jdk-sandbox: jdk/src/share/classes/sun/security/tools/jarsigner/Main.java@afa6934dd8e8 (annotated)

2 90ce3da70b43 Initial load duke parents: diff changeset	1	/*
24868 89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	2	* Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
2 90ce3da70b43 Initial load duke parents: diff changeset	3	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
90ce3da70b43 Initial load duke parents: diff changeset	4	*
90ce3da70b43 Initial load duke parents: diff changeset	5	* This code is free software; you can redistribute it and/or modify it
90ce3da70b43 Initial load duke parents: diff changeset	6	* under the terms of the GNU General Public License version 2 only, as
5506 202f599c92aa 6943119: Rebrand source copyright notices ohair parents: 5462 diff changeset	7	* published by the Free Software Foundation. Oracle designates this
2 90ce3da70b43 Initial load duke parents: diff changeset	8	* particular file as subject to the "Classpath" exception as provided
5506 202f599c92aa 6943119: Rebrand source copyright notices ohair parents: 5462 diff changeset	9	* by Oracle in the LICENSE file that accompanied this code.
2 90ce3da70b43 Initial load duke parents: diff changeset	10	*
90ce3da70b43 Initial load duke parents: diff changeset	11	* This code is distributed in the hope that it will be useful, but WITHOUT
90ce3da70b43 Initial load duke parents: diff changeset	12	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
90ce3da70b43 Initial load duke parents: diff changeset	13	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
90ce3da70b43 Initial load duke parents: diff changeset	14	* version 2 for more details (a copy is included in the LICENSE file that
90ce3da70b43 Initial load duke parents: diff changeset	15	* accompanied this code).
90ce3da70b43 Initial load duke parents: diff changeset	16	*
90ce3da70b43 Initial load duke parents: diff changeset	17	* You should have received a copy of the GNU General Public License version
90ce3da70b43 Initial load duke parents: diff changeset	18	* 2 along with this work; if not, write to the Free Software Foundation,
90ce3da70b43 Initial load duke parents: diff changeset	19	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
90ce3da70b43 Initial load duke parents: diff changeset	20	*
5506 202f599c92aa 6943119: Rebrand source copyright notices ohair parents: 5462 diff changeset	21	* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
202f599c92aa 6943119: Rebrand source copyright notices ohair parents: 5462 diff changeset	22	* or visit www.oracle.com if you need additional information or have any
202f599c92aa 6943119: Rebrand source copyright notices ohair parents: 5462 diff changeset	23	* questions.
2 90ce3da70b43 Initial load duke parents: diff changeset	24	*/
90ce3da70b43 Initial load duke parents: diff changeset	25
14182 3041082abb40 7194449: String resources for Key Tool and Policy Tool should be in their respective packages sflores parents: 12046 diff changeset	26	package sun.security.tools.jarsigner;
2 90ce3da70b43 Initial load duke parents: diff changeset	27
90ce3da70b43 Initial load duke parents: diff changeset	28	import java.io.*;
90ce3da70b43 Initial load duke parents: diff changeset	29	import java.util.*;
90ce3da70b43 Initial load duke parents: diff changeset	30	import java.util.zip.*;
90ce3da70b43 Initial load duke parents: diff changeset	31	import java.util.jar.*;
90ce3da70b43 Initial load duke parents: diff changeset	32	import java.math.BigInteger;
90ce3da70b43 Initial load duke parents: diff changeset	33	import java.net.URI;
90ce3da70b43 Initial load duke parents: diff changeset	34	import java.net.URISyntaxException;
90ce3da70b43 Initial load duke parents: diff changeset	35	import java.text.Collator;
90ce3da70b43 Initial load duke parents: diff changeset	36	import java.text.MessageFormat;
90ce3da70b43 Initial load duke parents: diff changeset	37	import java.security.cert.Certificate;
90ce3da70b43 Initial load duke parents: diff changeset	38	import java.security.cert.X509Certificate;
90ce3da70b43 Initial load duke parents: diff changeset	39	import java.security.cert.CertificateException;
90ce3da70b43 Initial load duke parents: diff changeset	40	import java.security.*;
90ce3da70b43 Initial load duke parents: diff changeset	41	import java.lang.reflect.Constructor;
90ce3da70b43 Initial load duke parents: diff changeset	42
90ce3da70b43 Initial load duke parents: diff changeset	43	import com.sun.jarsigner.ContentSigner;
90ce3da70b43 Initial load duke parents: diff changeset	44	import com.sun.jarsigner.ContentSignerParameters;
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	45	import java.net.SocketTimeoutException;
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	46	import java.net.URL;
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	47	import java.net.URLClassLoader;
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	48	import java.security.cert.CertPath;
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	49	import java.security.cert.CertPathValidator;
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	50	import java.security.cert.CertificateExpiredException;
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	51	import java.security.cert.CertificateFactory;
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	52	import java.security.cert.CertificateNotYetValidException;
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	53	import java.security.cert.PKIXParameters;
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	54	import java.security.cert.TrustAnchor;
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	55	import java.util.Map.Entry;
14182 3041082abb40 7194449: String resources for Key Tool and Policy Tool should be in their respective packages sflores parents: 12046 diff changeset	56	import sun.security.tools.KeyStoreUtil;
3041082abb40 7194449: String resources for Key Tool and Policy Tool should be in their respective packages sflores parents: 12046 diff changeset	57	import sun.security.tools.PathList;
2 90ce3da70b43 Initial load duke parents: diff changeset	58	import sun.security.x509.*;
90ce3da70b43 Initial load duke parents: diff changeset	59	import sun.security.util.*;
16020 b57c48f16179 8006182: cleanup to use java.util.Base64 in java security component, providers, and regression tests msheppar parents: 14421 diff changeset	60	import java.util.Base64;
2 90ce3da70b43 Initial load duke parents: diff changeset	61
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	62
2 90ce3da70b43 Initial load duke parents: diff changeset	63	/**
90ce3da70b43 Initial load duke parents: diff changeset	64	* <p>The jarsigner utility.
90ce3da70b43 Initial load duke parents: diff changeset	65	*
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	66	* The exit codes for the main method are:
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	67	*
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	68	* 0: success
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	69	* 1: any error that the jar cannot be signed or verified, including:
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	70	* keystore loading error
12046 378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	71	* TSP communication error
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	72	* jarsigner command line error...
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	73	* otherwise: error codes from -strict
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	74	*
2 90ce3da70b43 Initial load duke parents: diff changeset	75	* @author Roland Schemers
90ce3da70b43 Initial load duke parents: diff changeset	76	* @author Jan Luehe
90ce3da70b43 Initial load duke parents: diff changeset	77	*/
90ce3da70b43 Initial load duke parents: diff changeset	78
14182 3041082abb40 7194449: String resources for Key Tool and Policy Tool should be in their respective packages sflores parents: 12046 diff changeset	79	public class Main {
2 90ce3da70b43 Initial load duke parents: diff changeset	80
90ce3da70b43 Initial load duke parents: diff changeset	81	// for i18n
90ce3da70b43 Initial load duke parents: diff changeset	82	private static final java.util.ResourceBundle rb =
90ce3da70b43 Initial load duke parents: diff changeset	83	java.util.ResourceBundle.getBundle
14182 3041082abb40 7194449: String resources for Key Tool and Policy Tool should be in their respective packages sflores parents: 12046 diff changeset	84	("sun.security.tools.jarsigner.Resources");
2 90ce3da70b43 Initial load duke parents: diff changeset	85	private static final Collator collator = Collator.getInstance();
90ce3da70b43 Initial load duke parents: diff changeset	86	static {
90ce3da70b43 Initial load duke parents: diff changeset	87	// this is for case insensitive string comparisions
90ce3da70b43 Initial load duke parents: diff changeset	88	collator.setStrength(Collator.PRIMARY);
90ce3da70b43 Initial load duke parents: diff changeset	89	}
90ce3da70b43 Initial load duke parents: diff changeset	90
90ce3da70b43 Initial load duke parents: diff changeset	91	private static final String META_INF = "META-INF/";
90ce3da70b43 Initial load duke parents: diff changeset	92
20754 3d7b2fafc34b 8025967: addition of -Werror broke the old build valeriep parents: 19189 diff changeset	93	private static final Class<?>[] PARAM_STRING = { String.class };
2 90ce3da70b43 Initial load duke parents: diff changeset	94
90ce3da70b43 Initial load duke parents: diff changeset	95	private static final String NONE = "NONE";
90ce3da70b43 Initial load duke parents: diff changeset	96	private static final String P11KEYSTORE = "PKCS11";
90ce3da70b43 Initial load duke parents: diff changeset	97
90ce3da70b43 Initial load duke parents: diff changeset	98	private static final long SIX_MONTHS = 1802460601000L; //milliseconds
90ce3da70b43 Initial load duke parents: diff changeset	99
90ce3da70b43 Initial load duke parents: diff changeset	100	// Attention:
90ce3da70b43 Initial load duke parents: diff changeset	101	// This is the entry that get launched by the security tool jarsigner.
90ce3da70b43 Initial load duke parents: diff changeset	102	public static void main(String args[]) throws Exception {
14182 3041082abb40 7194449: String resources for Key Tool and Policy Tool should be in their respective packages sflores parents: 12046 diff changeset	103	Main js = new Main();
2 90ce3da70b43 Initial load duke parents: diff changeset	104	js.run(args);
90ce3da70b43 Initial load duke parents: diff changeset	105	}
90ce3da70b43 Initial load duke parents: diff changeset	106
90ce3da70b43 Initial load duke parents: diff changeset	107	static final String VERSION = "1.0";
90ce3da70b43 Initial load duke parents: diff changeset	108
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	109	static final int IN_KEYSTORE = 0x01; // signer is in keystore
2 90ce3da70b43 Initial load duke parents: diff changeset	110	static final int IN_SCOPE = 0x02;
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	111	static final int NOT_ALIAS = 0x04; // alias list is NOT empty and
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	112	// signer is not in alias list
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	113	static final int SIGNED_BY_ALIAS = 0x08; // signer is in alias list
2 90ce3da70b43 Initial load duke parents: diff changeset	114
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	115	X509Certificate[] certChain; // signer's cert chain (when composing)
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	116	PrivateKey privateKey; // private key
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	117	KeyStore store; // the keystore specified by -keystore
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	118	// or the default keystore, never null
2 90ce3da70b43 Initial load duke parents: diff changeset	119
90ce3da70b43 Initial load duke parents: diff changeset	120	String keystore; // key store file
90ce3da70b43 Initial load duke parents: diff changeset	121	boolean nullStream = false; // null keystore input stream (NONE)
90ce3da70b43 Initial load duke parents: diff changeset	122	boolean token = false; // token-based keystore
5462 cb614e59f7f9 6890876: jarsigner can add CRL info into signed jar weijun parents: 5461 diff changeset	123	String jarfile; // jar files to sign or verify
2 90ce3da70b43 Initial load duke parents: diff changeset	124	String alias; // alias to sign jar with
7977 f47f211cd627 7008713: diamond conversion of kerberos5 and security tools smarks parents: 7525 diff changeset	125	List<String> ckaliases = new ArrayList<>(); // aliases in -verify
2 90ce3da70b43 Initial load duke parents: diff changeset	126	char[] storepass; // keystore password
90ce3da70b43 Initial load duke parents: diff changeset	127	boolean protectedPath; // protected authentication path
90ce3da70b43 Initial load duke parents: diff changeset	128	String storetype; // keystore type
90ce3da70b43 Initial load duke parents: diff changeset	129	String providerName; // provider name
90ce3da70b43 Initial load duke parents: diff changeset	130	Vector<String> providers = null; // list of providers
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	131	// arguments for provider constructors
