author | weijun |
Fri, 27 Oct 2017 21:11:15 +0800 | |
changeset 47469 | 6ae08c311cd3 |
parent 47216 | 71c04702a3d5 |
child 48543 | 7067fe4e054e |
permissions | -rw-r--r-- |
2 | 1 |
/* |
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
2 |
* Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
14182
3041082abb40
7194449: String resources for Key Tool and Policy Tool should be in their respective packages
sflores
parents:
12046
diff
changeset
|
26 |
package sun.security.tools.jarsigner; |
2 | 27 |
|
28 |
import java.io.*; |
|
43183 | 29 |
import java.security.cert.CertPathValidatorException; |
30 |
import java.security.cert.PKIXBuilderParameters; |
|
2 | 31 |
import java.util.*; |
32 |
import java.util.zip.*; |
|
33 |
import java.util.jar.*; |
|
34 |
import java.net.URI; |
|
35 |
import java.text.Collator; |
|
36 |
import java.text.MessageFormat; |
|
37 |
import java.security.cert.Certificate; |
|
38 |
import java.security.cert.X509Certificate; |
|
39 |
import java.security.cert.CertificateException; |
|
40 |
import java.security.*; |
|
41 |
||
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
42 |
import java.net.SocketTimeoutException; |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
43 |
import java.net.URL; |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
44 |
import java.security.cert.CertPath; |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
45 |
import java.security.cert.CertificateExpiredException; |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
46 |
import java.security.cert.CertificateFactory; |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
47 |
import java.security.cert.CertificateNotYetValidException; |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
48 |
import java.security.cert.TrustAnchor; |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
49 |
import java.util.Map.Entry; |
33872 | 50 |
|
51 |
import jdk.security.jarsigner.JarSigner; |
|
52 |
import jdk.security.jarsigner.JarSignerException; |
|
41590
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
53 |
import sun.security.pkcs.PKCS7; |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
54 |
import sun.security.pkcs.SignerInfo; |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
55 |
import sun.security.timestamp.TimestampToken; |
14182
3041082abb40
7194449: String resources for Key Tool and Policy Tool should be in their respective packages
sflores
parents:
12046
diff
changeset
|
56 |
import sun.security.tools.KeyStoreUtil; |
43183 | 57 |
import sun.security.validator.Validator; |
58 |
import sun.security.validator.ValidatorException; |
|
2 | 59 |
import sun.security.x509.*; |
60 |
import sun.security.util.*; |
|
61 |
||
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
62 |
|
2 | 63 |
/** |
64 |
* <p>The jarsigner utility. |
|
65 |
* |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
66 |
* The exit codes for the main method are: |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
67 |
* |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
68 |
* 0: success |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
69 |
* 1: any error that the jar cannot be signed or verified, including: |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
70 |
* keystore loading error |
12046
378aa3362868
7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp
weijun
parents:
10788
diff
changeset
|
71 |
* TSP communication error |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
72 |
* jarsigner command line error... |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
73 |
* otherwise: error codes from -strict |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
74 |
* |
2 | 75 |
* @author Roland Schemers |
76 |
* @author Jan Luehe |
|
77 |
*/ |
|
14182
3041082abb40
7194449: String resources for Key Tool and Policy Tool should be in their respective packages
sflores
parents:
12046
diff
changeset
|
78 |
public class Main { |
2 | 79 |
|
80 |
// for i18n |
|
81 |
private static final java.util.ResourceBundle rb = |
|
82 |
java.util.ResourceBundle.getBundle |
|
14182
3041082abb40
7194449: String resources for Key Tool and Policy Tool should be in their respective packages
sflores
parents:
12046
diff
changeset
|
83 |
("sun.security.tools.jarsigner.Resources"); |
2 | 84 |
private static final Collator collator = Collator.getInstance(); |
85 |
static { |
|
86 |
// this is for case insensitive string comparisions |
|
87 |
collator.setStrength(Collator.PRIMARY); |
|
88 |
} |
|
89 |
||
90 |
private static final String NONE = "NONE"; |
|
91 |
private static final String P11KEYSTORE = "PKCS11"; |
|
92 |
||
93 |
private static final long SIX_MONTHS = 180*24*60*60*1000L; //milliseconds |
|
94 |
||
41590
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
95 |
private static final DisabledAlgorithmConstraints DISABLED_CHECK = |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
96 |
new DisabledAlgorithmConstraints( |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
97 |
DisabledAlgorithmConstraints.PROPERTY_JAR_DISABLED_ALGS); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
98 |
|
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
99 |
private static final Set<CryptoPrimitive> DIGEST_PRIMITIVE_SET = Collections |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
100 |
.unmodifiableSet(EnumSet.of(CryptoPrimitive.MESSAGE_DIGEST)); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
101 |
private static final Set<CryptoPrimitive> SIG_PRIMITIVE_SET = Collections |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
102 |
.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE)); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
103 |
|
2 | 104 |
// Attention: |
105 |
// This is the entry that get launched by the security tool jarsigner. |
|
106 |
public static void main(String args[]) throws Exception { |
|
14182
3041082abb40
7194449: String resources for Key Tool and Policy Tool should be in their respective packages
sflores
parents:
12046
diff
changeset
|
107 |
Main js = new Main(); |
2 | 108 |
js.run(args); |
109 |
} |
|
110 |
||
111 |
static final String VERSION = "1.0"; |
|
112 |
||
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
113 |
static final int IN_KEYSTORE = 0x01; // signer is in keystore |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
114 |
static final int NOT_ALIAS = 0x04; // alias list is NOT empty and |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
115 |
// signer is not in alias list |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
116 |
static final int SIGNED_BY_ALIAS = 0x08; // signer is in alias list |
2 | 117 |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
118 |
X509Certificate[] certChain; // signer's cert chain (when composing) |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
119 |
PrivateKey privateKey; // private key |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
120 |
KeyStore store; // the keystore specified by -keystore |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
121 |
// or the default keystore, never null |
2 | 122 |
|
123 |
String keystore; // key store file |
|
124 |
boolean nullStream = false; // null keystore input stream (NONE) |
|
125 |
boolean token = false; // token-based keystore |
|
5462
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5461
diff
changeset
|
126 |
String jarfile; // jar files to sign or verify |
2 | 127 |
String alias; // alias to sign jar with |
7977
f47f211cd627
7008713: diamond conversion of kerberos5 and security tools
smarks
parents:
7525
diff
changeset
|
128 |
List<String> ckaliases = new ArrayList<>(); // aliases in -verify |
2 | 129 |
char[] storepass; // keystore password |
130 |
boolean protectedPath; // protected authentication path |
|
131 |
String storetype; // keystore type |
|
132 |
String providerName; // provider name |
|
39633
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
133 |
List<String> providers = null; // list of provider names |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
134 |
List<String> providerClasses = null; // list of provider classes |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
135 |
// arguments for provider constructors |
7977
f47f211cd627
7008713: diamond conversion of kerberos5 and security tools
smarks
parents:
7525
diff
changeset
|
136 |
HashMap<String,String> providerArgs = new HashMap<>(); |
2 | 137 |
char[] keypass; // private key password |
138 |
String sigfile; // name of .SF file |
|
139 |
String sigalg; // name of signature algorithm |
|
33872 | 140 |
String digestalg; // name of digest algorithm |
2 | 141 |
String signedjar; // output filename |
142 |
String tsaUrl; // location of the Timestamping Authority |
|
143 |
String tsaAlias; // alias for the Timestamping Authority's certificate |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
144 |
String altCertChain; // file to read alternative cert chain from |
17161
df1ec0e2f0e7
8009636: JARSigner including TimeStamp PolicyID (TSAPolicyID) as defined in RFC3161
weijun
parents:
16020
diff
changeset
|
145 |
String tSAPolicyID; |
33872 | 146 |
String tSADigestAlg; |
2 | 147 |
boolean verify = false; // verify the jar |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
148 |
String verbose = null; // verbose output when signing/verifying |
2 | 149 |
boolean showcerts = false; // show certs when verifying |
150 |
boolean debug = false; // debug |
|
151 |
boolean signManifest = true; // "sign" the whole manifest |
|
152 |
boolean externalSF = true; // leave the .SF out of the PKCS7 block |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
153 |
boolean strict = false; // treat warnings as error |
2 | 154 |
|
155 |
// read zip entry raw bytes |
|
156 |
private String altSignerClass = null; |
|
157 |
private String altSignerClasspath = null; |
|
158 |
private ZipFile zipFile = null; |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
159 |
|
22315 | 160 |
// Informational warnings |
161 |
private boolean hasExpiringCert = false; |
|
162 |
private boolean noTimestamp = false; |
|
163 |
private Date expireDate = new Date(0L); // used in noTimestamp warning |
|
164 |
||
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
165 |
// Severe warnings. |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
166 |
|
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
167 |
// jarsigner used to check signer cert chain validity and key usages |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
168 |
// itself and set various warnings. Later CertPath validation is |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
169 |
// added but chainNotValidated is only flagged when no other existing |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
170 |
// warnings are set. TSA cert chain check is added separately and |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
171 |
// only tsaChainNotValidated is set, i.e. has no affect on hasExpiredCert, |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
172 |
// notYetValidCert, or any badXyzUsage. |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
173 |
|
34382
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
174 |
private int weakAlg = 0; // 1. digestalg, 2. sigalg, 4. tsadigestalg |
2 | 175 |
private boolean hasExpiredCert = false; |
176 |
private boolean notYetValidCert = false; |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
177 |
private boolean chainNotValidated = false; |
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
178 |
private boolean tsaChainNotValidated = false; |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
179 |
private boolean notSignedByAlias = false; |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
180 |
private boolean aliasNotInStore = false; |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
181 |
private boolean hasUnsignedEntry = false; |
2 | 182 |
private boolean badKeyUsage = false; |
183 |
private boolean badExtendedKeyUsage = false; |
|
184 |
private boolean badNetscapeCertType = false; |
|
34382
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
185 |
private boolean signerSelfSigned = false; |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
186 |
|
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
187 |
private Throwable chainNotValidatedReason = null; |
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
188 |
private Throwable tsaChainNotValidatedReason = null; |
2 | 189 |
|
41590
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
190 |
private boolean seeWeak = false; |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
191 |
|
43183 | 192 |
PKIXBuilderParameters pkixParameters; |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
193 |
|
2 | 194 |
public void run(String args[]) { |
195 |
try { |
|
24868
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
196 |
args = parseArgs(args); |
2 | 197 |
|
198 |
// Try to load and install the specified providers |
|
199 |
if (providers != null) { |
|
39633
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
200 |
for (String provName: providers) { |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
201 |
try { |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
202 |
KeyStoreUtil.loadProviderByName(provName, |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
203 |
providerArgs.get(provName)); |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
204 |
if (debug) { |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
205 |
System.out.println("loadProviderByName: " + provName); |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
206 |
} |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
207 |
} catch (IllegalArgumentException e) { |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
208 |
throw new Exception(String.format(rb.getString( |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
209 |
"provider.name.not.found"), provName)); |
2 | 210 |
} |
39633
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
211 |
} |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
212 |
} |
2 | 213 |
|
39633
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
214 |
if (providerClasses != null) { |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
215 |
ClassLoader cl = ClassLoader.getSystemClassLoader(); |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
216 |
for (String provClass: providerClasses) { |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
217 |
try { |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
218 |
KeyStoreUtil.loadProviderByClass(provClass, |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
219 |
providerArgs.get(provClass), cl); |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
220 |
if (debug) { |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
221 |
System.out.println("loadProviderByClass: " + provClass); |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
222 |
} |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
223 |
} catch (ClassCastException cce) { |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
224 |
throw new Exception(String.format(rb.getString( |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
225 |
"provclass.not.a.provider"), provClass)); |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
226 |
} catch (IllegalArgumentException e) { |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
227 |
throw new Exception(String.format(rb.getString( |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
228 |
"provider.class.not.found"), provClass), e.getCause()); |
2 | 229 |
} |
230 |
} |
|
231 |
} |
|
232 |
||
233 |
if (verify) { |
|
234 |
try { |
|
235 |
loadKeyStore(keystore, false); |
|
236 |
} catch (Exception e) { |
|
237 |
if ((keystore != null) || (storepass != null)) { |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
238 |
System.out.println(rb.getString("jarsigner.error.") + |
2 | 239 |
e.getMessage()); |
33872 | 240 |
if (debug) { |
241 |
e.printStackTrace(); |
|
242 |
} |
|
2 | 243 |
System.exit(1); |
244 |
} |
|
245 |
} |
|
246 |
/* if (debug) { |
|
247 |
SignatureFileVerifier.setDebug(true); |
|
248 |
ManifestEntryVerifier.setDebug(true); |
|
249 |
} |
|
250 |
*/ |
|
251 |
verifyJar(jarfile); |
|
252 |
} else { |
|
253 |
loadKeyStore(keystore, true); |
|
254 |
getAliasInfo(alias); |
|
255 |
||
33872 | 256 |
signJar(jarfile, alias); |
2 | 257 |
} |
258 |
} catch (Exception e) { |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
259 |
System.out.println(rb.getString("jarsigner.error.") + e); |
2 | 260 |
if (debug) { |
261 |
e.printStackTrace(); |
|
262 |
} |
|
263 |
System.exit(1); |
|
264 |
} finally { |
|
265 |
// zero-out private key password |
|
266 |
if (keypass != null) { |
|
267 |
Arrays.fill(keypass, ' '); |
|
268 |
keypass = null; |
|
269 |
} |
|
270 |
// zero-out keystore password |
|
271 |
if (storepass != null) { |
|
272 |
Arrays.fill(storepass, ' '); |
|
273 |
storepass = null; |
|
274 |
} |
|
275 |
} |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
276 |
|
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
277 |
if (strict) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
278 |
int exitCode = 0; |
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
279 |
if (weakAlg != 0 || chainNotValidated |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
280 |
|| hasExpiredCert || notYetValidCert || signerSelfSigned) { |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
281 |
exitCode |= 4; |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
282 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
283 |
if (badKeyUsage || badExtendedKeyUsage || badNetscapeCertType) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
284 |
exitCode |= 8; |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
285 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
286 |
if (hasUnsignedEntry) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
287 |
exitCode |= 16; |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
