CRL Check on signed JAR

I have a signed JAR. How could I check if the corresponding code-signing certificate was revoked? Technically there seem to be the following options:

  1. The Java TrustStore holds CRLs/revoked certificates.
  2. The JarSigner checks CRLs automatically or manually.

However, keytool doesn't have a command line option to import CRLs/mark certificates as revoked. So 1. is off the table. The Jarsigner doesn't have a command line option to check CRLs. Looking at the main class of the JarSigner I also couldn't find any calls to certificate revocation check functions. So 2. is off the table too. To some extent this breaks JAR signing. In case of a stolen code-signing certificate i.e. a leaf certificate, either

  • the root certificate of the leaf certificate must be removed from the TrustStore, effectively removing trust from all leaf certificates with the same root certificate or
  • the leaf certificate stays valid and can be used to sign malicious code

This seems odd to me, am I overlooking something?
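As an added example that is not part of the original post, the following Java program performs the revocation check the question asks about in application code rather than through keytool or jarsigner. It opens the JAR with verification enabled, reads every entry so that the signature over each one is checked, extracts each signer's certificate chain and validates it with the JCA PKIX validator and a PKIXRevocationChecker, so a revoked code-signing leaf is rejected without removing the CA from the trust store. A locally downloaded CRL file may be passed as the second argument (the local-CRL variant of the asker's option 1); otherwise the checker fetches CRLs from the certificate's distribution points and falls back to OCSP. The class name, the use of the JDK's default cacerts store with the default password "changeit", and the command line arguments are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.Security;
import java.security.Timestamp;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.EnumSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Added example: verify a signed JAR and run a PKIX revocation check on every signer chain. */
public class SignedJarRevocationCheck {

    /** Drains every entry (JarFile verifies an entry while it is read) and collects the signers. */
    static Set<CodeSigner> collectSigners(JarFile jar) throws IOException {
        Set<CodeSigner> signers = new LinkedHashSet<>();
        byte[] buf = new byte[8192];
        for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements(); ) {
            JarEntry entry = e.nextElement();
            if (entry.isDirectory()) continue;
            // A tampered entry throws SecurityException while being read to EOF.
            try (InputStream in = jar.getInputStream(entry)) {
                while (in.read(buf) != -1) { /* drain */ }
            }
            CodeSigner[] cs = entry.getCodeSigners();   // null for unsigned entries
            if (cs != null) Collections.addAll(signers, cs);
        }
        return signers;
    }

    /** Drops self-signed roots from the chain; the PKIX trust anchor comes from the trust store. */
    static CertPath trimSelfSignedRoots(CertPath path) throws Exception {
        List<Certificate> chain = new ArrayList<>();
        for (Certificate c : path.getCertificates()) {
            X509Certificate x = (X509Certificate) c;
            if (!x.getSubjectX500Principal().equals(x.getIssuerX500Principal())) chain.add(x);
        }
        return CertificateFactory.getInstance("X.509").generateCertPath(chain);
    }

    /** Validates the signer chain against the trust store with revocation checking switched on. */
    static void validateWithRevocation(CodeSigner signer, KeyStore trustStore, X509CRL localCrl)
            throws Exception {
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(true);
        Timestamp ts = signer.getTimestamp();
        if (ts != null) params.setDate(ts.getTimestamp()); // validate as of the trusted signing time
        if (localCrl != null) {                            // locally supplied CRL, if any
            params.addCertStore(CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(Collections.singletonList(localCrl))));
        }
        PKIXRevocationChecker rc = (PKIXRevocationChecker) validator.getRevocationChecker();
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS)); // CRL first, OCSP fallback
        params.addCertPathChecker(rc);
        validator.validate(trimSelfSignedRoots(signer.getSignerCertPath()), params);
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: SignedJarRevocationCheck <file.jar> [crl-file]");
            System.exit(2);
        }
        // Allow CRL distribution point downloads and OCSP queries for the revocation checker.
        System.setProperty("com.sun.security.enableCRLDP", "true");
        Security.setProperty("ocsp.enable", "true");

        // Assumption: the JDK's default cacerts store (password "changeit") is the trust store.
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(System.getProperty("java.home") + "/lib/security/cacerts")) {
            trust.load(in, "changeit".toCharArray());
        }
        X509CRL crl = null;
        if (args.length > 1) {
            try (InputStream in = new FileInputStream(args[1])) {
                crl = (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(in);
            }
        }
        try (JarFile jar = new JarFile(args[0], true)) {   // true = verify signatures
            Set<CodeSigner> signers = collectSigners(jar);
            if (signers.isEmpty()) { System.out.println("JAR is not signed"); System.exit(1); }
            for (CodeSigner s : signers) {
                X509Certificate leaf = (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
                try {
                    validateWithRevocation(s, trust, crl);
                    System.out.println("OK       " + leaf.getSubjectX500Principal());
                } catch (CertPathValidatorException ex) {
                    // Reason is BasicReason.REVOKED for a revoked certificate and
                    // UNDETERMINED_REVOCATION_STATUS when no CRL/OCSP answer was obtainable; fail closed on both.
                    System.out.println("REJECTED " + leaf.getSubjectX500Principal()
                            + ": " + ex.getReason() + " - " + ex.getMessage());
                    System.exit(1);
                }
            }
        }
    }
}
```

Run it as `java SignedJarRevocationCheck app.jar [issuer.crl]`. Two design points matter for the scenario in the post: the validation date is taken from the signature's trusted timestamp when one is present, so the CRL's revocation date is compared against the time of signing rather than the time of the check, and an unobtainable revocation status is treated as a rejection rather than silently passing.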