
I have a signed JAR. How could I check if the corresponding code-signing certificate was revoked? Technically there seem to be the following options:

  1. The Java TrustStore holds CRLs/revoked certificates.
  2. The JarSigner checks CRLs automatically or manually.

However, keytool doesn't have a command line option to import CRLs/mark certificates as revoked. So 1. is off the table. The Jarsigner doesn't have a command line option to check CRLs. Looking at the main class of the JarSigner I also couldn't find any calls to certificate revocation check functions. So 2. is off the table too.

To some extent this breaks JAR signing. In case of a stolen code-signing certificate i.e. a leaf certificate, either

  • the root certificate of the leaf certificate must be removed from the TrustStore, effectively removing trust from all leaf certificates with the same root certificate or
  • the leaf certificate stays valid and can be used to sign malicious code

This seems odd to me, am I overlooking something?

D.O.
  • You know, web browsers don't check revocation for web certificates either, and that's arguably a lot more important than signed jars. Revoked certificates just don't seem to be such a big deal. – Dec 18 '19 at 12:58
  • @MechMK1 Web browsers are indeed a bit shoddy (have you seen the HTML spec?!). CRLs are ungainly. OCSP (online certificate something) suffers from hopelessly unreliable infrastructure (I tried switching it on many years ago - failed using public wifi at London City Airport - they had blocked it before signing onto their web page that required it). Browsers ended up checking OCSP and then failing open... Stapled-OCSP (a signed "not revoked" response signed by a timestamp server, then sent over the https) was the new hotness five years or so ago - I have no idea how far that has got. – Tom Hawtin - tackline Dec 18 '19 at 17:48
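
The revocation check the question finds missing from jarsigner can be done with the JDK's own PKIX APIs. The following is an added example (not code from the question or from the JDK tools): it verifies the JAR, collects every signer's certificate chain, and validates each chain against the default trust store with a hard-fail `PKIXRevocationChecker` (OCSP first, CRL fallback). The JAR path in `args[0]` and the use of the default cacerts store are assumptions.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example (not from the question, jarsigner or keytool): verify a signed JAR,
// then run PKIX path validation with hard-fail revocation checking on every signer
// chain. Assumes the JAR path is args[0] and cacerts holds the signer's root.
public class JarRevocationCheck {
    public static void main(String[] args) throws Exception {
        // Fetching CRLs from the CRL Distribution Point extension is off by default.
        System.setProperty("com.sun.security.enableCRLDP", "true");
        Set<List<? extends Certificate>> chains = new HashSet<>();
        try (JarFile jar = new JarFile(args[0], true)) {       // true: verify signatures
            byte[] buf = new byte[8192];
            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
                JarEntry entry = e.nextElement();
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { }            // signers are known only after a full read
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) continue;                 // unsigned entry, e.g. META-INF/*
                for (CodeSigner s : signers) chains.add(s.getSignerCertPath().getCertificates());
            }
        }
        if (chains.isEmpty()) throw new IllegalStateException("no signed entries in " + args[0]);
        // Trust anchors from the default trust store: a null KeyStore selects cacerts.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager)
                for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) anchors.add(new TrustAnchor(c, null));
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        rc.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class)); // no SOFT_FAIL: unreachable OCSP/CRL fails
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(true);
        params.addCertPathChecker(rc);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (List<? extends Certificate> chain : chains) {
            List<Certificate> path = new ArrayList<>(chain);
            X509Certificate last = (X509Certificate) path.get(path.size() - 1);
            if (last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) path.remove(path.size() - 1); // anchor supplies the root
            cpv.validate(cf.generateCertPath(path), params);   // throws CertPathValidatorException if revoked or invalid
            System.out.println("OK: " + ((X509Certificate) path.get(0)).getSubjectX500Principal());
        }
    }
}
```

A signing certificate that has since expired will fail validation here unless `params.setDate(...)` is set to the signature's trusted timestamp (`CodeSigner.getTimestamp()`), which is also the date at which revocation should be evaluated.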

0 Answers