288 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
289 |
if (notSignedByAlias || aliasNotInStore) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
290 |
exitCode |= 32; |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
291 |
} |
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
292 |
if (tsaChainNotValidated) { |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
293 |
exitCode |= 64; |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
294 |
} |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
295 |
if (exitCode != 0) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
296 |
System.exit(exitCode); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
297 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
298 |
} |
2 | 299 |
} |
300 |
||
301 |
/* |
|
302 |
* Parse command line arguments. |
|
303 |
*/ |
|
24868
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
304 |
String[] parseArgs(String args[]) throws Exception { |
2 | 305 |
/* parse flags */ |
306 |
int n = 0; |
|
307 |
||
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
308 |
if (args.length == 0) fullusage(); |
24868
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
309 |
|
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
310 |
String confFile = null; |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
311 |
String command = "-sign"; |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
312 |
for (n=0; n < args.length; n++) { |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
313 |
if (collator.compare(args[n], "-verify") == 0) { |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
314 |
command = "-verify"; |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
315 |
} else if (collator.compare(args[n], "-conf") == 0) { |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
316 |
if (n == args.length - 1) { |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
317 |
usageNoArg(); |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
318 |
} |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
319 |
confFile = args[++n]; |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
320 |
} |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
321 |
} |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
322 |
|
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
323 |
if (confFile != null) { |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
324 |
args = KeyStoreUtil.expandArgs( |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
325 |
"jarsigner", confFile, command, null, args); |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
326 |
} |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
327 |
|
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
328 |
debug = Arrays.stream(args).anyMatch( |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
329 |
x -> collator.compare(x, "-debug") == 0); |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
330 |
|
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
331 |
if (debug) { |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
332 |
// No need to localize debug output |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
333 |
System.out.println("Command line args: " + |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
334 |
Arrays.toString(args)); |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
335 |
} |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
336 |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
337 |
for (n=0; n < args.length; n++) { |
2 | 338 |
|
339 |
String flags = args[n]; |
|
3951
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3716
diff
changeset
|
340 |
String modifier = null; |
19189
a4b8478a2bc5
8021789: jarsigner parses alias as command line option (depending on locale)
weijun
parents:
17161
diff
changeset
|
341 |
|
a4b8478a2bc5
8021789: jarsigner parses alias as command line option (depending on locale)
weijun
parents:
17161
diff
changeset
|
342 |
if (flags.startsWith("-")) { |
3951
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3716
diff
changeset
|
343 |
int pos = flags.indexOf(':'); |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3716
diff
changeset
|
344 |
if (pos > 0) { |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3716
diff
changeset
|
345 |
modifier = flags.substring(pos+1); |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3716
diff
changeset
|
346 |
flags = flags.substring(0, pos); |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3716
diff
changeset
|
347 |
} |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3716
diff
changeset
|
348 |
} |
2 | 349 |
|
19189
a4b8478a2bc5
8021789: jarsigner parses alias as command line option (depending on locale)
weijun
parents:
17161
diff
changeset
|
350 |
if (!flags.startsWith("-")) { |
a4b8478a2bc5
8021789: jarsigner parses alias as command line option (depending on locale)
weijun
parents:
17161
diff
changeset
|
351 |
if (jarfile == null) { |
a4b8478a2bc5
8021789: jarsigner parses alias as command line option (depending on locale)
weijun
parents:
17161
diff
changeset
|
352 |
jarfile = flags; |
a4b8478a2bc5
8021789: jarsigner parses alias as command line option (depending on locale)
weijun
parents:
17161
diff
changeset
|
353 |
} else { |
a4b8478a2bc5
8021789: jarsigner parses alias as command line option (depending on locale)
weijun
parents:
17161
diff
changeset
|
354 |
alias = flags; |
a4b8478a2bc5
8021789: jarsigner parses alias as command line option (depending on locale)
weijun
parents:
17161
diff
changeset
|
355 |
ckaliases.add(alias); |
a4b8478a2bc5
8021789: jarsigner parses alias as command line option (depending on locale)
weijun
parents:
17161
diff
changeset
|
356 |
} |
24868
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
357 |
} else if (collator.compare(flags, "-conf") == 0) { |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
358 |
if (++n == args.length) usageNoArg(); |
19189
a4b8478a2bc5
8021789: jarsigner parses alias as command line option (depending on locale)
weijun
parents:
17161
diff
changeset
|
359 |
} else if (collator.compare(flags, "-keystore") == 0) { |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
360 |
if (++n == args.length) usageNoArg(); |
2 | 361 |
keystore = args[n]; |
362 |
} else if (collator.compare(flags, "-storepass") ==0) { |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
363 |
if (++n == args.length) usageNoArg(); |
3951
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3716
diff
changeset
|
364 |
storepass = getPass(modifier, args[n]); |
2 | 365 |
} else if (collator.compare(flags, "-storetype") ==0) { |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
366 |
if (++n == args.length) usageNoArg(); |
2 | 367 |
storetype = args[n]; |
368 |
} else if (collator.compare(flags, "-providerName") ==0) { |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
369 |
if (++n == args.length) usageNoArg(); |
2 | 370 |
providerName = args[n]; |
39633
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
371 |
} else if (collator.compare(flags, "-provider") == 0 || |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
372 |
collator.compare(flags, "-providerClass") == 0) { |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
373 |
if (++n == args.length) usageNoArg(); |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
374 |
if (providerClasses == null) { |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
375 |
providerClasses = new ArrayList<>(3); |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
376 |
} |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
377 |
providerClasses.add(args[n]); |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
378 |
|
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
379 |
if (args.length > (n+1)) { |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
380 |
flags = args[n+1]; |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
381 |
if (collator.compare(flags, "-providerArg") == 0) { |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
382 |
if (args.length == (n+2)) usageNoArg(); |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
383 |
providerArgs.put(args[n], args[n+2]); |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
384 |
n += 2; |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
385 |
} |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
386 |
} |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
387 |
} else if (collator.compare(flags, "-addprovider") == 0) { |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
388 |
if (++n == args.length) usageNoArg(); |
2 | 389 |
if (providers == null) { |
39633
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
390 |
providers = new ArrayList<>(3); |
2 | 391 |
} |
392 |
providers.add(args[n]); |
|
393 |
||
394 |
if (args.length > (n+1)) { |
|
395 |
flags = args[n+1]; |
|
396 |
if (collator.compare(flags, "-providerArg") == 0) { |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
397 |
if (args.length == (n+2)) usageNoArg(); |
2 | 398 |
providerArgs.put(args[n], args[n+2]); |
399 |
n += 2; |
|
400 |
} |
|
401 |
} |
|
402 |
} else if (collator.compare(flags, "-protected") ==0) { |
|
403 |
protectedPath = true; |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
404 |
} else if (collator.compare(flags, "-certchain") ==0) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
405 |
if (++n == args.length) usageNoArg(); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
406 |
altCertChain = args[n]; |
17161
df1ec0e2f0e7
8009636: JARSigner including TimeStamp PolicyID (TSAPolicyID) as defined in RFC3161
weijun
parents:
16020
diff
changeset
|
407 |
} else if (collator.compare(flags, "-tsapolicyid") ==0) { |
df1ec0e2f0e7
8009636: JARSigner including TimeStamp PolicyID (TSAPolicyID) as defined in RFC3161
weijun
parents:
16020
diff
changeset
|
408 |
if (++n == args.length) usageNoArg(); |
df1ec0e2f0e7
8009636: JARSigner including TimeStamp PolicyID (TSAPolicyID) as defined in RFC3161
weijun
parents:
16020
diff
changeset
|
409 |
tSAPolicyID = args[n]; |
24034
31fe17eef94a
8038837: Add support to jarsigner for specifying timestamp hash algorithm
weijun
parents:
23912
diff
changeset
|
410 |
} else if (collator.compare(flags, "-tsadigestalg") ==0) { |
31fe17eef94a
8038837: Add support to jarsigner for specifying timestamp hash algorithm
weijun
parents:
23912
diff
changeset
|
411 |
if (++n == args.length) usageNoArg(); |
31fe17eef94a
8038837: Add support to jarsigner for specifying timestamp hash algorithm
weijun
parents:
23912
diff
changeset
|
412 |
tSADigestAlg = args[n]; |
2 | 413 |
} else if (collator.compare(flags, "-debug") ==0) { |
24868
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
414 |
// Already processed |
2 | 415 |
} else if (collator.compare(flags, "-keypass") ==0) { |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
416 |
if (++n == args.length) usageNoArg(); |
3951
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3716
diff
changeset
|
417 |
keypass = getPass(modifier, args[n]); |
2 | 418 |
} else if (collator.compare(flags, "-sigfile") ==0) { |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
419 |
if (++n == args.length) usageNoArg(); |
2 | 420 |
sigfile = args[n]; |
421 |
} else if (collator.compare(flags, "-signedjar") ==0) { |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
422 |
if (++n == args.length) usageNoArg(); |
2 | 423 |
signedjar = args[n]; |
424 |
} else if (collator.compare(flags, "-tsa") ==0) { |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
425 |
if (++n == args.length) usageNoArg(); |
2 | 426 |
tsaUrl = args[n]; |
427 |
} else if (collator.compare(flags, "-tsacert") ==0) { |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
428 |
if (++n == args.length) usageNoArg(); |
2 | 429 |
tsaAlias = args[n]; |
430 |
} else if (collator.compare(flags, "-altsigner") ==0) { |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
431 |
if (++n == args.length) usageNoArg(); |
2 | 432 |
altSignerClass = args[n]; |
31060 | 433 |
System.err.println( |
434 |
rb.getString("This.option.is.deprecated") + |
|
435 |
"-altsigner"); |
|
2 | 436 |
} else if (collator.compare(flags, "-altsignerpath") ==0) { |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
437 |
if (++n == args.length) usageNoArg(); |
2 | 438 |
altSignerClasspath = args[n]; |
31060 | 439 |
System.err.println( |
440 |
rb.getString("This.option.is.deprecated") + |
|
441 |
"-altsignerpath"); |
|
2 | 442 |
} else if (collator.compare(flags, "-sectionsonly") ==0) { |
443 |
signManifest = false; |
|
444 |
} else if (collator.compare(flags, "-internalsf") ==0) { |
|
445 |
externalSF = false; |
|
446 |
} else if (collator.compare(flags, "-verify") ==0) { |
|
447 |
verify = true; |
|
448 |
} else if (collator.compare(flags, "-verbose") ==0) { |
|
3951
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3716
diff
changeset
|
449 |
verbose = (modifier != null) ? modifier : "all"; |
2 | 450 |
} else if (collator.compare(flags, "-sigalg") ==0) { |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
451 |
if (++n == args.length) usageNoArg(); |
2 | 452 |
sigalg = args[n]; |
453 |
} else if (collator.compare(flags, "-digestalg") ==0) { |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
454 |
if (++n == args.length) usageNoArg(); |
2 | 455 |
digestalg = args[n]; |
456 |
} else if (collator.compare(flags, "-certs") ==0) { |
|
457 |
showcerts = true; |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
458 |
} else if (collator.compare(flags, "-strict") ==0) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
459 |
strict = true; |
2 | 460 |
} else if (collator.compare(flags, "-h") == 0 || |
44597 | 461 |
collator.compare(flags, "-?") == 0 || |
2 | 462 |
collator.compare(flags, "-help") == 0) { |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
463 |
fullusage(); |
2 | 464 |
} else { |
19189
a4b8478a2bc5
8021789: jarsigner parses alias as command line option (depending on locale)
weijun
parents:
17161
diff
changeset
|
465 |
System.err.println( |
a4b8478a2bc5
8021789: jarsigner parses alias as command line option (depending on locale)
weijun
parents:
17161
diff
changeset
|
466 |
rb.getString("Illegal.option.") + flags); |
a4b8478a2bc5
8021789: jarsigner parses alias as command line option (depending on locale)
weijun
parents:
17161
diff
changeset
|
467 |
usage(); |
2 | 468 |
} |
469 |
} |
|
470 |
||
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
471 |
// -certs must always be specified with -verbose |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
472 |
if (verbose == null) showcerts = false; |
2 | 473 |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
474 |
if (jarfile == null) { |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
475 |
System.err.println(rb.getString("Please.specify.jarfile.name")); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
476 |
usage(); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
477 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
478 |
if (!verify && alias == null) { |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
479 |
System.err.println(rb.getString("Please.specify.alias.name")); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
480 |
usage(); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
481 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
482 |
if (!verify && ckaliases.size() > 1) { |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
483 |
System.err.println(rb.getString("Only.one.alias.can.be.specified")); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
484 |
usage(); |
2 | 485 |
} |
486 |
||
487 |
if (storetype == null) { |
|
488 |
storetype = KeyStore.getDefaultType(); |
|
489 |
} |
|
490 |
storetype = KeyStoreUtil.niceStoreTypeName(storetype); |
|
491 |
||
3481
6ae7a2a6c956
6866479: libzip.so caused JVM to crash when running jarsigner
weijun
parents:
3318
diff
changeset
|
492 |
try { |
6ae7a2a6c956
6866479: libzip.so caused JVM to crash when running jarsigner
weijun
parents:
3318
diff
changeset
|
493 |
if (signedjar != null && new File(signedjar).getCanonicalPath().equals( |
6ae7a2a6c956
6866479: libzip.so caused JVM to crash when running jarsigner
weijun
parents:
3318
diff
changeset
|
494 |
new File(jarfile).getCanonicalPath())) { |
6ae7a2a6c956
6866479: libzip.so caused JVM to crash when running jarsigner
weijun
parents:
3318
diff
changeset
|
495 |
signedjar = null; |
6ae7a2a6c956
6866479: libzip.so caused JVM to crash when running jarsigner
weijun
parents:
3318
diff
changeset
|
496 |
} |
6ae7a2a6c956
6866479: libzip.so caused JVM to crash when running jarsigner
weijun
parents:
3318
diff
changeset
|
497 |
} catch (IOException ioe) { |
6ae7a2a6c956
6866479: libzip.so caused JVM to crash when running jarsigner
weijun
parents:
3318
diff
changeset
|
498 |
// File system error? |
6ae7a2a6c956
6866479: libzip.so caused JVM to crash when running jarsigner
weijun
parents:
3318
diff
changeset
|
499 |
// Just ignore it. |
6ae7a2a6c956
6866479: libzip.so caused JVM to crash when running jarsigner
weijun
parents:
3318
diff
changeset
|
500 |
} |
6ae7a2a6c956
6866479: libzip.so caused JVM to crash when running jarsigner
weijun
parents:
3318
diff
changeset
|
501 |
|
2 | 502 |
if (P11KEYSTORE.equalsIgnoreCase(storetype) || |
503 |
KeyStoreUtil.isWindowsKeyStore(storetype)) { |
|
504 |
token = true; |
|
505 |
if (keystore == null) { |
|
506 |
keystore = NONE; |
|
507 |
} |
|
508 |
} |
|
509 |
||
510 |
if (NONE.equals(keystore)) { |
|
511 |
nullStream = true; |
|
512 |
} |
|
513 |
||
514 |
if (token && !nullStream) { |
|
515 |
System.err.println(MessageFormat.format(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
516 |
(".keystore.must.be.NONE.if.storetype.is.{0}"), storetype)); |
2 | 517 |
usage(); |
518 |
} |
|
519 |
||
520 |
if (token && keypass != null) { |
|
521 |
System.err.println(MessageFormat.format(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
522 |
(".keypass.can.not.be.specified.if.storetype.is.{0}"), storetype)); |
2 | 523 |
usage(); |
524 |
} |
|
525 |
||
526 |
if (protectedPath) { |
|
527 |
if (storepass != null || keypass != null) { |
|
528 |
System.err.println(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
529 |
("If.protected.is.specified.then.storepass.and.keypass.must.not.be.specified")); |
2 | 530 |
usage(); |
531 |
} |
|
532 |
} |
|
533 |
if (KeyStoreUtil.isWindowsKeyStore(storetype)) { |
|
534 |
if (storepass != null || keypass != null) { |
|
535 |
System.err.println(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
536 |
("If.keystore.is.not.password.protected.then.storepass.and.keypass.must.not.be.specified")); |
2 | 537 |
usage(); |
538 |
} |
|
539 |
} |
|
24868
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
540 |
return args; |
2 | 541 |
} |
542 |
||
3951
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3716
diff
changeset
|
543 |
static char[] getPass(String modifier, String arg) { |
14182
3041082abb40
7194449: String resources for Key Tool and Policy Tool should be in their respective packages
sflores
parents:
12046
diff
changeset
|
544 |
char[] output = KeyStoreUtil.getPassWithModifier(modifier, arg, rb); |
3951
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3716
diff
changeset
|
545 |
if (output != null) return output; |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3716
diff
changeset
|
546 |
usage(); |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3716
diff
changeset
|
547 |
return null; // Useless, usage() already exit |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3716
diff
changeset
|
548 |
} |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3716
diff
changeset
|
549 |
|
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3716
diff
changeset
|
550 |
static void usageNoArg() { |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
551 |
System.out.println(rb.getString("Option.lacks.argument")); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
552 |
usage(); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
553 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
554 |
|
3951
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3716
diff
changeset
|
555 |
static void usage() { |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
556 |
System.out.println(); |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
557 |
System.out.println(rb.getString("Please.type.jarsigner.help.for.usage")); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
558 |
System.exit(1); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
559 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
560 |
|
3951
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3716
diff
changeset
|
561 |
static void fullusage() { |
2 | 562 |
System.out.println(rb.getString |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
563 |
("Usage.jarsigner.options.jar.file.alias")); |
2 | 564 |
System.out.println(rb.getString |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
565 |
(".jarsigner.verify.options.jar.file.alias.")); |
2 | 566 |
System.out.println(); |
567 |
System.out.println(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
568 |
(".keystore.url.keystore.location")); |
2 | 569 |
System.out.println(); |
570 |
System.out.println(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
571 |
(".storepass.password.password.for.keystore.integrity")); |
2 | 572 |
System.out.println(); |
573 |
System.out.println(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
574 |
(".storetype.type.keystore.type")); |
2 | 575 |
System.out.println(); |
576 |
System.out.println(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
577 |
(".keypass.password.password.for.private.key.if.different.")); |
2 | 578 |
System.out.println(); |
579 |
System.out.println(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
580 |
(".certchain.file.name.of.alternative.certchain.file")); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
581 |
System.out.println(); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
582 |
System.out.println(rb.getString |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
583 |
(".sigfile.file.name.of.SF.DSA.file")); |
2 | 584 |
System.out.println(); |
585 |
System.out.println(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
586 |
(".signedjar.file.name.of.signed.JAR.file")); |
2 | 587 |
System.out.println(); |
588 |
System.out.println(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
589 |
(".digestalg.algorithm.name.of.digest.algorithm")); |
2 | 590 |
System.out.println(); |
591 |
System.out.println(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
592 |
(".sigalg.algorithm.name.of.signature.algorithm")); |
2 | 593 |
System.out.println(); |
594 |
System.out.println(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
595 |
(".verify.verify.a.signed.JAR.file")); |
2 | 596 |
System.out.println(); |
597 |
System.out.println(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
598 |
(".verbose.suboptions.verbose.output.when.signing.verifying.")); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
599 |
System.out.println(rb.getString |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
600 |
(".suboptions.can.be.all.grouped.or.summary")); |
2 | 601 |
System.out.println(); |
602 |
System.out.println(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
603 |
(".certs.display.certificates.when.verbose.and.verifying")); |
2 | 604 |
System.out.println(); |
605 |
System.out.println(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
606 |
(".tsa.url.location.of.the.Timestamping.Authority")); |
2 | 607 |
System.out.println(); |
608 |
System.out.println(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
609 |
(".tsacert.alias.public.key.certificate.for.Timestamping.Authority")); |
2 | 610 |
System.out.println(); |
611 |
System.out.println(rb.getString |
|
17161
df1ec0e2f0e7
8009636: JARSigner including TimeStamp PolicyID (TSAPolicyID) as defined in RFC3161
weijun
parents:
16020
diff
changeset
|
612 |
(".tsapolicyid.tsapolicyid.for.Timestamping.Authority")); |
df1ec0e2f0e7
8009636: JARSigner including TimeStamp PolicyID (TSAPolicyID) as defined in RFC3161
weijun
parents:
16020
diff
changeset
|
613 |
System.out.println(); |
df1ec0e2f0e7
8009636: JARSigner including TimeStamp PolicyID (TSAPolicyID) as defined in RFC3161
weijun
parents:
16020
diff
changeset
|
614 |
System.out.println(rb.getString |
24034
31fe17eef94a
8038837: Add support to jarsigner for specifying timestamp hash algorithm
weijun
parents:
23912
diff
changeset
|
615 |
(".tsadigestalg.algorithm.of.digest.data.in.timestamping.request")); |
31fe17eef94a
8038837: Add support to jarsigner for specifying timestamp hash algorithm
weijun
parents:
23912
diff
changeset
|
616 |
System.out.println(); |
31fe17eef94a
8038837: Add support to jarsigner for specifying timestamp hash algorithm
weijun
parents:
23912
diff
changeset
|
617 |
System.out.println(rb.getString |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
618 |
(".altsigner.class.class.name.of.an.alternative.signing.mechanism")); |
2 | 619 |
System.out.println(); |
620 |
System.out.println(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
621 |
(".altsignerpath.pathlist.location.of.an.alternative.signing.mechanism")); |
2 | 622 |
System.out.println(); |
623 |
System.out.println(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
624 |
(".internalsf.include.the.SF.file.inside.the.signature.block")); |
2 | 625 |
System.out.println(); |
626 |
System.out.println(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
627 |
(".sectionsonly.don.t.compute.hash.of.entire.manifest")); |
2 | 628 |
System.out.println(); |
629 |
System.out.println(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
630 |
(".protected.keystore.has.protected.authentication.path")); |
2 | 631 |
System.out.println(); |
632 |
System.out.println(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
633 |
(".providerName.name.provider.name")); |
2 | 634 |
System.out.println(); |
635 |
System.out.println(rb.getString |
|
39633
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
636 |
(".add.provider.option")); |
2 | 637 |
System.out.println(rb.getString |
39633
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
638 |
(".providerArg.option.1")); |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
639 |
System.out.println(); |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
640 |
System.out.println(rb.getString |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
641 |
(".providerClass.option")); |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
642 |
System.out.println(rb.getString |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
643 |
(".providerArg.option.2")); |
2 | 644 |
System.out.println(); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
645 |
System.out.println(rb.getString |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
646 |
(".strict.treat.warnings.as.errors")); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
647 |
System.out.println(); |
24868
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
648 |
System.out.println(rb.getString |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
649 |
(".conf.url.specify.a.pre.configured.options.file")); |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
650 |
System.out.println(); |
2 | 651 |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
652 |
System.exit(0); |
2 | 653 |
} |
654 |
||
655 |
void verifyJar(String jarName) |
|
656 |
throws Exception |
|
657 |
{ |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
658 |
boolean anySigned = false; // if there exists entry inside jar signed |
2 | 659 |
JarFile jf = null; |
41590
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
660 |
Map<String,String> digestMap = new HashMap<>(); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
661 |
Map<String,PKCS7> sigMap = new HashMap<>(); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
662 |
Map<String,String> sigNameMap = new HashMap<>(); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
663 |
Map<String,String> unparsableSignatures = new HashMap<>(); |
2 | 664 |
|
665 |
try { |
|
666 |
jf = new JarFile(jarName, true); |
|
7977
f47f211cd627
7008713: diamond conversion of kerberos5 and security tools
smarks
parents:
7525
diff
changeset
|
667 |
Vector<JarEntry> entriesVec = new Vector<>(); |
2 | 668 |
byte[] buffer = new byte[8192]; |
669 |
||
670 |
Enumeration<JarEntry> entries = jf.entries(); |
|
671 |
while (entries.hasMoreElements()) { |
|
672 |
JarEntry je = entries.nextElement(); |
|
673 |
entriesVec.addElement(je); |
|
41590
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
674 |
try (InputStream is = jf.getInputStream(je)) { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
675 |
String name = je.getName(); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
676 |
if (signatureRelated(name) |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
677 |
&& SignatureFileVerifier.isBlockOrSF(name)) { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
678 |
String alias = name.substring(name.lastIndexOf('/') + 1, |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
679 |
name.lastIndexOf('.')); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
680 |
try { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
681 |
if (name.endsWith(".SF")) { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
682 |
Manifest sf = new Manifest(is); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
683 |
boolean found = false; |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
684 |
for (Object obj : sf.getMainAttributes().keySet()) { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
685 |
String key = obj.toString(); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
686 |
if (key.endsWith("-Digest-Manifest")) { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
687 |
digestMap.put(alias, |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
688 |
key.substring(0, key.length() - 16)); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
689 |
found = true; |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
690 |
break; |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
691 |
} |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
692 |
} |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
693 |
if (!found) { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
694 |
unparsableSignatures.putIfAbsent(alias, |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
695 |
String.format( |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
696 |
rb.getString("history.unparsable"), |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
697 |
name)); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
698 |
} |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
699 |
} else { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
700 |
sigNameMap.put(alias, name); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
701 |
sigMap.put(alias, new PKCS7(is)); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
702 |
} |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
703 |
} catch (IOException ioe) { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
704 |
unparsableSignatures.putIfAbsent(alias, String.format( |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
705 |
rb.getString("history.unparsable"), name)); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
706 |
} |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
707 |
} else { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
708 |
while (is.read(buffer, 0, buffer.length) != -1) { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
709 |
// we just read. this will throw a SecurityException |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
710 |
// if a signature/digest check fails. |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
711 |
} |
2 | 712 |
} |
713 |
} |
|
714 |
} |
|
715 |
||
716 |
Manifest man = jf.getManifest(); |
|
41582
246512d81eba
8165816: jarsigner -verify shows jar unsigned if it was signed with a weak algorithm
weijun
parents:
40177
diff
changeset
|
717 |
boolean hasSignature = false; |
2 | 718 |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
719 |
// The map to record display info, only used when -verbose provided |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
720 |
// key: signer info string |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
721 |
// value: the list of files with common key |
7977
f47f211cd627
7008713: diamond conversion of kerberos5 and security tools
smarks
parents:
7525
diff
changeset
|
722 |
Map<String,List<String>> output = new LinkedHashMap<>(); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
723 |
|
2 | 724 |
if (man != null) { |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
725 |
if (verbose != null) System.out.println(); |
2 | 726 |
Enumeration<JarEntry> e = entriesVec.elements(); |
727 |
||
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
728 |
String tab = rb.getString("6SPACE"); |
2 | 729 |
|
730 |
while (e.hasMoreElements()) { |
|
731 |
JarEntry je = e.nextElement(); |
|
732 |
String name = je.getName(); |
|
41582
246512d81eba
8165816: jarsigner -verify shows jar unsigned if it was signed with a weak algorithm
weijun
parents:
40177
diff
changeset
|
733 |
|
246512d81eba
8165816: jarsigner -verify shows jar unsigned if it was signed with a weak algorithm
weijun
parents:
40177
diff
changeset
|
734 |
hasSignature = hasSignature |
246512d81eba
8165816: jarsigner -verify shows jar unsigned if it was signed with a weak algorithm
weijun
parents:
40177
diff
changeset
|
735 |
|| SignatureFileVerifier.isBlockOrSF(name); |
246512d81eba
8165816: jarsigner -verify shows jar unsigned if it was signed with a weak algorithm
weijun
parents:
40177
diff
changeset
|
736 |
|
2 | 737 |
CodeSigner[] signers = je.getCodeSigners(); |
738 |
boolean isSigned = (signers != null); |
|
739 |
anySigned |= isSigned; |
|
740 |
hasUnsignedEntry |= !je.isDirectory() && !isSigned |
|
741 |
&& !signatureRelated(name); |
|
742 |
||
40177
e2a7079bd50a
8163303: Remove identity scope information from jarsigner -verbose output
weijun
parents:
39633
diff
changeset
|
743 |
int inStoreWithAlias = inKeyStore(signers); |
e2a7079bd50a
8163303: Remove identity scope information from jarsigner -verbose output
weijun
parents:
39633
diff
changeset
|
744 |
|
e2a7079bd50a
8163303: Remove identity scope information from jarsigner -verbose output
weijun
parents:
39633
diff
changeset
|
745 |
boolean inStore = (inStoreWithAlias & IN_KEYSTORE) != 0; |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
746 |
|
40177
e2a7079bd50a
8163303: Remove identity scope information from jarsigner -verbose output
weijun
parents:
39633
diff
changeset
|
747 |
notSignedByAlias |= (inStoreWithAlias & NOT_ALIAS) != 0; |
7525
16d2b5e6517a
7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert
weijun
parents:
7524
diff
changeset
|
748 |
if (keystore != null) { |
40177
e2a7079bd50a
8163303: Remove identity scope information from jarsigner -verbose output
weijun
parents:
39633
diff
changeset
|
749 |
aliasNotInStore |= isSigned && !inStore; |
7525
16d2b5e6517a
7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert
weijun
parents:
7524
diff
changeset
|
750 |
} |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
751 |
|
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
752 |
// Only used when -verbose provided |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
753 |
StringBuffer sb = null; |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
754 |
if (verbose != null) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
755 |
sb = new StringBuffer(); |
2 | 756 |
boolean inManifest = |
757 |
((man.getAttributes(name) != null) || |
|
758 |
(man.getAttributes("./"+name) != null) || |
|
759 |
(man.getAttributes("/"+name) != null)); |
|
27957
24b4e6082f19
8055723: Replace concat String to append in StringBuilder parameters (dev)
weijun
parents:
27344
diff
changeset
|
760 |
