On 4/30/2010 2:02 PM, Bob Foss wrote:
>
> Here you are importing the certificate into a keystore which is
> only used to sign your jar file. It's not a keystore that contains
> the root CA used to verify all JCE providers when loaded by the JVM.

But if that were the case, why would they send you the CA cert and instruct "First import the CA's certificate as a 'trusted certificate'" and "Then import the code-signing certificate"?

Regardless, one shouldn't go about trusting CA certs as they land in your inbox. It's the equivalent of clicking on a link in email to "verify your PayPal account information".

> I'm not sure where they stored away the root CA(s).

The doc mentions "sun.security.provider.JavaKeyStore" and "com.sun.crypto.provider.JceKeyStore". If, in fact, there is something magic about the signatures on code-signing certs, strace and/or grep should be able to answer that.

> I have read that the OpenJDK doesn't have this restriction;
> unfortunately, I cannot switch at this time. That will probably
> be the long term solution.

I think so, too. :-)

- Marsh

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto