United StatesChange Country, Oracle Worldwide Web Sites Communities I am a... I want to...
JDK-8009636 : JARSigner including TimeStamp PolicyID (TSAPolicyID) as defined in RFC3161

Details
Type:
Enhancement
Submit Date:
2013-02-15
Status:
Closed
Updated Date:
2013-07-03
Project Name:
JDK
Resolved Date:
2013-04-19
Component:
security-libs
OS:
Sub-Component:
java.security
CPU:
Priority:
P3
Resolution:
Fixed
Affected Versions:
8
Fixed Versions:

Related Reports
Relates:
Relates:

Sub Tasks
JDK-8011869:
JDK-8011870:

Description
A DESCRIPTION OF THE REQUEST :
JARsigner is not proving options for defining an TSAPolicyID for TimeStamping signed code. This option is defined in RFC 3161 and that is also what jarsigner is using for communicating to the TSA (as described in the oracle docs: http://docs.oracle.com/javase/7/docs/technotes/tools/windows/jarsigner.html)
It always uses the default Policy on the TSA.

The ETSI TSA Policy - RFC3628  (http://www.ietf.org/rfc/rfc3628.txt) is currently defaulted and cannot be changed. Actually it might evne be interesting to include support for the RFC3628 TSA Policy.

Applications like Adobe, Word and signtool (amongst others) are already RFC3628 'ready' and/or provide support for the TSAPolicyID.

Example TimeStamp Servers:
http://free-tsu.e-timing.ne.jp/TSS/HttpTspServer
http://tsa01.quovadisglobal.com/TSS/HttpTspServer
http://zd.e-guven.com/TSS/HttpTspServer

JUSTIFICATION :
TimeStamp Server can be configured with multiple TSAPolicies. This is due to (for instance) security and compliancy. Only one Policy can be defaulted, but it could be case that specific applications are unable to sign using the specific policy. So new policies can be generated to make several applications compliant. Many Application have options for Request Policy OID's, so the correct policy from the TSA can be selected instead of the default one.



EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
An additinal (optional) argument where a policy can be defined. For instance

-tsapolicyid policyid

example (fictional):

-tsapolicyid  " 1.3.2.4.332.122313.8 " 

When the argument is not included, the behaviour should be as it currently is.
ACTUAL -
There is no actual behaviour. It just errors out when trying to use a TimeStamp server with a non 'compatible' TSAPolicy as default. As it is the defaulted RFC3628 policy, it gives an error about not being capable to decode the bytes:

jarsigner: unable to sign jar: sun.security.pkcs.ParsingException: Unable to par
se the encoded bytes

---------- BEGIN SOURCE ----------
jarsigner -keystore CertName.p12 -storetype PKCS12 -tsa http://free-tsu.e-timing.ne.jp/TSS/HttpTspServer test.jar  " CertName " 
---------- END SOURCE ----------
                                    

Comments
Add TSAPolicyID for affected java files, The code looks good.
the testcases sun/security/tools/jarsigner/ts.sh  pass in aurora nightly:
http://aurora.ru.oracle.com/functional/faces/RunDetails.xhtml?names=243966.CORELIBS-JDK8-NIGHTLY-JTREG-13
                                     
2013-06-28
URL:   http://hg.openjdk.java.net/jdk8/jdk8/jdk/rev/778b16225d85
User:  lana
Date:  2013-05-07 18:40:01 +0000

                                     
2013-05-07
URL:   http://hg.openjdk.java.net/jdk8/tl/jdk/rev/778b16225d85
User:  weijun
Date:  2013-04-19 07:43:14 +0000

                                     
2013-04-19
The command fails because there is a bug parsing the PKCS #6 ExtendedCertificateOrCertificate data type (we don't understand extended certificates). It seems not related to the policyId.
                                     
2013-04-08



Hardware and Software, Engineered to Work Together