sb.append(isSigned ? rb.getString("s") : rb.getString("SPACE")) |
24b4e6082f19
8055723: Replace concat String to append in StringBuilder parameters (dev)
weijun
parents:
27344
diff
changeset
|
761 |
.append(inManifest ? rb.getString("m") : rb.getString("SPACE")) |
24b4e6082f19
8055723: Replace concat String to append in StringBuilder parameters (dev)
weijun
parents:
27344
diff
changeset
|
762 |
.append(inStore ? rb.getString("k") : rb.getString("SPACE")) |
40177
e2a7079bd50a
8163303: Remove identity scope information from jarsigner -verbose output
weijun
parents:
39633
diff
changeset
|
763 |
.append((inStoreWithAlias & NOT_ALIAS) != 0 ? 'X' : ' ') |
27957
24b4e6082f19
8055723: Replace concat String to append in StringBuilder parameters (dev)
weijun
parents:
27344
diff
changeset
|
764 |
.append(rb.getString("SPACE")); |
24b4e6082f19
8055723: Replace concat String to append in StringBuilder parameters (dev)
weijun
parents:
27344
diff
changeset
|
765 |
sb.append('|'); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
766 |
} |
2 | 767 |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
768 |
// When -certs provided, display info has extra empty |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
769 |
// lines at the beginning and end. |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
770 |
if (isSigned) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
771 |
if (showcerts) sb.append('\n'); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
772 |
for (CodeSigner signer: signers) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
773 |
// signerInfo() must be called even if -verbose |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
774 |
// not provided. The method updates various |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
775 |
// warning flags. |
12046
378aa3362868
7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp
weijun
parents:
10788
diff
changeset
|
776 |
String si = signerInfo(signer, tab); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
777 |
if (showcerts) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
778 |
sb.append(si); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
779 |
sb.append('\n'); |
2 | 780 |
} |
781 |
} |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
782 |
} else if (showcerts && !verbose.equals("all")) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
783 |
// Print no info for unsigned entries when -verbose:all, |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
784 |
// to be consistent with old behavior. |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
785 |
if (signatureRelated(name)) { |
27957
24b4e6082f19
8055723: Replace concat String to append in StringBuilder parameters (dev)
weijun
parents:
27344
diff
changeset
|
786 |
sb.append('\n') |
24b4e6082f19
8055723: Replace concat String to append in StringBuilder parameters (dev)
weijun
parents:
27344
diff
changeset
|
787 |
.append(tab) |
24b4e6082f19
8055723: Replace concat String to append in StringBuilder parameters (dev)
weijun
parents:
27344
diff
changeset
|
788 |
.append(rb |
24b4e6082f19
8055723: Replace concat String to append in StringBuilder parameters (dev)
weijun
parents:
27344
diff
changeset
|
789 |
.getString(".Signature.related.entries.")) |
24b4e6082f19
8055723: Replace concat String to append in StringBuilder parameters (dev)
weijun
parents:
27344
diff
changeset
|
790 |
.append("\n\n"); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
791 |
} else { |
27957
24b4e6082f19
8055723: Replace concat String to append in StringBuilder parameters (dev)
weijun
parents:
27344
diff
changeset
|
792 |
sb.append('\n').append(tab) |
24b4e6082f19
8055723: Replace concat String to append in StringBuilder parameters (dev)
weijun
parents:
27344
diff
changeset
|
793 |
.append(rb.getString(".Unsigned.entries.")) |
24b4e6082f19
8055723: Replace concat String to append in StringBuilder parameters (dev)
weijun
parents:
27344
diff
changeset
|
794 |
.append("\n\n"); |
2 | 795 |
} |
796 |
} |
|
797 |
||
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
798 |
if (verbose != null) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
799 |
String label = sb.toString(); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
800 |
if (signatureRelated(name)) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
801 |
// Entries inside META-INF and other unsigned |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
802 |
// entries are grouped separately. |
7524
ec12e1e6fa20
7004035: signed jar with only META-INF/* inside is not verifiable
weijun
parents:
7179
diff
changeset
|
803 |
label = "-" + label; |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
804 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
805 |
|
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
806 |
// The label finally contains 2 parts separated by '|': |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
807 |
// The legend displayed before the entry names, and |
21278 | 808 |
// the cert info (if -certs specified). |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
809 |
|
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
810 |
if (!output.containsKey(label)) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
811 |
output.put(label, new ArrayList<String>()); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
812 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
813 |
|
24969
afa6934dd8e8
8041679: Replace uses of StringBuffer with StringBuilder within core library classes
psandoz
parents:
24868
diff
changeset
|
814 |
StringBuilder fb = new StringBuilder(); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
815 |
String s = Long.toString(je.getSize()); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
816 |
for (int i = 6 - s.length(); i > 0; --i) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
817 |
fb.append(' '); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
818 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
819 |
fb.append(s).append(' '). |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
820 |
append(new Date(je.getTime()).toString()); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
821 |
fb.append(' ').append(name); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
822 |
|
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
823 |
output.get(label).add(fb.toString()); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
824 |
} |
2 | 825 |
} |
826 |
} |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
827 |
if (verbose != null) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
828 |
for (Entry<String,List<String>> s: output.entrySet()) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
829 |
List<String> files = s.getValue(); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
830 |
String key = s.getKey(); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
831 |
if (key.charAt(0) == '-') { // the signature-related group |
7524
ec12e1e6fa20
7004035: signed jar with only META-INF/* inside is not verifiable
weijun
parents:
7179
diff
changeset
|
832 |
key = key.substring(1); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
833 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
834 |
int pipe = key.indexOf('|'); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
835 |
if (verbose.equals("all")) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
836 |
for (String f: files) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
837 |
System.out.println(key.substring(0, pipe) + f); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
838 |
System.out.printf(key.substring(pipe+1)); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
839 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
840 |
} else { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
841 |
if (verbose.equals("grouped")) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
842 |
for (String f: files) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
843 |
System.out.println(key.substring(0, pipe) + f); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
844 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
845 |
} else if (verbose.equals("summary")) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
846 |
System.out.print(key.substring(0, pipe)); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
847 |
if (files.size() > 1) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
848 |
System.out.println(files.get(0) + " " + |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
849 |
String.format(rb.getString( |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
850 |
".and.d.more."), files.size()-1)); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
851 |
} else { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
852 |
System.out.println(files.get(0)); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
853 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
854 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
855 |
System.out.printf(key.substring(pipe+1)); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
856 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
857 |
} |
2 | 858 |
System.out.println(); |
859 |
System.out.println(rb.getString( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
860 |
".s.signature.was.verified.")); |
2 | 861 |
System.out.println(rb.getString( |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
862 |
".m.entry.is.listed.in.manifest")); |
2 | 863 |
System.out.println(rb.getString( |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
864 |
".k.at.least.one.certificate.was.found.in.keystore")); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
865 |
if (ckaliases.size() > 0) { |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
866 |
System.out.println(rb.getString( |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
867 |
".X.not.signed.by.specified.alias.es.")); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
868 |
} |
2 | 869 |
} |
41590
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
870 |
if (man == null) { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
871 |
System.out.println(); |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
872 |
System.out.println(rb.getString("no.manifest.")); |
41590
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
873 |
} |
2 | 874 |
|
34382
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
875 |
// If signer is a trusted cert or private entry in user's own |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
876 |
// keystore, it can be self-signed. |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
877 |
if (!aliasNotInStore) { |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
878 |
signerSelfSigned = false; |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
879 |
} |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
880 |
|
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
881 |
// If there is a time stamp block inside the PKCS7 block file |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
882 |
boolean hasTimestampBlock = false; |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
883 |
|
41590
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
884 |
// Even if the verbose option is not specified, all out strings |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
885 |
// must be generated so seeWeak can be updated. |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
886 |
if (!digestMap.isEmpty() |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
887 |
|| !sigMap.isEmpty() |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
888 |
|| !unparsableSignatures.isEmpty()) { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
889 |
if (verbose != null) { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
890 |
System.out.println(); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
891 |
} |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
892 |
for (String s : sigMap.keySet()) { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
893 |
if (!digestMap.containsKey(s)) { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
894 |
unparsableSignatures.putIfAbsent(s, String.format( |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
895 |
rb.getString("history.nosf"), s)); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
896 |
} |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
897 |
} |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
898 |
for (String s : digestMap.keySet()) { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
899 |
PKCS7 p7 = sigMap.get(s); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
900 |
if (p7 != null) { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
901 |
String history; |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
902 |
try { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
903 |
SignerInfo si = p7.getSignerInfos()[0]; |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
904 |
X509Certificate signer = si.getCertificate(p7); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
905 |
String digestAlg = digestMap.get(s); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
906 |
String sigAlg = AlgorithmId.makeSigAlg( |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
907 |
si.getDigestAlgorithmId().getName(), |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
908 |
si.getDigestEncryptionAlgorithmId().getName()); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
909 |
PublicKey key = signer.getPublicKey(); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
910 |
PKCS7 tsToken = si.getTsToken(); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
911 |
if (tsToken != null) { |
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
912 |
hasTimestampBlock = true; |
41590
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
913 |
SignerInfo tsSi = tsToken.getSignerInfos()[0]; |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
914 |
X509Certificate tsSigner = tsSi.getCertificate(tsToken); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
915 |
byte[] encTsTokenInfo = tsToken.getContentInfo().getData(); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
916 |
TimestampToken tsTokenInfo = new TimestampToken(encTsTokenInfo); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
917 |
PublicKey tsKey = tsSigner.getPublicKey(); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
918 |
String tsDigestAlg = tsTokenInfo.getHashAlgorithm().getName(); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
919 |
String tsSigAlg = AlgorithmId.makeSigAlg( |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
920 |
tsSi.getDigestAlgorithmId().getName(), |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
921 |
tsSi.getDigestEncryptionAlgorithmId().getName()); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
922 |
Calendar c = Calendar.getInstance( |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
923 |
TimeZone.getTimeZone("UTC"), |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
924 |
Locale.getDefault(Locale.Category.FORMAT)); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
925 |
c.setTime(tsTokenInfo.getDate()); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
926 |
history = String.format( |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
927 |
rb.getString("history.with.ts"), |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
928 |
signer.getSubjectX500Principal(), |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
929 |
withWeak(digestAlg, DIGEST_PRIMITIVE_SET), |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
930 |
withWeak(sigAlg, SIG_PRIMITIVE_SET), |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
931 |
withWeak(key), |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
932 |
c, |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
933 |
tsSigner.getSubjectX500Principal(), |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
934 |
withWeak(tsDigestAlg, DIGEST_PRIMITIVE_SET), |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
935 |
withWeak(tsSigAlg, SIG_PRIMITIVE_SET), |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
936 |
withWeak(tsKey)); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
937 |
} else { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
938 |
history = String.format( |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
939 |
rb.getString("history.without.ts"), |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
940 |
signer.getSubjectX500Principal(), |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
941 |
withWeak(digestAlg, DIGEST_PRIMITIVE_SET), |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
942 |
withWeak(sigAlg, SIG_PRIMITIVE_SET), |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
943 |
withWeak(key)); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
944 |
} |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
945 |
} catch (Exception e) { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
946 |
// The only usage of sigNameMap, remember the name |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
947 |
// of the block file if it's invalid. |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
948 |
history = String.format( |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
949 |
rb.getString("history.unparsable"), |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
950 |
sigNameMap.get(s)); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
951 |
} |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
952 |
if (verbose != null) { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
953 |
System.out.println(history); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
954 |
} |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
955 |
} else { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
956 |
unparsableSignatures.putIfAbsent(s, String.format( |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
957 |
rb.getString("history.nobk"), s)); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
