Check signing certificates in a JAR file without jarsigner

When troubleshooting Java code signing issues, we need to understand which certificates are involved, since one common root cause is some of them not being trusted on the system.

Code signing involves typically 2 distinct end entity certificates and their corresponding chains, one for the code signature itself and another one for timestamping. The CA chain in either of those not being trusted is a common source of problems.

When signed JAR files are involved, e.g. Java applications or the Deployment Rule Set itself, it is often the case that troubleshooting takes place on a system that only has the JRE installed, and not the full JDK.

The standard approach to validate the signature of a JAR file is to use jarsigner -verify, but on systems that only have the JRE installed jarsigner is not available. If all we are after is to understand which code signing and timestamping certificates and chains are at play, one option is to inspect the files included in the JAR file.

If we open the JAR file with a file compression utility and brose to the META-INF directory we will find a .RSA file in there:


Opening it with a file editor will display the binary data, and within it we can typically find some details of the CAs involved in human readable form:


This can already provide some hints, but a much better way to identify the certificates and chains used when jarsigner is not available is to use keytool.

There are 2 useful variations of keytool commands we can use to check the certificates:

keytool -printcert -jarfile <SignedJARFile>

keytool -printcert -rfc -jarfile <SignedJARFile>

Both commands will print the certificate chains used for JAR signing, both for code signing and timestamping.First a block starting with Signature will be displayed, followed by the certificate chain used for the code signing part:


Followed by a Timestamp block including the details for the timestamping certificate chain:


The first option (with the -rfc flag) will directly display the details of each certificate:

While the second one (with the -rfc flag) will output each certificate in PEM format:

Once the certificates involved in both chains are known whether those are trusted by Java (via its own trust store) and/or the underlying OS can be validated.

Please note: The above commands, unlike jarsigner -verify, do not perform any signature validation, so they can only to be used to troubleshoot trust decisions.




Comments

Popular posts from this blog

Decoding OCSP GET requests

Signing a CSR with an Enrollment Agent certificate

Compacting an AD CS database