Java Security

jarsigner -certchain ?

shoening-Oracle, May 13 2014 — edited May 19 2014

Hi,

I am trying to set up signed jar files for Java Webstart. (Using Java 1.8.0_05 on a Linux box)

In a first test - which works - I have created a 'CA Certificate' and a 'Signer Certificate'. The 'Signer Certificate' is signed using the private key of the CA Certificate.

The 'CA Certificate' is stored inside a keystore named 'ca_keystore.jks' using alias 'My Personal CA'.

The 'Signer Certificate' is stored inside a keystore named 'signer_keystore.jks' using alias 'Signer'.

I have added the 'CA Certificate' to the cacerts file (${JRE_HOME}/lib/security/cacerts).

This way I can sign any Jar file via:

jarsigner -tsa https://timestamp.geotrust.com/tsa -keystore signer_keystore.jks -storepass XXXXXXX my-app.jar signer

This did not produce any Warnings or Error messages.

But now to my problem:

I created another set of keypairs/certificates - this time with an intermediate CA. So I have now:

'Root CA' -------------> 'Intermediate CA' ---------------> 'Signer'

Again I have added the 'Root CA' to the cacerts file and I have a keystore 'signer_keystore.jks' which contains the signer's keypair/certificate - but not the intermediate CA certificate and not the root CA certificate.

Additionally I have created a 'cert-chain.der' file containing the concatenated DER Encodings of the 'Signer Certificate', 'Intermediate Certificate', 'Root CA Certificate'

When I try to sign a jar using

jarsigner -tsa https://timestamp.geotrust.com/tsa -keystore signer_keystore.jks -storepass XXXXXXX -certchain cert-chain.der my-app.jar signer

I am getting a warning message 'The signer's certificate chain is not validated.'

Is there any documentation with more details on how to create the file provided as parameter for the "-certchain" option?

Does anyone have a working example of how to deal with a case like mine, where the trust chain from the leaf certificate to the root certificate contains intermediate certificates?

Thanks in advance

Stefan

This post has been answered by shoening-Oracle on May 19 2014
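
A structural check for a concatenated-DER chain file like the 'cert-chain.der' described in the question, given here as an added example that is not from the original thread or from the JDK. It splits the file into certificates and checks that each issuer matches the next certificate's subject, leaf first and root last. The function names and the constructed sample are this example's own, names are compared byte for byte (an assumption), and no signatures are verified.

```python
def read_tlv(buf, pos):                      # -> (tag, value_start, end) of the DER element at pos
    if pos + 2 > len(buf):
        raise ValueError(f"offset {pos}: truncated DER header")
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or start + n > len(buf):
            raise ValueError(f"offset {pos}: bad DER length")
        length, start = int.from_bytes(buf[start:start + n], "big"), start + n
    if start + length > len(buf):
        raise ValueError(f"offset {pos}: element runs past end of data")
    return tag, start, start + length

def split_certs(blob):                       # back-to-back DER certificates -> list of bytes
    certs, pos = [], 0
    while pos < len(blob):
        tag, _, end = read_tlv(blob, pos)
        if tag != 0x30:
            raise ValueError(f"offset {pos}: not a DER SEQUENCE (PEM text or padding?)")
        certs.append(blob[pos:end])
        pos = end
    return certs

def issuer_subject(cert):                    # raw DER of (issuer, subject) from tbsCertificate
    p = read_tlv(cert, read_tlv(cert, 0)[1])[1]   # step into Certificate, then tbsCertificate
    fields = []
    while len(fields) < 5:                   # serial, sigAlg, issuer, validity, subject
        tag, _, end = read_tlv(cert, p)
        if tag != 0xA0:                      # skip the optional [0] version
            fields.append(cert[p:end])
        p = end
    return fields[2], fields[4]

def check_chain(blob):                       # -> list of problems; empty means leaf-first, root last
    names = [issuer_subject(c) for c in split_certs(blob)]
    problems = [f"cert {i}: issuer is not the subject of cert {i + 1}"
                for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]
    if names and names[-1][0] != names[-1][1]:
        problems.append("last cert is not self-issued (no root at the end)")
    return problems

def tlv(tag, body):                          # sample helper: short-form length, body < 128 bytes
    return bytes([tag, len(body)]) + body
def fake_cert(issuer, subject):              # constructed skeleton, NOT a real certificate
    names = [tlv(0x30, tlv(0x0C, cn.encode())) for cn in (issuer, subject)]
    tbs = tlv(0x30, b"\xa0\x03\x02\x01\x02\x02\x01\x01\x30\x00" + names[0] + b"\x30\x00" + names[1])
    return tlv(0x30, tbs + b"\x30\x00\x03\x01\x00")
SAMPLE = b"".join(fake_cert(i, s) for i, s in [("Intermediate CA", "Signer"),
                  ("Root CA", "Intermediate CA"), ("Root CA", "Root CA")])
```

Against a real file, pass its bytes, for example `check_chain(open("cert-chain.der", "rb").read())`. A `ValueError` from `split_certs` usually means the file holds PEM text or stray bytes rather than back-to-back DER.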

Comments

Oyvind Isene

The first statement for declaring the package is not really relevant, or am I missing something? Anyway, I did this in latest version of SQL Developer against an 11.2.0.4 database without getting any errors:

create or replace type user1_type
AS OBJECT ( DEMO VARCHAR2(3)) ;
/

create table nobeer
( col1 user1_type ) ;

SELECT * FROM NOBEER ;

Post Details

Locked on Jun 16 2014
Added on May 13 2014