958 |
} |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
959 |
} |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
960 |
if (verbose != null) { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
961 |
for (String s : unparsableSignatures.keySet()) { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
962 |
System.out.println(unparsableSignatures.get(s)); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
963 |
} |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
964 |
} |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
965 |
} |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
966 |
System.out.println(); |
2 | 967 |
if (!anySigned) { |
41590
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
968 |
if (seeWeak) { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
969 |
if (verbose != null) { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
970 |
System.out.println(rb.getString("jar.treated.unsigned.see.weak.verbose")); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
971 |
System.out.println("\n " + |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
972 |
DisabledAlgorithmConstraints.PROPERTY_JAR_DISABLED_ALGS + |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
973 |
"=" + Security.getProperty(DisabledAlgorithmConstraints.PROPERTY_JAR_DISABLED_ALGS)); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
974 |
} else { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
975 |
System.out.println(rb.getString("jar.treated.unsigned.see.weak")); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
976 |
} |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
977 |
} else if (hasSignature) { |
41582
246512d81eba
8165816: jarsigner -verify shows jar unsigned if it was signed with a weak algorithm
weijun
parents:
40177
diff
changeset
|
978 |
System.out.println(rb.getString("jar.treated.unsigned")); |
246512d81eba
8165816: jarsigner -verify shows jar unsigned if it was signed with a weak algorithm
weijun
parents:
40177
diff
changeset
|
979 |
} else { |
246512d81eba
8165816: jarsigner -verify shows jar unsigned if it was signed with a weak algorithm
weijun
parents:
40177
diff
changeset
|
980 |
System.out.println(rb.getString("jar.is.unsigned")); |
246512d81eba
8165816: jarsigner -verify shows jar unsigned if it was signed with a weak algorithm
weijun
parents:
40177
diff
changeset
|
981 |
} |
2 | 982 |
} else { |
22315 | 983 |
boolean warningAppeared = false; |
984 |
boolean errorAppeared = false; |
|
985 |
if (badKeyUsage || badExtendedKeyUsage || badNetscapeCertType || |
|
986 |
notYetValidCert || chainNotValidated || hasExpiredCert || |
|
34382
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
987 |
hasUnsignedEntry || signerSelfSigned || (weakAlg != 0) || |
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
988 |
aliasNotInStore || notSignedByAlias || tsaChainNotValidated) { |
2 | 989 |
|
22315 | 990 |
if (strict) { |
991 |
System.out.println(rb.getString("jar.verified.with.signer.errors.")); |
|
992 |
System.out.println(); |
|
993 |
System.out.println(rb.getString("Error.")); |
|
994 |
errorAppeared = true; |
|
995 |
} else { |
|
996 |
System.out.println(rb.getString("jar.verified.")); |
|
997 |
System.out.println(); |
|
998 |
System.out.println(rb.getString("Warning.")); |
|
999 |
warningAppeared = true; |
|
1000 |
} |
|
1001 |
||
34382
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1002 |
if (weakAlg != 0) { |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1003 |
// In fact, jarsigner verification did not catch this |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1004 |
// since it has not read the JarFile content itself. |
41590
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
1005 |
// Everything is done with JarFile API. The signing |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
1006 |
// history (digestMap etc) will show these info and |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
1007 |
// print out proper warnings. |
34382
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1008 |
} |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1009 |
|
2 | 1010 |
if (badKeyUsage) { |
1011 |
System.out.println( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1012 |
rb.getString("This.jar.contains.entries.whose.signer.certificate.s.KeyUsage.extension.doesn.t.allow.code.signing.")); |
2 | 1013 |
} |
1014 |
||
1015 |
if (badExtendedKeyUsage) { |
|
1016 |
System.out.println( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1017 |
rb.getString("This.jar.contains.entries.whose.signer.certificate.s.ExtendedKeyUsage.extension.doesn.t.allow.code.signing.")); |
2 | 1018 |
} |
1019 |
||
1020 |
if (badNetscapeCertType) { |
|
1021 |
System.out.println( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1022 |
rb.getString("This.jar.contains.entries.whose.signer.certificate.s.NetscapeCertType.extension.doesn.t.allow.code.signing.")); |
2 | 1023 |
} |
1024 |
||
1025 |
if (hasUnsignedEntry) { |
|
1026 |
System.out.println(rb.getString( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1027 |
"This.jar.contains.unsigned.entries.which.have.not.been.integrity.checked.")); |
2 | 1028 |
} |
1029 |
if (hasExpiredCert) { |
|
1030 |
System.out.println(rb.getString( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1031 |
"This.jar.contains.entries.whose.signer.certificate.has.expired.")); |
2 | 1032 |
} |
1033 |
if (notYetValidCert) { |
|
1034 |
System.out.println(rb.getString( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1035 |
"This.jar.contains.entries.whose.signer.certificate.is.not.yet.valid.")); |
2 | 1036 |
} |
1037 |
||
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1038 |
if (chainNotValidated) { |
34382
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1039 |
System.out.println(String.format( |
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1040 |
rb.getString("This.jar.contains.entries.whose.certificate.chain.is.invalid.reason.1"), |
34382
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1041 |
chainNotValidatedReason.getLocalizedMessage())); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1042 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1043 |
|
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1044 |
if (tsaChainNotValidated) { |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1045 |
System.out.println(String.format( |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1046 |
rb.getString("This.jar.contains.entries.whose.tsa.certificate.chain.is.invalid.reason.1"), |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1047 |
tsaChainNotValidatedReason.getLocalizedMessage())); |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1048 |
} |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1049 |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1050 |
if (notSignedByAlias) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1051 |
System.out.println( |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1052 |
rb.getString("This.jar.contains.signed.entries.which.is.not.signed.by.the.specified.alias.es.")); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1053 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1054 |
|
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1055 |
if (aliasNotInStore) { |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1056 |
System.out.println(rb.getString("This.jar.contains.signed.entries.that.s.not.signed.by.alias.in.this.keystore.")); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1057 |
} |
34382
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1058 |
|
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1059 |
if (signerSelfSigned) { |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1060 |
System.out.println(rb.getString( |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1061 |
"This.jar.contains.entries.whose.signer.certificate.is.self.signed.")); |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1062 |
} |
22315 | 1063 |
} else { |
1064 |
System.out.println(rb.getString("jar.verified.")); |
|
1065 |
} |
|
1066 |
if (hasExpiringCert || noTimestamp) { |
|
1067 |
if (!warningAppeared) { |
|
1068 |
System.out.println(); |
|
1069 |
System.out.println(rb.getString("Warning.")); |
|
1070 |
warningAppeared = true; |
|
1071 |
} |
|
1072 |
if (hasExpiringCert) { |
|
1073 |
System.out.println(rb.getString( |
|
1074 |
"This.jar.contains.entries.whose.signer.certificate.will.expire.within.six.months.")); |
|
1075 |
} |
|
1076 |
if (noTimestamp) { |
|
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1077 |
if (hasTimestampBlock) { |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1078 |
// JarSigner API has not seen the timestamp, |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1079 |
// might have ignored it due to weak alg, etc. |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1080 |
System.out.println( |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1081 |
String.format(rb.getString("bad.timestamp.verifying"), expireDate)); |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1082 |
} else { |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1083 |
System.out.println( |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1084 |
String.format(rb.getString("no.timestamp.verifying"), expireDate)); |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1085 |
} |
22315 | 1086 |
} |
1087 |
} |
|
1088 |
if (warningAppeared || errorAppeared) { |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1089 |
if (! (verbose != null && showcerts)) { |
2 | 1090 |
System.out.println(); |
1091 |
System.out.println(rb.getString( |
|
22315 | 1092 |
"Re.run.with.the.verbose.and.certs.options.for.more.details.")); |
2 | 1093 |
} |
1094 |
} |
|
1095 |
} |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1096 |
return; |
2 | 1097 |
} catch (Exception e) { |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1098 |
System.out.println(rb.getString("jarsigner.") + e); |
2 | 1099 |
if (debug) { |
1100 |
e.printStackTrace(); |
|
1101 |
} |
|
1102 |
} finally { // close the resource |
|
1103 |
if (jf != null) { |
|
1104 |
jf.close(); |
|
1105 |
} |
|
1106 |
} |
|
1107 |
||
1108 |
System.exit(1); |
|
1109 |
} |
|
1110 |
||
41590
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
1111 |
private String withWeak(String alg, Set<CryptoPrimitive> primitiveSet) { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
1112 |
if (DISABLED_CHECK.permits(primitiveSet, alg, null)) { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
1113 |
return alg; |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
1114 |
} else { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
1115 |
seeWeak = true; |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
1116 |
return String.format(rb.getString("with.weak"), alg); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
1117 |
} |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
1118 |
} |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
1119 |
|
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
1120 |
private String withWeak(PublicKey key) { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
1121 |
if (DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) { |
46139
5196af754957
8185934: keytool shows "Signature algorithm: SHA1withECDSA, -1-bit key"
weijun
parents:
44597
diff
changeset
|
1122 |
int kLen = KeyUtil.getKeySize(key); |
5196af754957
8185934: keytool shows "Signature algorithm: SHA1withECDSA, -1-bit key"
weijun
parents:
44597
diff
changeset
|
1123 |
if (kLen >= 0) { |
5196af754957
8185934: keytool shows "Signature algorithm: SHA1withECDSA, -1-bit key"
weijun
parents:
44597
diff
changeset
|
1124 |
return String.format(rb.getString("key.bit"), kLen); |
5196af754957
8185934: keytool shows "Signature algorithm: SHA1withECDSA, -1-bit key"
weijun
parents:
44597
diff
changeset
|
1125 |
} else { |
5196af754957
8185934: keytool shows "Signature algorithm: SHA1withECDSA, -1-bit key"
weijun
parents:
44597
diff
changeset
|
1126 |
return rb.getString("unknown.size"); |
5196af754957
8185934: keytool shows "Signature algorithm: SHA1withECDSA, -1-bit key"
weijun
parents:
44597
diff
changeset
|
1127 |
} |
41590
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
1128 |
} else { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
1129 |
seeWeak = true; |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
1130 |
return String.format( |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
1131 |
rb.getString("key.bit.weak"), KeyUtil.getKeySize(key)); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
1132 |
} |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
1133 |
} |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
1134 |
|
2 | 1135 |
private static MessageFormat validityTimeForm = null; |
1136 |
private static MessageFormat notYetTimeForm = null; |
|
1137 |
private static MessageFormat expiredTimeForm = null; |
|
1138 |
private static MessageFormat expiringTimeForm = null; |
|
1139 |
||
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1140 |
/** |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1141 |
* Returns a string about a certificate: |
2 | 1142 |
* |
1143 |
* [<tab>] <cert-type> [", " <subject-DN>] [" (" <keystore-entry-alias> ")"] |
|
1144 |
* [<validity-period> | <expiry-warning>] |
|
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1145 |
* [<key-usage-warning>] |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1146 |
* |
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1147 |
* Note: no newline character at the end. |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1148 |
* |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1149 |
* When isTsCert is true, this method sets global flags like hasExpiredCert, |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1150 |
* notYetValidCert, badKeyUsage, badExtendedKeyUsage, badNetscapeCertType. |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1151 |
* |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1152 |
* @param isTsCert true if c is in the TSA cert chain, false otherwise. |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1153 |
* @param checkUsage true to check code signer keyUsage |
2 | 1154 |
*/ |
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1155 |
String printCert(boolean isTsCert, String tab, Certificate c, |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1156 |
Date timestamp, boolean checkUsage) throws Exception { |
2 | 1157 |
|
1158 |
StringBuilder certStr = new StringBuilder(); |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1159 |
String space = rb.getString("SPACE"); |
2 | 1160 |
X509Certificate x509Cert = null; |
1161 |
||
1162 |
if (c instanceof X509Certificate) { |
|
1163 |
x509Cert = (X509Certificate) c; |
|
1164 |
certStr.append(tab).append(x509Cert.getType()) |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1165 |
.append(rb.getString("COMMA")) |
2 | 1166 |
.append(x509Cert.getSubjectDN().getName()); |
1167 |
} else { |
|
1168 |
certStr.append(tab).append(c.getType()); |
|
1169 |
} |
|
1170 |
||
1171 |
String alias = storeHash.get(c); |
|
1172 |
if (alias != null) { |
|
1173 |
certStr.append(space).append(alias); |
|
1174 |
} |
|
1175 |
||
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1176 |
if (x509Cert != null) { |
2 | 1177 |
|
1178 |
certStr.append("\n").append(tab).append("["); |
|
1179 |
Date notAfter = x509Cert.getNotAfter(); |
|
1180 |
try { |
|
12046
378aa3362868
7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp
weijun
parents:
10788
diff
changeset
|
1181 |
boolean printValidity = true; |
378aa3362868
7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp
weijun
parents:
10788
diff
changeset
|
1182 |
if (timestamp == null) { |
22315 | 1183 |
if (expireDate.getTime() == 0 || expireDate.after(notAfter)) { |
1184 |
expireDate = notAfter; |
|
1185 |
} |
|
12046
378aa3362868
7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp
weijun
parents:
10788
diff
changeset
|
1186 |
x509Cert.checkValidity(); |
378aa3362868
7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp
weijun
parents:
10788
diff
changeset
|
1187 |
// test if cert will expire within six months |
378aa3362868
7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp
weijun
parents:
10788
diff
changeset
|
1188 |
if (notAfter.getTime() < System.currentTimeMillis() + SIX_MONTHS) { |
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1189 |
if (!isTsCert) hasExpiringCert = true; |
12046
378aa3362868
7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp
weijun
parents:
10788
diff
changeset
|
1190 |
if (expiringTimeForm == null) { |
378aa3362868
7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp
weijun
parents:
10788
diff
changeset
|
1191 |
expiringTimeForm = new MessageFormat( |
378aa3362868
7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp
weijun
parents:
10788
diff
changeset
|
1192 |
rb.getString("certificate.will.expire.on")); |
378aa3362868
7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp
weijun
parents:
10788
diff
changeset
|
1193 |
} |
378aa3362868
7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp
weijun
parents:
10788
diff
changeset
|
1194 |
Object[] source = { notAfter }; |
378aa3362868
7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp
weijun
parents:
10788
diff
changeset
|
1195 |
certStr.append(expiringTimeForm.format(source)); |
378aa3362868
7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp
weijun
parents:
10788
diff
changeset
|
1196 |
printValidity = false; |
378aa3362868
7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp
weijun
parents:
10788
diff
changeset
|
1197 |
} |
378aa3362868
7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp
weijun
parents:
10788
diff
changeset
|
1198 |
} else { |
378aa3362868
7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp
weijun
parents:
10788
diff
changeset
|
1199 |
x509Cert.checkValidity(timestamp); |
2 | 1200 |
} |
12046
