Details

    • Type: Bug
    • Status: Closed
    • Priority: P3
    • Resolution: Not an Issue
    • Affects Version/s: 7u4
    • Fix Version/s: None
    • Component/s: security-libs
    • Labels:

      Description

      J2SE Version (please include all output from java -version flag):
        java version "1.7.0_04"
        Java(TM) SE Runtime Environment (build 1.7.0_04-b20)
        Java HotSpot(TM) Client VM (build 23.0-b21, mixed mode, sharing)

      Does this problem occur on J2SE 6ux or 7ux? Yes / No (pick one)
        Java 7

      Operating System Configuration Information (be specific):

        Windows Vista Business SP2

      Hardware Configuration Information (be specific):

        HP Pavillion dv9000
        Windows Vista Business SP2 32 bit
        3 GB RAM
        Intel Core 2 Duo T9300

      Bug Description:

      The problem is that signing jar files with a timestamping service does work in
      practice. Verisign, being one of the players in certificates, has a recommend
      TSA service to use. jarsigner does not work with their service using Java 7,
      returning:

      > jarsigner: unable to sign jar: javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name

      This bug has been reported to both Oracle and Versign, with no resolution.

      In the previous bug report sent to Oracle, there is a comment in the evaluation:
      > > however since most Browsers happyly connect to those servers,
      > I tried to access the UEL mentioned in the bug description,
         "https://timestamp.geotrust.com/tsa",
      > with IE and Firefox. Both shows no page found. So what's your mean about
      > "most browsers happyly connection to those servers"?

      The evaluator is correct that this URL is not accessible to browsers, but it does
      work from jarsigner. They must be blocking this URL from browsers. However,
      https://timestamp.geotrust.com does work from a browser and the certificate
      information can be obtained from this URL.

      The crux of this issue is that timestamping is the recommend way to do things.
      Verisign (part of Symantec) is doing its thing, and Oracle is doing theirs.
      However, people like me need both entities to cooperate to get our job done.

      Current workaround is just to use the jarsigner from Java 6. However, using a
      "workaround" is always a bit unnerving since one can never be quite sure how long
      the workaround will work.

      http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7127374

      https://knowledge.verisign.com/support/code-signing-support/index?page=content&id=SO19577&actp=search&viewlocale=en_US&searchid=1338314020925


      Steps to Reproduce (be specific):

      Created a certificate just for this test, called mykey in the attached keystore.
      The password is 'passwd'. The dsn.jar is a jar I downloaded as part of the
      java mail bundle to have a jar to include in this report.

      jarsigner -keystore keystore -tsa https://timestamp.geotrust.com/tsa -signedjar dns-signed.jar dsn.jar mykey

      > jarsigner: unable to sign jar: javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                xuelei Xue-Lei Fan
                Reporter:
                tyao Ting-Yun Ingrid Yao (Inactive)
              • Votes:
                0 Vote for this issue
                Watchers:
                0 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Imported:
                  Indexed: