JDK-8334263

Spurious warning from jarsigner -verify when keystore with intermediate CA is used


    • Type: CSR
    • Resolution: Unresolved
    • Priority: P5
    • Component: security-libs
    • Compatibility Kind: behavioral
    • Compatibility Risk: medium
    • Compatibility Risk Description:
      As shown in the Problem section above, there is a behavior change, and the case that triggers it is not uncommon. For example, in an enterprise environment, a JAR file signer might get its certificate from a private CA. In that case, in order to verify the JAR file, a user usually puts the private CA's certificate in a local keystore and runs the jarsigner command with it. Since the signer certificate itself is not in the keystore, the warning should be shown. The new behavior matches this expectation.

      As for the exit code, before this change the exit code is zero because the CA is in the keystore. After the change, this warning is no longer severe and the exit code is still zero.
    • Interface Kind: Other
    • Scope: Implementation

      Summary

      Fix the jarsigner aliasNotInStore warning implementation and no longer treat it as a severe warning.

      Problem

      According to the description of the aliasNotInStore warning code in the jarsigner man page, when jarsigner -verify -keystore ksfile detects that one or more signers are not in the specified keystore, it should print the warning "This jar contains signed entries that are not signed by alias in this keystore" and exit with a non-zero code if -strict is also on the command line.

      This was not implemented correctly as the exit code and the warning message are controlled by different (but related) flags. Sometimes the warning is shown but the exit code is still zero.

      Furthermore, the flags depend not only on the certificate of the signer itself, but possibly also on the CAs that issued the certificate to the signer. Sometimes, when a signer is not in the keystore but one of its CAs is, the exit code is zero although the warning is still shown.

      Finally, the aliasNotInStore warning should not have been categorized as "severe" at all. In the real world a signed JAR file is verified by someone other than the signer, so we should not expect the verifier to have the signer's key or certificate in their local keystore.

      Solution

      1. Change the warning from severe to informational, i.e., do not exit with a non-zero code even when -strict is on.
      2. Only detect whether the signer itself is in the keystore, not any of its CAs (if any exist).
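      The following Go program is an added illustration of the Problem and Solution sections, not jarsigner's own code. It models the keystore as an alias-to-certificate map, issues a throwaway signer certificate from a throwaway private CA, and runs two hypothetical verifier models under -strict: oldVerify, where the warning follows the signer certificate but the exit code is cleared when any certificate in the chain (including the CA) is found in the keystore, and newVerify, where only the signer certificate is consulted and the warning is informational. The non-zero exit value in oldVerify is a constructed placeholder; the page does not state the real value.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// KeyStore stands in for the file given to -keystore: alias -> certificate.
type KeyStore map[string]*x509.Certificate

// aliasOf returns the alias whose certificate is byte-for-byte equal to cert,
// i.e. the "alias in this keystore" that the warning text refers to.
func (ks KeyStore) aliasOf(cert *x509.Certificate) (string, bool) {
	for alias, c := range ks {
		if c.Equal(cert) {
			return alias, true
		}
	}
	return "", false
}

// Report is the modelled outcome of "jarsigner -verify -keystore ksfile".
type Report struct {
	Warn     bool // aliasNotInStore warning printed
	ExitCode int  // non-zero only when a severe warning fires under -strict
}

// oldVerify models the behaviour the CSR calls incorrect (hypothetical model):
// the warning is driven by the signer certificate alone, while the severe exit
// code is suppressed if any certificate in the chain, signer or CA, is found.
func oldVerify(ks KeyStore, chain []*x509.Certificate, strict bool) Report {
	_, signerInStore := ks.aliasOf(chain[0])
	chainInStore := false
	for _, c := range chain {
		if _, ok := ks.aliasOf(c); ok {
			chainInStore = true
			break
		}
	}
	r := Report{Warn: !signerInStore}
	if strict && !chainInStore {
		r.ExitCode = 1 // constructed placeholder; the real value is not on the page
	}
	return r
}

// newVerify models the fix: only the signer certificate (chain[0]) is consulted,
// and the warning is informational, so the exit code stays 0 even under -strict.
func newVerify(ks KeyStore, chain []*x509.Certificate, strict bool) Report {
	_, signerInStore := ks.aliasOf(chain[0])
	return Report{Warn: !signerInStore, ExitCode: 0}
}

var serial int64

// newCert issues a throwaway test certificate; parent == nil makes it self-signed.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Scenario builds a signer certificate issued by a private CA, fills the keystore
// with the chosen certificates, and runs both verifier models with -strict on.
func Scenario(storeSigner, storeCA bool) (old, fixed Report) {
	ca, caKey := newCert("Private CA", true, nil, nil)
	signer, _ := newCert("JAR signer", false, ca, caKey)
	ks := KeyStore{}
	if storeSigner {
		ks["signer"] = signer
	}
	if storeCA {
		ks["privateca"] = ca
	}
	chain := []*x509.Certificate{signer, ca}
	return oldVerify(ks, chain, true), newVerify(ks, chain, true)
}

func main() {
	for _, c := range []struct {
		name                 string
		storeSigner, storeCA bool
	}{
		{"signer in keystore", true, false},
		{"only private CA in keystore", false, true},
		{"keystore empty", false, false},
	} {
		old, fixed := Scenario(c.storeSigner, c.storeCA)
		fmt.Printf("%-28s old: warn=%-5t exit=%d   fixed: warn=%-5t exit=%d\n",
			c.name, old.Warn, old.ExitCode, fixed.Warn, fixed.ExitCode)
	}
}
```

      The "only private CA in keystore" row is the enterprise case from the Compatibility Risk Description: both models print the warning, and both exit 0, but for different reasons (the old model because the CA matched, the new model because the warning is informational). The "keystore empty" row shows where the exit code actually changes under -strict.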

      Specification

      In the jarsigner man page, move the aliasNotInStore warning from the "Severe Warnings" section to the "Informational Warnings" section, and remove its associated exit code. See https://docs.oracle.com/en/java/javase/23/docs/specs/man/jarsigner.html#severe-warnings.

weijun Weijun Wang
revans Richard Evans