7977 f47f211cd627 7008713: diamond conversion of kerberos5 and security tools smarks parents: 7525 diff changeset	132	HashMap<String,String> providerArgs = new HashMap<>();
2 90ce3da70b43 Initial load duke parents: diff changeset	133	char[] keypass; // private key password
90ce3da70b43 Initial load duke parents: diff changeset	134	String sigfile; // name of .SF file
90ce3da70b43 Initial load duke parents: diff changeset	135	String sigalg; // name of signature algorithm
3318 dade78e63c92 6561126: keytool should use larger default keysize for keypairs weijun parents: 3047 diff changeset	136	String digestalg = "SHA-256"; // name of digest algorithm
2 90ce3da70b43 Initial load duke parents: diff changeset	137	String signedjar; // output filename
90ce3da70b43 Initial load duke parents: diff changeset	138	String tsaUrl; // location of the Timestamping Authority
90ce3da70b43 Initial load duke parents: diff changeset	139	String tsaAlias; // alias for the Timestamping Authority's certificate
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	140	String altCertChain; // file to read alternative cert chain from
17161 df1ec0e2f0e7 8009636: JARSigner including TimeStamp PolicyID (TSAPolicyID) as defined in RFC3161 weijun parents: 16020 diff changeset	141	String tSAPolicyID;
24034 31fe17eef94a 8038837: Add support to jarsigner for specifying timestamp hash algorithm weijun parents: 23912 diff changeset	142	String tSADigestAlg = "SHA-256";
2 90ce3da70b43 Initial load duke parents: diff changeset	143	boolean verify = false; // verify the jar
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	144	String verbose = null; // verbose output when signing/verifying
2 90ce3da70b43 Initial load duke parents: diff changeset	145	boolean showcerts = false; // show certs when verifying
90ce3da70b43 Initial load duke parents: diff changeset	146	boolean debug = false; // debug
90ce3da70b43 Initial load duke parents: diff changeset	147	boolean signManifest = true; // "sign" the whole manifest
90ce3da70b43 Initial load duke parents: diff changeset	148	boolean externalSF = true; // leave the .SF out of the PKCS7 block
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	149	boolean strict = false; // treat warnings as error
2 90ce3da70b43 Initial load duke parents: diff changeset	150
90ce3da70b43 Initial load duke parents: diff changeset	151	// read zip entry raw bytes
90ce3da70b43 Initial load duke parents: diff changeset	152	private ByteArrayOutputStream baos = new ByteArrayOutputStream(2048);
90ce3da70b43 Initial load duke parents: diff changeset	153	private byte[] buffer = new byte[8192];
90ce3da70b43 Initial load duke parents: diff changeset	154	private ContentSigner signingMechanism = null;
90ce3da70b43 Initial load duke parents: diff changeset	155	private String altSignerClass = null;
90ce3da70b43 Initial load duke parents: diff changeset	156	private String altSignerClasspath = null;
90ce3da70b43 Initial load duke parents: diff changeset	157	private ZipFile zipFile = null;
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	158
22315 529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	159	// Informational warnings
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	160	private boolean hasExpiringCert = false;
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	161	private boolean noTimestamp = false;
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	162	private Date expireDate = new Date(0L); // used in noTimestamp warning
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	163
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	164	// Severe warnings
2 90ce3da70b43 Initial load duke parents: diff changeset	165	private boolean hasExpiredCert = false;
90ce3da70b43 Initial load duke parents: diff changeset	166	private boolean notYetValidCert = false;
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	167	private boolean chainNotValidated = false;
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	168	private boolean notSignedByAlias = false;
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	169	private boolean aliasNotInStore = false;
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	170	private boolean hasUnsignedEntry = false;
2 90ce3da70b43 Initial load duke parents: diff changeset	171	private boolean badKeyUsage = false;
90ce3da70b43 Initial load duke parents: diff changeset	172	private boolean badExtendedKeyUsage = false;
90ce3da70b43 Initial load duke parents: diff changeset	173	private boolean badNetscapeCertType = false;
90ce3da70b43 Initial load duke parents: diff changeset	174
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	175	CertificateFactory certificateFactory;
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	176	CertPathValidator validator;
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	177	PKIXParameters pkixParameters;
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	178
2 90ce3da70b43 Initial load duke parents: diff changeset	179	public void run(String args[]) {
90ce3da70b43 Initial load duke parents: diff changeset	180	try {
24868 89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	181	args = parseArgs(args);
2 90ce3da70b43 Initial load duke parents: diff changeset	182
90ce3da70b43 Initial load duke parents: diff changeset	183	// Try to load and install the specified providers
90ce3da70b43 Initial load duke parents: diff changeset	184	if (providers != null) {
90ce3da70b43 Initial load duke parents: diff changeset	185	ClassLoader cl = ClassLoader.getSystemClassLoader();
90ce3da70b43 Initial load duke parents: diff changeset	186	Enumeration<String> e = providers.elements();
90ce3da70b43 Initial load duke parents: diff changeset	187	while (e.hasMoreElements()) {
90ce3da70b43 Initial load duke parents: diff changeset	188	String provName = e.nextElement();
90ce3da70b43 Initial load duke parents: diff changeset	189	Class<?> provClass;
90ce3da70b43 Initial load duke parents: diff changeset	190	if (cl != null) {
90ce3da70b43 Initial load duke parents: diff changeset	191	provClass = cl.loadClass(provName);
90ce3da70b43 Initial load duke parents: diff changeset	192	} else {
90ce3da70b43 Initial load duke parents: diff changeset	193	provClass = Class.forName(provName);
90ce3da70b43 Initial load duke parents: diff changeset	194	}
90ce3da70b43 Initial load duke parents: diff changeset	195
90ce3da70b43 Initial load duke parents: diff changeset	196	String provArg = providerArgs.get(provName);
90ce3da70b43 Initial load duke parents: diff changeset	197	Object obj;
90ce3da70b43 Initial load duke parents: diff changeset	198	if (provArg == null) {
90ce3da70b43 Initial load duke parents: diff changeset	199	obj = provClass.newInstance();
90ce3da70b43 Initial load duke parents: diff changeset	200	} else {
90ce3da70b43 Initial load duke parents: diff changeset	201	Constructor<?> c =
90ce3da70b43 Initial load duke parents: diff changeset	202	provClass.getConstructor(PARAM_STRING);
90ce3da70b43 Initial load duke parents: diff changeset	203	obj = c.newInstance(provArg);
90ce3da70b43 Initial load duke parents: diff changeset	204	}
90ce3da70b43 Initial load duke parents: diff changeset	205
90ce3da70b43 Initial load duke parents: diff changeset	206	if (!(obj instanceof Provider)) {
90ce3da70b43 Initial load duke parents: diff changeset	207	MessageFormat form = new MessageFormat(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	208	("provName.not.a.provider"));
2 90ce3da70b43 Initial load duke parents: diff changeset	209	Object[] source = {provName};
90ce3da70b43 Initial load duke parents: diff changeset	210	throw new Exception(form.format(source));
90ce3da70b43 Initial load duke parents: diff changeset	211	}
90ce3da70b43 Initial load duke parents: diff changeset	212	Security.addProvider((Provider)obj);
90ce3da70b43 Initial load duke parents: diff changeset	213	}
90ce3da70b43 Initial load duke parents: diff changeset	214	}
90ce3da70b43 Initial load duke parents: diff changeset	215
90ce3da70b43 Initial load duke parents: diff changeset	216	if (verify) {
90ce3da70b43 Initial load duke parents: diff changeset	217	try {
90ce3da70b43 Initial load duke parents: diff changeset	218	loadKeyStore(keystore, false);
90ce3da70b43 Initial load duke parents: diff changeset	219	} catch (Exception e) {
90ce3da70b43 Initial load duke parents: diff changeset	220	if ((keystore != null) \|\| (storepass != null)) {
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	221	System.out.println(rb.getString("jarsigner.error.") +
2 90ce3da70b43 Initial load duke parents: diff changeset	222	e.getMessage());
90ce3da70b43 Initial load duke parents: diff changeset	223	System.exit(1);
90ce3da70b43 Initial load duke parents: diff changeset	224	}
90ce3da70b43 Initial load duke parents: diff changeset	225	}
90ce3da70b43 Initial load duke parents: diff changeset	226	/* if (debug) {
90ce3da70b43 Initial load duke parents: diff changeset	227	SignatureFileVerifier.setDebug(true);
90ce3da70b43 Initial load duke parents: diff changeset	228	ManifestEntryVerifier.setDebug(true);
90ce3da70b43 Initial load duke parents: diff changeset	229	}
90ce3da70b43 Initial load duke parents: diff changeset	230	*/
90ce3da70b43 Initial load duke parents: diff changeset	231	verifyJar(jarfile);
90ce3da70b43 Initial load duke parents: diff changeset	232	} else {
90ce3da70b43 Initial load duke parents: diff changeset	233	loadKeyStore(keystore, true);
90ce3da70b43 Initial load duke parents: diff changeset	234	getAliasInfo(alias);
90ce3da70b43 Initial load duke parents: diff changeset	235
90ce3da70b43 Initial load duke parents: diff changeset	236	// load the alternative signing mechanism
90ce3da70b43 Initial load duke parents: diff changeset	237	if (altSignerClass != null) {
90ce3da70b43 Initial load duke parents: diff changeset	238	signingMechanism = loadSigningMechanism(altSignerClass,
90ce3da70b43 Initial load duke parents: diff changeset	239	altSignerClasspath);
90ce3da70b43 Initial load duke parents: diff changeset	240	}
90ce3da70b43 Initial load duke parents: diff changeset	241	signJar(jarfile, alias, args);
90ce3da70b43 Initial load duke parents: diff changeset	242	}
90ce3da70b43 Initial load duke parents: diff changeset	243	} catch (Exception e) {
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	244	System.out.println(rb.getString("jarsigner.error.") + e);
2 90ce3da70b43 Initial load duke parents: diff changeset	245	if (debug) {
90ce3da70b43 Initial load duke parents: diff changeset	246	e.printStackTrace();
90ce3da70b43 Initial load duke parents: diff changeset	247	}
90ce3da70b43 Initial load duke parents: diff changeset	248	System.exit(1);
90ce3da70b43 Initial load duke parents: diff changeset	249	} finally {
90ce3da70b43 Initial load duke parents: diff changeset	250	// zero-out private key password
90ce3da70b43 Initial load duke parents: diff changeset	251	if (keypass != null) {
90ce3da70b43 Initial load duke parents: diff changeset	252	Arrays.fill(keypass, ' ');
90ce3da70b43 Initial load duke parents: diff changeset	253	keypass = null;
90ce3da70b43 Initial load duke parents: diff changeset	254	}
90ce3da70b43 Initial load duke parents: diff changeset	255	// zero-out keystore password
90ce3da70b43 Initial load duke parents: diff changeset	256	if (storepass != null) {
90ce3da70b43 Initial load duke parents: diff changeset	257	Arrays.fill(storepass, ' ');
90ce3da70b43 Initial load duke parents: diff changeset	258	storepass = null;
90ce3da70b43 Initial load duke parents: diff changeset	259	}
90ce3da70b43 Initial load duke parents: diff changeset	260	}
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	261
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	262	if (strict) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	263	int exitCode = 0;
12046 378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	264	if (chainNotValidated \|\| hasExpiredCert \|\| notYetValidCert) {
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	265	exitCode \|= 4;
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	266	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	267	if (badKeyUsage \|\| badExtendedKeyUsage \|\| badNetscapeCertType) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	268	exitCode \|= 8;
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	269	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	270	if (hasUnsignedEntry) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	271	exitCode \|= 16;
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	272	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	273	if (notSignedByAlias \|\| aliasNotInStore) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	274	exitCode \|= 32;
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	275	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	276	if (exitCode != 0) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	277	System.exit(exitCode);
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	278	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	279	}
2 90ce3da70b43 Initial load duke parents: diff changeset	280	}
90ce3da70b43 Initial load duke parents: diff changeset	281
90ce3da70b43 Initial load duke parents: diff changeset	282	/*
90ce3da70b43 Initial load duke parents: diff changeset	283	* Parse command line arguments.
