I have a question about how TSA should work.
I have signed our jar files with use of TSA, but after the signing certificate had expired I was surprised to see that Openwebstart complains about the expired certificate. I checked the jar and the signing chain of the timestamp did not contain the complete chain, only the CA was missing. I did not expect a problem because the CA is in "cacerts" of the JRE.
I checked the source code and I discovered that at the end in the icedtea project the chain is ''checked" by checking if one of the certificates in the chain (without the CA, from the timestamp in the signed jar) is also in one of the JRE keystore (ex. cacerts). In my case this not the case which ends up in the warning. I expected that Openwebstart/icedtea validates the chain (without the CA) from the signed timestamp against the trusted keystores (find a CA ijn the JRE keystores which trust the provided chain).
Complete chain: signer<-intermediate2<-intermediate1<-CA
Timestamp chain in the signed jar: signer<-intermediate2<-intermediate1
Cacerts: CA
Two question:
My biggest question is should we include the full timestamp chain in the signed jar, is this a specification? I think not because I think, for example, jarsigner -verify checks the cacerts if it can find the signer of this chain is in cacerts and in my case it gives me an OK
Second question is it save to assume that the provided timestamp chain of the jar entry is safe without verifying? Maybe the jarfile.class is handling this, but I did not check this.
Robert
TSA check
-
- Posts: 895
- Joined: 24 Mar 2020, 13:37
Re: TSA check
I did not get time to go through the jar signing code yet. I will have a look in coming days but cannot promise when. For guaranteed response time, please consider paid support : https://openwebstart.com/support/
-
- Posts: 895
- Joined: 24 Mar 2020, 13:37
Re: TSA check
We had a brief look.
Is it possible for you to sign the jars with certificate chain that includes the CA cert?
https://github.com/AdoptOpenJDK/IcedTea ... ifier.java has a method isTrustedTsa which is doing the check.
Is it possible for you to sign the jars with certificate chain that includes the CA cert?
https://github.com/AdoptOpenJDK/IcedTea ... ifier.java has a method isTrustedTsa which is doing the check.
-
- Posts: 2
- Joined: 15 Oct 2024, 00:29
Re: TSA check
I'm not sure if we can do this (we are using jarsigner), but my question is more about how this (should) work. See the above questions.
If the current way is not correct I can probably make some time to improve this. But when the existing approach is correct then the only way is to include somehow the full signing chain in the jar.
If the current way is not correct I can probably make some time to improve this. But when the existing approach is correct then the only way is to include somehow the full signing chain in the jar.
-
- Posts: 895
- Joined: 24 Mar 2020, 13:37
Re: TSA check
> If the current way is not correct I can probably make some time to improve this
I have pointed to the Class and method. You are welcome to improve upon it and create a Pull Request.
I have pointed to the Class and method. You are welcome to improve upon it and create a Pull Request.