Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8009636

JARSigner including TimeStamp PolicyID (TSAPolicyID) as defined in RFC3161

    Details

    • Subcomponent:
    • Resolved In Build:
      b89
    • Verification:
      Verified

      Backports

        Description

        A DESCRIPTION OF THE REQUEST :
        JARsigner is not proving options for defining an TSAPolicyID for TimeStamping signed code. This option is defined in RFC 3161 and that is also what jarsigner is using for communicating to the TSA (as described in the oracle docs: http://docs.oracle.com/javase/7/docs/technotes/tools/windows/jarsigner.html)
        It always uses the default Policy on the TSA.

        The ETSI TSA Policy - RFC3628 (http://www.ietf.org/rfc/rfc3628.txt) is currently defaulted and cannot be changed. Actually it might evne be interesting to include support for the RFC3628 TSA Policy.

        Applications like Adobe, Word and signtool (amongst others) are already RFC3628 'ready' and/or provide support for the TSAPolicyID.

        Example TimeStamp Servers:
        http://free-tsu.e-timing.ne.jp/TSS/HttpTspServer
        http://tsa01.quovadisglobal.com/TSS/HttpTspServer
        http://zd.e-guven.com/TSS/HttpTspServer

        JUSTIFICATION :
        TimeStamp Server can be configured with multiple TSAPolicies. This is due to (for instance) security and compliancy. Only one Policy can be defaulted, but it could be case that specific applications are unable to sign using the specific policy. So new policies can be generated to make several applications compliant. Many Application have options for Request Policy OID's, so the correct policy from the TSA can be selected instead of the default one.



        EXPECTED VERSUS ACTUAL BEHAVIOR :
        EXPECTED -
        An additinal (optional) argument where a policy can be defined. For instance

        -tsapolicyid policyid

        example (fictional):

        -tsapolicyid " 1.3.2.4.332.122313.8 "

        When the argument is not included, the behaviour should be as it currently is.
        ACTUAL -
        There is no actual behaviour. It just errors out when trying to use a TimeStamp server with a non 'compatible' TSAPolicy as default. As it is the defaulted RFC3628 policy, it gives an error about not being capable to decode the bytes:

        jarsigner: unable to sign jar: sun.security.pkcs.ParsingException: Unable to par
        se the encoded bytes

        ---------- BEGIN SOURCE ----------
        jarsigner -keystore CertName.p12 -storetype PKCS12 -tsa http://free-tsu.e-timing.ne.jp/TSS/HttpTspServer test.jar " CertName "
        ---------- END SOURCE ----------

          Issue Links

            Activity

            Hide
            weijun Weijun Wang added a comment - - edited
            The command fails because there is a bug parsing the PKCS #6 ExtendedCertificateOrCertificate data type (we don't understand extended certificates). It seems not related to the policyId.
            Show
            weijun Weijun Wang added a comment - - edited The command fails because there is a bug parsing the PKCS #6 ExtendedCertificateOrCertificate data type (we don't understand extended certificates). It seems not related to the policyId.
            Hide
            hgupdate HG Updates added a comment -
            URL: http://hg.openjdk.java.net/jdk8/tl/jdk/rev/778b16225d85
            User: weijun
            Date: 2013-04-19 07:43:14 +0000
            Show
            hgupdate HG Updates added a comment - URL: http://hg.openjdk.java.net/jdk8/tl/jdk/rev/778b16225d85 User: weijun Date: 2013-04-19 07:43:14 +0000
            Hide
            hgupdate HG Updates added a comment -
            URL: http://hg.openjdk.java.net/jdk8/jdk8/jdk/rev/778b16225d85
            User: lana
            Date: 2013-05-07 18:40:01 +0000
            Show
            hgupdate HG Updates added a comment - URL: http://hg.openjdk.java.net/jdk8/jdk8/jdk/rev/778b16225d85 User: lana Date: 2013-05-07 18:40:01 +0000

              People

              • Assignee:
                weijun Weijun Wang
                Reporter:
                webbuggrp Webbug Group
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: