JDK-8166222 : Don't treat signed jars with invalid timestamps as unsigned
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Priority: P3
  • Status: Closed
  • Resolution: Not an Issue
  • Submitted: 2016-09-16
  • Updated: 2017-10-19
  • Resolved: 2017-10-19
Description
We should consider changing the behavior for signed JARs that are timestamped, where the jar signature is valid but the timestamp is not parseable or uses an unsupported or weak algorithm. Currently, it appears that these JARs are treated as completely unsigned. However, they really should be treated as signed but without a timestamp.
Comments
If such a jar is signed without a timestamp, it will stay unnoticed until the day the certificate expires. This is not good. It's better to treat it as unsigned from the beginning so it will not be deployed at all.
19-10-2017
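A check a deployer can run to surface the case this comment describes, a JAR whose signature is valid but carries no timestamp, so that it does not go unnoticed until the signer certificate expires. This is an added example, not JDK code or the patch discussed in this report; it assumes a Java 11 or newer runtime and takes the JAR path as its only argument.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.CodeSigner;
import java.security.Timestamp;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example, not JDK code. Classifies every entry of the JAR given as
// args[0] as UNSIGNED, TAMPERED, NO-TIMESTAMP (with signer cert expiry) or TIMESTAMPED.
public class JarTimestampAudit {
    public static void main(String[] args) throws IOException {
        // verify=true: JarFile checks each entry against its signature as it is read
        try (JarFile jar = new JarFile(args[0], true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // getCodeSigners() is only populated once the entry has been read to the end
                try (InputStream in = jar.getInputStream(e)) {
                    in.transferTo(OutputStream.nullOutputStream());
                } catch (SecurityException se) {
                    System.out.println("TAMPERED     " + e.getName() + " (" + se.getMessage() + ")");
                    continue;
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) {
                    System.out.println("UNSIGNED     " + e.getName());
                    continue;
                }
                for (CodeSigner s : signers) {
                    X509Certificate leaf =
                        (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
                    Timestamp ts = s.getTimestamp();
                    if (ts == null) {
                        // Signed but not timestamped: valid only until the signer cert expires
                        System.out.println("NO-TIMESTAMP " + e.getName() + " signer="
                            + leaf.getSubjectX500Principal() + " expires=" + leaf.getNotAfter());
                    } else {
                        System.out.println("TIMESTAMPED  " + e.getName() + " at " + ts.getTimestamp());
                    }
                }
            }
        }
    }
}
```

A signature file the runtime rejects outright shows up here as UNSIGNED rather than TAMPERED, because JarFile reports no CodeSigners for such entries; only a digest mismatch on an entry raises SecurityException.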

When addressing this issue, try the following patch to sun.security.util.SignatureFileVerifier: diff -r 3ecfccc5c705 src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java --- a/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java Mon Oct 10 00:45:13 2016 -0700 +++ b/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java Tue Oct 11 11:32:59 2016 -0400 @@ -525,7 +525,13 @@ signers = new ArrayList<>(); } // Append the new code signer - signers.add(new CodeSigner(certChain, info.getTimestamp())); + try { + signers.add(new CodeSigner(certChain, info.getTimestamp())); + } catch (IOException | NoSuchAlgorithmException | SignatureException | CertificateException e) { + if (debug != null) debug.println("getSigners caught: "+e); + // Treat code as signed, but not timestamped + signers.add(new CodeSigner(certChain, null)); + } if (debug != null) { debug.println("Signature Block Certificate: " +
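Review bot: the catch in this hunk folds all four failure types of info.getTimestamp() into one fallback, so a timestamp token whose own signature does not verify (SignatureException) is downgraded to "signed, not timestamped" exactly like one that merely uses an unsupported algorithm, and the only trace is a debug.println that is off by default. Suggest narrowing the fallback to the parse and unsupported-algorithm cases (IOException, NoSuchAlgorithmException) and keeping the current behaviour for SignatureException and CertificateException, so a timestamp that fails verification is not silently accepted; alternatively, record the downgrade somewhere a caller can observe it, since after `signers.add(new CodeSigner(certChain, null));` the resulting CodeSigner is indistinguishable from one that was never timestamped.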
11-10-2016