/*

 * Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved.

 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

 *

 * This code is free software; you can redistribute it and/or modify it

 * under the terms of the GNU General Public License version 2 only, as

 * published by the Free Software Foundation.  Oracle designates this

 * particular file as subject to the "Classpath" exception as provided

 * by Oracle in the LICENSE file that accompanied this code.

 *

 * This code is distributed in the hope that it will be useful, but WITHOUT

 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

 * version 2 for more details (a copy is included in the LICENSE file that

 * accompanied this code).

 *

 * You should have received a copy of the GNU General Public License version

 * 2 along with this work; if not, write to the Free Software Foundation,

 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

 *

 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

 * or visit www.oracle.com if you need additional information or have any

 * questions.

 */

package sun.security.tools.jarsigner;

import java.io.*;

import java.net.UnknownHostException;

import java.security.cert.CertPathValidatorException;

import java.security.cert.PKIXBuilderParameters;

import java.util.*;

import java.util.stream.Collectors;

import java.util.zip.*;

import java.util.jar.*;

import java.net.URI;

import java.text.Collator;

import java.text.MessageFormat;

import java.security.cert.Certificate;

import java.security.cert.X509Certificate;

import java.security.cert.CertificateException;

import java.security.*;

import java.net.SocketTimeoutException;

import java.net.URL;

import java.security.cert.CertPath;

import java.security.cert.CertificateExpiredException;

import java.security.cert.CertificateFactory;

import java.security.cert.CertificateNotYetValidException;

import java.security.cert.TrustAnchor;

import java.util.Map.Entry;

import jdk.security.jarsigner.JarSigner;

import jdk.security.jarsigner.JarSignerException;

import sun.security.pkcs.PKCS7;

import sun.security.pkcs.SignerInfo;

import sun.security.timestamp.TimestampToken;

import sun.security.tools.KeyStoreUtil;

import sun.security.validator.Validator;

import sun.security.validator.ValidatorException;

import sun.security.x509.*;

import sun.security.util.*;

/**

 * <p>The jarsigner utility.

 *

 * The exit codes for the main method are:

 *

 * 0: success

 * 1: any error that the jar cannot be signed or verified, including:

 *      keystore loading error

 *      TSP communication error

 *      jarsigner command line error...

 * otherwise: error codes from -strict

 *

 * @author Roland Schemers

 * @author Jan Luehe

 */

public class Main {

    // for i18n

    private static final java.util.ResourceBundle rb =

        java.util.ResourceBundle.getBundle

        ("sun.security.tools.jarsigner.Resources");

    private static final Collator collator = Collator.getInstance();

    static {

        // this is for case insensitive string comparisions

        collator.setStrength(Collator.PRIMARY);

    }

    private static final String NONE = "NONE";

    private static final String P11KEYSTORE = "PKCS11";

    private static final long SIX_MONTHS = 180*24*60*60*1000L; //milliseconds

    private static final long ONE_YEAR = 366*24*60*60*1000L;

    private static final DisabledAlgorithmConstraints DISABLED_CHECK =

            new DisabledAlgorithmConstraints(

                    DisabledAlgorithmConstraints.PROPERTY_JAR_DISABLED_ALGS);

    private static final Set<CryptoPrimitive> DIGEST_PRIMITIVE_SET = Collections

            .unmodifiableSet(EnumSet.of(CryptoPrimitive.MESSAGE_DIGEST));

    private static final Set<CryptoPrimitive> SIG_PRIMITIVE_SET = Collections

            .unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));

    static final String VERSION = "1.0";

    static final int IN_KEYSTORE = 0x01;        // signer is in keystore

    static final int NOT_ALIAS = 0x04;          // alias list is NOT empty and

    // signer is not in alias list

    static final int SIGNED_BY_ALIAS = 0x08;    // signer is in alias list

    // Attention:

    // This is the entry that get launched by the security tool jarsigner.

    public static void main(String args[]) throws Exception {

        Main js = new Main();

        js.run(args);

    }

    X509Certificate[] certChain;    // signer's cert chain (when composing)

