OK for anyone interested, I have found a way to do this!
Basically, the xxxx.rsa signature block within a signed JAR archive
can be replaced by another PKCS7 signed block, with added certificates,
without breaking the signature. The JAR is "re-jar'd" with exactly the same
manifest.mf, the same xxxx.sf, and all class (and other) files. The only difference
is the xxxx.RSA file is swapped (by signing the xxxx.sf file again, using other
tools).
An example of this is the updated digest calculator signed Java applet
here:
http://www.jensign.com/JavaScience/www/messagedigestj2
In this example, the VeriSign intermediate CA was appended to the PKCS7
sig blob and then re-jar'd. That intermediate CA is not included in the most
recent cacerts trusted CA files, but is required to verify my VeriSign signer's
certificate.
- Mitch
> Is it possible to add extra certificate(s) to the pkcs7 signature blob in
> a signed JAR archive?
[quoted text clipped - 7 lines]
>
> - Mitch
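The check a reviewer would want here, as an added example that is not part of the original post: a pure-Python inspector that opens a JAR, counts the certificates carried in the PKCS7 (.RSA) signature block and confirms that the .SF file's SHA-256-Digest-Manifest still matches MANIFEST.MF. A helper re-jars with the identical manifest, .SF and entries and replaces only the .RSA, so inspecting the JAR before and after shows what the post states: the digest chain is untouched while the certificate set changes. Everything here is constructed sample data; the "certificates" are bare DER SEQUENCEs, no real key or signer is involved, and the file names (SIGNER.SF, SIGNER.RSA) are placeholders.

```python
"""Inspect a signed JAR: certificate count in the PKCS7 block, .SF vs manifest."""
import base64
import hashlib
import io
import re
import zipfile

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


def _der_len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the single-byte-tag DER element at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def count_signed_data_certificates(der):
    """Entries in the certificates [0] field of a PKCS7/CMS SignedData blob."""
    _, content_info, _ = read_tlv(der, 0)
    oid, wrapper = children(content_info)
    assert oid == (0x06, OID_SIGNED_DATA), "not a signedData ContentInfo"
    assert wrapper[0] == 0xA0, "missing [0] EXPLICIT SignedData"
    (_, signed_data), = children(wrapper[1])
    for tag, val in children(signed_data):
        if tag == 0xA0:  # certificates [0] IMPLICIT CertificateSet
            return sum(1 for t, _ in children(val) if t == 0x30)
    return 0


def build_sample_signature_block(n_certs):
    """Constructed stand-in for a .RSA file with n placeholder certificates."""
    fake_certs = b"".join(tlv(0x30, tlv(0x02, bytes([i + 1]))) for i in range(n_certs))
    signed_data = (tlv(0x02, b"\x01")                       # version
                   + tlv(0x31, b"")                         # digestAlgorithms (placeholder)
                   + tlv(0x30, tlv(0x06, OID_DATA))         # encapContentInfo: id-data
                   + tlv(0xA0, fake_certs)                  # certificates [0]
                   + tlv(0x31, tlv(0x30, tlv(0x02, b"\x01"))))  # signerInfos (placeholder)
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, tlv(0x30, signed_data)))


# Constructed manifest; the per-entry digest value is a placeholder.
MANIFEST = (b"Manifest-Version: 1.0\r\nCreated-By: example\r\n\r\n"
            b"Name: Digest.class\r\nSHA-256-Digest: AAAA\r\n\r\n")


def build_sf(manifest):
    d = base64.b64encode(hashlib.sha256(manifest).digest()).decode()
    return ("Signature-Version: 1.0\r\nSHA-256-Digest-Manifest: %s\r\n\r\n" % d).encode()


def build_sample_jar(n_certs, manifest=MANIFEST):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("META-INF/SIGNER.SF", build_sf(manifest))
        z.writestr("META-INF/SIGNER.RSA", build_sample_signature_block(n_certs))
        z.writestr("Digest.class", b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()


def swap_signature_block(jar_bytes, new_block):
    """Re-jar with identical MANIFEST.MF, .SF and entries; only the .RSA changes."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = new_block if info.filename.upper().endswith(".RSA") else src.read(info)
            dst.writestr(info, data)
    return out.getvalue()


def inspect_jar(jar_bytes):
    """Return (certificate_count, sf_digest_matches_manifest) for the first signer."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        names = z.namelist()
        manifest = z.read("META-INF/MANIFEST.MF")
        sf = z.read(next(n for n in names if n.upper().endswith(".SF")))
        block = z.read(next(n for n in names if n.upper().endswith(".RSA")))
    m = re.search(rb"SHA-256-Digest-Manifest: (\S+)", sf)
    expected = base64.b64decode(m.group(1)) if m else None
    return count_signed_data_certificates(block), expected == hashlib.sha256(manifest).digest()


if __name__ == "__main__":
    original = build_sample_jar(1)
    swapped = swap_signature_block(original, build_sample_signature_block(2))
    print("original:", inspect_jar(original), "swapped:", inspect_jar(swapped))
```

On a real JAR, `inspect_jar` tells you whether the number of certificates in the signature block differs from what the signer's tooling normally emits; it does not verify the signature itself, which is still `jarsigner -verify -certs`'s job, so a changed count is a prompt to look at which CA was added and whether it is one you trust, not a verdict.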