mojira.dev
MC-302008

JAR signature certificate expired over a decade ago

If you unpack the 25w37a Minecraft jar and run

openssl pkcs7 -inform DER -in META-INF/MOJANGCS.RSA -noout -print

it gives you the following output:

[a bunch of stuff ...]
    signer_info:
        version: 1
        issuer_and_serial: 
          issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https:\/\/www.verisign.com\/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA
          serial: 117037030252897022741835730519179147736
[a bunch of stuff ...]

If you look at the signer info, you can see that the signature was created by the certificate with the serial number 117037030252897022741835730519179147736 or 58:0c:83:1a:13:2a:97:3b:fe:6e:e6:4a:5a:d4:39:d8 in hex notation.

That certificate is available on crt.sh and is also printed by the command:

[a bunch of stuff ...]
        cert_info:
          version: 2
          serialNumber: 117037030252897022741835730519179147736
          signature:
            algorithm: sha1WithRSAEncryption (1.2.840.113549.1.1.5)
            parameter: NULL
          issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https:\/\/www.verisign.com\/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA
          validity:
            notBefore: Apr  5 00:00:00 2012 GMT
            notAfter: Apr  5 23:59:59 2015 GMT
          subject: C=SE, ST=Stockholm, L=Stockholm, O=Mojang, OU=Digital ID Class 3 - Java Object Signing, CN=Mojang
[a bunch of stuff ...]

As it turns out, the certificate expired on April 6th 2015, more than a decade ago.

I’m pretty sure that this signature is never actually correctly verified, as this hasn’t caused any issues as far as I can tell, but it would be nice to have an up-to-date signing certificate that signs new Minecraft releases.

The sha1WithRSAEncryption also opens up the theoretical, albeit unlikely, possibility that a rogue developer could produce a pair of two Minecraft JARs, with one being the official one that is released and one being a malicious one that they give to a victim, with both having the same signature (as SHA-1 chosen-prefix attacks are possible for individuals to make).

I’ve also gone ahead and attached the complete openssl dump to this issue.

Comments 1

I have to correct myself: the SHA-1 thing isn’t an issue as the signature algorithm to sign the PKCS-7 data is actually sha384WithRSAEncryption, which is safe.

Jakob Kirsch

(Unassigned)

Plausible

(Unassigned)

1.21.8, 25w37a
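
The inspection described in this issue, as a reusable script: it reports every expired certificate embedded in a JAR signature block and, separately, the SignerInfo algorithms that the comment above distinguishes from the certificate's own signature algorithm. This is an added example, not part of the original issue; the function names are hypothetical, and it assumes `openssl`, `awk` and `mktemp` are installed.

```shell
#!/bin/sh
# Added example, not part of the report. Input: a DER PKCS#7 JAR signature
# block, for instance META-INF/MOJANGCS.RSA from an unpacked JAR.

# Write every certificate embedded in the block to DIR/cert-N.pem.
split_certs() {   # split_certs SIGBLOCK DIR
    openssl pkcs7 -inform DER -in "$1" -print_certs |
        awk -v d="$2" '/BEGIN CERTIFICATE/ {n++; p=1}
                       p {print > (d "/cert-" n ".pem")}
                       /END CERTIFICATE/ {p=0}'
}

# Print one line per embedded certificate that is expired SECONDS from now
# (default 0: already expired). The body runs in a subshell so its variables
# stay local.
expired_certs() (   # expired_certs SIGBLOCK [SECONDS]
    dir=$(mktemp -d) || exit 1
    split_certs "$1" "$dir"
    for c in "$dir"/cert-*.pem; do
        [ -e "$c" ] || continue
        # -checkend exits 0 while the certificate is still valid at that time.
        openssl x509 -in "$c" -noout -checkend "${2:-0}" >/dev/null && continue
        printf '%s | %s | %s | certificate signed with %s\n' \
            "$(openssl x509 -in "$c" -noout -serial)" \
            "$(openssl x509 -in "$c" -noout -enddate)" \
            "$(openssl x509 -in "$c" -noout -subject)" \
            "$(openssl x509 -in "$c" -noout -text |
                awk '/Signature Algorithm/ {print $3; exit}')"
    done
    rm -rf "$dir"
)

# Print the SignerInfo algorithms, which protect the JAR's signature file.
# They are separate from the algorithm the CA used on the certificate.
signer_algs() {   # signer_algs SIGBLOCK
    openssl pkcs7 -inform DER -in "$1" -noout -print |
        awk '/^ *(digest_alg|digest_enc_alg):/ {f = $1}
             f && /algorithm:/ {print f, $2; f = ""}'
}

# Run against a file when one is given on the command line.
if [ -n "$1" ]; then
    expired_certs "$1"
    signer_algs "$1"
fi
```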