378aa3362868
7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp
weijun
parents:
10788
diff
changeset
|
1201 |
if (printValidity) { |
2 | 1202 |
if (validityTimeForm == null) { |
1203 |
validityTimeForm = new MessageFormat( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1204 |
rb.getString("certificate.is.valid.from")); |
2 | 1205 |
} |
1206 |
Object[] source = { x509Cert.getNotBefore(), notAfter }; |
|
1207 |
certStr.append(validityTimeForm.format(source)); |
|
1208 |
} |
|
1209 |
} catch (CertificateExpiredException cee) { |
|
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1210 |
if (!isTsCert) hasExpiredCert = true; |
2 | 1211 |
|
1212 |
if (expiredTimeForm == null) { |
|
1213 |
expiredTimeForm = new MessageFormat( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1214 |
rb.getString("certificate.expired.on")); |
2 | 1215 |
} |
1216 |
Object[] source = { notAfter }; |
|
1217 |
certStr.append(expiredTimeForm.format(source)); |
|
1218 |
||
1219 |
} catch (CertificateNotYetValidException cnyve) { |
|
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1220 |
if (!isTsCert) notYetValidCert = true; |
2 | 1221 |
|
1222 |
if (notYetTimeForm == null) { |
|
1223 |
notYetTimeForm = new MessageFormat( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1224 |
rb.getString("certificate.is.not.valid.until")); |
2 | 1225 |
} |
1226 |
Object[] source = { x509Cert.getNotBefore() }; |
|
1227 |
certStr.append(notYetTimeForm.format(source)); |
|
1228 |
} |
|
1229 |
certStr.append("]"); |
|
1230 |
||
7525
16d2b5e6517a
7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert
weijun
parents:
7524
diff
changeset
|
1231 |
if (checkUsage) { |
16d2b5e6517a
7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert
weijun
parents:
7524
diff
changeset
|
1232 |
boolean[] bad = new boolean[3]; |
16d2b5e6517a
7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert
weijun
parents:
7524
diff
changeset
|
1233 |
checkCertUsage(x509Cert, bad); |
16d2b5e6517a
7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert
weijun
parents:
7524
diff
changeset
|
1234 |
if (bad[0] || bad[1] || bad[2]) { |
16d2b5e6517a
7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert
weijun
parents:
7524
diff
changeset
|
1235 |
String x = ""; |
16d2b5e6517a
7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert
weijun
parents:
7524
diff
changeset
|
1236 |
if (bad[0]) { |
16d2b5e6517a
7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert
weijun
parents:
7524
diff
changeset
|
1237 |
x ="KeyUsage"; |
16d2b5e6517a
7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert
weijun
parents:
7524
diff
changeset
|
1238 |
} |
16d2b5e6517a
7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert
weijun
parents:
7524
diff
changeset
|
1239 |
if (bad[1]) { |
16d2b5e6517a
7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert
weijun
parents:
7524
diff
changeset
|
1240 |
if (x.length() > 0) x = x + ", "; |
16d2b5e6517a
7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert
weijun
parents:
7524
diff
changeset
|
1241 |
x = x + "ExtendedKeyUsage"; |
16d2b5e6517a
7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert
weijun
parents:
7524
diff
changeset
|
1242 |
} |
16d2b5e6517a
7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert
weijun
parents:
7524
diff
changeset
|
1243 |
if (bad[2]) { |
16d2b5e6517a
7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert
weijun
parents:
7524
diff
changeset
|
1244 |
if (x.length() > 0) x = x + ", "; |
16d2b5e6517a
7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert
weijun
parents:
7524
diff
changeset
|
1245 |
x = x + "NetscapeCertType"; |
16d2b5e6517a
7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert
weijun
parents:
7524
diff
changeset
|
1246 |
} |
16d2b5e6517a
7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert
weijun
parents:
7524
diff
changeset
|
1247 |
certStr.append("\n").append(tab) |
2 | 1248 |
.append(MessageFormat.format(rb.getString( |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1249 |
".{0}.extension.does.not.support.code.signing."), x)); |
7525
16d2b5e6517a
7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert
weijun
parents:
7524
diff
changeset
|
1250 |
} |
2 | 1251 |
} |
1252 |
} |
|
1253 |
return certStr.toString(); |
|
1254 |
} |
|
1255 |
||
1256 |
private static MessageFormat signTimeForm = null; |
|
1257 |
||
1258 |
private String printTimestamp(String tab, Timestamp timestamp) { |
|
1259 |
||
1260 |
if (signTimeForm == null) { |
|
1261 |
signTimeForm = |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1262 |
new MessageFormat(rb.getString("entry.was.signed.on")); |
2 | 1263 |
} |
1264 |
Object[] source = { timestamp.getTimestamp() }; |
|
1265 |
||
1266 |
return new StringBuilder().append(tab).append("[") |
|
1267 |
.append(signTimeForm.format(source)).append("]").toString(); |
|
1268 |
} |
|
1269 |
||
7977
f47f211cd627
7008713: diamond conversion of kerberos5 and security tools
smarks
parents:
7525
diff
changeset
|
1270 |
private Map<CodeSigner,Integer> cacheForInKS = new IdentityHashMap<>(); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1271 |
|
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1272 |
private int inKeyStoreForOneSigner(CodeSigner signer) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1273 |
if (cacheForInKS.containsKey(signer)) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1274 |
return cacheForInKS.get(signer); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1275 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1276 |
|
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1277 |
int result = 0; |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1278 |
List<? extends Certificate> certs = signer.getSignerCertPath().getCertificates(); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1279 |
for (Certificate c : certs) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1280 |
String alias = storeHash.get(c); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1281 |
if (alias != null) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1282 |
if (alias.startsWith("(")) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1283 |
result |= IN_KEYSTORE; |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1284 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1285 |
if (ckaliases.contains(alias.substring(1, alias.length() - 1))) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1286 |
result |= SIGNED_BY_ALIAS; |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1287 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1288 |
} else { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1289 |
if (store != null) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1290 |
try { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1291 |
alias = store.getCertificateAlias(c); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1292 |
} catch (KeyStoreException kse) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1293 |
// never happens, because keystore has been loaded |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1294 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1295 |
if (alias != null) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1296 |
storeHash.put(c, "(" + alias + ")"); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1297 |
result |= IN_KEYSTORE; |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1298 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1299 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1300 |
if (ckaliases.contains(alias)) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1301 |
result |= SIGNED_BY_ALIAS; |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1302 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1303 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1304 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1305 |
cacheForInKS.put(signer, result); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1306 |
return result; |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1307 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1308 |
|
7977
f47f211cd627
7008713: diamond conversion of kerberos5 and security tools
smarks
parents:
7525
diff
changeset
|
1309 |
Hashtable<Certificate, String> storeHash = new Hashtable<>(); |
2 | 1310 |
|
1311 |
int inKeyStore(CodeSigner[] signers) { |
|
1312 |
||
1313 |
if (signers == null) |
|
1314 |
return 0; |
|
1315 |
||
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1316 |
int output = 0; |
2 | 1317 |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1318 |
for (CodeSigner signer: signers) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1319 |
int result = inKeyStoreForOneSigner(signer); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1320 |
output |= result; |
2 | 1321 |
} |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1322 |
if (ckaliases.size() > 0 && (output & SIGNED_BY_ALIAS) == 0) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1323 |
output |= NOT_ALIAS; |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1324 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1325 |
return output; |
2 | 1326 |
} |
1327 |
||
33872 | 1328 |
void signJar(String jarName, String alias) |
34382
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1329 |
throws Exception { |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1330 |
|
41590
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
1331 |
if (digestalg != null && !DISABLED_CHECK.permits( |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
1332 |
DIGEST_PRIMITIVE_SET, digestalg, null)) { |
34382
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1333 |
weakAlg |= 1; |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1334 |
} |
41590
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
1335 |
if (tSADigestAlg != null && !DISABLED_CHECK.permits( |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
1336 |
DIGEST_PRIMITIVE_SET, tSADigestAlg, null)) { |
34382
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1337 |
weakAlg |= 4; |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1338 |
} |
41590
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
1339 |
if (sigalg != null && !DISABLED_CHECK.permits( |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
1340 |
SIG_PRIMITIVE_SET , sigalg, null)) { |
34382
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1341 |
weakAlg |= 2; |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1342 |
} |
41590
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
1343 |
if (!DISABLED_CHECK.permits( |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
1344 |
SIG_PRIMITIVE_SET, privateKey)) { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
1345 |
weakAlg |= 8; |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
1346 |
} |
34382
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1347 |
|
2 | 1348 |
boolean aliasUsed = false; |
1349 |
X509Certificate tsaCert = null; |
|
1350 |
||
1351 |
if (sigfile == null) { |
|
1352 |
sigfile = alias; |
|
1353 |
aliasUsed = true; |
|
1354 |
} |
|
1355 |
||
1356 |
if (sigfile.length() > 8) { |
|
4152
bc36a9f01ac6
6870812: enhance security tools to use ECC algorithms
weijun
parents:
3951
diff
changeset
|
1357 |
sigfile = sigfile.substring(0, 8).toUpperCase(Locale.ENGLISH); |
2 | 1358 |
} else { |
4152
bc36a9f01ac6
6870812: enhance security tools to use ECC algorithms
weijun
parents:
3951
diff
changeset
|
1359 |
sigfile = sigfile.toUpperCase(Locale.ENGLISH); |
2 | 1360 |
} |
1361 |
||
1362 |
StringBuilder tmpSigFile = new StringBuilder(sigfile.length()); |
|
1363 |
for (int j = 0; j < sigfile.length(); j++) { |
|
1364 |
char c = sigfile.charAt(j); |
|
1365 |
if (! |
|
33872 | 1366 |
((c>= 'A' && c<= 'Z') || |
1367 |
(c>= '0' && c<= '9') || |
|
1368 |
(c == '-') || |
|
1369 |
(c == '_'))) { |
|
2 | 1370 |
if (aliasUsed) { |
1371 |
// convert illegal characters from the alias to be _'s |
|
1372 |
c = '_'; |
|
1373 |
} else { |
|
33872 | 1374 |
throw new |
1375 |
RuntimeException(rb.getString |
|
1376 |
("signature.filename.must.consist.of.the.following.characters.A.Z.0.9.or.")); |
|
2 | 1377 |
} |
1378 |
} |
|
1379 |
tmpSigFile.append(c); |
|
1380 |
} |
|
1381 |
||
1382 |
sigfile = tmpSigFile.toString(); |
|
1383 |
||
1384 |
String tmpJarName; |
|
1385 |
if (signedjar == null) tmpJarName = jarName+".sig"; |
|
1386 |
else tmpJarName = signedjar; |
|
1387 |
||
1388 |
File jarFile = new File(jarName); |
|
1389 |
File signedJarFile = new File(tmpJarName); |
|
1390 |
||
1391 |
// Open the jar (zip) file |
|
1392 |
try { |
|
1393 |
zipFile = new ZipFile(jarName); |
|
1394 |
} catch (IOException ioe) { |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1395 |
error(rb.getString("unable.to.open.jar.file.")+jarName, ioe); |
2 | 1396 |
} |
1397 |
||
1398 |
FileOutputStream fos = null; |
|
1399 |
try { |
|
1400 |
fos = new FileOutputStream(signedJarFile); |
|
1401 |
} catch (IOException ioe) { |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1402 |
error(rb.getString("unable.to.create.")+tmpJarName, ioe); |
2 | 1403 |
} |
1404 |
||
33872 | 1405 |
CertPath cp = CertificateFactory.getInstance("X.509") |
1406 |
.generateCertPath(Arrays.asList(certChain)); |
|
1407 |
JarSigner.Builder builder = new JarSigner.Builder(privateKey, cp); |
|
2 | 1408 |
|
33872 | 1409 |
if (verbose != null) { |
1410 |
builder.eventHandler((action, file) -> { |
|
1411 |
System.out.println(rb.getString("." + action + ".") + file); |
|
1412 |
}); |
|
1413 |
} |
|
1414 |
||
1415 |
if (digestalg != null) { |
|
1416 |
builder.digestAlgorithm(digestalg); |
|
1417 |
} |
|
1418 |
if (sigalg != null) { |
|
1419 |
builder.signatureAlgorithm(sigalg); |
|
1420 |
} |
|
2 | 1421 |
|
33872 | 1422 |
URI tsaURI = null; |
2 | 1423 |
|
33872 | 1424 |
if (tsaUrl != null) { |
1425 |
tsaURI = new URI(tsaUrl); |
|
1426 |
} else if (tsaAlias != null) { |
|
1427 |
tsaCert = getTsaCert(tsaAlias); |
|
1428 |
tsaURI = TimestampedSigner.getTimestampingURI(tsaCert); |
|
1429 |
} |
|
2 | 1430 |
|
33872 | 1431 |
if (tsaURI != null) { |
1432 |
if (verbose != null) { |
|
1433 |
System.out.println( |
|
1434 |
rb.getString("requesting.a.signature.timestamp")); |
|
1435 |
if (tsaUrl != null) { |
|
1436 |
System.out.println(rb.getString("TSA.location.") + tsaUrl); |
|
1437 |
} else if (tsaCert != null) { |
|
1438 |
System.out.println(rb.getString("TSA.certificate.") + |
|
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1439 |
printCert(true, "", tsaCert, null, false)); |
2 | 1440 |
} |
1441 |
} |
|
33872 | 1442 |
builder.tsa(tsaURI); |
1443 |
if (tSADigestAlg != null) { |
|
1444 |
builder.setProperty("tsaDigestAlg", tSADigestAlg); |
|
2 | 1445 |
} |
1446 |
||
33872 | 1447 |
if (tSAPolicyID != null) { |
1448 |
builder.setProperty("tsaPolicyId", tSAPolicyID); |
|
2 | 1449 |
} |
33872 | 1450 |
} else { |
1451 |
noTimestamp = true; |
|
1452 |
} |
|
1453 |
||
1454 |
if (altSignerClass != null) { |
|
1455 |
builder.setProperty("altSigner", altSignerClass); |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1456 |
if (verbose != null) { |
33872 | 1457 |
System.out.println( |
1458 |
rb.getString("using.an.alternative.signing.mechanism")); |
|
2 | 1459 |
} |
33872 | 1460 |
} |
2 | 1461 |
|
33872 | 1462 |
if (altSignerClasspath != null) { |
1463 |
builder.setProperty("altSignerPath", altSignerClasspath); |
|
1464 |
} |
|
2 | 1465 |
|
33872 | 1466 |
builder.signerName(sigfile); |
2 | 1467 |
|
33872 | 1468 |
builder.setProperty("sectionsOnly", Boolean.toString(!signManifest)); |
1469 |
builder.setProperty("internalSF", Boolean.toString(!externalSF)); |
|
2 | 1470 |
|
33872 | 1471 |
try { |
1472 |
builder.build().sign(zipFile, fos); |
|
1473 |
} catch (JarSignerException e) { |
|
1474 |
Throwable cause = e.getCause(); |
|
1475 |
if (cause != null && cause instanceof SocketTimeoutException) { |
|
2 | 1476 |
// Provide a helpful message when TSA is beyond a firewall |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1477 |
error(rb.getString("unable.to.sign.jar.") + |
33872 | 1478 |
rb.getString("no.response.from.the.Timestamping.Authority.") + |
1479 |
"\n -J-Dhttp.proxyHost=<hostname>" + |
|
1480 |
"\n -J-Dhttp.proxyPort=<portnumber>\n" + |
|
1481 |
rb.getString("or") + |
|
1482 |
"\n -J-Dhttps.proxyHost=<hostname> " + |
|
1483 |
"\n -J-Dhttps.proxyPort=<portnumber> ", e); |
|
1484 |
} else { |
|
1485 |
error(rb.getString("unable.to.sign.jar.")+e.getCause(), e.getCause()); |
|
2 | 1486 |
} |
1487 |
} finally { |
|
1488 |
// close the resouces |
|
1489 |
if (zipFile != null) { |
|
1490 |
zipFile.close(); |
|
1491 |
zipFile = null; |
|
1492 |
} |
|
1493 |
||
33872 | 1494 |
if (fos != null) { |
1495 |
fos.close(); |
|
2 | 1496 |
} |
1497 |
} |
|
1498 |
||
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1499 |
// The JarSigner API always accepts the timestamp received. |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1500 |
// We need to extract the certs from the signed jar to |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1501 |
// validate it. |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1502 |
if (!noTimestamp) { |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1503 |
try (JarFile check = new JarFile(signedJarFile)) { |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1504 |
PKCS7 p7 = new PKCS7(check.getInputStream(check.getEntry( |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1505 |
"META-INF/" + sigfile + "." + privateKey.getAlgorithm()))); |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1506 |
SignerInfo si = p7.getSignerInfos()[0]; |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1507 |
PKCS7 tsToken = si.getTsToken(); |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1508 |
SignerInfo tsSi = tsToken.getSignerInfos()[0]; |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1509 |
try { |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1510 |
validateCertChain(Validator.VAR_TSA_SERVER, |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1511 |
