JDK-8180289 : jarsigner treats timestamped signed jar invalid after the signer cert expires
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 9
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2017-05-12
  • Updated: 2018-11-14
  • Resolved: 2017-10-27
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 10 JDK 7 JDK 8 JDK 9 Other
10 b30Fixed 7u221Fixed 8u191Fixed 9.0.6Fixed openjdk7uFixed
Related Reports
Blocks :  
Relates :  
Relates :  
Sub Tasks
JDK-8184229 :  
JDK-8194060 :  
If a jar was signed some time ago with a timestamp when the signer cert was valid, it should be treated valid even after the signer cert expires. However, jarsigner shows a warning saying signer cert chain not validated.

Jarsigner has always been doing the validity check itself and the timestamp is considered. On the other hand, it also performs a CertPath validation and this validation has never used the timestamp. Before JDK-8172529, when the validation throws a CertificateExpiredException or CertificateNotYetValidException, it is simply ignored because the validity is already checked. After JDK-8172529, the exceptions are only ignored when jarsigner's own validity check fails. The result is that when a timestamp exists and the signer cert has expired after the timestamp, jarsigner's own validity check succeeds, but the CertPath validation fails (since it has not used the timestamp) and the exception is now rethrown.
The TSA certificate chain validation uses PKIXValidator like JDK-8172529 does for signer's certificate chain. So my opinion is that if we decide to backport the TSA certificate chain validation part to 8/7/6, then we might also want to backport JDK-8172529.

[~pkoppula] The test change in this fix has a bug. Please rememeber to include the change for JDK-8190674 when backporting this fix.

Do we need 8/7/6 backports? The JDK-8172529 was only integrated in 9 and 10.

With this fix, jarsigner also validates the TSA certificate chain, whereas previously it did not.

This bug will be fixed along with JDK-8166222.