    PrivateKey privateKey;          // private key

    KeyStore store;                 // the keystore specified by -keystore

                                    // or the default keystore, never null

    String keystore; // key store file

    boolean nullStream = false; // null keystore input stream (NONE)

    boolean token = false; // token-based keystore

    String jarfile;  // jar files to sign or verify

    String alias;    // alias to sign jar with

    List<String> ckaliases = new ArrayList<>(); // aliases in -verify

    char[] storepass; // keystore password

    boolean protectedPath; // protected authentication path

    String storetype; // keystore type

    String providerName; // provider name

    List<String> providers = null; // list of provider names

    List<String> providerClasses = null; // list of provider classes

    // arguments for provider constructors

    HashMap<String,String> providerArgs = new HashMap<>();

    char[] keypass; // private key password

    String sigfile; // name of .SF file

    String sigalg; // name of signature algorithm

    String digestalg; // name of digest algorithm

    String signedjar; // output filename

    String tsaUrl; // location of the Timestamping Authority

    String tsaAlias; // alias for the Timestamping Authority's certificate

    String altCertChain; // file to read alternative cert chain from

    String tSAPolicyID;

    String tSADigestAlg;

    boolean verify = false; // verify the jar

    String verbose = null; // verbose output when signing/verifying

    boolean showcerts = false; // show certs when verifying

    boolean debug = false; // debug

    boolean signManifest = true; // "sign" the whole manifest

    boolean externalSF = true; // leave the .SF out of the PKCS7 block

    boolean strict = false;  // treat warnings as error

    // read zip entry raw bytes

    private String altSignerClass = null;

    private String altSignerClasspath = null;

    private ZipFile zipFile = null;

    // Informational warnings

    private boolean hasExpiringCert = false;

    private boolean hasExpiringTsaCert = false;

    private boolean noTimestamp = true;

    // Expiration date. The value could be null if signed by a trusted cert.

    private Date expireDate = null;

    private Date tsaExpireDate = null;

    // If there is a time stamp block inside the PKCS7 block file

    boolean hasTimestampBlock = false;

    // Severe warnings.

    // jarsigner used to check signer cert chain validity and key usages

    // itself and set various warnings. Later CertPath validation is

    // added but chainNotValidated is only flagged when no other existing

    // warnings are set. TSA cert chain check is added separately and

    // only tsaChainNotValidated is set, i.e. has no affect on hasExpiredCert,

    // notYetValidCert, or any badXyzUsage.

    private int weakAlg = 0; // 1. digestalg, 2. sigalg, 4. tsadigestalg

    private boolean hasExpiredCert = false;

    private boolean hasExpiredTsaCert = false;

    private boolean notYetValidCert = false;

    private boolean chainNotValidated = false;

    private boolean tsaChainNotValidated = false;

    private boolean notSignedByAlias = false;

    private boolean aliasNotInStore = false;

    private boolean hasUnsignedEntry = false;

    private boolean badKeyUsage = false;

    private boolean badExtendedKeyUsage = false;

    private boolean badNetscapeCertType = false;

    private boolean signerSelfSigned = false;

    private Throwable chainNotValidatedReason = null;

    private Throwable tsaChainNotValidatedReason = null;

    private boolean seeWeak = false;

    PKIXBuilderParameters pkixParameters;

    Set<X509Certificate> trustedCerts = new HashSet<>();

    public void run(String args[]) {

        try {

            args = parseArgs(args);

            // Try to load and install the specified providers

            if (providers != null) {

                for (String provName: providers) {

                    try {

                        KeyStoreUtil.loadProviderByName(provName,

                                providerArgs.get(provName));

                        if (debug) {

                            System.out.println("loadProviderByName: " + provName);

                        }

                    } catch (IllegalArgumentException e) {

                        throw new Exception(String.format(rb.getString(

                                "provider.name.not.found"), provName));

                    }

                }

            }

            if (providerClasses != null) {

                ClassLoader cl = ClassLoader.getSystemClassLoader();

                for (String provClass: providerClasses) {

                    try {

                        KeyStoreUtil.loadProviderByClass(provClass,

                                providerArgs.get(provClass), cl);

                        if (debug) {

                            System.out.println("loadProviderByClass: " + provClass);

                        }

                    } catch (ClassCastException cce) {

                        throw new Exception(String.format(rb.getString(

                                "provclass.not.a.provider"), provClass));

                    } catch (IllegalArgumentException e) {

                        throw new Exception(String.format(rb.getString(

                                "provider.class.not.found"), provClass), e.getCause());

