JDK-8244046

Add revocation checking to jarsigner

Details

    • CSR
    • Resolution: Approved
    • P3
    • 15
    • security-libs
    • None
    • minimal
    • add/remove/modify command line option
    • JDK

    Description

      Summary

      Add a new option '-revCheck' to the jarsigner command. When the '-revCheck' option is specified, jarsigner will enable revocation checking to find out whether the certificates are revoked.

      Problem

      The jarsigner tool performs certificate chain validation when signing or verifying a JAR file, but does not check revocation. Users therefore cannot tell whether the certificates have been revoked and are no longer trusted. An option should be provided so that users can have jarsigner check the revocation status of certificates.

      Solution

      Provide a '-revCheck' option for jarsigner to enable revocation checking.

      Specification

      New option for jarsigner signing or verifying:

      • -revCheck: Enables revocation checking when specified. The jarsigner command will make network connections to fetch OCSP responses and CRLs. The default, when the option is not specified, is off.

      Jarsigner will emit new informational messages while the revocation check is taking place, for OCSP and CRLDP respectively:

      • Contacting OCSP server at ...
      • Downloading CRL from ...
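
The two messages above make it possible to confirm from jarsigner's output that a revocation lookup was actually attempted. The script below is an added example, not part of the CSR or of the JDK: the function names are hypothetical, the sample output and endpoints are constructed, and it assumes the text after "at" / "from" is the endpoint URL.

```shell
#!/bin/sh
# Added example: summarize the revocation messages printed by
# `jarsigner -revCheck`, using the message prefixes given in the CSR.

# Read jarsigner output on stdin; print "OCSP <endpoint>" or "CRL <endpoint>"
# for each revocation message found.
# Assumption: whatever follows "at" / "from" is the endpoint URL.
revcheck_endpoints() {
    sed -n \
        -e 's/^.*Contacting OCSP server at[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/OCSP \1/p' \
        -e 's/^.*Downloading CRL from[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/CRL \1/p'
}

# Return 0 if the output on stdin reports at least one OCSP or CRL lookup.
revcheck_happened() {
    [ -n "$(revcheck_endpoints)" ]
}

# Hypothetical wrapper: verify a JAR with revocation checking enabled,
# list the endpoints jarsigner reported, and warn if it reported none.
verify_with_revcheck() {
    jar=$1
    out=$(jarsigner -verify -revCheck "$jar" 2>&1)
    status=$?
    printf '%s\n' "$out" | revcheck_endpoints
    if ! printf '%s\n' "$out" | revcheck_happened; then
        echo "warning: no OCSP/CRL lookup reported for $jar" >&2
    fi
    return "$status"
}

# Constructed sample output; the endpoints are made-up placeholders.
SAMPLE_OUTPUT='Contacting OCSP server at http://ocsp.example.test/
Downloading CRL from http://crl.example.test/ca.crl
jar verified.'
```

To try the parser without a JAR or network access, run `printf '%s\n' "$SAMPLE_OUTPUT" | revcheck_endpoints`.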

            People

              hchao Haimay Chao
              hchao Haimay Chao
              Sean Mullan