90ce3da70b43 Initial load duke parents: diff changeset	284	*/
24868 89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	285	String[] parseArgs(String args[]) throws Exception {
2 90ce3da70b43 Initial load duke parents: diff changeset	286	/* parse flags */
90ce3da70b43 Initial load duke parents: diff changeset	287	int n = 0;
90ce3da70b43 Initial load duke parents: diff changeset	288
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	289	if (args.length == 0) fullusage();
24868 89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	290
89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	291	String confFile = null;
89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	292	String command = "-sign";
89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	293	for (n=0; n < args.length; n++) {
89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	294	if (collator.compare(args[n], "-verify") == 0) {
89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	295	command = "-verify";
89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	296	} else if (collator.compare(args[n], "-conf") == 0) {
89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	297	if (n == args.length - 1) {
89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	298	usageNoArg();
89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	299	}
89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	300	confFile = args[++n];
89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	301	}
89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	302	}
89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	303
89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	304	if (confFile != null) {
89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	305	args = KeyStoreUtil.expandArgs(
89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	306	"jarsigner", confFile, command, null, args);
89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	307	}
89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	308
89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	309	debug = Arrays.stream(args).anyMatch(
89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	310	x -> collator.compare(x, "-debug") == 0);
89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	311
89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	312	if (debug) {
89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	313	// No need to localize debug output
89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	314	System.out.println("Command line args: " +
89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	315	Arrays.toString(args));
89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	316	}
89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	317
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	318	for (n=0; n < args.length; n++) {
2 90ce3da70b43 Initial load duke parents: diff changeset	319
90ce3da70b43 Initial load duke parents: diff changeset	320	String flags = args[n];
3951 e821908c953e 6868579: RFE: jarsigner to support reading password from environment variable weijun parents: 3716 diff changeset	321	String modifier = null;
19189 a4b8478a2bc5 8021789: jarsigner parses alias as command line option (depending on locale) weijun parents: 17161 diff changeset	322
a4b8478a2bc5 8021789: jarsigner parses alias as command line option (depending on locale) weijun parents: 17161 diff changeset	323	if (flags.startsWith("-")) {
3951 e821908c953e 6868579: RFE: jarsigner to support reading password from environment variable weijun parents: 3716 diff changeset	324	int pos = flags.indexOf(':');
e821908c953e 6868579: RFE: jarsigner to support reading password from environment variable weijun parents: 3716 diff changeset	325	if (pos > 0) {
e821908c953e 6868579: RFE: jarsigner to support reading password from environment variable weijun parents: 3716 diff changeset	326	modifier = flags.substring(pos+1);
e821908c953e 6868579: RFE: jarsigner to support reading password from environment variable weijun parents: 3716 diff changeset	327	flags = flags.substring(0, pos);
e821908c953e 6868579: RFE: jarsigner to support reading password from environment variable weijun parents: 3716 diff changeset	328	}
e821908c953e 6868579: RFE: jarsigner to support reading password from environment variable weijun parents: 3716 diff changeset	329	}
2 90ce3da70b43 Initial load duke parents: diff changeset	330
19189 a4b8478a2bc5 8021789: jarsigner parses alias as command line option (depending on locale) weijun parents: 17161 diff changeset	331	if (!flags.startsWith("-")) {
a4b8478a2bc5 8021789: jarsigner parses alias as command line option (depending on locale) weijun parents: 17161 diff changeset	332	if (jarfile == null) {
a4b8478a2bc5 8021789: jarsigner parses alias as command line option (depending on locale) weijun parents: 17161 diff changeset	333	jarfile = flags;
a4b8478a2bc5 8021789: jarsigner parses alias as command line option (depending on locale) weijun parents: 17161 diff changeset	334	} else {
a4b8478a2bc5 8021789: jarsigner parses alias as command line option (depending on locale) weijun parents: 17161 diff changeset	335	alias = flags;
a4b8478a2bc5 8021789: jarsigner parses alias as command line option (depending on locale) weijun parents: 17161 diff changeset	336	ckaliases.add(alias);
a4b8478a2bc5 8021789: jarsigner parses alias as command line option (depending on locale) weijun parents: 17161 diff changeset	337	}
24868 89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	338	} else if (collator.compare(flags, "-conf") == 0) {
89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	339	if (++n == args.length) usageNoArg();
19189 a4b8478a2bc5 8021789: jarsigner parses alias as command line option (depending on locale) weijun parents: 17161 diff changeset	340	} else if (collator.compare(flags, "-keystore") == 0) {
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	341	if (++n == args.length) usageNoArg();
2 90ce3da70b43 Initial load duke parents: diff changeset	342	keystore = args[n];
90ce3da70b43 Initial load duke parents: diff changeset	343	} else if (collator.compare(flags, "-storepass") ==0) {
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	344	if (++n == args.length) usageNoArg();
3951 e821908c953e 6868579: RFE: jarsigner to support reading password from environment variable weijun parents: 3716 diff changeset	345	storepass = getPass(modifier, args[n]);
2 90ce3da70b43 Initial load duke parents: diff changeset	346	} else if (collator.compare(flags, "-storetype") ==0) {
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	347	if (++n == args.length) usageNoArg();
2 90ce3da70b43 Initial load duke parents: diff changeset	348	storetype = args[n];
90ce3da70b43 Initial load duke parents: diff changeset	349	} else if (collator.compare(flags, "-providerName") ==0) {
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	350	if (++n == args.length) usageNoArg();
2 90ce3da70b43 Initial load duke parents: diff changeset	351	providerName = args[n];
90ce3da70b43 Initial load duke parents: diff changeset	352	} else if ((collator.compare(flags, "-provider") == 0) \|\|
90ce3da70b43 Initial load duke parents: diff changeset	353	(collator.compare(flags, "-providerClass") == 0)) {
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	354	if (++n == args.length) usageNoArg();
2 90ce3da70b43 Initial load duke parents: diff changeset	355	if (providers == null) {
90ce3da70b43 Initial load duke parents: diff changeset	356	providers = new Vector<String>(3);
90ce3da70b43 Initial load duke parents: diff changeset	357	}
90ce3da70b43 Initial load duke parents: diff changeset	358	providers.add(args[n]);
90ce3da70b43 Initial load duke parents: diff changeset	359
90ce3da70b43 Initial load duke parents: diff changeset	360	if (args.length > (n+1)) {
90ce3da70b43 Initial load duke parents: diff changeset	361	flags = args[n+1];
90ce3da70b43 Initial load duke parents: diff changeset	362	if (collator.compare(flags, "-providerArg") == 0) {
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	363	if (args.length == (n+2)) usageNoArg();
2 90ce3da70b43 Initial load duke parents: diff changeset	364	providerArgs.put(args[n], args[n+2]);
90ce3da70b43 Initial load duke parents: diff changeset	365	n += 2;
90ce3da70b43 Initial load duke parents: diff changeset	366	}
90ce3da70b43 Initial load duke parents: diff changeset	367	}
90ce3da70b43 Initial load duke parents: diff changeset	368	} else if (collator.compare(flags, "-protected") ==0) {
90ce3da70b43 Initial load duke parents: diff changeset	369	protectedPath = true;
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	370	} else if (collator.compare(flags, "-certchain") ==0) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	371	if (++n == args.length) usageNoArg();
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	372	altCertChain = args[n];
17161 df1ec0e2f0e7 8009636: JARSigner including TimeStamp PolicyID (TSAPolicyID) as defined in RFC3161 weijun parents: 16020 diff changeset	373	} else if (collator.compare(flags, "-tsapolicyid") ==0) {
df1ec0e2f0e7 8009636: JARSigner including TimeStamp PolicyID (TSAPolicyID) as defined in RFC3161 weijun parents: 16020 diff changeset	374	if (++n == args.length) usageNoArg();
df1ec0e2f0e7 8009636: JARSigner including TimeStamp PolicyID (TSAPolicyID) as defined in RFC3161 weijun parents: 16020 diff changeset	375	tSAPolicyID = args[n];
24034 31fe17eef94a 8038837: Add support to jarsigner for specifying timestamp hash algorithm weijun parents: 23912 diff changeset	376	} else if (collator.compare(flags, "-tsadigestalg") ==0) {
31fe17eef94a 8038837: Add support to jarsigner for specifying timestamp hash algorithm weijun parents: 23912 diff changeset	377	if (++n == args.length) usageNoArg();
31fe17eef94a 8038837: Add support to jarsigner for specifying timestamp hash algorithm weijun parents: 23912 diff changeset	378	tSADigestAlg = args[n];
2 90ce3da70b43 Initial load duke parents: diff changeset	379	} else if (collator.compare(flags, "-debug") ==0) {
24868 89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	380	// Already processed
2 90ce3da70b43 Initial load duke parents: diff changeset	381	} else if (collator.compare(flags, "-keypass") ==0) {
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	382	if (++n == args.length) usageNoArg();
3951 e821908c953e 6868579: RFE: jarsigner to support reading password from environment variable weijun parents: 3716 diff changeset	383	keypass = getPass(modifier, args[n]);
2 90ce3da70b43 Initial load duke parents: diff changeset	384	} else if (collator.compare(flags, "-sigfile") ==0) {
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	385	if (++n == args.length) usageNoArg();
2 90ce3da70b43 Initial load duke parents: diff changeset	386	sigfile = args[n];
90ce3da70b43 Initial load duke parents: diff changeset	387	} else if (collator.compare(flags, "-signedjar") ==0) {
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	388	if (++n == args.length) usageNoArg();
2 90ce3da70b43 Initial load duke parents: diff changeset	389	signedjar = args[n];
90ce3da70b43 Initial load duke parents: diff changeset	390	} else if (collator.compare(flags, "-tsa") ==0) {
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	391	if (++n == args.length) usageNoArg();
2 90ce3da70b43 Initial load duke parents: diff changeset	392	tsaUrl = args[n];
90ce3da70b43 Initial load duke parents: diff changeset	393	} else if (collator.compare(flags, "-tsacert") ==0) {
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	394	if (++n == args.length) usageNoArg();
2 90ce3da70b43 Initial load duke parents: diff changeset	395	tsaAlias = args[n];
90ce3da70b43 Initial load duke parents: diff changeset	396	} else if (collator.compare(flags, "-altsigner") ==0) {
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	397	if (++n == args.length) usageNoArg();
2 90ce3da70b43 Initial load duke parents: diff changeset	398	altSignerClass = args[n];
90ce3da70b43 Initial load duke parents: diff changeset	399	} else if (collator.compare(flags, "-altsignerpath") ==0) {
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	400	if (++n == args.length) usageNoArg();
2 90ce3da70b43 Initial load duke parents: diff changeset	401	altSignerClasspath = args[n];
90ce3da70b43 Initial load duke parents: diff changeset	402	} else if (collator.compare(flags, "-sectionsonly") ==0) {
90ce3da70b43 Initial load duke parents: diff changeset	403	signManifest = false;
90ce3da70b43 Initial load duke parents: diff changeset	404	} else if (collator.compare(flags, "-internalsf") ==0) {
90ce3da70b43 Initial load duke parents: diff changeset	405	externalSF = false;
90ce3da70b43 Initial load duke parents: diff changeset	406	} else if (collator.compare(flags, "-verify") ==0) {
90ce3da70b43 Initial load duke parents: diff changeset	407	verify = true;
90ce3da70b43 Initial load duke parents: diff changeset	408	} else if (collator.compare(flags, "-verbose") ==0) {
3951 e821908c953e 6868579: RFE: jarsigner to support reading password from environment variable weijun parents: 3716 diff changeset	409	verbose = (modifier != null) ? modifier : "all";
2 90ce3da70b43 Initial load duke parents: diff changeset	410	} else if (collator.compare(flags, "-sigalg") ==0) {
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	411	if (++n == args.length) usageNoArg();
2 90ce3da70b43 Initial load duke parents: diff changeset	412	sigalg = args[n];
90ce3da70b43 Initial load duke parents: diff changeset	413	} else if (collator.compare(flags, "-digestalg") ==0) {
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	414	if (++n == args.length) usageNoArg();
2 90ce3da70b43 Initial load duke parents: diff changeset	415	digestalg = args[n];
90ce3da70b43 Initial load duke parents: diff changeset	416	} else if (collator.compare(flags, "-certs") ==0) {
90ce3da70b43 Initial load duke parents: diff changeset	417	showcerts = true;
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	418	} else if (collator.compare(flags, "-strict") ==0) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	419	strict = true;
2 90ce3da70b43 Initial load duke parents: diff changeset	420	} else if (collator.compare(flags, "-h") == 0 \|\|
90ce3da70b43 Initial load duke parents: diff changeset	421	collator.compare(flags, "-help") == 0) {
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	422	fullusage();
2 90ce3da70b43 Initial load duke parents: diff changeset	423	} else {
19189 a4b8478a2bc5 8021789: jarsigner parses alias as command line option (depending on locale) weijun parents: 17161 diff changeset	424	System.err.println(
a4b8478a2bc5 8021789: jarsigner parses alias as command line option (depending on locale) weijun parents: 17161 diff changeset	425	rb.getString("Illegal.option.") + flags);
a4b8478a2bc5 8021789: jarsigner parses alias as command line option (depending on locale) weijun parents: 17161 diff changeset	426	usage();
2 90ce3da70b43 Initial load duke parents: diff changeset	427	}
90ce3da70b43 Initial load duke parents: diff changeset	428	}
90ce3da70b43 Initial load duke parents: diff changeset	429
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	430	// -certs must always be specified with -verbose
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	431	if (verbose == null) showcerts = false;
2 90ce3da70b43 Initial load duke parents: diff changeset	432
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	433	if (jarfile == null) {
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	434	System.err.println(rb.getString("Please.specify.jarfile.name"));
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	435	usage();
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	436	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	437	if (!verify && alias == null) {
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	438	System.err.println(rb.getString("Please.specify.alias.name"));
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	439	usage();
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	440	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	441	if (!verify && ckaliases.size() > 1) {
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	442	System.err.println(rb.getString("Only.one.alias.can.be.specified"));
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	443	usage();
2 90ce3da70b43 Initial load duke parents: diff changeset	444	}
90ce3da70b43 Initial load duke parents: diff changeset	445
90ce3da70b43 Initial load duke parents: diff changeset	446	if (storetype == null) {
90ce3da70b43 Initial load duke parents: diff changeset	447	storetype = KeyStore.getDefaultType();
90ce3da70b43 Initial load duke parents: diff changeset	448	}
90ce3da70b43 Initial load duke parents: diff changeset	449	storetype = KeyStoreUtil.niceStoreTypeName(storetype);
90ce3da70b43 Initial load duke parents: diff changeset	450
3481 6ae7a2a6c956 6866479: libzip.so caused JVM to crash when running jarsigner weijun parents: 3318 diff changeset	451	try {
6ae7a2a6c956 6866479: libzip.so caused JVM to crash when running jarsigner weijun parents: 3318 diff changeset	452	if (signedjar != null && new File(signedjar).getCanonicalPath().equals(
6ae7a2a6c956 6866479: libzip.so caused JVM to crash when running jarsigner weijun parents: 3318 diff changeset	453	new File(jarfile).getCanonicalPath())) {
6ae7a2a6c956 6866479: libzip.so caused JVM to crash when running jarsigner weijun parents: 3318 diff changeset	454	signedjar = null;
6ae7a2a6c956 6866479: libzip.so caused JVM to crash when running jarsigner weijun parents: 3318 diff changeset	455	}
6ae7a2a6c956 6866479: libzip.so caused JVM to crash when running jarsigner weijun parents: 3318 diff changeset	456	} catch (IOException ioe) {
6ae7a2a6c956 6866479: libzip.so caused JVM to crash when running jarsigner weijun parents: 3318 diff changeset	457	// File system error?
6ae7a2a6c956 6866479: libzip.so caused JVM to crash when running jarsigner weijun parents: 3318 diff changeset	458	// Just ignore it.
6ae7a2a6c956 6866479: libzip.so caused JVM to crash when running jarsigner weijun parents: 3318 diff changeset	459	}
6ae7a2a6c956 6866479: libzip.so caused JVM to crash when running jarsigner weijun parents: 3318 diff changeset	460
2 90ce3da70b43 Initial load duke parents: diff changeset	461	if (P11KEYSTORE.equalsIgnoreCase(storetype) \|\|
90ce3da70b43 Initial load duke parents: diff changeset	462	KeyStoreUtil.isWindowsKeyStore(storetype)) {
90ce3da70b43 Initial load duke parents: diff changeset	463	token = true;
90ce3da70b43 Initial load duke parents: diff changeset	464	if (keystore == null) {
90ce3da70b43 Initial load duke parents: diff changeset	465	keystore = NONE;
90ce3da70b43 Initial load duke parents: diff changeset	466	}
90ce3da70b43 Initial load duke parents: diff changeset	467	}
90ce3da70b43 Initial load duke parents: diff changeset	468
90ce3da70b43 Initial load duke parents: diff changeset	469	if (NONE.equals(keystore)) {
90ce3da70b43 Initial load duke parents: diff changeset	470	nullStream = true;
90ce3da70b43 Initial load duke parents: diff changeset	471	}
90ce3da70b43 Initial load duke parents: diff changeset	472
90ce3da70b43 Initial load duke parents: diff changeset	473	if (token && !nullStream) {
90ce3da70b43 Initial load duke parents: diff changeset	474	System.err.println(MessageFormat.format(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	475	(".keystore.must.be.NONE.if.storetype.is.{0}"), storetype));
2 90ce3da70b43 Initial load duke parents: diff changeset	476	usage();
90ce3da70b43 Initial load duke parents: diff changeset	477	}
90ce3da70b43 Initial load duke parents: diff changeset	478
90ce3da70b43 Initial load duke parents: diff changeset	479	if (token && keypass != null) {
90ce3da70b43 Initial load duke parents: diff changeset	480	System.err.println(MessageFormat.format(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	481	(".keypass.can.not.be.specified.if.storetype.is.{0}"), storetype));
2 90ce3da70b43 Initial load duke parents: diff changeset	482	usage();
90ce3da70b43 Initial load duke parents: diff changeset	483	}
90ce3da70b43 Initial load duke parents: diff changeset	484
90ce3da70b43 Initial load duke parents: diff changeset	485	if (protectedPath) {
90ce3da70b43 Initial load duke parents: diff changeset	486	if (storepass != null \|\| keypass != null) {
90ce3da70b43 Initial load duke parents: diff changeset	487	System.err.println(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	488	("If.protected.is.specified.then.storepass.and.keypass.must.not.be.specified"));
2 90ce3da70b43 Initial load duke parents: diff changeset	489	usage();
90ce3da70b43 Initial load duke parents: diff changeset	490	}
90ce3da70b43 Initial load duke parents: diff changeset	491	}
90ce3da70b43 Initial load duke parents: diff changeset	492	if (KeyStoreUtil.isWindowsKeyStore(storetype)) {
90ce3da70b43 Initial load duke parents: diff changeset	493	if (storepass != null \|\| keypass != null) {
90ce3da70b43 Initial load duke parents: diff changeset	494	System.err.println(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	495	("If.keystore.is.not.password.protected.then.storepass.and.keypass.must.not.be.specified"));
2 90ce3da70b43 Initial load duke parents: diff changeset	496	usage();
90ce3da70b43 Initial load duke parents: diff changeset	497	}
90ce3da70b43 Initial load duke parents: diff changeset	498	}
24868 89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	499	return args;
2 90ce3da70b43 Initial load duke parents: diff changeset	500	}
90ce3da70b43 Initial load duke parents: diff changeset	501
3951 e821908c953e 6868579: RFE: jarsigner to support reading password from environment variable weijun parents: 3716 diff changeset	502	static char[] getPass(String modifier, String arg) {
14182 3041082abb40 7194449: String resources for Key Tool and Policy Tool should be in their respective packages sflores parents: 12046 diff changeset	503	char[] output = KeyStoreUtil.getPassWithModifier(modifier, arg, rb);
3951 e821908c953e 6868579: RFE: jarsigner to support reading password from environment variable weijun parents: 3716 diff changeset	504	if (output != null) return output;
e821908c953e 6868579: RFE: jarsigner to support reading password from environment variable weijun parents: 3716 diff changeset	505	usage();
e821908c953e 6868579: RFE: jarsigner to support reading password from environment variable weijun parents: 3716 diff changeset	506	return null; // Useless, usage() already exit
e821908c953e 6868579: RFE: jarsigner to support reading password from environment variable weijun parents: 3716 diff changeset	507	}
e821908c953e 6868579: RFE: jarsigner to support reading password from environment variable weijun parents: 3716 diff changeset	508
e821908c953e 6868579: RFE: jarsigner to support reading password from environment variable weijun parents: 3716 diff changeset	509	static void usageNoArg() {
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	510	System.out.println(rb.getString("Option.lacks.argument"));
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	511	usage();
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	512	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	513
3951 e821908c953e 6868579: RFE: jarsigner to support reading password from environment variable weijun parents: 3716 diff changeset	514	static void usage() {
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	515	System.out.println();
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	516	System.out.println(rb.getString("Please.type.jarsigner.help.for.usage"));
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	517	System.exit(1);
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	518	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	519
3951 e821908c953e 6868579: RFE: jarsigner to support reading password from environment variable weijun parents: 3716 diff changeset	520	static void fullusage() {
2 90ce3da70b43 Initial load duke parents: diff changeset	521	System.out.println(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	522	("Usage.jarsigner.options.jar.file.alias"));
2 90ce3da70b43 Initial load duke parents: diff changeset	523	System.out.println(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	524	(".jarsigner.verify.options.jar.file.alias."));
2 90ce3da70b43 Initial load duke parents: diff changeset	525	System.out.println();
90ce3da70b43 Initial load duke parents: diff changeset	526	System.out.println(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	527	(".keystore.url.keystore.location"));
2 90ce3da70b43 Initial load duke parents: diff changeset	528	System.out.println();
90ce3da70b43 Initial load duke parents: diff changeset	529	System.out.println(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	530	(".storepass.password.password.for.keystore.integrity"));
2 90ce3da70b43 Initial load duke parents: diff changeset	531	System.out.println();
90ce3da70b43 Initial load duke parents: diff changeset	532	System.out.println(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	533	(".storetype.type.keystore.type"));
2 90ce3da70b43 Initial load duke parents: diff changeset	534	System.out.println();
90ce3da70b43 Initial load duke parents: diff changeset	535	System.out.println(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	536	(".keypass.password.password.for.private.key.if.different."));
2 90ce3da70b43 Initial load duke parents: diff changeset	537	System.out.println();
90ce3da70b43 Initial load duke parents: diff changeset	538	System.out.println(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	539	(".certchain.file.name.of.alternative.certchain.file"));
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	540	System.out.println();
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	541	System.out.println(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	542	(".sigfile.file.name.of.SF.DSA.file"));
2 90ce3da70b43 Initial load duke parents: diff changeset	543	System.out.println();
90ce3da70b43 Initial load duke parents: diff changeset	544	System.out.println(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	545	(".signedjar.file.name.of.signed.JAR.file"));
2 90ce3da70b43 Initial load duke parents: diff changeset	546	System.out.println();
90ce3da70b43 Initial load duke parents: diff changeset	547	System.out.println(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	548	(".digestalg.algorithm.name.of.digest.algorithm"));
2 90ce3da70b43 Initial load duke parents: diff changeset	549	System.out.println();
90ce3da70b43 Initial load duke parents: diff changeset	550	System.out.println(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	551	(".sigalg.algorithm.name.of.signature.algorithm"));
2 90ce3da70b43 Initial load duke parents: diff changeset	552	System.out.println();
90ce3da70b43 Initial load duke parents: diff changeset	553	System.out.println(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	554	(".verify.verify.a.signed.JAR.file"));
2 90ce3da70b43 Initial load duke parents: diff changeset	555	System.out.println();
90ce3da70b43 Initial load duke parents: diff changeset	556	System.out.println(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	557	(".verbose.suboptions.verbose.output.when.signing.verifying."));
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	558	System.out.println(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	559	(".suboptions.can.be.all.grouped.or.summary"));
2 90ce3da70b43 Initial load duke parents: diff changeset	560	System.out.println();
90ce3da70b43 Initial load duke parents: diff changeset	561	System.out.println(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	562	(".certs.display.certificates.when.verbose.and.verifying"));
2 90ce3da70b43 Initial load duke parents: diff changeset	563	System.out.println();
90ce3da70b43 Initial load duke parents: diff changeset	564	System.out.println(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	565	(".tsa.url.location.of.the.Timestamping.Authority"));
2 90ce3da70b43 Initial load duke parents: diff changeset	566	System.out.println();
90ce3da70b43 Initial load duke parents: diff changeset	567	System.out.println(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	568	(".tsacert.alias.public.key.certificate.for.Timestamping.Authority"));
2 90ce3da70b43 Initial load duke parents: diff changeset	569	System.out.println();
90ce3da70b43 Initial load duke parents: diff changeset	570	System.out.println(rb.getString
17161 df1ec0e2f0e7 8009636: JARSigner including TimeStamp PolicyID (TSAPolicyID) as defined in RFC3161 weijun parents: 16020 diff changeset	571	(".tsapolicyid.tsapolicyid.for.Timestamping.Authority"));
df1ec0e2f0e7 8009636: JARSigner including TimeStamp PolicyID (TSAPolicyID) as defined in RFC3161 weijun parents: 16020 diff changeset	572	System.out.println();
df1ec0e2f0e7 8009636: JARSigner including TimeStamp PolicyID (TSAPolicyID) as defined in RFC3161 weijun parents: 16020 diff changeset	573	System.out.println(rb.getString
24034 31fe17eef94a 8038837: Add support to jarsigner for specifying timestamp hash algorithm weijun parents: 23912 diff changeset	574	(".tsadigestalg.algorithm.of.digest.data.in.timestamping.request"));
31fe17eef94a 8038837: Add support to jarsigner for specifying timestamp hash algorithm weijun parents: 23912 diff changeset	575	System.out.println();
31fe17eef94a 8038837: Add support to jarsigner for specifying timestamp hash algorithm weijun parents: 23912 diff changeset	576	System.out.println(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	577	(".altsigner.class.class.name.of.an.alternative.signing.mechanism"));
2 90ce3da70b43 Initial load duke parents: diff changeset	578	System.out.println();
90ce3da70b43 Initial load duke parents: diff changeset	579	System.out.println(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	580	(".altsignerpath.pathlist.location.of.an.alternative.signing.mechanism"));
2 90ce3da70b43 Initial load duke parents: diff changeset	581	System.out.println();
90ce3da70b43 Initial load duke parents: diff changeset	582	System.out.println(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	583	(".internalsf.include.the.SF.file.inside.the.signature.block"));
2 90ce3da70b43 Initial load duke parents: diff changeset	584	System.out.println();
90ce3da70b43 Initial load duke parents: diff changeset	585	System.out.println(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	586	(".sectionsonly.don.t.compute.hash.of.entire.manifest"));
2 90ce3da70b43 Initial load duke parents: diff changeset	587	System.out.println();
90ce3da70b43 Initial load duke parents: diff changeset	588	System.out.println(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	589	(".protected.keystore.has.protected.authentication.path"));
2 90ce3da70b43 Initial load duke parents: diff changeset	590	System.out.println();
90ce3da70b43 Initial load duke parents: diff changeset	591	System.out.println(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	592	(".providerName.name.provider.name"));
2 90ce3da70b43 Initial load duke parents: diff changeset	593	System.out.println();
90ce3da70b43 Initial load duke parents: diff changeset	594	System.out.println(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	595	(".providerClass.class.name.of.cryptographic.service.provider.s"));
2 90ce3da70b43 Initial load duke parents: diff changeset	596	System.out.println(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	597	(".providerArg.arg.master.class.file.and.constructor.argument"));
2 90ce3da70b43 Initial load duke parents: diff changeset	598	System.out.println();
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	599	System.out.println(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	600	(".strict.treat.warnings.as.errors"));
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	601	System.out.println();
24868 89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	602	System.out.println(rb.getString
89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	603	(".conf.url.specify.a.pre.configured.options.file"));
89d9bd9eba96 8023197: Pre-configured command line options for keytool and jarsigner weijun parents: 24625 diff changeset	604	System.out.println();
2 90ce3da70b43 Initial load duke parents: diff changeset	605
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	606	System.exit(0);
2 90ce3da70b43 Initial load duke parents: diff changeset	607	}
90ce3da70b43 Initial load duke parents: diff changeset	608
90ce3da70b43 Initial load duke parents: diff changeset	609	void verifyJar(String jarName)
90ce3da70b43 Initial load duke parents: diff changeset	610	throws Exception
90ce3da70b43 Initial load duke parents: diff changeset	611	{
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	612	boolean anySigned = false; // if there exists entry inside jar signed
2 90ce3da70b43 Initial load duke parents: diff changeset	613	JarFile jf = null;
90ce3da70b43 Initial load duke parents: diff changeset	614
90ce3da70b43 Initial load duke parents: diff changeset	615	try {
90ce3da70b43 Initial load duke parents: diff changeset	616	jf = new JarFile(jarName, true);
7977 f47f211cd627 7008713: diamond conversion of kerberos5 and security tools smarks parents: 7525 diff changeset	617	Vector<JarEntry> entriesVec = new Vector<>();
2 90ce3da70b43 Initial load duke parents: diff changeset	618	byte[] buffer = new byte[8192];
90ce3da70b43 Initial load duke parents: diff changeset	619
90ce3da70b43 Initial load duke parents: diff changeset	620	Enumeration<JarEntry> entries = jf.entries();
90ce3da70b43 Initial load duke parents: diff changeset	621	while (entries.hasMoreElements()) {
90ce3da70b43 Initial load duke parents: diff changeset	622	JarEntry je = entries.nextElement();
90ce3da70b43 Initial load duke parents: diff changeset	623	entriesVec.addElement(je);
90ce3da70b43 Initial load duke parents: diff changeset	624	InputStream is = null;
90ce3da70b43 Initial load duke parents: diff changeset	625	try {
90ce3da70b43 Initial load duke parents: diff changeset	626	is = jf.getInputStream(je);
90ce3da70b43 Initial load duke parents: diff changeset	627	int n;
90ce3da70b43 Initial load duke parents: diff changeset	628	while ((n = is.read(buffer, 0, buffer.length)) != -1) {
90ce3da70b43 Initial load duke parents: diff changeset	629	// we just read. this will throw a SecurityException
90ce3da70b43 Initial load duke parents: diff changeset	630	// if a signature/digest check fails.