                    }

                }

            }

            if (verify) {

                try {

                    loadKeyStore(keystore, false);

                } catch (Exception e) {

                    if ((keystore != null) || (storepass != null)) {

                        System.out.println(rb.getString("jarsigner.error.") +

                                        e.getMessage());

                        if (debug) {

                            e.printStackTrace();

                        }

                        System.exit(1);

                    }

                }

                /*              if (debug) {

                    SignatureFileVerifier.setDebug(true);

                    ManifestEntryVerifier.setDebug(true);

                }

                */

                verifyJar(jarfile);

            } else {

                loadKeyStore(keystore, true);

                getAliasInfo(alias);

                signJar(jarfile, alias);

            }

        } catch (Exception e) {

            System.out.println(rb.getString("jarsigner.error.") + e);

            if (debug) {

                e.printStackTrace();

            }

            System.exit(1);

        } finally {

            // zero-out private key password

            if (keypass != null) {

                Arrays.fill(keypass, ' ');

                keypass = null;

            }

            // zero-out keystore password

            if (storepass != null) {

                Arrays.fill(storepass, ' ');

                storepass = null;

            }

        }

        if (strict) {

            int exitCode = 0;

            if (weakAlg != 0 || chainNotValidated || hasExpiredCert

                    || hasExpiredTsaCert || notYetValidCert || signerSelfSigned) {

                exitCode |= 4;

            }

            if (badKeyUsage || badExtendedKeyUsage || badNetscapeCertType) {

                exitCode |= 8;

            }

            if (hasUnsignedEntry) {

                exitCode |= 16;

            }

            if (notSignedByAlias || aliasNotInStore) {

                exitCode |= 32;

            }

            if (tsaChainNotValidated) {

                exitCode |= 64;

            }

            if (exitCode != 0) {

                System.exit(exitCode);

            }

        }

    }

    /*

     * Parse command line arguments.

     */

    String[] parseArgs(String args[]) throws Exception {

        /* parse flags */

        int n = 0;

        if (args.length == 0) fullusage();

        String confFile = null;

        String command = "-sign";

        for (n=0; n < args.length; n++) {

            if (collator.compare(args[n], "-verify") == 0) {

                command = "-verify";

            } else if (collator.compare(args[n], "-conf") == 0) {

                if (n == args.length - 1) {

                    usageNoArg();

                }

                confFile = args[++n];

            }

        }

        if (confFile != null) {

            args = KeyStoreUtil.expandArgs(

                    "jarsigner", confFile, command, null, args);

        }

        debug = Arrays.stream(args).anyMatch(

                x -> collator.compare(x, "-debug") == 0);

        if (debug) {

            // No need to localize debug output

            System.out.println("Command line args: " +

                    Arrays.toString(args));

        }

        for (n=0; n < args.length; n++) {

            String flags = args[n];

            String modifier = null;

            if (flags.startsWith("-")) {

                int pos = flags.indexOf(':');

                if (pos > 0) {

                    modifier = flags.substring(pos+1);

                    flags = flags.substring(0, pos);

                }

            }

            if (!flags.startsWith("-")) {

                if (jarfile == null) {

                    jarfile = flags;

                } else {

                    alias = flags;

                    ckaliases.add(alias);

                }

            } else if (collator.compare(flags, "-conf") == 0) {

                if (++n == args.length) usageNoArg();

            } else if (collator.compare(flags, "-keystore") == 0) {

                if (++n == args.length) usageNoArg();

                keystore = args[n];

            } else if (collator.compare(flags, "-storepass") ==0) {

                if (++n == args.length) usageNoArg();

                storepass = getPass(modifier, args[n]);

            } else if (collator.compare(flags, "-storetype") ==0) {

                if (++n == args.length) usageNoArg();

                storetype = args[n];

            } else if (collator.compare(flags, "-providerName") ==0) {

                if (++n == args.length) usageNoArg();

                providerName = args[n];

            } else if (collator.compare(flags, "-provider") == 0 ||

                        collator.compare(flags, "-providerClass") == 0) {

                if (++n == args.length) usageNoArg();

                if (providerClasses == null) {

                    providerClasses = new ArrayList<>(3);

