Unfulfilled Expectations: Revoked Certificates in JAR Signing

Image by Aleksey Boev

Oracle JarSigner does not check CRLs

In April 2020 we became aware of a conceptual security issue in the Java JarSigner. The JarSigner does not check certificate revocations, which breaks JAR signing to some extent.

In this blog post we are going to talk about this issue. The blog post is written in cooperation with Daniel Ostovary from SignPath. We have reported this issue to Oracle shortly after its discovery. To understand this issue, one has to understand Certificate Revocation Lists (CRLs) first.

Certificate Revocation Lists

If the owner of a certificate wishes to revoke their certificate (i.e. invalidate it, for example, because of compromise), they can request the issuing Certificate Authority (CA) to put the certificate on a CRL (e.g. see [5]). The CRL distribution point is indicated in the CA’s certificate [5]. Often, a verifier of a signature checks the certificate’s CRL to see if it is revoked [6] (e.g. the Windows signature verification of an executable).

The Security Issue

We found evidence that there was some CRL check for JAR signatures in the past (e.g. for Java Applets in JDK 7; see [1-3]). However, a source code analysis of the JarSigner of the JDK 12 and a review of its official documentation [4] show that CRLs are not automatically checked, neither by the JarSigner nor anywhere else in the JDK. Instead, as Oracle told us, developers are expected to call the PKIXRevocationChecker explicitly to check for revocations.

The Impact

Since the JarSigner does not check CRLs, any stolen and revoked code-signing certificate can be used to sign JARs without the JarSigner warning users of a revoked certificate. That is unless users explicitely check revocation with the PKIXRevocationChecker. As verifiers of a signature often check the CRL of the certificate, users of the JarSigner almost certainly expect the JarSigner to do so too. These users rely on CRLs for security, but the JarSigner does not actually provide this level of security.

Addressing the Security Issue

Shortly after discussing the issue with Oracle, they created a ticket to address this issue [7]. This ticket is expected to be resolved with JDK 15, which is planned to be released on September 15, 2020 [6]. Users of the JarSigner should note that this issue will not be addressed in older versions of the JDK (i.e. JDKs before JDK 15).

Sources