On what version of Java 8 does it work?

I am not sure what the problem is without additional information.

Also, have you tried running with -Djava.security.debug=all? Did anything unusual (exceptions, etc.) get logged?

I would also suggest filing a bug with a reproducible test case, if possible: https://bugreport.java.com/bugreport/

--Sean

On 10/5/18 12:00 PM, Scott Palmer wrote:
Excuse me if this isn’t the right place to ask this.

I’ve been trying to debug something related to verifying that a class was 
signed with a particular certificate.  The certificate is self-signed and long 
expired, if that makes a difference.

I have the following code to check the signature:

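        import java.security.CodeSigner;
        import java.security.CodeSource;
        import java.security.ProtectionDomain;
        import java.security.cert.Certificate;
        import java.util.Arrays;

        // Returns true if any certificate in any signer's chain for the class
        // carries the expected public key (ourKey).
        private static boolean signedByMe(Class<?> c) {
                ProtectionDomain protectionDomain = c.getProtectionDomain();
                if ( protectionDomain == null ) return false;
                CodeSource codeSource = protectionDomain.getCodeSource();
                if ( codeSource == null ) return false;
                // null when the class loader recorded no signers for this class
                CodeSigner[] codeSigners = codeSource.getCodeSigners();
                if (codeSigners != null) {
                        for (CodeSigner cs : codeSigners) {
                                for (Certificate cp : cs.getSignerCertPath().getCertificates()) {
                                        byte[] sigKey = cp.getPublicKey().getEncoded();
                                        if (Arrays.equals(sigKey, ourKey)) {
                                                return true;
                                        }
                                }
                        }
                }
                return false;
        }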

(ourKey is the byte[] of the public key of the certificate used to sign the jar)

On Java 8 this works fine.

On Java 10.0.2 codeSigners is null.

If I run with -Djava.security.debug=jar the output indicates that the classes 
are signed in both cases.

Is this a bug or a specific change to how the expired certificate is handled?

Regards,

Scott
(please include me in replies, I’m not subscribed to the list)
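
An added diagnostic, not code from either poster: it runs the same public-key comparison directly against the JAR through java.util.jar.JarFile, so the result can be compared under Java 8 and Java 10 without the class loader in the path. The class name JarSignerCheck and the command-line arguments (JAR path, Base64 of the expected encoded public key) are assumptions made for this example.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Hypothetical helper: reports per entry whether the JDK's JAR verifier sees a signer.
public class JarSignerCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 2) throw new IllegalArgumentException("usage: JarSignerCheck <jar> <base64-public-key>");
        byte[] expectedKey = Base64.getDecoder().decode(args[1]);
        int matching = 0, other = 0, unsigned = 0;
        byte[] buf = new byte[8192];
        // verify=true: signatures are checked as each entry is read
        try (JarFile jar = new JarFile(args[0], true)) {
            for (JarEntry e : Collections.list(jar.entries())) {
                // Simplification: skip directories and everything under META-INF/
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signers are only populated once the entry has been read to the end;
                // a modified entry raises SecurityException during the read.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) {
                    unsigned++;
                    System.out.println("UNSIGNED " + e.getName());
                } else if (matches(signers, expectedKey)) {
                    matching++;
                } else {
                    other++;
                }
            }
        }
        System.out.printf("expected key: %d, other signer: %d, unsigned: %d%n", matching, other, unsigned);
    }

    static boolean matches(CodeSigner[] signers, byte[] expectedKey) {
        for (CodeSigner cs : signers) {
            for (Certificate c : cs.getSignerCertPath().getCertificates()) {
                if (Arrays.equals(c.getPublicKey().getEncoded(), expectedKey)) return true;
            }
        }
        return false;
    }
}
```

If the entries are reported as UNSIGNED on one JDK and matched on the other, the difference is in JAR verification itself rather than in how the class loader builds the CodeSource.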
