Bug 780417 (SOA-2848)

Summary: All jars in SOA-P must be signed with certificate that is not about to expire
Product: [JBoss] JBoss Enterprise SOA Platform 5 Reporter: Martin Vecera <mvecera>
Component: Build Process, SecurityAssignee: Anil Saldhana <anil.saldhana>
Status: CLOSED NEXTRELEASE QA Contact:
Severity: urgent Docs Contact:
Priority: urgent    
Version: 5.1.0.ER7CC: kevin.conner, ldimaggi, mjc, mschoene, tkirby
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
URL: http://jira.jboss.org/jira/browse/SOA-2848
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-02-15 17:00:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 779562, 780312    

Description Martin Vecera 2011-01-27 13:26:15 UTC 
project_key: SOA

All signed jars are now signed with a certificate that will expire in less than 6 months. The certificate should be valid for the whole support period.

Example:
Verifying file: /jbosssoa/jboss-as/client/commons-collections.jar
[ERROR] This jar contains entries whose signer certificate will expire within six months.
Comment 1 Martin Vecera 2011-01-27 13:28:10 UTC 
Link: Added: This issue is a dependency of SOA-1938
Comment 2 Martin Vecera 2011-01-27 14:16:39 UTC 
Link: Added: This issue is a dependency of SOA-2718
Comment 3 trev 2011-01-27 16:03:38 UTC 
can you comment on this please, can you also comment on the case where have say a mix of jboss2009 and 2011 keys in the same appserver, ie a system gets patched with a different key
Comment 4 Anil Saldhana 2011-01-27 16:29:50 UTC 
Mark Cox's team who own the keys had been updated about the keys expiring few months back.  During the discussions, it was determined that the JVM does not check for expired certificates.  Also, we need to avoid jars signed by two different keys.
Comment 5 Kevin Conner 2011-01-27 16:52:20 UTC 
I thought the JVM did check but fell back to treating them as 'unsigned' if the certificate had expired.  I'll do a quick test of it this evening and post results.
Comment 6 Len DiMaggio 2011-01-28 13:48:46 UTC 
Link: Added: This issue related SOA-2287
Comment 7 Kevin Conner 2011-01-28 13:59:04 UTC 
I ran through a number of scenarios/jvms and always saw the certificates, even when expired.  The jarsigner still allowed me to sign jars with expired certificates (although it did emit a warning).  The certificate comparison is still made for packages, even when expired.

This behaviour can be altered by classloader implementations but doesn't appear to be.
Comment 8 trev 2011-01-28 16:16:37 UTC 
Can you confirm what will happen in the field if the original certificate has expired but a patch is provided that contains a valid later certificate, eg if we apply an eap security patch with a 2011 certificate after the original soa 2009 certificate has expired.
Comment 9 Kevin Conner 2011-01-28 16:26:17 UTC 
This will be an issue if you have a split package as the classloader will do a comparison of the encoded certificates and see the difference.

The signing must continue with the same certificate, even after it has expired, if this is to be avoided.
Comment 10 Mark J. Cox 2011-01-31 09:32:20 UTC 
So, Thawte will only issue 2-year code signing certificates, and they won't let me renew our one that expires in 2009 yet.

Ideally we'd be using timestamped jar signatures; where supported by the jre that would allow us to continue signing with the old cert right up until the expiry date, but the user would never get a notification of an out of date update.  We have the ability to do this, but timestamping support just didn't work well last time we tried it.

On Friday I experimented to see if I could get the signing server to re-use the key.  So when we renew the 2009 certificate we use the exact same key but get a new replacement cert with the 2 year lifespan.  

Could someone test to see what happens if you have parts signed by certificate #1, and parts by certificate #2 where both share the same private key but differ only in validity dates?
Comment 11 Mark J. Cox 2011-01-31 09:33:54 UTC 
(or in other words is the classloader comparing on the encoded certificate data (bad) or modulus (good)).
Comment 12 Kevin Conner 2011-01-31 09:41:25 UTC 
It's the encoded (bad) variety, this was one of my tests.
Comment 13 Mark J. Cox 2011-01-31 10:25:40 UTC 
Spoke to Kevin on irc; looks like we don't have any good options here.  Timestamping also doesn't help us for updates after June.

So we're really left with

1 - continue to sign updates to existing products with the expired key.  I've tested the signing server is happy to do this, it is.  We'd need to document exactly what happens to customers, and what to explain to them for why we're stuck having to do this.

2 - sign new complete products/major versions with the 2011 key, which we can have access to after March 24th.
Comment 14 Marc Schoenefeld 2011-01-31 16:59:33 UTC 
This matches the FAQ: https://docspace.corp.redhat.com/docs/DOC-24306#comment-15910
Comment 15 trev 2011-02-15 16:59:45 UTC 
Anil recommends that we continue to sign with the 2009 certificate