tsSi.getCertificateChain(tsToken), null); |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1512 |
} catch (Exception e) { |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1513 |
tsaChainNotValidated = true; |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1514 |
tsaChainNotValidatedReason = e; |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1515 |
} |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1516 |
} catch (Exception e) { |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1517 |
if (debug) { |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1518 |
e.printStackTrace(); |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1519 |
} |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1520 |
} |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1521 |
} |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1522 |
|
2 | 1523 |
// no IOException thrown in the follow try clause, so disable |
1524 |
// the try clause. |
|
1525 |
// try { |
|
1526 |
if (signedjar == null) { |
|
1527 |
// attempt an atomic rename. If that fails, |
|
1528 |
// rename the original jar file, then the signed |
|
1529 |
// one, then delete the original. |
|
1530 |
if (!signedJarFile.renameTo(jarFile)) { |
|
1531 |
File origJar = new File(jarName+".orig"); |
|
1532 |
||
1533 |
if (jarFile.renameTo(origJar)) { |
|
1534 |
if (signedJarFile.renameTo(jarFile)) { |
|
1535 |
origJar.delete(); |
|
1536 |
} else { |
|
1537 |
MessageFormat form = new MessageFormat(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1538 |
("attempt.to.rename.signedJarFile.to.jarFile.failed")); |
2 | 1539 |
Object[] source = {signedJarFile, jarFile}; |
1540 |
error(form.format(source)); |
|
1541 |
} |
|
1542 |
} else { |
|
1543 |
MessageFormat form = new MessageFormat(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1544 |
("attempt.to.rename.jarFile.to.origJar.failed")); |
2 | 1545 |
Object[] source = {jarFile, origJar}; |
1546 |
error(form.format(source)); |
|
1547 |
} |
|
1548 |
} |
|
1549 |
} |
|
1550 |
||
22315 | 1551 |
boolean warningAppeared = false; |
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1552 |
if (weakAlg != 0 || badKeyUsage || badExtendedKeyUsage |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1553 |
|| badNetscapeCertType || notYetValidCert |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1554 |
|| chainNotValidated || tsaChainNotValidated |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1555 |
|| hasExpiredCert || signerSelfSigned) { |
22315 | 1556 |
if (strict) { |
1557 |
System.out.println(rb.getString("jar.signed.with.signer.errors.")); |
|
1558 |
System.out.println(); |
|
1559 |
System.out.println(rb.getString("Error.")); |
|
1560 |
} else { |
|
1561 |
System.out.println(rb.getString("jar.signed.")); |
|
1562 |
System.out.println(); |
|
1563 |
System.out.println(rb.getString("Warning.")); |
|
1564 |
warningAppeared = true; |
|
1565 |
} |
|
2 | 1566 |
|
1567 |
if (badKeyUsage) { |
|
1568 |
System.out.println( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1569 |
rb.getString("The.signer.certificate.s.KeyUsage.extension.doesn.t.allow.code.signing.")); |
2 | 1570 |
} |
1571 |
||
1572 |
if (badExtendedKeyUsage) { |
|
1573 |
System.out.println( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1574 |
rb.getString("The.signer.certificate.s.ExtendedKeyUsage.extension.doesn.t.allow.code.signing.")); |
2 | 1575 |
} |
1576 |
||
1577 |
if (badNetscapeCertType) { |
|
1578 |
System.out.println( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1579 |
rb.getString("The.signer.certificate.s.NetscapeCertType.extension.doesn.t.allow.code.signing.")); |
2 | 1580 |
} |
1581 |
||
1582 |
if (hasExpiredCert) { |
|
1583 |
System.out.println( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1584 |
rb.getString("The.signer.certificate.has.expired.")); |
2 | 1585 |
} else if (notYetValidCert) { |
1586 |
System.out.println( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1587 |
rb.getString("The.signer.certificate.is.not.yet.valid.")); |
2 | 1588 |
} |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1589 |
|
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1590 |
if (chainNotValidated) { |
34382
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1591 |
System.out.println(String.format( |
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1592 |
rb.getString("The.signer.s.certificate.chain.is.invalid.reason.1"), |
34382
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1593 |
chainNotValidatedReason.getLocalizedMessage())); |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1594 |
} |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1595 |
|
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1596 |
if (tsaChainNotValidated) { |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1597 |
System.out.println(String.format( |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1598 |
rb.getString("The.tsa.certificate.chain.is.invalid.reason.1"), |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1599 |
tsaChainNotValidatedReason.getLocalizedMessage())); |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1600 |
} |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1601 |
|
34382
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1602 |
if (signerSelfSigned) { |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1603 |
System.out.println( |
34382
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1604 |
rb.getString("The.signer.s.certificate.is.self.signed.")); |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1605 |
} |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1606 |
|
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1607 |
if ((weakAlg & 1) == 1) { |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1608 |
System.out.println(String.format( |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1609 |
rb.getString("The.1.algorithm.specified.for.the.2.option.is.considered.a.security.risk."), |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1610 |
digestalg, "-digestalg")); |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1611 |
} |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1612 |
|
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1613 |
if ((weakAlg & 2) == 2) { |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1614 |
System.out.println(String.format( |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1615 |
rb.getString("The.1.algorithm.specified.for.the.2.option.is.considered.a.security.risk."), |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1616 |
sigalg, "-sigalg")); |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1617 |
} |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1618 |
if ((weakAlg & 4) == 4) { |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1619 |
System.out.println(String.format( |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1620 |
rb.getString("The.1.algorithm.specified.for.the.2.option.is.considered.a.security.risk."), |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1621 |
tSADigestAlg, "-tsadigestalg")); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1622 |
} |
41590
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
1623 |
if ((weakAlg & 8) == 8) { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
1624 |
System.out.println(String.format( |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
1625 |
rb.getString("The.1.signing.key.has.a.keysize.of.2.which.is.considered.a.security.risk."), |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
1626 |
privateKey.getAlgorithm(), KeyUtil.getKeySize(privateKey))); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
1627 |
} |
22315 | 1628 |
} else { |
1629 |
System.out.println(rb.getString("jar.signed.")); |
|
1630 |
} |
|
1631 |
if (hasExpiringCert || noTimestamp) { |
|
1632 |
if (!warningAppeared) { |
|
1633 |
System.out.println(); |
|
1634 |
System.out.println(rb.getString("Warning.")); |
|
1635 |
} |
|
1636 |
||
1637 |
if (hasExpiringCert) { |
|
1638 |
System.out.println( |
|
1639 |
rb.getString("The.signer.certificate.will.expire.within.six.months.")); |
|
1640 |
} |
|
1641 |
||
1642 |
if (noTimestamp) { |
|
1643 |
System.out.println( |
|
1644 |
String.format(rb.getString("no.timestamp.signing"), expireDate)); |
|
1645 |
} |
|
2 | 1646 |
} |
1647 |
||
1648 |
// no IOException thrown in the above try clause, so disable |
|
1649 |
// the catch clause. |
|
1650 |
// } catch(IOException ioe) { |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1651 |
// error(rb.getString("unable.to.sign.jar.")+ioe, ioe); |
2 | 1652 |
// } |
1653 |
} |
|
1654 |
||
1655 |
/** |
|
1656 |
* signature-related files include: |
|
1657 |
* . META-INF/MANIFEST.MF |
|
1658 |
* . META-INF/SIG-* |
|
1659 |
* . META-INF/*.SF |
|
1660 |
* . META-INF/*.DSA |
|
1661 |
* . META-INF/*.RSA |
|
4152
bc36a9f01ac6
6870812: enhance security tools to use ECC algorithms
weijun
parents:
3951
diff
changeset
|
1662 |
* . META-INF/*.EC |
2 | 1663 |
*/ |
1664 |
private boolean signatureRelated(String name) { |
|
23912 | 1665 |
return SignatureFileVerifier.isSigningRelated(name); |
2 | 1666 |
} |
1667 |
||
7977
f47f211cd627
7008713: diamond conversion of kerberos5 and security tools
smarks
parents:
7525
diff
changeset
|
1668 |
Map<CodeSigner,String> cacheForSignerInfo = new IdentityHashMap<>(); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1669 |
|
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1670 |
/** |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1671 |
* Returns a string of singer info, with a newline at the end |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1672 |
*/ |
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1673 |
private String signerInfo(CodeSigner signer, String tab) throws Exception { |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1674 |
if (cacheForSignerInfo.containsKey(signer)) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1675 |
return cacheForSignerInfo.get(signer); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1676 |
} |
24969
afa6934dd8e8
8041679: Replace uses of StringBuffer with StringBuilder within core library classes
psandoz
parents:
24868
diff
changeset
|
1677 |
StringBuilder sb = new StringBuilder(); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1678 |
List<? extends Certificate> certs = signer.getSignerCertPath().getCertificates(); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1679 |
// display the signature timestamp, if present |
12046
378aa3362868
7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp
weijun
parents:
10788
diff
changeset
|
1680 |
Date timestamp; |
378aa3362868
7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp
weijun
parents:
10788
diff
changeset
|
1681 |
Timestamp ts = signer.getTimestamp(); |
378aa3362868
7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp
weijun
parents:
10788
diff
changeset
|
1682 |
if (ts != null) { |
24969
afa6934dd8e8
8041679: Replace uses of StringBuffer with StringBuilder within core library classes
psandoz
parents:
24868
diff
changeset
|
1683 |
sb.append(printTimestamp(tab, ts)); |
afa6934dd8e8
8041679: Replace uses of StringBuffer with StringBuilder within core library classes
psandoz
parents:
24868
diff
changeset
|
1684 |
sb.append('\n'); |
12046
378aa3362868
7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp
weijun
parents:
10788
diff
changeset
|
1685 |
timestamp = ts.getTimestamp(); |
378aa3362868
7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp
weijun
parents:
10788
diff
changeset
|
1686 |
} else { |
378aa3362868
7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp
weijun
parents:
10788
diff
changeset
|
1687 |
timestamp = null; |
22315 | 1688 |
noTimestamp = true; |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1689 |
} |
24969
afa6934dd8e8
8041679: Replace uses of StringBuffer with StringBuilder within core library classes
psandoz
parents:
24868
diff
changeset
|
1690 |
// display the certificate(sb). The first one is end-entity cert and |
7525
16d2b5e6517a
7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert
weijun
parents:
7524
diff
changeset
|
1691 |
// its KeyUsage should be checked. |
16d2b5e6517a
7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert
weijun
parents:
7524
diff
changeset
|
1692 |
boolean first = true; |
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1693 |
sb.append(tab).append(rb.getString("...Signer")).append('\n'); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1694 |
for (Certificate c : certs) { |
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1695 |
sb.append(printCert(false, tab, c, timestamp, first)); |
24969
afa6934dd8e8
8041679: Replace uses of StringBuffer with StringBuilder within core library classes
psandoz
parents:
24868
diff
changeset
|
1696 |
sb.append('\n'); |
7525
16d2b5e6517a
7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert
weijun
parents:
7524
diff
changeset
|
1697 |
first = false; |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1698 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1699 |
try { |
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1700 |
validateCertChain(Validator.VAR_CODE_SIGNING, certs, ts); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1701 |
} catch (Exception e) { |
43183 | 1702 |
chainNotValidated = true; |
1703 |
chainNotValidatedReason = e; |
|
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1704 |
sb.append(tab).append(rb.getString(".Invalid.certificate.chain.")) |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1705 |
.append(e.getLocalizedMessage()).append("]\n"); |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1706 |
} |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1707 |
if (ts != null) { |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1708 |
sb.append(tab).append(rb.getString("...TSA")).append('\n'); |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1709 |
for (Certificate c : ts.getSignerCertPath().getCertificates()) { |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1710 |
sb.append(printCert(true, tab, c, timestamp, false)); |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1711 |
sb.append('\n'); |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1712 |
} |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1713 |
try { |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1714 |
validateCertChain(Validator.VAR_TSA_SERVER, |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1715 |
ts.getSignerCertPath().getCertificates(), null); |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1716 |
} catch (Exception e) { |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1717 |
tsaChainNotValidated = true; |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1718 |
tsaChainNotValidatedReason = e; |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1719 |
sb.append(tab).append(rb.getString(".Invalid.TSA.certificate.chain.")) |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1720 |
.append(e.getLocalizedMessage()).append("]\n"); |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1721 |
} |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1722 |
} |
34382
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1723 |
if (certs.size() == 1 |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1724 |
&& KeyStoreUtil.isSelfSigned((X509Certificate)certs.get(0))) { |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1725 |
signerSelfSigned = true; |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1726 |
} |
24969
afa6934dd8e8
8041679: Replace uses of StringBuffer with StringBuilder within core library classes
psandoz
parents:
24868
diff
changeset
|
1727 |
String result = sb.toString(); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1728 |
cacheForSignerInfo.put(signer, result); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1729 |
return result; |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1730 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1731 |
|
2 | 1732 |
void loadKeyStore(String keyStoreName, boolean prompt) { |
1733 |
||
1734 |
if (!nullStream && keyStoreName == null) { |
|
1735 |
keyStoreName = System.getProperty("user.home") + File.separator |
|
1736 |
+ ".keystore"; |
|
1737 |
} |
|
1738 |
||
1739 |
try { |
|
10427 | 1740 |
Set<TrustAnchor> tas = new HashSet<>(); |
1741 |
try { |
|
14182
3041082abb40
7194449: String resources for Key Tool and Policy Tool should be in their respective packages
sflores
parents:
12046
diff
changeset
|
1742 |
KeyStore caks = KeyStoreUtil.getCacertsKeyStore(); |
10427 | 1743 |
if (caks != null) { |
1744 |
Enumeration<String> aliases = caks.aliases(); |
|
1745 |
while (aliases.hasMoreElements()) { |
|
1746 |
String a = aliases.nextElement(); |
|
1747 |
try { |
|
1748 |
tas.add(new TrustAnchor((X509Certificate)caks.getCertificate(a), null)); |
|
1749 |
} catch (Exception e2) { |
|
1750 |
// ignore, when a SecretkeyEntry does not include a cert |
|
1751 |
} |
|
1752 |
} |
|
1753 |
} |
|
1754 |
} catch (Exception e) { |
|
1755 |
// Ignore, if cacerts cannot be loaded |
|
1756 |
} |
|
1757 |
||
2 | 1758 |
if (providerName == null) { |
1759 |
store = KeyStore.getInstance(storetype); |
|
1760 |
} else { |
|
1761 |
store = KeyStore.getInstance(storetype, providerName); |
|
1762 |
} |
|
1763 |
||
1764 |
// Get pass phrase |
|
1765 |
// XXX need to disable echo; on UNIX, call getpass(char *prompt)Z |
|
1766 |
// and on NT call ?? |
|
1767 |
if (token && storepass == null && !protectedPath |
|
1768 |
&& !KeyStoreUtil.isWindowsKeyStore(storetype)) { |
|
1769 |
storepass = getPass |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1770 |
(rb.getString("Enter.Passphrase.for.keystore.")); |
2 | 1771 |
} else if (!token && storepass == null && prompt) { |
1772 |
storepass = getPass |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1773 |
(rb.getString("Enter.Passphrase.for.keystore.")); |
2 | 1774 |
} |
1775 |
||
10427 | 1776 |
try { |
1777 |