90ce3da70b43 Initial load duke parents: diff changeset	631	}
90ce3da70b43 Initial load duke parents: diff changeset	632	} finally {
90ce3da70b43 Initial load duke parents: diff changeset	633	if (is != null) {
90ce3da70b43 Initial load duke parents: diff changeset	634	is.close();
90ce3da70b43 Initial load duke parents: diff changeset	635	}
90ce3da70b43 Initial load duke parents: diff changeset	636	}
90ce3da70b43 Initial load duke parents: diff changeset	637	}
90ce3da70b43 Initial load duke parents: diff changeset	638
90ce3da70b43 Initial load duke parents: diff changeset	639	Manifest man = jf.getManifest();
90ce3da70b43 Initial load duke parents: diff changeset	640
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	641	// The map to record display info, only used when -verbose provided
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	642	// key: signer info string
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	643	// value: the list of files with common key
7977 f47f211cd627 7008713: diamond conversion of kerberos5 and security tools smarks parents: 7525 diff changeset	644	Map<String,List<String>> output = new LinkedHashMap<>();
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	645
2 90ce3da70b43 Initial load duke parents: diff changeset	646	if (man != null) {
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	647	if (verbose != null) System.out.println();
2 90ce3da70b43 Initial load duke parents: diff changeset	648	Enumeration<JarEntry> e = entriesVec.elements();
90ce3da70b43 Initial load duke parents: diff changeset	649
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	650	String tab = rb.getString("6SPACE");
2 90ce3da70b43 Initial load duke parents: diff changeset	651
90ce3da70b43 Initial load duke parents: diff changeset	652	while (e.hasMoreElements()) {
90ce3da70b43 Initial load duke parents: diff changeset	653	JarEntry je = e.nextElement();
90ce3da70b43 Initial load duke parents: diff changeset	654	String name = je.getName();
90ce3da70b43 Initial load duke parents: diff changeset	655	CodeSigner[] signers = je.getCodeSigners();
90ce3da70b43 Initial load duke parents: diff changeset	656	boolean isSigned = (signers != null);
90ce3da70b43 Initial load duke parents: diff changeset	657	anySigned \|= isSigned;
90ce3da70b43 Initial load duke parents: diff changeset	658	hasUnsignedEntry \|= !je.isDirectory() && !isSigned
90ce3da70b43 Initial load duke parents: diff changeset	659	&& !signatureRelated(name);
90ce3da70b43 Initial load duke parents: diff changeset	660
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	661	int inStoreOrScope = inKeyStore(signers);
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	662
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	663	boolean inStore = (inStoreOrScope & IN_KEYSTORE) != 0;
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	664	boolean inScope = (inStoreOrScope & IN_SCOPE) != 0;
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	665
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	666	notSignedByAlias \|= (inStoreOrScope & NOT_ALIAS) != 0;
7525 16d2b5e6517a 7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert weijun parents: 7524 diff changeset	667	if (keystore != null) {
16d2b5e6517a 7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert weijun parents: 7524 diff changeset	668	aliasNotInStore \|= isSigned && (!inStore && !inScope);
16d2b5e6517a 7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert weijun parents: 7524 diff changeset	669	}
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	670
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	671	// Only used when -verbose provided
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	672	StringBuffer sb = null;
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	673	if (verbose != null) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	674	sb = new StringBuffer();
2 90ce3da70b43 Initial load duke parents: diff changeset	675	boolean inManifest =
90ce3da70b43 Initial load duke parents: diff changeset	676	((man.getAttributes(name) != null) \|\|
90ce3da70b43 Initial load duke parents: diff changeset	677	(man.getAttributes("./"+name) != null) \|\|
90ce3da70b43 Initial load duke parents: diff changeset	678	(man.getAttributes("/"+name) != null));
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	679	sb.append(
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	680	(isSigned ? rb.getString("s") : rb.getString("SPACE")) +
4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	681	(inManifest ? rb.getString("m") : rb.getString("SPACE")) +
4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	682	(inStore ? rb.getString("k") : rb.getString("SPACE")) +
4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	683	(inScope ? rb.getString("i") : rb.getString("SPACE")) +
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	684	((inStoreOrScope & NOT_ALIAS) != 0 ?"X":" ") +
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	685	rb.getString("SPACE"));
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	686	sb.append("\|");
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	687	}
2 90ce3da70b43 Initial load duke parents: diff changeset	688
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	689	// When -certs provided, display info has extra empty
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	690	// lines at the beginning and end.
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	691	if (isSigned) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	692	if (showcerts) sb.append('\n');
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	693	for (CodeSigner signer: signers) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	694	// signerInfo() must be called even if -verbose
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	695	// not provided. The method updates various
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	696	// warning flags.
12046 378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	697	String si = signerInfo(signer, tab);
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	698	if (showcerts) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	699	sb.append(si);
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	700	sb.append('\n');
2 90ce3da70b43 Initial load duke parents: diff changeset	701	}
90ce3da70b43 Initial load duke parents: diff changeset	702	}
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	703	} else if (showcerts && !verbose.equals("all")) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	704	// Print no info for unsigned entries when -verbose:all,
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	705	// to be consistent with old behavior.
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	706	if (signatureRelated(name)) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	707	sb.append("\n" + tab + rb.getString(
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	708	".Signature.related.entries.") + "\n\n");
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	709	} else {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	710	sb.append("\n" + tab + rb.getString(
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	711	".Unsigned.entries.") + "\n\n");
2 90ce3da70b43 Initial load duke parents: diff changeset	712	}
90ce3da70b43 Initial load duke parents: diff changeset	713	}
90ce3da70b43 Initial load duke parents: diff changeset	714
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	715	if (verbose != null) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	716	String label = sb.toString();
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	717	if (signatureRelated(name)) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	718	// Entries inside META-INF and other unsigned
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	719	// entries are grouped separately.
7524 ec12e1e6fa20 7004035: signed jar with only META-INF/* inside is not verifiable weijun parents: 7179 diff changeset	720	label = "-" + label;
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	721	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	722
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	723	// The label finally contains 2 parts separated by '\|':
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	724	// The legend displayed before the entry names, and
21278 ef8a3a2a72f2 8022746: List of spelling errors in API doc malenkov parents: 20754 diff changeset	725	// the cert info (if -certs specified).
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	726
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	727	if (!output.containsKey(label)) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	728	output.put(label, new ArrayList<String>());
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	729	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	730
24969 afa6934dd8e8 8041679: Replace uses of StringBuffer with StringBuilder within core library classes psandoz parents: 24868 diff changeset	731	StringBuilder fb = new StringBuilder();
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	732	String s = Long.toString(je.getSize());
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	733	for (int i = 6 - s.length(); i > 0; --i) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	734	fb.append(' ');
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	735	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	736	fb.append(s).append(' ').
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	737	append(new Date(je.getTime()).toString());
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	738	fb.append(' ').append(name);
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	739
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	740	output.get(label).add(fb.toString());
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	741	}
2 90ce3da70b43 Initial load duke parents: diff changeset	742	}
90ce3da70b43 Initial load duke parents: diff changeset	743	}
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	744	if (verbose != null) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	745	for (Entry<String,List<String>> s: output.entrySet()) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	746	List<String> files = s.getValue();
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	747	String key = s.getKey();
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	748	if (key.charAt(0) == '-') { // the signature-related group
7524 ec12e1e6fa20 7004035: signed jar with only META-INF/* inside is not verifiable weijun parents: 7179 diff changeset	749	key = key.substring(1);
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	750	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	751	int pipe = key.indexOf('\|');
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	752	if (verbose.equals("all")) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	753	for (String f: files) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	754	System.out.println(key.substring(0, pipe) + f);
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	755	System.out.printf(key.substring(pipe+1));
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	756	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	757	} else {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	758	if (verbose.equals("grouped")) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	759	for (String f: files) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	760	System.out.println(key.substring(0, pipe) + f);
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	761	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	762	} else if (verbose.equals("summary")) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	763	System.out.print(key.substring(0, pipe));
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	764	if (files.size() > 1) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	765	System.out.println(files.get(0) + " " +
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	766	String.format(rb.getString(
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	767	".and.d.more."), files.size()-1));
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	768	} else {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	769	System.out.println(files.get(0));
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	770	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	771	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	772	System.out.printf(key.substring(pipe+1));
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	773	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	774	}
2 90ce3da70b43 Initial load duke parents: diff changeset	775	System.out.println();
90ce3da70b43 Initial load duke parents: diff changeset	776	System.out.println(rb.getString(
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	777	".s.signature.was.verified."));
2 90ce3da70b43 Initial load duke parents: diff changeset	778	System.out.println(rb.getString(
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	779	".m.entry.is.listed.in.manifest"));
2 90ce3da70b43 Initial load duke parents: diff changeset	780	System.out.println(rb.getString(
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	781	".k.at.least.one.certificate.was.found.in.keystore"));
2 90ce3da70b43 Initial load duke parents: diff changeset	782	System.out.println(rb.getString(
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	783	".i.at.least.one.certificate.was.found.in.identity.scope"));
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	784	if (ckaliases.size() > 0) {
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	785	System.out.println(rb.getString(
4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	786	".X.not.signed.by.specified.alias.es."));
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	787	}
2 90ce3da70b43 Initial load duke parents: diff changeset	788	System.out.println();
90ce3da70b43 Initial load duke parents: diff changeset	789	}
90ce3da70b43 Initial load duke parents: diff changeset	790	if (man == null)
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	791	System.out.println(rb.getString("no.manifest."));
2 90ce3da70b43 Initial load duke parents: diff changeset	792
90ce3da70b43 Initial load duke parents: diff changeset	793	if (!anySigned) {
90ce3da70b43 Initial load duke parents: diff changeset	794	System.out.println(rb.getString(
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	795	"jar.is.unsigned.signatures.missing.or.not.parsable."));
2 90ce3da70b43 Initial load duke parents: diff changeset	796	} else {
22315 529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	797	boolean warningAppeared = false;
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	798	boolean errorAppeared = false;
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	799	if (badKeyUsage \|\| badExtendedKeyUsage \|\| badNetscapeCertType \|\|
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	800	notYetValidCert \|\| chainNotValidated \|\| hasExpiredCert \|\|
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	801	hasUnsignedEntry \|\|
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	802	aliasNotInStore \|\| notSignedByAlias) {
2 90ce3da70b43 Initial load duke parents: diff changeset	803
22315 529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	804	if (strict) {
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	805	System.out.println(rb.getString("jar.verified.with.signer.errors."));
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	806	System.out.println();
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	807	System.out.println(rb.getString("Error."));
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	808	errorAppeared = true;
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	809	} else {
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	810	System.out.println(rb.getString("jar.verified."));
