Details
-
Enhancement
-
Resolution: Fixed
-
P3
-
8
-
b89
-
Verified
Backports
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8163049 | openjdk7u | Weijun Wang | P3 | Resolved | Fixed | master |
Description
A DESCRIPTION OF THE REQUEST :
JARsigner is not proving options for defining an TSAPolicyID for TimeStamping signed code. This option is defined in RFC 3161 and that is also what jarsigner is using for communicating to the TSA (as described in the oracle docs: http://docs.oracle.com/javase/7/docs/technotes/tools/windows/jarsigner.html)
It always uses the default Policy on the TSA.
The ETSI TSA Policy - RFC3628 (http://www.ietf.org/rfc/rfc3628.txt) is currently defaulted and cannot be changed. Actually it might evne be interesting to include support for the RFC3628 TSA Policy.
Applications like Adobe, Word and signtool (amongst others) are already RFC3628 'ready' and/or provide support for the TSAPolicyID.
Example TimeStamp Servers:
http://free-tsu.e-timing.ne.jp/TSS/HttpTspServer
http://tsa01.quovadisglobal.com/TSS/HttpTspServer
http://zd.e-guven.com/TSS/HttpTspServer
JUSTIFICATION :
TimeStamp Server can be configured with multiple TSAPolicies. This is due to (for instance) security and compliancy. Only one Policy can be defaulted, but it could be case that specific applications are unable to sign using the specific policy. So new policies can be generated to make several applications compliant. Many Application have options for Request Policy OID's, so the correct policy from the TSA can be selected instead of the default one.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
An additinal (optional) argument where a policy can be defined. For instance
-tsapolicyid policyid
example (fictional):
-tsapolicyid " 1.3.2.4.332.122313.8 "
When the argument is not included, the behaviour should be as it currently is.
ACTUAL -
There is no actual behaviour. It just errors out when trying to use a TimeStamp server with a non 'compatible' TSAPolicy as default. As it is the defaulted RFC3628 policy, it gives an error about not being capable to decode the bytes:
jarsigner: unable to sign jar: sun.security.pkcs.ParsingException: Unable to par
se the encoded bytes
---------- BEGIN SOURCE ----------
jarsigner -keystore CertName.p12 -storetype PKCS12 -tsa http://free-tsu.e-timing.ne.jp/TSS/HttpTspServer test.jar " CertName "
---------- END SOURCE ----------
JARsigner is not proving options for defining an TSAPolicyID for TimeStamping signed code. This option is defined in RFC 3161 and that is also what jarsigner is using for communicating to the TSA (as described in the oracle docs: http://docs.oracle.com/javase/7/docs/technotes/tools/windows/jarsigner.html)
It always uses the default Policy on the TSA.
The ETSI TSA Policy - RFC3628 (http://www.ietf.org/rfc/rfc3628.txt) is currently defaulted and cannot be changed. Actually it might evne be interesting to include support for the RFC3628 TSA Policy.
Applications like Adobe, Word and signtool (amongst others) are already RFC3628 'ready' and/or provide support for the TSAPolicyID.
Example TimeStamp Servers:
http://free-tsu.e-timing.ne.jp/TSS/HttpTspServer
http://tsa01.quovadisglobal.com/TSS/HttpTspServer
http://zd.e-guven.com/TSS/HttpTspServer
JUSTIFICATION :
TimeStamp Server can be configured with multiple TSAPolicies. This is due to (for instance) security and compliancy. Only one Policy can be defaulted, but it could be case that specific applications are unable to sign using the specific policy. So new policies can be generated to make several applications compliant. Many Application have options for Request Policy OID's, so the correct policy from the TSA can be selected instead of the default one.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
An additinal (optional) argument where a policy can be defined. For instance
-tsapolicyid policyid
example (fictional):
-tsapolicyid " 1.3.2.4.332.122313.8 "
When the argument is not included, the behaviour should be as it currently is.
ACTUAL -
There is no actual behaviour. It just errors out when trying to use a TimeStamp server with a non 'compatible' TSAPolicy as default. As it is the defaulted RFC3628 policy, it gives an error about not being capable to decode the bytes:
jarsigner: unable to sign jar: sun.security.pkcs.ParsingException: Unable to par
se the encoded bytes
---------- BEGIN SOURCE ----------
jarsigner -keystore CertName.p12 -storetype PKCS12 -tsa http://free-tsu.e-timing.ne.jp/TSS/HttpTspServer test.jar " CertName "
---------- END SOURCE ----------
Attachments
Issue Links
- backported by
-
JDK-8163049 JARSigner including TimeStamp PolicyID (TSAPolicyID) as defined in RFC3161
- Resolved
- relates to
-
JDK-8011867 Accept unknown PKCS #9 attributes
- Closed
-
JDK-8011745 Unknown CertificateChoices
- Closed
1.
|
New jarsigner.html changes for JDK-8009636 | Resolved | Raymond Gallardo | ||
2.
|
i18n translations for JDK-8009636 | Closed | Michael Fang (Inactive) | 2013-07-02 |