-
Bug
-
Resolution: Unresolved
-
P4
-
None
If a jar is signed with a private key entry containing more then one certificate in the chain (ie signer cert + intermediate CA) then jarsigner -verify outputs:
Warning:
This jar contains signed entries that are not signed by alias in this keystore.
incorrectly. This happens because the inKeyStoreForOneSigner method in sun.security.tools.jarsigner.Main is using store.getCertificateAlias(c) for each certificate in the CodeSigner's signer path. However getCertificateAlias only checks the first certificate in the chain for a private key entry.
Additionally, the global allAliasesFound flag is set with:
allAliasesFound =
(inStoreWithAlias & SOME_ALIASES_NOT_FOUND) == 0;
It seems that should be:
allAliasesFound &=
(inStoreWithAlias & SOME_ALIASES_NOT_FOUND) == 0;
Issue observed in Oracle JDK 21 and 22.
Warning:
This jar contains signed entries that are not signed by alias in this keystore.
incorrectly. This happens because the inKeyStoreForOneSigner method in sun.security.tools.jarsigner.Main is using store.getCertificateAlias(c) for each certificate in the CodeSigner's signer path. However getCertificateAlias only checks the first certificate in the chain for a private key entry.
Additionally, the global allAliasesFound flag is set with:
allAliasesFound =
(inStoreWithAlias & SOME_ALIASES_NOT_FOUND) == 0;
It seems that should be:
allAliasesFound &=
(inStoreWithAlias & SOME_ALIASES_NOT_FOUND) == 0;
Issue observed in Oracle JDK 21 and 22.
- csr for
-
JDK-8334263 Spurious warning from jarsigner -verify when keystore with intermediate CA is used
-
- Draft
-
- links to
-
Review(master)
openjdk/jdk/19701