Bug ID: JDK-8180289 jarsigner treats timestamped signed jar invalid after the signer cert expires

JDK-8180289 : jarsigner treats timestamped signed jar invalid after the signer cert expires

Type: Bug
Component: security-libs
Sub-Component: java.security
Affected Version: 9

Priority: P3
Status: Closed
Resolution: Fixed

Submitted: 2017-05-12
Updated: 2018-11-14
Resolved: 2017-10-27

Versions (Unresolved/Resolved/Fixed)

The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.

JDK 10	JDK 7	JDK 8	JDK 9	Other
10 b30Fixed	7u221Fixed	8u191Fixed	9.0.6Fixed	openjdk7uFixed

Related Reports

Blocks :	JDK-8191438 - jarsigner should print when a timestamp will expire
Relates :	JDK-8172529 - Use PKIXValidator in jarsigner
Relates :	JDK-8166222 - Don't treat signed jars with invalid timestamps as unsigned

Sub Tasks

JDK-8184229 :	Release Note: jarsigner treats timestamped signed jar invalid after the signer cert expires - Closed
JDK-8194060 :	doc change for JDK-8180289 on tsaChainNotValidated - Resolved

Description

If a jar was signed some time ago with a timestamp when the signer cert was valid, it should be treated valid even after the signer cert expires. However, jarsigner shows a warning saying signer cert chain not validated.

Jarsigner has always been doing the validity check itself and the timestamp is considered. On the other hand, it also performs a CertPath validation and this validation has never used the timestamp. Before JDK-8172529, when the validation throws a CertificateExpiredException or CertificateNotYetValidException, it is simply ignored because the validity is already checked. After JDK-8172529, the exceptions are only ignored when jarsigner's own validity check fails. The result is that when a timestamp exists and the signer cert has expired after the timestamp, jarsigner's own validity check succeeds, but the CertPath validation fails (since it has not used the timestamp) and the exception is now rethrown.

Comments

The TSA certificate chain validation uses PKIXValidator like JDK-8172529 does for signer's certificate chain. So my opinion is that if we decide to backport the TSA certificate chain validation part to 8/7/6, then we might also want to backport JDK-8172529.
01-12-2017
[~pkoppula] The test change in this fix has a bug. Please rememeber to include the change for JDK-8190674 when backporting this fix.
01-12-2017
Do we need 8/7/6 backports? The JDK-8172529 was only integrated in 9 and 10.
16-11-2017
With this fix, jarsigner also validates the TSA certificate chain, whereas previously it did not.
15-11-2017
This bug will be fixed along with JDK-8166222.
12-07-2017