[jboss-dev] certs and verified signers

Adrian Brock abrock at redhat.com
Tue Sep 15 11:13:14 EDT 2009


Read the fine manual :-)
http://java.sun.com/j2se/1.5.0/docs/api/java/util/jar/JarEntry.html#getCertificates()

i.e. you have to read() the entire stream before asking 
for the certs/signers.

The classloader will have already done that when it loaded the byte
code, see BaseClassLoader.loadClassLocally():

// Load the bytecode
byte[] byteCode = ClassLoaderUtils.loadByteCode(name, is);

// Let the policy do things before we define the class
BaseClassLoaderPolicy basePolicy = policy;
ProtectionDomain protectionDomain = basePolicy.getProtectionDomain(name, resourcePath);

where the last line will expect the VFSClassLoaderPolicy to
get the certificates for the "resource path".

But the real reason for JBCL-67 - besides having a
mechanism to do a VirtualFile.getCertificates() - is how to do it for
non-jar files, e.g. unpacked deployments?

On Tue, 2009-09-15 at 16:26 +0200, Ales Justin wrote:
> WRT JBCL-67.
> 
> I have a jar which I signed with
> 
> keytool -genkeypair -alias mycert -keystore keystore -keypass ambam123
> 
> jarsigner -keystore keystore -storepass ambam123 
> ..\DIFramework\dist\another.jar mycert
> 
> keytool -exportcert -keystore keystore -alias mycert -file mare_cert.cer
> 
> keytool -importcert -file mare_cert.cer -keystore ales_store -storepass 
> ambam5
> 
> java -Djavax.net.ssl.trustStore=ales_store 
> -Djavax.net.ssl.trustStorePassword=ambam5
> 
> This jar includes com/acme/X.class.
> 
> So, I would now expect when I access this class in jar via JarEntry
> to be able to get its certificates: JarEntry::getCertificates.
> But I get null.
> 
> I guess I'm missing a list of verified signers?
> 
> JarVerifier.class:
> 
>      /**
>       * Return an array of java.security.cert.Certificate objects for
>       * the given file in the jar.
>       */
>      public java.security.cert.Certificate[] getCerts(String name)
>      {
> 	CodeSigner[] signers = getCodeSigners(name);
> 	// Extract the certs in each code signer's cert chain
> 	if (signers != null) { // <----- THIS is null in my case
> 
> How do I add these signers?
> I already hacked out my security knowledge, w/o any success. ;-(
> _______________________________________________
> jboss-development mailing list
> jboss-development at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/jboss-development
-- 
xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Adrian Brock
Chief Scientist
JBoss by Red Hat
xxxxxxxxxxxxxxxxxxxxxxxxxxxx
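The point Adrian makes above, shown end to end as an added example (this is not code from the thread or from the JBoss class loader): JarFile only verifies an entry's digest against the signature files while its bytes are being read, so JarEntry.getCertificates()/getCodeSigners() return null until the stream has been drained to EOF. The same null also means "unsigned", so the two cases cannot be told apart without reading the entry. The example drains every entry of a jar, then checks that each non-signature-related entry is signed by a certificate present in a trust store; it assumes the file names and password from Ales's keytool/jarsigner commands (another.jar, ales_store, ambam5), but any jar and JKS/PKCS12 store work. Note that javax.net.ssl.trustStore, set in the original commands, only configures TLS and has no effect on jar verification; the trust store has to be loaded and consulted explicitly, as done here.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Usage (file names and password assumed from the thread):
 *   java JarSignerCheck another.jar ales_store ambam5
 * Exit status 0 if every code entry is signed by a trusted certificate, 1 otherwise.
 */
public class JarSignerCheck {

    /** Reads the entry to EOF. JarFile checks the entry's digest as the bytes
     *  stream past; a tampered entry throws SecurityException from read(), and
     *  getCodeSigners()/getCertificates() stay null until EOF has been reached. */
    static void drain(JarFile jar, JarEntry entry) throws IOException {
        byte[] buf = new byte[8192];
        try (InputStream in = jar.getInputStream(entry)) {
            while (in.read(buf) != -1) { /* discard */ }
        }
    }

    /** The manifest and the signature files are never themselves signed. */
    static boolean isSignatureRelated(String name) {
        String n = name.toUpperCase();
        return n.equals("META-INF/MANIFEST.MF")
            || (n.startsWith("META-INF/") && (n.endsWith(".SF") || n.endsWith(".RSA")
                || n.endsWith(".DSA") || n.endsWith(".EC")));
    }

    /** Loads every trusted-certificate entry of a keystore (JKS or PKCS12). */
    static List<Certificate> trustedCerts(String storePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(storePath)) {
            ks.load(in, password);
        }
        List<Certificate> out = new ArrayList<>();
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (ks.isCertificateEntry(alias)) {
                out.add(ks.getCertificate(alias));
            }
        }
        return out;
    }

    /** True if at least one signer's leaf certificate is in the trusted list.
     *  Certificate.equals compares the DER encoding, so this is an exact match
     *  against what keytool -importcert put into the store. */
    static boolean signedByTrusted(CodeSigner[] signers, List<Certificate> trusted) {
        if (signers == null) {
            return false;                       // unsigned entry
        }
        for (CodeSigner signer : signers) {
            // The first certificate of the signer's path is the signing certificate.
            Certificate leaf = signer.getSignerCertPath().getCertificates().get(0);
            if (trusted.contains(leaf)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        List<Certificate> trusted = trustedCerts(args[1], args[2].toCharArray());
        boolean allTrusted = true;
        try (JarFile jar = new JarFile(args[0], true)) {          // verify = true
            for (Enumeration<JarEntry> en = jar.entries(); en.hasMoreElements();) {
                JarEntry e = en.nextElement();
                if (e.isDirectory() || isSignatureRelated(e.getName())) {
                    continue;
                }
                Certificate[] early = e.getCertificates();          // null: nothing read yet
                drain(jar, e);                                      // verification happens here
                CodeSigner[] signers = e.getCodeSigners();          // populated once at EOF
                boolean ok = signedByTrusted(signers, trusted);
                System.out.printf("%-40s before-read=%s signers=%d trusted=%s%n",
                        e.getName(), early == null ? "null" : "set",
                        signers == null ? 0 : signers.length, ok);
                allTrusted &= ok;
            }
        }
        System.exit(allTrusted ? 0 : 1);
    }
}
```

Iterating over all entries rather than the one class you care about is deliberate: jarsigner can be run on a jar that already contains unsigned entries, and a jar with one trusted class and one unsigned class should not be treated as signed. Note that this only answers "who signed it"; certificate validity, revocation and expiry of the signer's chain still have to be checked separately.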