JDK-8009636 : JARSigner including TimeStamp PolicyID (TSAPolicyID) as defined in RFC3161
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 8
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2013-02-15
  • Updated: 2017-05-17
  • Resolved: 2013-04-19
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 8 Other
8 b89Fixed openjdk7uFixed
Related Reports
Relates :  
JDK-8011745 - Unknown CertificateChoices
Relates :  
JDK-8011867 - Accept unknown PKCS #9 attributes
Sub Tasks
JDK-8011869 :  
New jarsigner.html changes for JDK-8009636 - Resolved
JDK-8011870 :  
i18n translations for JDK-8009636 - Closed
Description
A DESCRIPTION OF THE REQUEST :
JARsigner is not proving options for defining an TSAPolicyID for TimeStamping signed code. This option is defined in RFC 3161 and that is also what jarsigner is using for communicating to the TSA (as described in the oracle docs: http://docs.oracle.com/javase/7/docs/technotes/tools/windows/jarsigner.html)
It always uses the default Policy on the TSA.

The ETSI TSA Policy - RFC3628  (http://www.ietf.org/rfc/rfc3628.txt) is currently defaulted and cannot be changed. Actually it might evne be interesting to include support for the RFC3628 TSA Policy.

Applications like Adobe, Word and signtool (amongst others) are already RFC3628 'ready' and/or provide support for the TSAPolicyID.

Example TimeStamp Servers:
http://free-tsu.e-timing.ne.jp/TSS/HttpTspServer
http://tsa01.quovadisglobal.com/TSS/HttpTspServer
http://zd.e-guven.com/TSS/HttpTspServer

JUSTIFICATION :
TimeStamp Server can be configured with multiple TSAPolicies. This is due to (for instance) security and compliancy. Only one Policy can be defaulted, but it could be case that specific applications are unable to sign using the specific policy. So new policies can be generated to make several applications compliant. Many Application have options for Request Policy OID's, so the correct policy from the TSA can be selected instead of the default one.



EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
An additinal (optional) argument where a policy can be defined. For instance

-tsapolicyid policyid

example (fictional):

-tsapolicyid  " 1.3.2.4.332.122313.8 " 

When the argument is not included, the behaviour should be as it currently is.
ACTUAL -
There is no actual behaviour. It just errors out when trying to use a TimeStamp server with a non 'compatible' TSAPolicy as default. As it is the defaulted RFC3628 policy, it gives an error about not being capable to decode the bytes:

jarsigner: unable to sign jar: sun.security.pkcs.ParsingException: Unable to par
se the encoded bytes

---------- BEGIN SOURCE ----------
jarsigner -keystore CertName.p12 -storetype PKCS12 -tsa http://free-tsu.e-timing.ne.jp/TSS/HttpTspServer test.jar  " CertName " 
---------- END SOURCE ----------
Comments
The command fails because there is a bug parsing the PKCS #6 ExtendedCertificateOrCertificate data type (we don't understand extended certificates). It seems not related to the policyId.
08-04-2013