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	811	System.out.println();
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	812	System.out.println(rb.getString("Warning."));
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	813	warningAppeared = true;
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	814	}
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	815
2 90ce3da70b43 Initial load duke parents: diff changeset	816	if (badKeyUsage) {
90ce3da70b43 Initial load duke parents: diff changeset	817	System.out.println(
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	818	rb.getString("This.jar.contains.entries.whose.signer.certificate.s.KeyUsage.extension.doesn.t.allow.code.signing."));
2 90ce3da70b43 Initial load duke parents: diff changeset	819	}
90ce3da70b43 Initial load duke parents: diff changeset	820
90ce3da70b43 Initial load duke parents: diff changeset	821	if (badExtendedKeyUsage) {
90ce3da70b43 Initial load duke parents: diff changeset	822	System.out.println(
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	823	rb.getString("This.jar.contains.entries.whose.signer.certificate.s.ExtendedKeyUsage.extension.doesn.t.allow.code.signing."));
2 90ce3da70b43 Initial load duke parents: diff changeset	824	}
90ce3da70b43 Initial load duke parents: diff changeset	825
90ce3da70b43 Initial load duke parents: diff changeset	826	if (badNetscapeCertType) {
90ce3da70b43 Initial load duke parents: diff changeset	827	System.out.println(
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	828	rb.getString("This.jar.contains.entries.whose.signer.certificate.s.NetscapeCertType.extension.doesn.t.allow.code.signing."));
2 90ce3da70b43 Initial load duke parents: diff changeset	829	}
90ce3da70b43 Initial load duke parents: diff changeset	830
90ce3da70b43 Initial load duke parents: diff changeset	831	if (hasUnsignedEntry) {
90ce3da70b43 Initial load duke parents: diff changeset	832	System.out.println(rb.getString(
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	833	"This.jar.contains.unsigned.entries.which.have.not.been.integrity.checked."));
2 90ce3da70b43 Initial load duke parents: diff changeset	834	}
90ce3da70b43 Initial load duke parents: diff changeset	835	if (hasExpiredCert) {
90ce3da70b43 Initial load duke parents: diff changeset	836	System.out.println(rb.getString(
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	837	"This.jar.contains.entries.whose.signer.certificate.has.expired."));
2 90ce3da70b43 Initial load duke parents: diff changeset	838	}
90ce3da70b43 Initial load duke parents: diff changeset	839	if (notYetValidCert) {
90ce3da70b43 Initial load duke parents: diff changeset	840	System.out.println(rb.getString(
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	841	"This.jar.contains.entries.whose.signer.certificate.is.not.yet.valid."));
2 90ce3da70b43 Initial load duke parents: diff changeset	842	}
90ce3da70b43 Initial load duke parents: diff changeset	843
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	844	if (chainNotValidated) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	845	System.out.println(
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	846	rb.getString("This.jar.contains.entries.whose.certificate.chain.is.not.validated."));
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	847	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	848
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	849	if (notSignedByAlias) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	850	System.out.println(
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	851	rb.getString("This.jar.contains.signed.entries.which.is.not.signed.by.the.specified.alias.es."));
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	852	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	853
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	854	if (aliasNotInStore) {
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	855	System.out.println(rb.getString("This.jar.contains.signed.entries.that.s.not.signed.by.alias.in.this.keystore."));
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	856	}
22315 529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	857	} else {
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	858	System.out.println(rb.getString("jar.verified."));
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	859	}
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	860	if (hasExpiringCert \|\| noTimestamp) {
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	861	if (!warningAppeared) {
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	862	System.out.println();
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	863	System.out.println(rb.getString("Warning."));
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	864	warningAppeared = true;
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	865	}
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	866	if (hasExpiringCert) {
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	867	System.out.println(rb.getString(
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	868	"This.jar.contains.entries.whose.signer.certificate.will.expire.within.six.months."));
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	869	}
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	870	if (noTimestamp) {
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	871	System.out.println(
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	872	String.format(rb.getString("no.timestamp.verifying"), expireDate));
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	873	}
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	874	}
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	875	if (warningAppeared \|\| errorAppeared) {
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	876	if (! (verbose != null && showcerts)) {
2 90ce3da70b43 Initial load duke parents: diff changeset	877	System.out.println();
90ce3da70b43 Initial load duke parents: diff changeset	878	System.out.println(rb.getString(
22315 529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	879	"Re.run.with.the.verbose.and.certs.options.for.more.details."));
2 90ce3da70b43 Initial load duke parents: diff changeset	880	}
90ce3da70b43 Initial load duke parents: diff changeset	881	}
90ce3da70b43 Initial load duke parents: diff changeset	882	}
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	883	return;
2 90ce3da70b43 Initial load duke parents: diff changeset	884	} catch (Exception e) {
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	885	System.out.println(rb.getString("jarsigner.") + e);
2 90ce3da70b43 Initial load duke parents: diff changeset	886	if (debug) {
90ce3da70b43 Initial load duke parents: diff changeset	887	e.printStackTrace();
90ce3da70b43 Initial load duke parents: diff changeset	888	}
90ce3da70b43 Initial load duke parents: diff changeset	889	} finally { // close the resource
90ce3da70b43 Initial load duke parents: diff changeset	890	if (jf != null) {
90ce3da70b43 Initial load duke parents: diff changeset	891	jf.close();
90ce3da70b43 Initial load duke parents: diff changeset	892	}
90ce3da70b43 Initial load duke parents: diff changeset	893	}
90ce3da70b43 Initial load duke parents: diff changeset	894
90ce3da70b43 Initial load duke parents: diff changeset	895	System.exit(1);
90ce3da70b43 Initial load duke parents: diff changeset	896	}
90ce3da70b43 Initial load duke parents: diff changeset	897
90ce3da70b43 Initial load duke parents: diff changeset	898	private static MessageFormat validityTimeForm = null;
90ce3da70b43 Initial load duke parents: diff changeset	899	private static MessageFormat notYetTimeForm = null;
90ce3da70b43 Initial load duke parents: diff changeset	900	private static MessageFormat expiredTimeForm = null;
90ce3da70b43 Initial load duke parents: diff changeset	901	private static MessageFormat expiringTimeForm = null;
90ce3da70b43 Initial load duke parents: diff changeset	902
90ce3da70b43 Initial load duke parents: diff changeset	903	/*
90ce3da70b43 Initial load duke parents: diff changeset	904	* Display some details about a certificate:
90ce3da70b43 Initial load duke parents: diff changeset	905	*
90ce3da70b43 Initial load duke parents: diff changeset	906	* [<tab>] <cert-type> [", " <subject-DN>] [" (" <keystore-entry-alias> ")"]
90ce3da70b43 Initial load duke parents: diff changeset	907	* [<validity-period> \| <expiry-warning>]
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	908	*
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	909	* Note: no newline character at the end
2 90ce3da70b43 Initial load duke parents: diff changeset	910	*/
90ce3da70b43 Initial load duke parents: diff changeset	911	String printCert(String tab, Certificate c, boolean checkValidityPeriod,
12046 378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	912	Date timestamp, boolean checkUsage) {
2 90ce3da70b43 Initial load duke parents: diff changeset	913
90ce3da70b43 Initial load duke parents: diff changeset	914	StringBuilder certStr = new StringBuilder();
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	915	String space = rb.getString("SPACE");
2 90ce3da70b43 Initial load duke parents: diff changeset	916	X509Certificate x509Cert = null;
90ce3da70b43 Initial load duke parents: diff changeset	917
90ce3da70b43 Initial load duke parents: diff changeset	918	if (c instanceof X509Certificate) {
90ce3da70b43 Initial load duke parents: diff changeset	919	x509Cert = (X509Certificate) c;
90ce3da70b43 Initial load duke parents: diff changeset	920	certStr.append(tab).append(x509Cert.getType())
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	921	.append(rb.getString("COMMA"))
2 90ce3da70b43 Initial load duke parents: diff changeset	922	.append(x509Cert.getSubjectDN().getName());
90ce3da70b43 Initial load duke parents: diff changeset	923	} else {
90ce3da70b43 Initial load duke parents: diff changeset	924	certStr.append(tab).append(c.getType());
90ce3da70b43 Initial load duke parents: diff changeset	925	}
90ce3da70b43 Initial load duke parents: diff changeset	926
90ce3da70b43 Initial load duke parents: diff changeset	927	String alias = storeHash.get(c);
90ce3da70b43 Initial load duke parents: diff changeset	928	if (alias != null) {
90ce3da70b43 Initial load duke parents: diff changeset	929	certStr.append(space).append(alias);
90ce3da70b43 Initial load duke parents: diff changeset	930	}
90ce3da70b43 Initial load duke parents: diff changeset	931
90ce3da70b43 Initial load duke parents: diff changeset	932	if (checkValidityPeriod && x509Cert != null) {
90ce3da70b43 Initial load duke parents: diff changeset	933
90ce3da70b43 Initial load duke parents: diff changeset	934	certStr.append("\n").append(tab).append("[");
90ce3da70b43 Initial load duke parents: diff changeset	935	Date notAfter = x509Cert.getNotAfter();
90ce3da70b43 Initial load duke parents: diff changeset	936	try {
12046 378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	937	boolean printValidity = true;
378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	938	if (timestamp == null) {
22315 529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	939	if (expireDate.getTime() == 0 \|\| expireDate.after(notAfter)) {
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	940	expireDate = notAfter;
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	941	}
12046 378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	942	x509Cert.checkValidity();
378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	943	// test if cert will expire within six months
378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	944	if (notAfter.getTime() < System.currentTimeMillis() + SIX_MONTHS) {
378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	945	hasExpiringCert = true;
378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	946	if (expiringTimeForm == null) {
378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	947	expiringTimeForm = new MessageFormat(
378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	948	rb.getString("certificate.will.expire.on"));
378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	949	}
378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	950	Object[] source = { notAfter };
378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	951	certStr.append(expiringTimeForm.format(source));
378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	952	printValidity = false;
378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	953	}
378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	954	} else {
378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	955	x509Cert.checkValidity(timestamp);
2 90ce3da70b43 Initial load duke parents: diff changeset	956	}
12046 378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	957	if (printValidity) {
2 90ce3da70b43 Initial load duke parents: diff changeset	958	if (validityTimeForm == null) {
90ce3da70b43 Initial load duke parents: diff changeset	959	validityTimeForm = new MessageFormat(
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	960	rb.getString("certificate.is.valid.from"));
2 90ce3da70b43 Initial load duke parents: diff changeset	961	}
90ce3da70b43 Initial load duke parents: diff changeset	962	Object[] source = { x509Cert.getNotBefore(), notAfter };
90ce3da70b43 Initial load duke parents: diff changeset	963	certStr.append(validityTimeForm.format(source));
90ce3da70b43 Initial load duke parents: diff changeset	964	}
90ce3da70b43 Initial load duke parents: diff changeset	965	} catch (CertificateExpiredException cee) {
90ce3da70b43 Initial load duke parents: diff changeset	966	hasExpiredCert = true;
90ce3da70b43 Initial load duke parents: diff changeset	967
90ce3da70b43 Initial load duke parents: diff changeset	968	if (expiredTimeForm == null) {
90ce3da70b43 Initial load duke parents: diff changeset	969	expiredTimeForm = new MessageFormat(
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	970	rb.getString("certificate.expired.on"));
2 90ce3da70b43 Initial load duke parents: diff changeset	971	}
90ce3da70b43 Initial load duke parents: diff changeset	972	Object[] source = { notAfter };
90ce3da70b43 Initial load duke parents: diff changeset	973	certStr.append(expiredTimeForm.format(source));
90ce3da70b43 Initial load duke parents: diff changeset	974
90ce3da70b43 Initial load duke parents: diff changeset	975	} catch (CertificateNotYetValidException cnyve) {
90ce3da70b43 Initial load duke parents: diff changeset	976	notYetValidCert = true;
90ce3da70b43 Initial load duke parents: diff changeset	977
90ce3da70b43 Initial load duke parents: diff changeset	978	if (notYetTimeForm == null) {
90ce3da70b43 Initial load duke parents: diff changeset	979	notYetTimeForm = new MessageFormat(
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	980	rb.getString("certificate.is.not.valid.until"));
2 90ce3da70b43 Initial load duke parents: diff changeset	981	}
90ce3da70b43 Initial load duke parents: diff changeset	982	Object[] source = { x509Cert.getNotBefore() };
90ce3da70b43 Initial load duke parents: diff changeset	983	certStr.append(notYetTimeForm.format(source));
90ce3da70b43 Initial load duke parents: diff changeset	984	}
90ce3da70b43 Initial load duke parents: diff changeset	985	certStr.append("]");
90ce3da70b43 Initial load duke parents: diff changeset	986
7525 16d2b5e6517a 7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert weijun parents: 7524 diff changeset	987	if (checkUsage) {
16d2b5e6517a 7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert weijun parents: 7524 diff changeset	988	boolean[] bad = new boolean[3];
16d2b5e6517a 7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert weijun parents: 7524 diff changeset	989	checkCertUsage(x509Cert, bad);
16d2b5e6517a 7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert weijun parents: 7524 diff changeset	990	if (bad[0] \|\| bad[1] \|\| bad[2]) {
