What are the hashes, signature algorithms and key sizes? Maybe one of the newer security properties is turning those off? Does it have a timestamp?
Regards, Bernd
--
http://bernd.eckenfels.net

________________________________
From: … on behalf of …
Sent: Friday, October 5, 2018 10:13 PM
To: security-dev@openjdk.java.net
Subject: Jar's CodeSigner null on Java 10, non-null on Java 8

Excuse me if this isn't the right place to ask this.

I've been trying to debug something related to verifying that a class was signed with a particular certificate. The certificate is self-signed and long expired, if that makes a difference. I have the following code to check the signature:

    private static boolean signedByMe(Class<?> c) {
        ProtectionDomain protectionDomain = c.getProtectionDomain();
        if (protectionDomain == null) return false;
        CodeSource codeSource = protectionDomain.getCodeSource();
        if (codeSource == null) return false;
        CodeSigner[] codeSigners = codeSource.getCodeSigners();
        if (codeSigners != null) {
            for (CodeSigner cs : codeSigners) {
                for (Certificate cp : cs.getSignerCertPath().getCertificates()) {
                    byte[] sigKey = cp.getPublicKey().getEncoded();
                    if (Arrays.equals(sigKey, ourKey)) {
                        return true;
                    }
                }
            }
        }
        return false;
    }

(ourKey is the byte[] of the public key of the certificate used to sign the jar)

On Java 8 this works fine. On Java 10.0.2 codeSigners is null. If I run with -Djava.security.debug=jar the output indicates that the classes are signed in both cases.

Is this a bug or a specific change to how the expired certificate is handled?

Regards,
Scott

(please include me in replies, I'm not subscribed to the list)
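The reply above asks three diagnostic questions about the signed JAR: which key algorithm and key size the signer certificate uses, which signature algorithm it carries, and whether the signature was timestamped. The following program is an added example (not code from either poster, and not part of the OpenJDK project) that answers those questions for a JAR on disk using only the public java.util.jar and java.security APIs. It opens the JAR with verification enabled, reads every non-META-INF entry to EOF (signers are only populated once an entry has been fully read), and prints each entry's signer subject, certificate signature algorithm, validity end, key algorithm and size, and the timestamp if one is present. The file name is taken from the command line; the class name JarSignerInfo and the helper method names are assumptions made for this example.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.PublicKey;
import java.security.Timestamp;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Added example: report signer key/algorithm/timestamp details for every entry of a JAR. */
public class JarSignerInfo {

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java JarSignerInfo <file.jar>");
            System.exit(2);
        }
        // verify = true: entries whose signature is rejected get no CodeSigner[]
        try (JarFile jar = new JarFile(args[0], true)) {
            Enumeration<JarEntry> entries = jar.entries();
            byte[] buf = new byte[8192];
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;

                // Signers are only available after the entry has been read to EOF.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }

                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) {
                    // Either the entry is unsigned or the signature was not accepted.
                    System.out.println(e.getName() + ": no accepted signer");
                    continue;
                }
                for (CodeSigner cs : signers) {
                    // Index 0 of the signer cert path is the end-entity (signing) certificate.
                    Certificate leaf = cs.getSignerCertPath().getCertificates().get(0);
                    System.out.println(describe(e.getName(), leaf, cs.getTimestamp()));
                }
            }
        }
    }

    /** Builds a one-line summary of the signer certificate and timestamp for one entry. */
    static String describe(String entry, Certificate cert, Timestamp ts) {
        StringBuilder sb = new StringBuilder(entry).append(": ");
        if (cert instanceof X509Certificate) {
            X509Certificate x = (X509Certificate) cert;
            sb.append("subject=").append(x.getSubjectX500Principal().getName());
            sb.append(", certSigAlg=").append(x.getSigAlgName());
            sb.append(", notAfter=").append(x.getNotAfter());
        }
        PublicKey pk = cert.getPublicKey();
        sb.append(", keyAlg=").append(pk.getAlgorithm());
        sb.append(", keyBits=").append(keyBits(pk));
        // A timestamp lets an expired certificate still validate for code signed while it was valid.
        sb.append(", timestamp=").append(ts == null ? "none" : ts.getTimestamp());
        return sb.toString();
    }

    /** Returns the key size in bits for the common key types, or -1 if unknown. */
    static int keyBits(PublicKey pk) {
        if (pk instanceof RSAPublicKey) {
            return ((RSAPublicKey) pk).getModulus().bitLength();
        }
        if (pk instanceof DSAPublicKey) {
            return ((DSAPublicKey) pk).getParams().getP().bitLength();
        }
        if (pk instanceof ECPublicKey) {
            return ((ECPublicKey) pk).getParams().getCurve().getField().getFieldSize();
        }
        return -1;
    }
}
```

Run it as `java JarSignerInfo path/to/signed.jar`. Note that the certificate's own signature algorithm (certSigAlg) is not the same thing as the digest and signature algorithms used in the JAR's .SF and signature block files; for those, `jarsigner -verify -verbose -certs signed.jar` prints the per-signature details, and comparing its output between the Java 8 and Java 10 installations is the quickest way to see whether the newer runtime is rejecting the signature rather than merely reporting the expired certificate.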