Closed lanwen closed 1 year ago
Jsign expects the signing certificate to appear first in the chain. The consistency of the private and public keys wasn't checked before, it's likely that Jsign 4.2 produced an invalid signature in the same situation. I plan to improve the selection of the signing certificate in the chain to make it work with any order.
I've pushed the modification to sort automatically the certificate chain in the order expected. Could you give it a try?
Could you share a hint on how to do that? I didn't find a snapshot for 5.1 here https://oss.sonatype.org/content/repositories/snapshots/net/jsign/jsign-core/
Nevermind, tested with my original p7b chain and it worked totally fine!
Great! Thank you for the feedback. I'll release Jsign 5.1 in a few weeks, in the meantime you can build the snapshot from the sources (with mvn install -DskipTests).
I'm trying to use the GOOGLECLOUD HSM option with an EV certificate and it fails with 5.0 but works with 4.2.
I'm trying to follow this guide https://icedev.pl/posts/setting-up-ev-code-signing-google-hsm-fips-140-2 and already got my EV cert chain in PKCS#7 in PEM. The chain contains 3 certs - the root one from GlobalSign, the intermediate one and mine. Once I start signing with the following code:
it works fine with 4.2, but with 5.0 it produces the following exception:
With debug I found that in 5.0 there is a verification change: https://github.com/ebourg/jsign/compare/4.2...5.0#diff-385c6cc5266e53175e4e952d55124fb5876e082087a5746583a28397a6f742f0L367-L368
that grabs the first pubkey from the chain: https://github.com/ebourg/jsign/blob/master/jsign-core/src/main/java/net/jsign/AuthenticodeSigner.java#L476
I'm not sure how that works in 4.2 with the same pubkey, however with the chain containing 3 certs the assumption of the first key is wrong. For the obvious reason I don't have the private key from the CA, but the last one is mine, and I do have the private key in the HSM.
I verified my assumption replacing chain[0] with chain[2] in the debugger and got a positive result. Please let me know if I could provide any additional info.
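The two fixes discussed in this thread (checking that the signing certificate actually carries the public half of the HSM key, and reordering a PKCS#7 chain so that certificate comes first, followed by its issuers) are shown below as an added example written for this page. It is not Jsign's code and uses Go's standard library rather than Java; the chain is constructed in-code (root, intermediate and a code-signing leaf) and presented in the order the issue reports, root first. The key match is done through the crypto.Signer interface so the same logic applies when only Public() and Sign() are available, as with an HSM-backed key.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for pub signed by parentKey. With parent == nil the
// certificate is self-signed (a root). Serial numbers are just distinct integers here.
func issue(serial int64, cn string, isCA bool, pub *ecdsa.PublicKey,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// publicKeyMatches reports whether cert carries the public half of signer. Only
// signer.Public() is needed, so this works for keys that never leave an HSM.
func publicKeyMatches(cert *x509.Certificate, signer crypto.Signer) bool {
	pk, ok := cert.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	return ok && pk.Equal(signer.Public())
}

// orderChain reorders chain so the certificate matching signer comes first and each
// following entry is the verified issuer of the previous one, whatever the input order.
// It errors when no certificate in the chain belongs to the key (the 5.0 check).
func orderChain(chain []*x509.Certificate, signer crypto.Signer) ([]*x509.Certificate, error) {
	var leaf *x509.Certificate
	for _, c := range chain {
		if publicKeyMatches(c, signer) {
			leaf = c
			break
		}
	}
	if leaf == nil {
		return nil, errors.New("no certificate in the chain matches the signing key")
	}
	ordered := []*x509.Certificate{leaf}
	used := map[*x509.Certificate]bool{leaf: true}
	for cur := leaf; !bytes.Equal(cur.RawIssuer, cur.RawSubject); {
		var issuer *x509.Certificate
		for _, c := range chain {
			// Name must match and the candidate must really have signed cur.
			if !used[c] && bytes.Equal(c.RawSubject, cur.RawIssuer) && cur.CheckSignatureFrom(c) == nil {
				issuer = c
				break
			}
		}
		if issuer == nil {
			break // issuer not shipped in the chain: stop at the last linked certificate
		}
		ordered = append(ordered, issuer)
		used[issuer] = true
		cur = issuer
	}
	return ordered, nil
}

// demo builds a constructed root -> intermediate -> leaf chain, lists it root-first as
// in the issue, and returns the common names after reordering plus whether an
// unrelated key is rejected.
func demo() ([]string, bool, error) {
	keys := make([]*ecdsa.PrivateKey, 4) // root, intermediate, leaf (the "HSM" key), unrelated
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, false, err
		}
		keys[i] = k
	}
	root, err := issue(1, "Constructed Root CA", true, &keys[0].PublicKey, nil, keys[0])
	if err != nil {
		return nil, false, err
	}
	inter, err := issue(2, "Constructed Intermediate CA", true, &keys[1].PublicKey, root, keys[0])
	if err != nil {
		return nil, false, err
	}
	leaf, err := issue(3, "Constructed Code Signing", false, &keys[2].PublicKey, inter, keys[1])
	if err != nil {
		return nil, false, err
	}
	p7bOrder := []*x509.Certificate{root, inter, leaf} // the order reported in the issue
	ordered, err := orderChain(p7bOrder, keys[2])
	if err != nil {
		return nil, false, err
	}
	var names []string
	for _, c := range ordered {
		names = append(names, c.Subject.CommonName)
	}
	_, err = orderChain(p7bOrder, keys[3])
	return names, err != nil, nil
}

func main() {
	names, rejected, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("ordered chain:", names)
	fmt.Println("unrelated key rejected:", rejected)
}
```

Linking by verified signature rather than by name alone matters when a bundle contains cross-signed or stale issuer certificates with the same subject; the wrong one is skipped instead of producing a chain that fails later at verification time.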