16d2b5e6517a 7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert weijun parents: 7524 diff changeset	991	String x = "";
16d2b5e6517a 7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert weijun parents: 7524 diff changeset	992	if (bad[0]) {
16d2b5e6517a 7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert weijun parents: 7524 diff changeset	993	x ="KeyUsage";
16d2b5e6517a 7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert weijun parents: 7524 diff changeset	994	}
16d2b5e6517a 7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert weijun parents: 7524 diff changeset	995	if (bad[1]) {
16d2b5e6517a 7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert weijun parents: 7524 diff changeset	996	if (x.length() > 0) x = x + ", ";
16d2b5e6517a 7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert weijun parents: 7524 diff changeset	997	x = x + "ExtendedKeyUsage";
16d2b5e6517a 7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert weijun parents: 7524 diff changeset	998	}
16d2b5e6517a 7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert weijun parents: 7524 diff changeset	999	if (bad[2]) {
16d2b5e6517a 7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert weijun parents: 7524 diff changeset	1000	if (x.length() > 0) x = x + ", ";
16d2b5e6517a 7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert weijun parents: 7524 diff changeset	1001	x = x + "NetscapeCertType";
16d2b5e6517a 7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert weijun parents: 7524 diff changeset	1002	}
16d2b5e6517a 7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert weijun parents: 7524 diff changeset	1003	certStr.append("\n").append(tab)
2 90ce3da70b43 Initial load duke parents: diff changeset	1004	.append(MessageFormat.format(rb.getString(
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1005	".{0}.extension.does.not.support.code.signing."), x));
7525 16d2b5e6517a 7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert weijun parents: 7524 diff changeset	1006	}
2 90ce3da70b43 Initial load duke parents: diff changeset	1007	}
90ce3da70b43 Initial load duke parents: diff changeset	1008	}
90ce3da70b43 Initial load duke parents: diff changeset	1009	return certStr.toString();
90ce3da70b43 Initial load duke parents: diff changeset	1010	}
90ce3da70b43 Initial load duke parents: diff changeset	1011
90ce3da70b43 Initial load duke parents: diff changeset	1012	private static MessageFormat signTimeForm = null;
90ce3da70b43 Initial load duke parents: diff changeset	1013
90ce3da70b43 Initial load duke parents: diff changeset	1014	private String printTimestamp(String tab, Timestamp timestamp) {
90ce3da70b43 Initial load duke parents: diff changeset	1015
90ce3da70b43 Initial load duke parents: diff changeset	1016	if (signTimeForm == null) {
90ce3da70b43 Initial load duke parents: diff changeset	1017	signTimeForm =
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1018	new MessageFormat(rb.getString("entry.was.signed.on"));
2 90ce3da70b43 Initial load duke parents: diff changeset	1019	}
90ce3da70b43 Initial load duke parents: diff changeset	1020	Object[] source = { timestamp.getTimestamp() };
90ce3da70b43 Initial load duke parents: diff changeset	1021
90ce3da70b43 Initial load duke parents: diff changeset	1022	return new StringBuilder().append(tab).append("[")
90ce3da70b43 Initial load duke parents: diff changeset	1023	.append(signTimeForm.format(source)).append("]").toString();
90ce3da70b43 Initial load duke parents: diff changeset	1024	}
90ce3da70b43 Initial load duke parents: diff changeset	1025
7977 f47f211cd627 7008713: diamond conversion of kerberos5 and security tools smarks parents: 7525 diff changeset	1026	private Map<CodeSigner,Integer> cacheForInKS = new IdentityHashMap<>();
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1027
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1028	private int inKeyStoreForOneSigner(CodeSigner signer) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1029	if (cacheForInKS.containsKey(signer)) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1030	return cacheForInKS.get(signer);
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1031	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1032
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1033	boolean found = false;
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1034	int result = 0;
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1035	List<? extends Certificate> certs = signer.getSignerCertPath().getCertificates();
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1036	for (Certificate c : certs) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1037	String alias = storeHash.get(c);
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1038	if (alias != null) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1039	if (alias.startsWith("(")) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1040	result \|= IN_KEYSTORE;
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1041	} else if (alias.startsWith("[")) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1042	result \|= IN_SCOPE;
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1043	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1044	if (ckaliases.contains(alias.substring(1, alias.length() - 1))) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1045	result \|= SIGNED_BY_ALIAS;
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1046	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1047	} else {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1048	if (store != null) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1049	try {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1050	alias = store.getCertificateAlias(c);
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1051	} catch (KeyStoreException kse) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1052	// never happens, because keystore has been loaded
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1053	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1054	if (alias != null) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1055	storeHash.put(c, "(" + alias + ")");
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1056	found = true;
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1057	result \|= IN_KEYSTORE;
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1058	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1059	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1060	if (ckaliases.contains(alias)) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1061	result \|= SIGNED_BY_ALIAS;
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1062	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1063	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1064	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1065	cacheForInKS.put(signer, result);
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1066	return result;
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1067	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1068
7977 f47f211cd627 7008713: diamond conversion of kerberos5 and security tools smarks parents: 7525 diff changeset	1069	Hashtable<Certificate, String> storeHash = new Hashtable<>();
2 90ce3da70b43 Initial load duke parents: diff changeset	1070
90ce3da70b43 Initial load duke parents: diff changeset	1071	int inKeyStore(CodeSigner[] signers) {
90ce3da70b43 Initial load duke parents: diff changeset	1072
90ce3da70b43 Initial load duke parents: diff changeset	1073	if (signers == null)
90ce3da70b43 Initial load duke parents: diff changeset	1074	return 0;
90ce3da70b43 Initial load duke parents: diff changeset	1075
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1076	int output = 0;
2 90ce3da70b43 Initial load duke parents: diff changeset	1077
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1078	for (CodeSigner signer: signers) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1079	int result = inKeyStoreForOneSigner(signer);
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1080	output \|= result;
2 90ce3da70b43 Initial load duke parents: diff changeset	1081	}
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1082	if (ckaliases.size() > 0 && (output & SIGNED_BY_ALIAS) == 0) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1083	output \|= NOT_ALIAS;
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1084	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1085	return output;
2 90ce3da70b43 Initial load duke parents: diff changeset	1086	}
90ce3da70b43 Initial load duke parents: diff changeset	1087
90ce3da70b43 Initial load duke parents: diff changeset	1088	void signJar(String jarName, String alias, String[] args)
90ce3da70b43 Initial load duke parents: diff changeset	1089	throws Exception {
90ce3da70b43 Initial load duke parents: diff changeset	1090	boolean aliasUsed = false;
90ce3da70b43 Initial load duke parents: diff changeset	1091	X509Certificate tsaCert = null;
90ce3da70b43 Initial load duke parents: diff changeset	1092
90ce3da70b43 Initial load duke parents: diff changeset	1093	if (sigfile == null) {
90ce3da70b43 Initial load duke parents: diff changeset	1094	sigfile = alias;
90ce3da70b43 Initial load duke parents: diff changeset	1095	aliasUsed = true;
90ce3da70b43 Initial load duke parents: diff changeset	1096	}
90ce3da70b43 Initial load duke parents: diff changeset	1097
90ce3da70b43 Initial load duke parents: diff changeset	1098	if (sigfile.length() > 8) {
4152 bc36a9f01ac6 6870812: enhance security tools to use ECC algorithms weijun parents: 3951 diff changeset	1099	sigfile = sigfile.substring(0, 8).toUpperCase(Locale.ENGLISH);
2 90ce3da70b43 Initial load duke parents: diff changeset	1100	} else {
4152 bc36a9f01ac6 6870812: enhance security tools to use ECC algorithms weijun parents: 3951 diff changeset	1101	sigfile = sigfile.toUpperCase(Locale.ENGLISH);
2 90ce3da70b43 Initial load duke parents: diff changeset	1102	}
90ce3da70b43 Initial load duke parents: diff changeset	1103
90ce3da70b43 Initial load duke parents: diff changeset	1104	StringBuilder tmpSigFile = new StringBuilder(sigfile.length());
90ce3da70b43 Initial load duke parents: diff changeset	1105	for (int j = 0; j < sigfile.length(); j++) {
90ce3da70b43 Initial load duke parents: diff changeset	1106	char c = sigfile.charAt(j);
90ce3da70b43 Initial load duke parents: diff changeset	1107	if (!
90ce3da70b43 Initial load duke parents: diff changeset	1108	((c>= 'A' && c<= 'Z') \|\|
90ce3da70b43 Initial load duke parents: diff changeset	1109	(c>= '0' && c<= '9') \|\|
90ce3da70b43 Initial load duke parents: diff changeset	1110	(c == '-') \|\|
90ce3da70b43 Initial load duke parents: diff changeset	1111	(c == '_'))) {
90ce3da70b43 Initial load duke parents: diff changeset	1112	if (aliasUsed) {
90ce3da70b43 Initial load duke parents: diff changeset	1113	// convert illegal characters from the alias to be _'s
90ce3da70b43 Initial load duke parents: diff changeset	1114	c = '_';
90ce3da70b43 Initial load duke parents: diff changeset	1115	} else {
90ce3da70b43 Initial load duke parents: diff changeset	1116	throw new
90ce3da70b43 Initial load duke parents: diff changeset	1117	RuntimeException(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1118	("signature.filename.must.consist.of.the.following.characters.A.Z.0.9.or."));
2 90ce3da70b43 Initial load duke parents: diff changeset	1119	}
90ce3da70b43 Initial load duke parents: diff changeset	1120	}
90ce3da70b43 Initial load duke parents: diff changeset	1121	tmpSigFile.append(c);
90ce3da70b43 Initial load duke parents: diff changeset	1122	}
90ce3da70b43 Initial load duke parents: diff changeset	1123
90ce3da70b43 Initial load duke parents: diff changeset	1124	sigfile = tmpSigFile.toString();
90ce3da70b43 Initial load duke parents: diff changeset	1125
90ce3da70b43 Initial load duke parents: diff changeset	1126	String tmpJarName;
90ce3da70b43 Initial load duke parents: diff changeset	1127	if (signedjar == null) tmpJarName = jarName+".sig";
90ce3da70b43 Initial load duke parents: diff changeset	1128	else tmpJarName = signedjar;
90ce3da70b43 Initial load duke parents: diff changeset	1129
90ce3da70b43 Initial load duke parents: diff changeset	1130	File jarFile = new File(jarName);
90ce3da70b43 Initial load duke parents: diff changeset	1131	File signedJarFile = new File(tmpJarName);
90ce3da70b43 Initial load duke parents: diff changeset	1132
90ce3da70b43 Initial load duke parents: diff changeset	1133	// Open the jar (zip) file
90ce3da70b43 Initial load duke parents: diff changeset	1134	try {
90ce3da70b43 Initial load duke parents: diff changeset	1135	zipFile = new ZipFile(jarName);
90ce3da70b43 Initial load duke parents: diff changeset	1136	} catch (IOException ioe) {
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1137	error(rb.getString("unable.to.open.jar.file.")+jarName, ioe);
2 90ce3da70b43 Initial load duke parents: diff changeset	1138	}
90ce3da70b43 Initial load duke parents: diff changeset	1139
90ce3da70b43 Initial load duke parents: diff changeset	1140	FileOutputStream fos = null;
90ce3da70b43 Initial load duke parents: diff changeset	1141	try {
90ce3da70b43 Initial load duke parents: diff changeset	1142	fos = new FileOutputStream(signedJarFile);
90ce3da70b43 Initial load duke parents: diff changeset	1143	} catch (IOException ioe) {
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1144	error(rb.getString("unable.to.create.")+tmpJarName, ioe);
2 90ce3da70b43 Initial load duke parents: diff changeset	1145	}
90ce3da70b43 Initial load duke parents: diff changeset	1146
90ce3da70b43 Initial load duke parents: diff changeset	1147	PrintStream ps = new PrintStream(fos);
90ce3da70b43 Initial load duke parents: diff changeset	1148	ZipOutputStream zos = new ZipOutputStream(ps);
90ce3da70b43 Initial load duke parents: diff changeset	1149
90ce3da70b43 Initial load duke parents: diff changeset	1150	/* First guess at what they might be - we don't xclude RSA ones. */
4152 bc36a9f01ac6 6870812: enhance security tools to use ECC algorithms weijun parents: 3951 diff changeset	1151	String sfFilename = (META_INF + sigfile + ".SF").toUpperCase(Locale.ENGLISH);
bc36a9f01ac6 6870812: enhance security tools to use ECC algorithms weijun parents: 3951 diff changeset	1152	String bkFilename = (META_INF + sigfile + ".DSA").toUpperCase(Locale.ENGLISH);
2 90ce3da70b43 Initial load duke parents: diff changeset	1153
90ce3da70b43 Initial load duke parents: diff changeset	1154	Manifest manifest = new Manifest();
90ce3da70b43 Initial load duke parents: diff changeset	1155	Map<String,Attributes> mfEntries = manifest.getEntries();
90ce3da70b43 Initial load duke parents: diff changeset	1156
90ce3da70b43 Initial load duke parents: diff changeset	1157	// The Attributes of manifest before updating
90ce3da70b43 Initial load duke parents: diff changeset	1158	Attributes oldAttr = null;
90ce3da70b43 Initial load duke parents: diff changeset	1159
90ce3da70b43 Initial load duke parents: diff changeset	1160	boolean mfModified = false;
90ce3da70b43 Initial load duke parents: diff changeset	1161	boolean mfCreated = false;
90ce3da70b43 Initial load duke parents: diff changeset	1162	byte[] mfRawBytes = null;
90ce3da70b43 Initial load duke parents: diff changeset	1163
90ce3da70b43 Initial load duke parents: diff changeset	1164	try {
90ce3da70b43 Initial load duke parents: diff changeset	1165	MessageDigest digests[] = { MessageDigest.getInstance(digestalg) };
90ce3da70b43 Initial load duke parents: diff changeset	1166
90ce3da70b43 Initial load duke parents: diff changeset	1167	// Check if manifest exists
90ce3da70b43 Initial load duke parents: diff changeset	1168	ZipEntry mfFile;
90ce3da70b43 Initial load duke parents: diff changeset	1169	if ((mfFile = getManifestFile(zipFile)) != null) {
90ce3da70b43 Initial load duke parents: diff changeset	1170	// Manifest exists. Read its raw bytes.
