Why does this certificate store not work with jarsigner?
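I am using the following keystore (pass=123456) to sign a zip file with this command:
jarsigner -keystore Iran_Nara_nochain_rev.p12 -tsa http://tsa.gica.ir:8080/signserver/process?workerName=TimeStampSigner mfkey3.zip "Iran Nara"
pause
The package is signed successfully, but with some warnings.
However, when I try to verify the signature with this command:
jarsigner -verify -verbose -certs mfkey3.zip
it says the jar file is unsigned. I have no problem with other key stores, but this one is acting up. Any ideas as to why?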
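I guess the problem is that your certificate has an extension with OID 1.3.6.1.4.1.311.21.10 that is marked critical.
Because it is marked critical, applications that do not recognize the extension will not process the certificate. The extension is under the Microsoft (1.3.6.1.4.1.311) tree, so it is not a standard extension recognized by Jarsigner (Java).
You will most likely need to obtain a proper certificate that does not have this extension marked critical in order to use it for code signing in non-Microsoft environments.
Your certificate for reference (as printed by openssl):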
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
61:8f:c3:a0:00:00:00:00:00:1e
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=IR, O=Governmental, OU=Iran Center for e-Commerce Development, OU=Deputy of PKI and Commercial Information Security, OU=General Intermediate CA, CN=GICA Code Sign Silver No.2
Validity
Not Before: Dec 7 07:33:27 2015 GMT
Not After : Dec 6 07:33:27 2016 GMT
Subject: C=IR, O=Non-Governmental, OU=Iran Nara, OU=Non-Individual Level 2 (Silver)/serialNumber=10100800459, CN=Iran Nara
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:c5:36:99:38:c6:a8:d1:9b:2d:c9:9a:71:f6:65:
58:a3:14:85:e4:6b:00:04:98:51:d6:f4:50:14:2f:
2b:4d:84:b4:7a:9a:19:11:02:e4:aa:4b:ee:7c:6e:
0e:11:3d:f8:fb:03:ca:87:46:71:14:69:b6:43:9b:
4c:0f:9f:4f:c5:b1:d8:72:5c:24:29:8b:7b:d4:46:
f2:66:18:62:37:e6:36:f9:18:35:75:a8:77:9e:f2:
30:3b:9e:5d:b6:e5:cc:f4:f9:5d:bb:47:5f:f0:69:
a9:43:61:e1:4a:ee:bc:2d:8c:bc:53:4a:36:a4:66:
a2:0b:20:b3:a5:5c:33:79:fd
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
F4:66:A0:E1:CA:74:37:7C:6F:4D:16:EF:8B:25:20:CC:15:6F:0D:23
X509v3 Authority Key Identifier:
keyid:B5:D4:04:47:D9:8A:07:8E:9A:B8:45:19:00:E4:2D:AF:56:6A:2A:4F
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.gica.ir/repository/CS/CS-Silver-No.2.crl
Authority Information Access:
OCSP - URI:http://ocsp.gica.ir/ocsp
X509v3 Key Usage: critical
Digital Signature, Non Repudiation
X509v3 Extended Key Usage: critical
Code Signing
X509v3 Certificate Policies:
Policy: 2.16.364.101.1.1.3.2.1
CPS: http://www.gica.ir/repository/cps-gica.pdf
Policy: 2.16.364.101.1.1.1.2.2
CPS: http://www.gica.ir/repository/cps-gica.pdf
Policy: 2.16.364.101.1.3.1
CPS: http://www.gica.ir/repository/cps-gica.pdf
1.3.6.1.4.1.311.21.10: critical
0.0
..+.......
Signature Algorithm: sha1WithRSAEncryption
0b:98:e2:25:5d:58:61:d1:17:ad:85:3f:a6:47:79:15:0f:48:
1f:45:36:70:43:f8:72:f7:4d:19:d8:87:8b:84:f7:5a:df:b9:
a9:55:ce:1f:95:53:e5:31:f7:94:ad:8c:a3:34:98:31:a6:d7:
78:38:36:b6:f9:b0:ee:4a:99:3f:f8:f9:58:3f:80:13:8a:c8:
f2:9d:e2:66:60:e4:bd:cd:12:bb:ec:57:52:f8:81:f2:50:dd:
9d:cd:13:7d:06:43:57:1d:24:c1:f4:9d:a5:40:de:70:75:35:
69:07:8c:d0:8e:b6:ce:69:54:2b:6d:5a:4f:49:6f:8f:66:e1:
46:2a:e4:3d:e5:95:fb:4d:63:bb:68:6c:d1:d8:fb:6b:0c:5e:
1e:53:e0:af:01:b6:d6:25:c2:1a:c6:3b:f5:db:a9:28:47:c8:
09:0a:fc:bf:18:d2:61:29:67:82:bb:72:96:a4:c1:ae:6a:7b:
c6:4c:18:35:c1:b9:1a:00:2e:32:a3:85:1a:79:9b:cc:fc:fa:
c3:c1:3e:04:4a:c7:5c:71:e6:70:17:35:2c:b4:2a:d2:f4:8f:
9e:1b:81:e9:d6:e1:c0:30:90:68:fb:e2:ea:9f:13:27:b8:80:
bc:bf:72:35:ee:24:e4:94:78:75:a5:b2:a0:f1:bc:8a:b4:d3:
ec:1d:82:51
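A pre-signing check for the condition the answer describes, as an added example that is not part of the original answer: it reads `openssl x509 -text` output and reports critical extensions outside an expected set. The `EXPECTED_CRITICAL` list is an illustrative assumption, not jarsigner's actual supported set, and the sample input is constructed from the extension headers in the dump above.

```python
import re

# Constructed sample: extension headers as they appear in the openssl dump above
# (values trimmed; the parser does not rely on indentation).
SAMPLE_DUMP = """\
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Non Repudiation
X509v3 Extended Key Usage: critical
Code Signing
X509v3 Certificate Policies:
Policy: 2.16.364.101.1.3.1
1.3.6.1.4.1.311.21.10: critical
0.0
"""

# Assumption: critical extensions the verifying toolchain is expected to handle.
# This is an illustrative policy list, not jarsigner's actual supported set.
EXPECTED_CRITICAL = {"X509v3 Basic Constraints", "X509v3 Key Usage", "X509v3 Extended Key Usage"}

MICROSOFT_ARC = "1.3.6.1.4.1.311"  # vendor arc named in the answer
CRITICAL_HEADER = re.compile(r"^\s*(?P<name>.+?):\s*critical\s*$")

def critical_extensions(dump_text):
    """Return the name (or dotted OID) of every extension marked critical."""
    return [m.group("name").strip()
            for line in dump_text.splitlines()
            if (m := CRITICAL_HEADER.match(line))]

def unexpected_critical(dump_text, expected=EXPECTED_CRITICAL):
    """Return (extension, is_microsoft_arc) for critical extensions outside `expected`."""
    findings = []
    for name in critical_extensions(dump_text):
        if name in expected:
            continue
        in_ms_arc = name == MICROSOFT_ARC or name.startswith(MICROSOFT_ARC + ".")
        findings.append((name, in_ms_arc))
    return findings

if __name__ == "__main__":
    for ext, in_ms_arc in unexpected_critical(SAMPLE_DUMP):
        origin = "Microsoft arc" if in_ms_arc else "other arc or name"
        print(f"critical extension outside expected set: {ext} ({origin})")
```

Run against a real certificate by passing the text from `openssl x509 -in cert.pem -noout -text` to `unexpected_critical`; an empty result means every critical extension is in the expected set.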