JDK-8009617 : jarsigner fails when TSA response contains a status string
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 6-pool,7u40
  • Priority: P4
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2013-03-07
  • Updated: 2017-08-29
  • Resolved: 2013-03-08
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availabitlity Release.

To download the current JDK release, click here.
JDK 6 JDK 7
6u171Fixed 7u40 b18Fixed
Related Reports
Relates :  
Description
When using the jarsigner utility and the TSA response contains a status string,
the tool fails the following stacktrace:

jarsigner: unable to sign jar: java.io.IOException: DER input not a UTF-8
string
java.io.IOException: DER input not a UTF-8 string
    at sun.security.util.DerInputStream.readString(DerInputStream.java:480)
    at sun.security.util.DerInputStream.getUTF8String(DerInputStream.java:424)
    at sun.security.timestamp.TSResponse.parse(TSResponse.java:344)
    at sun.security.timestamp.TSResponse.<init>(TSResponse.java:205)
    at
sun.security.timestamp.HttpTimestamper.generateTimestamp(HttpTimestamper.java:154)
    at
sun.security.tools.TimestampedSigner.generateTimestampToken(TimestampedSigner.java:334)
    at
sun.security.tools.TimestampedSigner.generateSignedData(TimestampedSigner.java:222)
    at sun.security.tools.SignatureFile$Block.<init>(JarSigner.java:2064)
    at sun.security.tools.SignatureFile.generateBlock(JarSigner.java:1961)
    at sun.security.tools.JarSigner.signJar(JarSigner.java:1063)
    at sun.security.tools.JarSigner.run(JarSigner.java:221)
    at sun.security.tools.JarSigner.main(JarSigner.java:91)

Investigating this a bit leads me to believe there is a bug in
sun.security.timestamp.TSResponse.

Since this is an internal class and I wanted to make a simple test case using a
hardcoded TSA response, I took the code from this class and made a local
stand-along test project to examine the bug.

If I change the line 322 in TSResponse.java to read:

statusString[i] = strings[i].getUTF8String();

the exception is gone.
I'm not fully confident with the code, but I believe taking .data on strings[i]
gets the raw DER data, which is not a tagged UTF8 string.

This seems to happen also with OpenJDK 7.

The bug was reported against 6-open at https://bugs.openjdk.java.net/show_bug.cgi?id=100304. It's already fixed in jdk8 as part of 7102686.
Comments
Verified with jdk 7u40 b30 with regression test on Windows x64
2013-07-26