JDK-8347946

Add API note that caller should validate/trust signers to the getCertificates and getCodeSigners methods of JarEntry and JarURLConnection


The class description for JarFile currently has the following text:

"Please note that the verification process does not include validating the signer's certificate. A caller should inspect the return value of JarEntry.getCodeSigners() to further determine if the signature can be trusted."

The class description of JarInputStream also has a similar warning.

A similar warning should be added to the getCertificates and getCodeSigners methods of JarEntry and the getCertificates method of JarURLConnection since these are the methods that return the code signer's certificate chain. We should state that these methods do not validate or establish trust in the code signer and instead it is the caller's responsibility to do that.

            mullan Sean Mullan
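The caller-side check the issue refers to, as an added example that is not part of the original issue or of the JDK sources: each entry is read to the end so that `getCodeSigners()` is populated, then every signer's certificate path is validated with PKIX against trust anchors the caller chooses. The class and method names, the trust-store arguments, and the decision to leave revocation checking and signature timestamps out are assumptions of this sketch.

```java
import java.io.*;
import java.nio.file.Path;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;
// Added example; TrustedSignerCheck and its methods are hypothetical names.
public class TrustedSignerCheck {
    // Entries directly under META-INF that carry the signature itself and are never signed.
    static boolean isSignatureRelated(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', 9) >= 0) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.endsWith(".SF") || n.endsWith(".RSA")
                || n.endsWith(".DSA") || n.endsWith(".EC") || n.startsWith("META-INF/SIG-");
    }
    // True if at least one signer's certificate chain validates to a caller-chosen anchor.
    static boolean anyTrusted(CodeSigner[] signers, KeyStore anchors) throws GeneralSecurityException {
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // assumption: revocation is checked elsewhere
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        for (CodeSigner s : signers) {
            try {
                validator.validate(s.getSignerCertPath(), params);
                return true;
            } catch (CertPathValidatorException untrusted) {
                // chain does not lead to an anchor, or is expired; try the next signer
            }
        }
        return false;
    }
    // Rejects the JAR unless every content entry is signed by a trusted signer.
    static boolean allEntriesTrusted(Path jar, KeyStore anchors) throws Exception {
        try (JarFile jf = new JarFile(jar.toFile(), true)) {
            for (JarEntry e : Collections.list(jf.entries())) {
                if (e.isDirectory() || isSignatureRelated(e.getName())) continue;
                try (InputStream in = jf.getInputStream(e)) {
                    in.transferTo(OutputStream.nullOutputStream()); // signers are set only after a full read
                }
                CodeSigner[] signers = e.getCodeSigners(); // null means the entry is unsigned
                if (signers == null || !anyTrusted(signers, anchors)) return false;
            }
        }
        return true;
    }
    public static void main(String[] args) throws Exception {
        KeyStore anchors = KeyStore.getInstance(new File(args[1]), args[2].toCharArray());
        System.out.println(allEntriesTrusted(Path.of(args[0]), anchors) ? "TRUSTED" : "UNTRUSTED");
    }
}
```

Run it as `java TrustedSignerCheck.java app.jar anchors.p12 <password>`, where the file names are placeholders; a JAR whose signature verifies but whose signer chains to no anchor in the store prints `UNTRUSTED`.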