
jar: Manifest Entry: test2.tar digest=SHA1
jar: manifest 3a9d6bd3a95a8679abacdba6e3b1e7ee9d8967c4
jar: computed d6905c45616341ba67715fc4ff0286c90840427c
jar:
jarsigner: java.lang.SecurityException: SHA1 digest error for test2.tar
-----------

If you could look into this, it would be appreciated.

###@###.### 2004-02-02

I am signing files using Netscape signtool 1.3 (signed patches on sunsolve are also signed using signtool 1.3) and have come across a bug where if the jar file contains a file that is large (my example fails on files >=20 MB), the verification fails.
I have verified this under both Solaris 9:

% java -version
java version "1.4.0_00"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.0_00-b05)
Java HotSpot(TM) Client VM (build 1.4.0_00-b05, mixed mode)

and under the JDS Linux client:

% java -version
java version "1.4.2_02"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_02-b03)
Java HotSpot(TM) Client VM (build 1.4.2_02-b03, mixed mode)

The following is the error I get:

% jarsigner -verbose -certs -verify test_small2.jar
jarsigner: java.lang.SecurityException: SHA1 digest error for test2.tar

If I check it with signtool, the signature verifies OK.

The failing jar file contains:

% unzip -l test_small2.jar
Archive: test_small2.jar
  Length     Date   Time   Name
  ------     ----   ----   ----
19885568  02-03-04 15:43   test2.tar
     241  02-03-04 15:43   META-INF/manifest.mf
     349  02-03-04 15:43   META-INF/zigbert.sf
    3697  02-03-04 15:43   META-INF/zigbert.rsa
  ------                   -------
19889855                   4 files

If the file contained in the jarfile is smaller, the verification works:

% jarsigner -verbose -certs -verify test_small.jar

sm 9937465 Tue Feb 03 15:47:08 EST 2004 test.tar.gz

      X.509, CN=Tony's test certificate, O=Sun Microsystems Inc
      X.509, O=Sun Microsystems Inc, CN=Sun Microsystems Inc TEST CA
      X.509, CN=Sun Microsystems Inc TEST Root CA, O=Sun Microsystems Inc, C=US

       243 Tue Feb 03 15:47:08 EST 2004 META-INF/manifest.mf
       351 Tue Feb 03 15:47:08 EST 2004 META-INF/zigbert.sf
      3697 Tue Feb 03 15:47:08 EST 2004 META-INF/zigbert.rsa

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.
The contents of this jarfile are:

% unzip -l test_small.jar
Archive: test_small.jar
 Length     Date   Time   Name
 ------     ----   ----   ----
9937465  02-03-04 15:47   test.tar.gz
    243  02-03-04 15:47   META-INF/manifest.mf
    351  02-03-04 15:47   META-INF/zigbert.sf
   3697  02-03-04 15:47   META-INF/zigbert.rsa
 ------                   -------
9941756                   4 files

If I add some debugging information for the failing jarfile it looks like there is a problem with the SHA1 algorithm.

------
% jarsigner -J-Djava.security.debug=jar -verbose -verify -certs test_small2.jar
jar: beginEntry META-INF/MANIFEST.MF
jar: done with meta!
jar: nothing to verify!
jar: beginEntry META-INF/manifest.mf
jar: beginEntry META-INF/zigbert.sf
jar: processEntry: processing block
jar: beginEntry META-INF/zigbert.rsa
jar: processEntry: processing block
jar: beginEntry META-INF/MANIFEST.MF
jar: beginEntry META-INF/4JCEJARS.SF
jar: processEntry: processing block
jar: beginEntry META-INF/4JCEJARS.DSA
jar: processEntry: processing block
jar: Signature Block Certificate: [
[
  Version: V3
  Subject: CN=Sun Microsystems Inc, OU=Java Software Code Signing, O=Sun Microsystems Inc
  Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3
  Key: Sun DSA Public Key
]
jar: Signature File: Manifest digest SHA1
jar: sigfile cb3249a2833537adcb04fc7aa3f5cc18dff465f4
jar: computed cb3249a2833537adcb04fc7aa3f5cc18dff465f4
jar:
jar: processSignature signed name = com/sun/crypto/provider/SunJCE_s.class
jar: processSignature signed name = com/sun/crypto/provider/BlowfishParameters.class
jar: processSignature signed name = com/sun/crypto/provider/SunJCE_q.class
jar: processSignature signed name = com/sun/crypto/provider/DHPublicKey.class
jar: processSignature signed name = com/sun/crypto/provider/SunJCE_o.class
jar: processSignature signed name = com/sun/crypto/provider/SunJCE_m.class
jar: processSignature signed name = com/sun/crypto/provider/SunJCE_k.class
jar: processSignature signed name = com/sun/crypto/provider/JceKeyStore.class
jar: processSignature signed name = com/sun/crypto/provider/SunJCE_i.class
jar: processSignature signed name = com/sun/crypto/provider/SunJCE_g.class
jar: processSignature signed name = com/sun/crypto/provider/ai.class
jar: processSignature signed name = com/sun/crypto/provider/SunJCE_e.class
jar: processSignature signed name = com/sun/crypto/provider/SunJCE_c.class
jar: processSignature signed name = com/sun/crypto/provider/SunJCE_ad.class
jar: processSignature signed name = com/sun/crypto/provider/DESedeCipher.class
jar: processSignature signed name = com/sun/crypto/provider/SunJCE_ab.class
jar: processSignature signed name = com/sun/crypto/provider/DHKeyPairGenerator.class
jar: processSignature signed name = com/sun/crypto/provider/BlowfishCipher.class
jar: processSignature signed name = com/sun/crypto/provider/DHParameterGenerator.class
jar: processSignature signed name = com/sun/crypto/provider/SunJCE.class
jar: processSignature signed name = com/sun/crypto/provider/PBEKeyFactory.class
jar: processSignature signed name = com/sun/crypto/provider/SunJCE_z.class
jar: processSignature signed name = com/sun/crypto/provider/PBEParameters.class
jar: processSignature signed name = com/sun/crypto/provider/SunJCE_x.class
jar: processSignature signed name = com/sun/crypto/provider/SunJCE_v.class
jar: processSignature signed name = com/sun/crypto/provider/SunJCE_t.class
jar: processSignature signed name = com/sun/crypto/provider/HmacMD5.class
jar: processSignature signed name = com/sun/crypto/provider/SunJCE_r.class
jar: processSignature signed name = com/sun/crypto/provider/SunJCE_p.class
jar: processSignature signed name = com/sun/crypto/provider/SunJCE_n.class
jar: processSignature signed name = com/sun/crypto/provider/PBEWithMD5AndTripleDESCipher.class
jar: processSignature signed name = com/sun/crypto/provider/SunJCE_l.class
jar: processSignature signed name = com/sun/crypto/provider/HmacSHA1.class
jar: processSignature signed name = com/sun/crypto/provider/PBEWithMD5AndDESCipher.class
jar: processSignature signed name = com/sun/crypto/provider/SunJCE_j.class
jar: processSignature signed name = com/sun/crypto/provider/DESedeKey.class
jar: processSignature signed name = com/sun/crypto/provider/SunJCE_h.class
jar: processSignature signed name = com/sun/crypto/provider/SunJCE_f.class
jar: processSignature signed name = com/sun/crypto/provider/SunJCE_d.class
jar: processSignature signed name = com/sun/crypto/provider/DESKeyGenerator.class
jar: processSignature signed name = com/sun/crypto/provider/SunJCE_b.class
jar: processSignature signed name = com/sun/crypto/provider/SunJCE_ae.class
jar: processSignature signed name = com/sun/crypto/provider/SunJCE_ac.class
jar: processSignature signed name = com/sun/crypto/provider/SunJCE_aa.class
jar: processSignature signed name = com/sun/crypto/provider/DESKeyFactory.class
jar: processSignature signed name = com/sun/crypto/provider/DESParameters.class
jar: processSignature signed name = com/sun/crypto/provider/DHKeyFactory.class
jar: processSignature signed name = com/sun/crypto/provider/DHKeyAgreement.class
jar: processSignature signed name = com/sun/crypto/provider/DHParameters.class
jar: processSignature signed name = com/sun/crypto/provider/DESKey.class
jar: processSignature signed name = com/sun/crypto/provider/PBEKey.class
jar: processSignature signed name = com/sun/crypto/provider/HmacMD5KeyGenerator.class
jar: processSignature signed name = com/sun/crypto/provider/DESedeKeyGenerator.class
jar: processSignature signed name = com/sun/crypto/provider/HmacSHA1KeyGenerator.class
jar: processSignature signed name = com/sun/crypto/provider/DHPrivateKey.class
jar: processSignature signed name = com/sun/crypto/provider/DESedeKeyFactory.class
jar: processSignature signed name = com/sun/crypto/provider/SealedObjectForKeyProtector.class
jar: processSignature signed name = com/sun/crypto/provider/BlowfishKeyGenerator.class
jar: processSignature signed name = com/sun/crypto/provider/DESedeParameters.class
jar: processSignature signed name = com/sun/crypto/provider/DESCipher.class
jar: processSignature signed name = com/sun/crypto/provider/SunJCE_y.class
jar: processSignature signed name = com/sun/crypto/provider/SunJCE_w.class
jar: processSignature signed name = com/sun/crypto/provider/SunJCE_u.class
jar: done with meta!
jar: beginEntry com/sun/crypto/provider/SunJCE.class
jar: Manifest Entry: com/sun/crypto/provider/SunJCE.class digest=SHA1
jar: manifest 0fe82e2de1fb12e454f2d0040a5f03fed540137c
jar: computed 0fe82e2de1fb12e454f2d0040a5f03fed540137c
jar:
jar: beginEntry com/sun/crypto/provider/SunJCE_b.class
jar: Manifest Entry: com/sun/crypto/provider/SunJCE_b.class digest=SHA1
jar: manifest 9eeb08cf129453b71839ae5eaab988d419eda23d
jar: computed 9eeb08cf129453b71839ae5eaab988d419eda23d
jar:
jar: Signature Block Certificate: [
[
  Version: V3
  Subject: CN=Tony's test certificate, O=Sun Microsystems Inc
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
  Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@66e815
  Validity: [From: Tue Feb 03 09:07:52 EST 2004, To: Wed Feb 02 09:07:52 EST 2005]
  Issuer: O=Sun Microsystems Inc, CN=Sun Microsystems Inc TEST CA
  SerialNumber: [ 11000708 ]
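An added example, not part of the original report and not JDK or signtool code: it recomputes each per-entry manifest digest independently of the JDK, streaming the entry in chunks, so a "SHA1 digest error" like the one in the trace can be attributed to either the archive or the verifier. The build_sample helper, its payload and its manifest text are constructed for illustration, and the manifest layout is assumed to be the standard JAR "Name:" / "<ALG>-Digest:" per-entry sections.

```python
import base64, hashlib, io, zipfile

# Manifest attribute (lower-cased; names are case-insensitive) -> hashlib name.
ALGS = {"md5-digest": "md5", "sha1-digest": "sha1", "sha-256-digest": "sha256"}

def parse_manifest(text):
    """Return {entry name: {attribute: value}} for the per-entry sections."""
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    text = text.replace("\n ", "")  # a leading space continues the previous line
    entries = {}
    for section in text.split("\n\n"):
        attrs = {}
        for line in section.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                attrs[key.lower()] = value
        if "name" in attrs:
            entries[attrs.pop("name")] = attrs
    return entries

def check_jar(jar, chunk=1 << 20):
    """Return {(entry, alg): (manifest_hex, computed_hex)} for every listed digest."""
    results = {}
    with zipfile.ZipFile(jar) as zf:
        mf = next(n for n in zf.namelist() if n.lower() == "meta-inf/manifest.mf")
        for name, attrs in parse_manifest(zf.read(mf).decode("utf-8")).items():
            hashers = {ALGS[a]: hashlib.new(ALGS[a]) for a in attrs if a in ALGS}
            with zf.open(name) as fh:  # stream in chunks; entries may be large
                for block in iter(lambda: fh.read(chunk), b""):
                    for h in hashers.values():
                        h.update(block)
            for attr, alg in ALGS.items():
                if attr in attrs:
                    expected = base64.b64decode(attrs[attr]).hex()
                    results[(name, alg)] = (expected, hashers[alg].hexdigest())
    return results

def build_sample(payload, break_sha1=False):
    """Constructed in-memory jar: one entry plus a manifest listing MD5 and SHA1."""
    sha1 = hashlib.sha1(payload + b"x" if break_sha1 else payload).digest()
    manifest = ("Manifest-Version: 1.0\r\n\r\nName: test2.tar\r\n"
                "Digest-Algorithms: MD5 SHA1\r\n"
                "MD5-Digest: %s\r\nSHA1-Digest: %s\r\n\r\n"
                % (base64.b64encode(hashlib.md5(payload).digest()).decode(),
                   base64.b64encode(sha1).decode()))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("test2.tar", payload)
        zf.writestr("META-INF/manifest.mf", manifest)
    return buf
```

check_jar also accepts a path to a jar on disk; a pair whose two hex strings differ marks a manifest digest that does not match the stored entry, while all pairs matching on a jar that jarsigner rejects points at the verifier.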