Re: [Cryptix-users] Impending certificate expiration

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hi all,

we are currently using the Cryptix-JCE implementation and we have tried 
in a development box to set a system date past to Aug the 29th, 2009. We 
have experimented that the environment starts and runs as usual.

I think (actually, I hope) that this is the expected and correct 
behaviour, after reading from the Sun forum where they say: “The 
validation code which checked for certificate expiration was only found 
in JCE 1.2.1. It WAS REMOVED from JCE 1.2.2 and all successive releases 
like JCE in JDK 1.4.x and 5.x (and soon in 6.x). This expiration problem 
was the primary reason for releasing JCE 1.2.2 over three years ago. 
Export control regulations changed following the release of JCE 1.2.1, 
and Sun released 1.2.2 shortly thereafter so that customers wouldn't 
have this expiration problem. This change is documented as the first 
bullet in the change log for JCE 1.2.2, which is found both in the 
product distribution itself and on the following JCE product page: 
http://java.sun.com/products/jce/jce122_changes.html. That said, JCE 
1.2.2 is indeed signed with a certificate which is valid until October 
2006, HOWEVER the JCE 1.2.2 and JCE in JDK 1.4.x/5.x code no longer 
checks that expiration date. All it cares about is that the code 
signature is valid”. (Refer to:
http://forums.sun.com/thread.jspa?threadID=678679&tstart=2506).

As suggested in 
http://forums.sun.com/thread.jspa?threadID=716308&tstart=2235, I’ve also 
tried the command: “jarsigner -verify -certs -verbose 
cryptix-jce-provider.jar” and in both cases (real current date and faked 
date) the jar (and the single classes) is verified. Only the final 
warnings are different.
Current date: jar verified. - Warning: This jar contains entries whose 
signer certificate will expire within six months.
Faked date: jar verified. - Warning: This jar contains entries whose 
signer certificate has expired.
(Similarly for each class we had "[certificate will expire on 8/29/09 
12:04 AM]" in the case of current date and "[certificate expired on 
8/29/09 12:04 AM]" in the case of the faked date).

As a matter of comparison to the real word it is reasanable to think 
that a signed hand written paper document is still valid even after 
years and even after the signer’s death. At the same time I think that 
it is correct to assume that a digitally signed document (or file, a jar 
in this case) is still integer/verified even after that the signing 
certificate (actually its corresponding private key) is expired. Of 
course it is correct (for security reasons) that a signing key (and 
certificate) expires after a certain period of time, but the signatures 
of documents signed with that key should “survive” to it.

Best regards and apologizes for the long post
Gianni Polidoro

Edwin Woudt ha scritto:
>> I am using cryptix-jce and cryptix-openpgp in an application. The
>> certificate that signed the cryptix-jce-provider jar expires on 28  
>> Aug 2009.
>>
>> We will all either need:
>>
>> 1 - A new build, signed with a newer key.
>>     
>
> The Cryptix Foundation ltd is the owner of the certificate, but that  
> organisation was dissolved a few years ago. While the private key is  
> still (somewhere) in my possession, the foundation cannot get that  
> certificate renewed anymore.
>
> So unless there is some other way for me to obtain a new certificate,  
> there will be no new build.
>
>
>   
>> 2 - A new JCE implementation that doesn't require signed jars.
>> 3 - A new package to use.
>>     
>
> Switching to Bouncycastle may be an option, but as the API is  
> different that requires some work.
>
> Alternatively you or your organization could try to get your own code  
> signing key and use it to create your own 'custom' version of the  
> Cryptix JCE. Instructions are on the following page:
>
> http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/HowToImplAProvider.html#Step61
>
> I'm very interested in the results.
>
>
> Edwin
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Cryptix-Users mailing list
> Cry...@li...
> https://lists.sourceforge.net/lists/listinfo/cryptix-users
>
>   