Details
- CSR
- Resolution: Approved
- P3
- None
- minimal
- add/remove/modify command line option
- JDK
Description
Summary
Add a new option '-revCheck' to the jarsigner command. When the '-revCheck' option is specified, jarsigner enables revocation checking to determine whether the certificates have been revoked.
Problem
The jarsigner tool validates the certificate chain when signing or verifying a JAR file, but it does not check revocation. Users therefore cannot tell whether the certificates have been revoked and are no longer trusted. An option should be provided so that users can have jarsigner check the revocation status of certificates.
Solution
Provide a '-revCheck' option for jarsigner to enable revocation checking.
Specification
New option for jarsigner signing or verifying:
- -revCheck: Enables revocation checking when specified. The jarsigner command will make network connections to fetch OCSP responses and CRLs. Revocation checking is off by default when the option is not specified.
jarsigner will emit new indication messages when a revocation check takes place, for OCSP and CRLDP respectively:
- Contacting OCSP server at ...
- Downloading CRL from ...
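The script below is an added example, not part of the CSR or the JDK: it runs a verification with '-revCheck' and lists the OCSP and CRL endpoints that jarsigner reported contacting, so a build step can confirm that a revocation lookup actually happened. The function names, the sample output, the exact text that follows "at" and "from" (the CSR elides it as "..."), and the policy of treating "no lookup reported" as a failure are all assumptions.

```shell
#!/bin/sh
# Added example (not from the CSR). Summarises the indication messages that
# jarsigner prints when it is run with -revCheck.

# Read jarsigner output on stdin; print "OCSP <url>" or "CRL <url>" for each
# indication message. Assumption: a URL follows the message text, possibly
# after punctuation such as ':'.
rev_endpoints() {
    sed -n \
        -e 's|^.*Contacting OCSP server at[^a-zA-Z]*\([a-zA-Z][a-zA-Z0-9+.-]*://[^[:space:]]*\).*$|OCSP \1|p' \
        -e 's|^.*Downloading CRL from[^a-zA-Z]*\([a-zA-Z][a-zA-Z0-9+.-]*://[^[:space:]]*\).*$|CRL \1|p'
}

# Verify a JAR with revocation checking enabled. jarsigner's own output goes
# to stderr and its exit status is passed through; the endpoints go to stdout.
# Returns 2 when jarsigner reported no OCSP or CRL lookup at all, which an
# auditor may want to treat as "revocation status unknown" (assumed policy).
verify_with_revcheck() {
    jar=$1
    out=$(jarsigner -verify -revCheck "$jar" 2>&1)
    status=$?
    printf '%s\n' "$out" >&2
    [ "$status" -eq 0 ] || return "$status"
    endpoints=$(printf '%s\n' "$out" | rev_endpoints)
    if [ -z "$endpoints" ]; then
        echo "no revocation lookup reported for $jar" >&2
        return 2
    fi
    printf '%s\n' "$endpoints"
}

# Constructed sample output (hosts under example.test are placeholders).
sample_output() {
    cat <<'EOF'
Contacting OCSP server at: http://ocsp.example.test/
Downloading CRL from: http://crl.example.test/ca.crl
jar verified.
EOF
}

# Offline demonstration on the constructed sample. For a real JAR, call:
#   verify_with_revcheck path/to/app.jar
sample_output | rev_endpoints
```

Because '-revCheck' makes jarsigner open network connections, the listed endpoints are also the hosts a restricted build environment has to allow outbound.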
Issue Links
- csr of JDK-8242060 Add revocation checking to jarsigner (Resolved)