[MJARSIGNER-74] Allow usage of multiple Time Stamping Authority (TSA) servers #19
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… servers Using multiple TSA URLs to try if first fail Adding support for tsapolicyid and tsadigestalg
slawekjaranowski
force-pushed
the
MJARSIGNER-74_multi_tsa
branch
from
8ab64ea
to
a045a11
Compare
slawekjaranowski
approved these changes
Sep 3, 2024
pzygielo
reviewed
Sep 3, 2024
| private final String tsaUrl; | ||
| private final String tsaAlias; | ||
| private final String tsaPolicyId; | ||
| private final String tsaDigestAlt; |
There was a problem hiding this comment.
Oops, yes it should be tsaDigestAlg!
There was a problem hiding this comment.
we have:
request.setTsadigestalg(tsaServer.getTsaDigestAlt());
There was a problem hiding this comment.
I think it's very internal usage of package-visible only class. No need to cancel vote, as this is not exposed anywhere.
This might be updated anytime later.
There was a problem hiding this comment.
I have made pull request #38 for a spelling error fix. It can be merged at a later time.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Implementation of support for multiple TSA servers. A new server will be tried if the jarsigner command fails. The failure could be with communication with the TSA server, or could be something unrelated to TSA (for example access to a network based PKSC11 keystore).
I have also implemented support for:
tsapolicyidOID(s) to send to the TSA server(s)tsadigestalg) to use in communication with the TSA server (no multi-support, only one value for all TSA servers).The hardest thing working with this ticket was to figure out what should be possible to configure from an end user perspective. This is what I came up with (and would like feedback on):
tsaandtsacertseems wrong. At least jarsigner will ignore-tsacertif-tsais set. However from a bigger perspective it might be possible for the end user to want to configure 1 TSA url and 2 keystore alias as to try 3 TSA servers in total? But this scenario felt too complicated to document and specify, so I skipped it.tsadigestalgon the other hand I did not see any need to specify multiple. All TSA servers will handle the most common message digest algorithms.tsacert,tsapolicyidandtsadigestalgis probably obscure. I'm not sure anybody is interested in using these features. It took me many hours before I could create a testing keystore that contained a valid certificate to use. And it took me some additions hours to figure out what OIDs to use. It was only after using Wireshark to sniff the traffic that I understood how the protocol in RFC 3161 worked.Note: this pull request can not be merged until a new release build of https://github.com/apache/maven-jarsigner has been made.