Has anyone successfully used signature timestamps in a java applet?

Java 1.5 added an enhancement to support signature timestamps. The idea, as far as I can tell, is that signed jar files should not become invalid just because the code signing certificate has expired, as long as the files were signed while the certificate was valid. In theory, this means we do not have to re-sign and redeploy our applications every year when the certificate expires. Unfortunately, there seem to be problems in the implementation, based on these two forum threads:

http://forums.sun.com/thread.jspa?threadID=744677
http://forums.sun.com/thread.jspa?threadID=5309004

I'm about to begin testing this, but I was wondering if anyone has successfully done this, without having to import the timestamping certificate on the client (which would defeat the whole purpose)?

Jason Day asked Jan 12 '09 16:01

2 Answers

The Thawte TSA root certificate was added to Sun's JRE cacerts file in 6u10 and 5.0u18.

Sean Mullan answered Nov 14 '22 23:11

Unfortunately, this feature appears to be completely worthless at this time. It is easy to add a timestamp when signing a jar file; just add this parameter to the jarsigner command:

-tsa https://timestamp.geotrust.com/tsa

This is the URL to Thawte's timestamping server. Unfortunately, the Thawte timestamping CA cert is not included in the Java runtime's list of trusted CA certs, so it is effectively meaningless. That is, if you load the applet after the code signing certificate has expired, you get the "untrusted" warning dialog instead of the "trusted" one.

There is a "workaround", of sorts, posted here, but it works by embedding the Thawte timestamping CA cert in the applet itself, and running keytool on the client to import the cert. I can't see how this would work though, since the user will already have seen the signed code dialog before this code can run.

I'll keep looking for a solution, but I'm not hopeful. I can't imagine why a usable timestamping CA cert has not been included with the Java runtime after all this time.

Jason Day answered Nov 14 '22 21:11
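Whether the -tsa parameter actually attached a timestamp token, and whether the code-signing certificate was still valid at the moment the TSA recorded, can be checked from the standard java.security.CodeSigner API. The following is an added example (not code from the question or either answer); it assumes a class name of JarTimestampCheck and that the path of the signed jar is passed as the first argument.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.Timestamp;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Prints, for each signed entry in a jar, the signer, whether a TSA timestamp
// token is attached, and whether the signing cert was valid at the timestamped
// moment. Hypothetical usage: java JarTimestampCheck path/to/signed.jar
public class JarTimestampCheck {

    public static void main(String[] args) throws Exception {
        // verify=true: entry digests are checked against the signature files as
        // each entry is read; a tampered entry throws a SecurityException.
        try (JarFile jar = new JarFile(args[0], true)) {
            for (JarEntry entry : java.util.Collections.list(jar.entries())) {
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                // Signers are only populated after the entry has been read in full.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) { System.out.println(entry.getName() + ": UNSIGNED"); continue; }
                for (CodeSigner signer : signers) System.out.println(describe(entry.getName(), signer));
            }
        }
    }

    static String describe(String name, CodeSigner signer) {
        X509Certificate cert = (X509Certificate) signer.getSignerCertPath().getCertificates().get(0);
        String subject = cert.getSubjectX500Principal().getName();
        Timestamp ts = signer.getTimestamp();           // null when jarsigner ran without -tsa
        if (ts == null) {
            // Without a token the signature is only trusted until the cert's notAfter.
            return name + ": signed by " + subject + ", NO timestamp (cert expires " + cert.getNotAfter() + ")";
        }
        Date signedAt = ts.getTimestamp();
        boolean validWhenSigned;
        try { cert.checkValidity(signedAt); validWhenSigned = true; }
        catch (CertificateException e) { validWhenSigned = false; }
        X509Certificate tsaCert = (X509Certificate) ts.getSignerCertPath().getCertificates().get(0);
        return name + ": signed by " + subject + " at " + signedAt
            + (validWhenSigned ? " (cert valid at that time)" : " (cert NOT valid at that time)")
            + ", timestamped by " + tsaCert.getSubjectX500Principal().getName();
    }
}
```

JarFile only verifies entry digests against the signature block; it does not decide whether the signer or the TSA chain is trusted, which is the cacerts question raised in the answers and is evaluated by jarsigner -verify and the applet runtime. Use this check to confirm the token is present and the cert was valid when signed, not as a substitute for chain validation.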