JDK-8158124 : Jarsigner does not support TSA with precision better than milliseconds
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 8u73,9
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • OS: windows_10
  • CPU: x86
  • Submitted: 2016-04-20
  • Updated: 2023-12-06
  • Resolved: 2023-12-06
Related Reports
Duplicate :  
Description
FULL PRODUCT VERSION :
java version "1.8.0_73"
Java(TM) SE Runtime Environment (build 1.8.0_73-b02)
Java HotSpot(TM) 64-Bit Server VM (build 25.73-b02, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 10.0.10586]

A DESCRIPTION OF THE PROBLEM :
The problem is that the use of jarsigner with an RFC 3161 compliant TSA server fails if the server is set to return time with precision better than milliseconds. The Generalized Time reported by the server throws an "unsupported precision" exception despite being set correctly, and the whole signing process fails.

The problem probably lies in sun.security.util.DerInputBuffer while parsing the Generalized Time.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
jarsigner -keystore "my.key" -storepass XXX -keypass XXX -tsa http://tsa.cesnet.cz:3161/tsa my_library.jar myLabel

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Signed JAR library.
ACTUAL -
Throws exception.

ERROR MESSAGES/STACK TRACES THAT OCCUR :
jarsigner: unable to sign jar: java.io.IOException: Parse Generalized time,
unsupported precision for seconds value

REPRODUCIBILITY :
This bug can be reproduced always.


Comments
Changing the type to Enhancement. If the new (java8+) API from java.time package is used, then the precision may be possibly increased to nano-seconds.
15-07-2016

This is a "by design" limitation of the sun.security.util.DerInputBuffer class. Here are a few related comments:
http://hg.openjdk.java.net/jdk9/dev/jdk/file/8891a2cd0d54/src/java.base/share/classes/sun/security/util/DerInputBuffer.java#l290

 * Generalized time has a four-digit year and allows any
 * precision specified in ISO 8601. However, for our purposes,
 * we will only allow the same format as UTC time, except that
 * fractional seconds (millisecond precision) are supported.
 ...
 * We allow for non-encoded seconds, even though the
 * IETF-PKIX specification says that the seconds should
 * always be encoded even if it is zero.
 ...
 * Generalized time can theoretically allow any precision,
 * but we're not supporting that.
15-07-2016
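
The java.time approach suggested in the comments above, as an added example that is not JDK code and not part of the original report: a standalone parser for the RFC 3161 genTime form YYYYMMDDhhmmss[.s...]Z that keeps up to nanosecond precision instead of rejecting it. The class name, method name and sample timestamps are constructed for illustration.

```java
import java.time.DateTimeException;
import java.time.Instant;
import java.time.LocalDateTime;
import java.time.ZoneOffset;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class GenTimeDemo {
    // YYYYMMDDhhmmss, optional ".digits" fraction of any length, mandatory Z (UTC).
    private static final Pattern GEN_TIME =
            Pattern.compile("(\\d{4})(\\d{2})(\\d{2})(\\d{2})(\\d{2})(\\d{2})(?:\\.(\\d+))?Z");

    /** Hypothetical helper: converts a GeneralizedTime string to an Instant. */
    static Instant parseGenTime(String text) {
        Matcher m = GEN_TIME.matcher(text);
        if (!m.matches()) {
            throw new IllegalArgumentException("not a UTC GeneralizedTime: " + text);
        }
        int nanos = 0;
        if (m.group(7) != null) {
            // Instant stores nanoseconds: right-pad short fractions, truncate past 9 digits.
            nanos = Integer.parseInt((m.group(7) + "000000000").substring(0, 9));
        }
        try {
            return LocalDateTime.of(
                    Integer.parseInt(m.group(1)), Integer.parseInt(m.group(2)),
                    Integer.parseInt(m.group(3)), Integer.parseInt(m.group(4)),
                    Integer.parseInt(m.group(5)), Integer.parseInt(m.group(6)), nanos)
                    .toInstant(ZoneOffset.UTC);
        } catch (DateTimeException e) {
            // Out-of-range fields such as month 13 or 30 February end up here.
            throw new IllegalArgumentException("invalid date/time fields: " + text, e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from any real TSA response.
        String[] samples = {
            "20160420101530Z", "20160420101530.123Z",
            "20160420101530.123456Z", "20160420101530.123456789Z" };
        for (String s : samples) {
            System.out.println(s + " -> " + parseGenTime(s));
        }
    }
}
```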

8u92 - Fail
9 ea b121 - Fail
13-06-2016

Not able to reproduce this issue, it has a dependency on http://tsa.cesnet.cz:3161/tsa, which is not accessible. Forwarding for development team's review.
30-05-2016