                }

                providerClasses.add(args[n]);

                if (args.length > (n+1)) {

                    flags = args[n+1];

                    if (collator.compare(flags, "-providerArg") == 0) {

                        if (args.length == (n+2)) usageNoArg();

                        providerArgs.put(args[n], args[n+2]);

                        n += 2;

                    }

                }

            } else if (collator.compare(flags, "-addprovider") == 0) {

                if (++n == args.length) usageNoArg();

                if (providers == null) {

                    providers = new ArrayList<>(3);

                }

                providers.add(args[n]);

                if (args.length > (n+1)) {

                    flags = args[n+1];

                    if (collator.compare(flags, "-providerArg") == 0) {

                        if (args.length == (n+2)) usageNoArg();

                        providerArgs.put(args[n], args[n+2]);

                        n += 2;

                    }

                }

            } else if (collator.compare(flags, "-protected") ==0) {

                protectedPath = true;

            } else if (collator.compare(flags, "-certchain") ==0) {

                if (++n == args.length) usageNoArg();

                altCertChain = args[n];

            } else if (collator.compare(flags, "-tsapolicyid") ==0) {

                if (++n == args.length) usageNoArg();

                tSAPolicyID = args[n];

            } else if (collator.compare(flags, "-tsadigestalg") ==0) {

                if (++n == args.length) usageNoArg();

                tSADigestAlg = args[n];

            } else if (collator.compare(flags, "-debug") ==0) {

                // Already processed

            } else if (collator.compare(flags, "-keypass") ==0) {

                if (++n == args.length) usageNoArg();

                keypass = getPass(modifier, args[n]);

            } else if (collator.compare(flags, "-sigfile") ==0) {

                if (++n == args.length) usageNoArg();

                sigfile = args[n];

            } else if (collator.compare(flags, "-signedjar") ==0) {

                if (++n == args.length) usageNoArg();

                signedjar = args[n];

            } else if (collator.compare(flags, "-tsa") ==0) {

                if (++n == args.length) usageNoArg();

                tsaUrl = args[n];

            } else if (collator.compare(flags, "-tsacert") ==0) {

                if (++n == args.length) usageNoArg();

                tsaAlias = args[n];

            } else if (collator.compare(flags, "-altsigner") ==0) {

                if (++n == args.length) usageNoArg();

                altSignerClass = args[n];

                System.err.println(

                        rb.getString("This.option.is.deprecated") +

                                "-altsigner");

            } else if (collator.compare(flags, "-altsignerpath") ==0) {

                if (++n == args.length) usageNoArg();

                altSignerClasspath = args[n];

                System.err.println(

                        rb.getString("This.option.is.deprecated") +

                                "-altsignerpath");

            } else if (collator.compare(flags, "-sectionsonly") ==0) {

                signManifest = false;

            } else if (collator.compare(flags, "-internalsf") ==0) {

                externalSF = false;

            } else if (collator.compare(flags, "-verify") ==0) {

                verify = true;

            } else if (collator.compare(flags, "-verbose") ==0) {

                verbose = (modifier != null) ? modifier : "all";

            } else if (collator.compare(flags, "-sigalg") ==0) {

                if (++n == args.length) usageNoArg();

                sigalg = args[n];

            } else if (collator.compare(flags, "-digestalg") ==0) {

                if (++n == args.length) usageNoArg();

                digestalg = args[n];

            } else if (collator.compare(flags, "-certs") ==0) {

                showcerts = true;

            } else if (collator.compare(flags, "-strict") ==0) {

                strict = true;

            } else if (collator.compare(flags, "-?") == 0 ||

                       collator.compare(flags, "-h") == 0 ||

                       collator.compare(flags, "--help") == 0 ||

                       // -help: legacy.

                       collator.compare(flags, "-help") == 0) {

                fullusage();

            } else {

                System.err.println(

                        rb.getString("Illegal.option.") + flags);

                usage();

            }

        }

        // -certs must always be specified with -verbose

        if (verbose == null) showcerts = false;

        if (jarfile == null) {

            System.err.println(rb.getString("Please.specify.jarfile.name"));

            usage();

        }

        if (!verify && alias == null) {

            System.err.println(rb.getString("Please.specify.alias.name"));

            usage();

        }

        if (!verify && ckaliases.size() > 1) {