if (nullStream) { |
|
1778 |
store.load(null, storepass); |
|
1779 |
} else { |
|
1780 |
keyStoreName = keyStoreName.replace(File.separatorChar, '/'); |
|
1781 |
URL url = null; |
|
1782 |
try { |
|
1783 |
url = new URL(keyStoreName); |
|
1784 |
} catch (java.net.MalformedURLException e) { |
|
1785 |
// try as file |
|
1786 |
url = new File(keyStoreName).toURI().toURL(); |
|
2 | 1787 |
} |
10427 | 1788 |
InputStream is = null; |
1789 |
try { |
|
1790 |
is = url.openStream(); |
|
1791 |
store.load(is, storepass); |
|
1792 |
} finally { |
|
1793 |
if (is != null) { |
|
1794 |
is.close(); |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1795 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1796 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1797 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1798 |
Enumeration<String> aliases = store.aliases(); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1799 |
while (aliases.hasMoreElements()) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1800 |
String a = aliases.nextElement(); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1801 |
try { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1802 |
X509Certificate c = (X509Certificate)store.getCertificate(a); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1803 |
// Only add TrustedCertificateEntry and self-signed |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1804 |
// PrivateKeyEntry |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1805 |
if (store.isCertificateEntry(a) || |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1806 |
c.getSubjectDN().equals(c.getIssuerDN())) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1807 |
tas.add(new TrustAnchor(c, null)); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1808 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1809 |
} catch (Exception e2) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1810 |
// ignore, when a SecretkeyEntry does not include a cert |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1811 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1812 |
} |
10427 | 1813 |
} finally { |
1814 |
try { |
|
43183 | 1815 |
pkixParameters = new PKIXBuilderParameters(tas, null); |
10427 | 1816 |
pkixParameters.setRevocationEnabled(false); |
1817 |
} catch (InvalidAlgorithmParameterException ex) { |
|
1818 |
// Only if tas is empty |
|
1819 |
} |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1820 |
} |
2 | 1821 |
} catch (IOException ioe) { |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1822 |
throw new RuntimeException(rb.getString("keystore.load.") + |
2 | 1823 |
ioe.getMessage()); |
1824 |
} catch (java.security.cert.CertificateException ce) { |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1825 |
throw new RuntimeException(rb.getString("certificate.exception.") + |
2 | 1826 |
ce.getMessage()); |
1827 |
} catch (NoSuchProviderException pe) { |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1828 |
throw new RuntimeException(rb.getString("keystore.load.") + |
2 | 1829 |
pe.getMessage()); |
1830 |
} catch (NoSuchAlgorithmException nsae) { |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1831 |
throw new RuntimeException(rb.getString("keystore.load.") + |
2 | 1832 |
nsae.getMessage()); |
1833 |
} catch (KeyStoreException kse) { |
|
1834 |
throw new RuntimeException |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1835 |
(rb.getString("unable.to.instantiate.keystore.class.") + |
2 | 1836 |
kse.getMessage()); |
1837 |
} |
|
1838 |
} |
|
1839 |
||
1840 |
X509Certificate getTsaCert(String alias) { |
|
1841 |
||
1842 |
java.security.cert.Certificate cs = null; |
|
1843 |
||
1844 |
try { |
|
1845 |
cs = store.getCertificate(alias); |
|
1846 |
} catch (KeyStoreException kse) { |
|
1847 |
// this never happens, because keystore has been loaded |
|
1848 |
} |
|
1849 |
if (cs == null || (!(cs instanceof X509Certificate))) { |
|
1850 |
MessageFormat form = new MessageFormat(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1851 |
("Certificate.not.found.for.alias.alias.must.reference.a.valid.KeyStore.entry.containing.an.X.509.public.key.certificate.for.the")); |
2 | 1852 |
Object[] source = {alias, alias}; |
1853 |
error(form.format(source)); |
|
1854 |
} |
|
1855 |
return (X509Certificate) cs; |
|
1856 |
} |
|
1857 |
||
1858 |
/** |
|
1859 |
* Check if userCert is designed to be a code signer |
|
1860 |
* @param userCert the certificate to be examined |
|
1861 |
* @param bad 3 booleans to show if the KeyUsage, ExtendedKeyUsage, |
|
1862 |
* NetscapeCertType has codeSigning flag turned on. |
|
1863 |
* If null, the class field badKeyUsage, badExtendedKeyUsage, |
|
1864 |
* badNetscapeCertType will be set. |
|
1865 |
*/ |
|
1866 |
void checkCertUsage(X509Certificate userCert, boolean[] bad) { |
|
1867 |
||
1868 |
// Can act as a signer? |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1869 |
// 1. if KeyUsage, then [0:digitalSignature] or |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1870 |
// [1:nonRepudiation] should be true |
2 | 1871 |
// 2. if ExtendedKeyUsage, then should contains ANY or CODE_SIGNING |
1872 |
// 3. if NetscapeCertType, then should contains OBJECT_SIGNING |
|
1873 |
// 1,2,3 must be true |
|
1874 |
||
1875 |
if (bad != null) { |
|
1876 |
bad[0] = bad[1] = bad[2] = false; |
|
1877 |
} |
|
1878 |
||
1879 |
boolean[] keyUsage = userCert.getKeyUsage(); |
|
1880 |
if (keyUsage != null) { |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1881 |
keyUsage = Arrays.copyOf(keyUsage, 9); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1882 |
if (!keyUsage[0] && !keyUsage[1]) { |
2 | 1883 |
if (bad != null) { |
1884 |
bad[0] = true; |
|
1885 |
badKeyUsage = true; |
|
1886 |
} |
|
1887 |
} |
|
1888 |
} |
|
1889 |
||
1890 |
try { |
|
1891 |
List<String> xKeyUsage = userCert.getExtendedKeyUsage(); |
|
1892 |
if (xKeyUsage != null) { |
|
1893 |
if (!xKeyUsage.contains("2.5.29.37.0") // anyExtendedKeyUsage |
|
1894 |
&& !xKeyUsage.contains("1.3.6.1.5.5.7.3.3")) { // codeSigning |
|
1895 |
if (bad != null) { |
|
1896 |
bad[1] = true; |
|
1897 |
badExtendedKeyUsage = true; |
|
1898 |
} |
|
1899 |
} |
|
1900 |
} |
|
1901 |
} catch (java.security.cert.CertificateParsingException e) { |
|
1902 |
// shouldn't happen |
|
1903 |
} |
|
1904 |
||
1905 |
try { |
|
1906 |
// OID_NETSCAPE_CERT_TYPE |
|
1907 |
byte[] netscapeEx = userCert.getExtensionValue |
|
1908 |
("2.16.840.1.113730.1.1"); |
|
1909 |
if (netscapeEx != null) { |
|
1910 |
DerInputStream in = new DerInputStream(netscapeEx); |
|
1911 |
byte[] encoded = in.getOctetString(); |
|
1912 |
encoded = new DerValue(encoded).getUnalignedBitString() |
|
1913 |
.toByteArray(); |
|
1914 |
||
1915 |
NetscapeCertTypeExtension extn = |
|
1916 |
new NetscapeCertTypeExtension(encoded); |
|
1917 |
||
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9011
diff
changeset
|
1918 |
Boolean val = extn.get(NetscapeCertTypeExtension.OBJECT_SIGNING); |
2 | 1919 |
if (!val) { |
1920 |
if (bad != null) { |
|
1921 |
bad[2] = true; |
|
1922 |
badNetscapeCertType = true; |
|
1923 |
} |
|
1924 |
} |
|
1925 |
} |
|
1926 |
} catch (IOException e) { |
|
1927 |
// |
|
1928 |
} |
|
1929 |
} |
|
1930 |
||
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1931 |
void getAliasInfo(String alias) throws Exception { |
2 | 1932 |
|
1933 |
Key key = null; |
|
1934 |
||
1935 |
try { |
|
1936 |
java.security.cert.Certificate[] cs = null; |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1937 |
if (altCertChain != null) { |
21642
5efc900f8ecd
8027991: InputStream should be closed in sun.security.tools.jarsigner.Main
weijun
parents:
21278
diff
changeset
|
1938 |
try (FileInputStream fis = new FileInputStream(altCertChain)) { |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1939 |
cs = CertificateFactory.getInstance("X.509"). |
21642
5efc900f8ecd
8027991: InputStream should be closed in sun.security.tools.jarsigner.Main
weijun
parents:
21278
diff
changeset
|
1940 |
generateCertificates(fis). |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1941 |
toArray(new Certificate[0]); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1942 |
} catch (FileNotFoundException ex) { |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1943 |
error(rb.getString("File.specified.by.certchain.does.not.exist")); |
21642
5efc900f8ecd
8027991: InputStream should be closed in sun.security.tools.jarsigner.Main
weijun
parents:
21278
diff
changeset
|
1944 |
} catch (CertificateException | IOException ex) { |
5efc900f8ecd
8027991: InputStream should be closed in sun.security.tools.jarsigner.Main
weijun
parents:
21278
diff
changeset
|
1945 |
error(rb.getString("Cannot.restore.certchain.from.file.specified")); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1946 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1947 |
} else { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1948 |
try { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1949 |
cs = store.getCertificateChain(alias); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1950 |
} catch (KeyStoreException kse) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1951 |
// this never happens, because keystore has been loaded |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1952 |
} |
2 | 1953 |
} |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1954 |
if (cs == null || cs.length == 0) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1955 |
if (altCertChain != null) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1956 |
error(rb.getString |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1957 |
("Certificate.chain.not.found.in.the.file.specified.")); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1958 |
} else { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1959 |
MessageFormat form = new MessageFormat(rb.getString |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1960 |
("Certificate.chain.not.found.for.alias.alias.must.reference.a.valid.KeyStore.key.entry.containing.a.private.key.and")); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1961 |
Object[] source = {alias, alias}; |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1962 |
error(form.format(source)); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1963 |
} |
2 | 1964 |
} |
1965 |
||
1966 |
certChain = new X509Certificate[cs.length]; |
|
1967 |
for (int i=0; i<cs.length; i++) { |
|
1968 |
if (!(cs[i] instanceof X509Certificate)) { |
|
1969 |
error(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1970 |
("found.non.X.509.certificate.in.signer.s.chain")); |
2 | 1971 |
} |
1972 |
certChain[i] = (X509Certificate)cs[i]; |
|
1973 |
} |
|
1974 |
||
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1975 |
// We don't meant to print anything, the next call |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1976 |
// checks validity and keyUsage etc |
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1977 |
printCert(false, "", certChain[0], null, true); |
2 | 1978 |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1979 |
try { |
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1980 |
validateCertChain(Validator.VAR_CODE_SIGNING, |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1981 |
Arrays.asList(certChain), null); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1982 |
} catch (Exception e) { |
43183 | 1983 |
chainNotValidated = true; |
1984 |
chainNotValidatedReason = e; |
|
2 | 1985 |
} |
1986 |
||
34382
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1987 |
if (KeyStoreUtil.isSelfSigned(certChain[0])) { |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1988 |
signerSelfSigned = true; |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1989 |
} |
5d11306d6969
8130132: jarsigner should emit warning if weak algorithms or keysizes are used
weijun
parents:
33872
diff
changeset
|
1990 |
|
2 | 1991 |
try { |
1992 |
if (!token && keypass == null) |
|
1993 |
key = store.getKey(alias, storepass); |
|
1994 |
else |
|
1995 |
key = store.getKey(alias, keypass); |
|
1996 |
} catch (UnrecoverableKeyException e) { |
|
1997 |
if (token) { |
|
1998 |
throw e; |
|
1999 |
} else if (keypass == null) { |
|
2000 |
// Did not work out, so prompt user for key password |
|
2001 |
MessageFormat form = new MessageFormat(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
2002 |
("Enter.key.password.for.alias.")); |
2 | 2003 |
Object[] source = {alias}; |
2004 |
keypass = getPass(form.format(source)); |
|
2005 |
key = store.getKey(alias, keypass); |
|
2006 |
} |
|
2007 |
} |
|
2008 |
} catch (NoSuchAlgorithmException e) { |
|
2009 |
error(e.getMessage()); |
|
2010 |
} catch (UnrecoverableKeyException e) { |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
2011 |
error(rb.getString("unable.to.recover.key.from.keystore")); |
2 | 2012 |
} catch (KeyStoreException kse) { |
2013 |
// this never happens, because keystore has been loaded |
|
2014 |
} |
|
2015 |
||
2016 |
if (!(key instanceof PrivateKey)) { |
|
2017 |
MessageFormat form = new MessageFormat(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
2018 |
("key.associated.with.alias.not.a.private.key")); |
2 | 2019 |
Object[] source = {alias}; |
2020 |
error(form.format(source)); |
|
2021 |
} else { |
|
2022 |
privateKey = (PrivateKey)key; |
|
2023 |
} |
|
2024 |
} |
|
2025 |
||
33872 | 2026 |
void error(String message) { |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
2027 |
System.out.println(rb.getString("jarsigner.")+message); |
2 | 2028 |
System.exit(1); |
2029 |
} |
|
2030 |
||
2031 |
||
33872 | 2032 |
void error(String message, Throwable e) { |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
2033 |
System.out.println(rb.getString("jarsigner.")+message); |
2 | 2034 |
if (debug) { |
2035 |
e.printStackTrace(); |
|
2036 |
} |
|
2037 |
System.exit(1); |
|
2038 |
} |
|
2039 |
||
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
2040 |
/** |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
2041 |
* Validates a cert chain. |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
2042 |
* |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
2043 |
* @param parameter this might be a timestamp |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
2044 |
*/ |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
2045 |
void validateCertChain(String variant, List<? extends Certificate> certs, |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
2046 |
Object parameter) |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
2047 |
throws Exception { |
43183 | 2048 |
try { |
2049 |
Validator.getInstance(Validator.TYPE_PKIX, |
|
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
2050 |
variant, |
43183 | 2051 |
pkixParameters) |
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
2052 |
.validate(certs.toArray(new X509Certificate[certs.size()]), |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
2053 |
null, parameter); |
43183 | 2054 |
} catch (Exception e) { |
2055 |
if (debug) { |
|
2056 |
e.printStackTrace(); |
|
2057 |
} |
|
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
2058 |
|
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
2059 |
// Exception might be dismissed if another warning flag |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
2060 |
// is already set by printCert. This is only done for |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
2061 |
// code signing certs. |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
2062 |
|
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
2063 |
if (variant.equals(Validator.VAR_CODE_SIGNING) && |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
2064 |
e instanceof ValidatorException) { |
43183 | 2065 |
// Throw cause if it's CertPathValidatorException, |
2066 |
if (e.getCause() != null && |
|
2067 |
e.getCause() instanceof CertPathValidatorException) { |
|
2068 |
e = (Exception) e.getCause(); |
|
2069 |
Throwable t = e.getCause(); |
|
2070 |
if ((t instanceof CertificateExpiredException && |
|
2071 |
hasExpiredCert) || |
|
2072 |
(t instanceof CertificateNotYetValidException && |
|
2073 |
notYetValidCert)) { |
|
2074 |
// we already have hasExpiredCert and notYetValidCert |
|
2075 |
return; |
|
2076 |
} |
|
2077 |
} |
|
2078 |
if (e instanceof ValidatorException) { |
|
2079 |
ValidatorException ve = (ValidatorException)e; |
|
2080 |
if (ve.getErrorType() == ValidatorException.T_EE_EXTENSIONS && |
|
2081 |
(badKeyUsage || badExtendedKeyUsage || badNetscapeCertType)) { |
|
2082 |
// We already have badKeyUsage, badExtendedKeyUsage |
|
2083 |
// and badNetscapeCertType |
|
2084 |
return; |
|
2085 |
} |
|
24625
22fb8a68756f
8036709: Java 7 jarsigner displays warning about cert policy tree
weijun
parents:
24034
diff
changeset
|
2086 |
} |
22fb8a68756f
8036709: Java 7 jarsigner displays warning about cert policy tree
weijun
parents:
24034
diff
changeset
|
2087 |
} |
43183 | 2088 |
throw e; |
24625
22fb8a68756f
8036709: Java 7 jarsigner displays warning about cert policy tree
weijun
parents:
24034
diff
changeset
|
2089 |
} |
22fb8a68756f
8036709: Java 7 jarsigner displays warning about cert policy tree
weijun
parents:
24034
diff
changeset
|
2090 |
} |
22fb8a68756f
8036709: Java 7 jarsigner displays warning about cert policy tree
weijun
parents:
24034
diff
changeset
|
2091 |
|
33872 | 2092 |
char[] getPass(String prompt) { |
2 | 2093 |
System.err.print(prompt); |
2094 |
System.err.flush(); |
|
2095 |
try { |
|
2096 |
char[] pass = Password.readPassword(System.in); |
|
2097 |
||
2098 |
if (pass == null) { |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
2099 |
error(rb.getString("you.must.enter.key.password")); |
2 | 2100 |
} else { |
2101 |
return pass; |
|
2102 |
} |
|
2103 |
} catch (IOException ioe) { |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
2104 |
error(rb.getString("unable.to.read.password.")+ioe.getMessage()); |
2 | 2105 |
} |
2106 |
// this shouldn't happen |
|
2107 |
return null; |
|
2108 |
} |
|
2109 |
} |