90ce3da70b43 Initial load duke parents: diff changeset	1171	mfRawBytes = getBytes(zipFile, mfFile);
90ce3da70b43 Initial load duke parents: diff changeset	1172	manifest.read(new ByteArrayInputStream(mfRawBytes));
90ce3da70b43 Initial load duke parents: diff changeset	1173	oldAttr = (Attributes)(manifest.getMainAttributes().clone());
90ce3da70b43 Initial load duke parents: diff changeset	1174	} else {
90ce3da70b43 Initial load duke parents: diff changeset	1175	// Create new manifest
90ce3da70b43 Initial load duke parents: diff changeset	1176	Attributes mattr = manifest.getMainAttributes();
90ce3da70b43 Initial load duke parents: diff changeset	1177	mattr.putValue(Attributes.Name.MANIFEST_VERSION.toString(),
90ce3da70b43 Initial load duke parents: diff changeset	1178	"1.0");
90ce3da70b43 Initial load duke parents: diff changeset	1179	String javaVendor = System.getProperty("java.vendor");
90ce3da70b43 Initial load duke parents: diff changeset	1180	String jdkVersion = System.getProperty("java.version");
90ce3da70b43 Initial load duke parents: diff changeset	1181	mattr.putValue("Created-By", jdkVersion + " (" +javaVendor
90ce3da70b43 Initial load duke parents: diff changeset	1182	+ ")");
90ce3da70b43 Initial load duke parents: diff changeset	1183	mfFile = new ZipEntry(JarFile.MANIFEST_NAME);
90ce3da70b43 Initial load duke parents: diff changeset	1184	mfCreated = true;
90ce3da70b43 Initial load duke parents: diff changeset	1185	}
90ce3da70b43 Initial load duke parents: diff changeset	1186
90ce3da70b43 Initial load duke parents: diff changeset	1187	/*
90ce3da70b43 Initial load duke parents: diff changeset	1188	* For each entry in jar
90ce3da70b43 Initial load duke parents: diff changeset	1189	* (except for signature-related META-INF entries),
90ce3da70b43 Initial load duke parents: diff changeset	1190	* do the following:
90ce3da70b43 Initial load duke parents: diff changeset	1191	*
90ce3da70b43 Initial load duke parents: diff changeset	1192	* - if entry is not contained in manifest, add it to manifest;
90ce3da70b43 Initial load duke parents: diff changeset	1193	* - if entry is contained in manifest, calculate its hash and
90ce3da70b43 Initial load duke parents: diff changeset	1194	* compare it with the one in the manifest; if they are
90ce3da70b43 Initial load duke parents: diff changeset	1195	* different, replace the hash in the manifest with the newly
90ce3da70b43 Initial load duke parents: diff changeset	1196	* generated one. (This may invalidate existing signatures!)
90ce3da70b43 Initial load duke parents: diff changeset	1197	*/
7977 f47f211cd627 7008713: diamond conversion of kerberos5 and security tools smarks parents: 7525 diff changeset	1198	Vector<ZipEntry> mfFiles = new Vector<>();
2 90ce3da70b43 Initial load duke parents: diff changeset	1199
5461 a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1200	boolean wasSigned = false;
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1201
2 90ce3da70b43 Initial load duke parents: diff changeset	1202	for (Enumeration<? extends ZipEntry> enum_=zipFile.entries();
90ce3da70b43 Initial load duke parents: diff changeset	1203	enum_.hasMoreElements();) {
90ce3da70b43 Initial load duke parents: diff changeset	1204	ZipEntry ze = enum_.nextElement();
90ce3da70b43 Initial load duke parents: diff changeset	1205
90ce3da70b43 Initial load duke parents: diff changeset	1206	if (ze.getName().startsWith(META_INF)) {
90ce3da70b43 Initial load duke parents: diff changeset	1207	// Store META-INF files in vector, so they can be written
90ce3da70b43 Initial load duke parents: diff changeset	1208	// out first
90ce3da70b43 Initial load duke parents: diff changeset	1209	mfFiles.addElement(ze);
90ce3da70b43 Initial load duke parents: diff changeset	1210
5461 a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1211	if (SignatureFileVerifier.isBlockOrSF(
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1212	ze.getName().toUpperCase(Locale.ENGLISH))) {
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1213	wasSigned = true;
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1214	}
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1215
2 90ce3da70b43 Initial load duke parents: diff changeset	1216	if (signatureRelated(ze.getName())) {
90ce3da70b43 Initial load duke parents: diff changeset	1217	// ignore signature-related and manifest files
90ce3da70b43 Initial load duke parents: diff changeset	1218	continue;
90ce3da70b43 Initial load duke parents: diff changeset	1219	}
90ce3da70b43 Initial load duke parents: diff changeset	1220	}
90ce3da70b43 Initial load duke parents: diff changeset	1221
90ce3da70b43 Initial load duke parents: diff changeset	1222	if (manifest.getAttributes(ze.getName()) != null) {
90ce3da70b43 Initial load duke parents: diff changeset	1223	// jar entry is contained in manifest, check and
90ce3da70b43 Initial load duke parents: diff changeset	1224	// possibly update its digest attributes
16020 b57c48f16179 8006182: cleanup to use java.util.Base64 in java security component, providers, and regression tests msheppar parents: 14421 diff changeset	1225	if (updateDigests(ze, zipFile, digests,
2 90ce3da70b43 Initial load duke parents: diff changeset	1226	manifest) == true) {
90ce3da70b43 Initial load duke parents: diff changeset	1227	mfModified = true;
90ce3da70b43 Initial load duke parents: diff changeset	1228	}
90ce3da70b43 Initial load duke parents: diff changeset	1229	} else if (!ze.isDirectory()) {
90ce3da70b43 Initial load duke parents: diff changeset	1230	// Add entry to manifest
90ce3da70b43 Initial load duke parents: diff changeset	1231	Attributes attrs = getDigestAttributes(ze, zipFile,
16020 b57c48f16179 8006182: cleanup to use java.util.Base64 in java security component, providers, and regression tests msheppar parents: 14421 diff changeset	1232	digests);
2 90ce3da70b43 Initial load duke parents: diff changeset	1233	mfEntries.put(ze.getName(), attrs);
90ce3da70b43 Initial load duke parents: diff changeset	1234	mfModified = true;
90ce3da70b43 Initial load duke parents: diff changeset	1235	}
90ce3da70b43 Initial load duke parents: diff changeset	1236	}
90ce3da70b43 Initial load duke parents: diff changeset	1237
90ce3da70b43 Initial load duke parents: diff changeset	1238	// Recalculate the manifest raw bytes if necessary
90ce3da70b43 Initial load duke parents: diff changeset	1239	if (mfModified) {
90ce3da70b43 Initial load duke parents: diff changeset	1240	ByteArrayOutputStream baos = new ByteArrayOutputStream();
90ce3da70b43 Initial load duke parents: diff changeset	1241	manifest.write(baos);
5461 a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1242	if (wasSigned) {
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1243	byte[] newBytes = baos.toByteArray();
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1244	if (mfRawBytes != null
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1245	&& oldAttr.equals(manifest.getMainAttributes())) {
2 90ce3da70b43 Initial load duke parents: diff changeset	1246
5461 a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1247	/*
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1248	* Note:
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1249	*
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1250	* The Attributes object is based on HashMap and can handle
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1251	* continuation columns. Therefore, even if the contents are
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1252	* not changed (in a Map view), the bytes that it write()
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1253	* may be different from the original bytes that it read()
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1254	* from. Since the signature on the main attributes is based
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1255	* on raw bytes, we must retain the exact bytes.
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1256	*/
2 90ce3da70b43 Initial load duke parents: diff changeset	1257
5461 a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1258	int newPos = findHeaderEnd(newBytes);
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1259	int oldPos = findHeaderEnd(mfRawBytes);
2 90ce3da70b43 Initial load duke parents: diff changeset	1260
5461 a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1261	if (newPos == oldPos) {
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1262	System.arraycopy(mfRawBytes, 0, newBytes, 0, oldPos);
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1263	} else {
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1264	// cat oldHead newTail > newBytes
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1265	byte[] lastBytes = new byte[oldPos +
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1266	newBytes.length - newPos];
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1267	System.arraycopy(mfRawBytes, 0, lastBytes, 0, oldPos);
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1268	System.arraycopy(newBytes, newPos, lastBytes, oldPos,
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1269	newBytes.length - newPos);
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1270	newBytes = lastBytes;
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1271	}
2 90ce3da70b43 Initial load duke parents: diff changeset	1272	}
5461 a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1273	mfRawBytes = newBytes;
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1274	} else {
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1275	mfRawBytes = baos.toByteArray();
2 90ce3da70b43 Initial load duke parents: diff changeset	1276	}
90ce3da70b43 Initial load duke parents: diff changeset	1277	}
90ce3da70b43 Initial load duke parents: diff changeset	1278
90ce3da70b43 Initial load duke parents: diff changeset	1279	// Write out the manifest
90ce3da70b43 Initial load duke parents: diff changeset	1280	if (mfModified) {
90ce3da70b43 Initial load duke parents: diff changeset	1281	// manifest file has new length
90ce3da70b43 Initial load duke parents: diff changeset	1282	mfFile = new ZipEntry(JarFile.MANIFEST_NAME);
90ce3da70b43 Initial load duke parents: diff changeset	1283	}
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1284	if (verbose != null) {
2 90ce3da70b43 Initial load duke parents: diff changeset	1285	if (mfCreated) {
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1286	System.out.println(rb.getString(".adding.") +
2 90ce3da70b43 Initial load duke parents: diff changeset	1287	mfFile.getName());
90ce3da70b43 Initial load duke parents: diff changeset	1288	} else if (mfModified) {
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1289	System.out.println(rb.getString(".updating.") +
2 90ce3da70b43 Initial load duke parents: diff changeset	1290	mfFile.getName());
90ce3da70b43 Initial load duke parents: diff changeset	1291	}
90ce3da70b43 Initial load duke parents: diff changeset	1292	}
90ce3da70b43 Initial load duke parents: diff changeset	1293	zos.putNextEntry(mfFile);
90ce3da70b43 Initial load duke parents: diff changeset	1294	zos.write(mfRawBytes);
90ce3da70b43 Initial load duke parents: diff changeset	1295
90ce3da70b43 Initial load duke parents: diff changeset	1296	// Calculate SignatureFile (".SF") and SignatureBlockFile
90ce3da70b43 Initial load duke parents: diff changeset	1297	ManifestDigester manDig = new ManifestDigester(mfRawBytes);
90ce3da70b43 Initial load duke parents: diff changeset	1298	SignatureFile sf = new SignatureFile(digests, manifest, manDig,
90ce3da70b43 Initial load duke parents: diff changeset	1299	sigfile, signManifest);
90ce3da70b43 Initial load duke parents: diff changeset	1300
90ce3da70b43 Initial load duke parents: diff changeset	1301	if (tsaAlias != null) {
90ce3da70b43 Initial load duke parents: diff changeset	1302	tsaCert = getTsaCert(tsaAlias);
90ce3da70b43 Initial load duke parents: diff changeset	1303	}
90ce3da70b43 Initial load duke parents: diff changeset	1304
22315 529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	1305	if (tsaUrl == null && tsaCert == null) {
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	1306	noTimestamp = true;
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	1307	}
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	1308
2 90ce3da70b43 Initial load duke parents: diff changeset	1309	SignatureFile.Block block = null;
90ce3da70b43 Initial load duke parents: diff changeset	1310
90ce3da70b43 Initial load duke parents: diff changeset	1311	try {
90ce3da70b43 Initial load duke parents: diff changeset	1312	block =
8556 d3d6e4643560 7021789: Remove jarsigner -crl option weijun parents: 7977 diff changeset	1313	sf.generateBlock(privateKey, sigalg, certChain,
24034 31fe17eef94a 8038837: Add support to jarsigner for specifying timestamp hash algorithm weijun parents: 23912 diff changeset	1314	externalSF, tsaUrl, tsaCert, tSAPolicyID, tSADigestAlg,
31fe17eef94a 8038837: Add support to jarsigner for specifying timestamp hash algorithm weijun parents: 23912 diff changeset	1315	signingMechanism, args, zipFile);
2 90ce3da70b43 Initial load duke parents: diff changeset	1316	} catch (SocketTimeoutException e) {
90ce3da70b43 Initial load duke parents: diff changeset	1317	// Provide a helpful message when TSA is beyond a firewall
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1318	error(rb.getString("unable.to.sign.jar.") +
4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1319	rb.getString("no.response.from.the.Timestamping.Authority.") +
8994 ef946d820d04 7028490: better suggestion for jarsigner when TSA is not accessible weijun parents: 8556 diff changeset	1320	"\n -J-Dhttp.proxyHost=<hostname>" +
ef946d820d04 7028490: better suggestion for jarsigner when TSA is not accessible weijun parents: 8556 diff changeset	1321	"\n -J-Dhttp.proxyPort=<portnumber>\n" +
ef946d820d04 7028490: better suggestion for jarsigner when TSA is not accessible weijun parents: 8556 diff changeset	1322	rb.getString("or") +
ef946d820d04 7028490: better suggestion for jarsigner when TSA is not accessible weijun parents: 8556 diff changeset	1323	"\n -J-Dhttps.proxyHost=<hostname> " +
ef946d820d04 7028490: better suggestion for jarsigner when TSA is not accessible weijun parents: 8556 diff changeset	1324	"\n -J-Dhttps.proxyPort=<portnumber> ", e);
2 90ce3da70b43 Initial load duke parents: diff changeset	1325	}
90ce3da70b43 Initial load duke parents: diff changeset	1326
90ce3da70b43 Initial load duke parents: diff changeset	1327	sfFilename = sf.getMetaName();
90ce3da70b43 Initial load duke parents: diff changeset	1328	bkFilename = block.getMetaName();
90ce3da70b43 Initial load duke parents: diff changeset	1329
90ce3da70b43 Initial load duke parents: diff changeset	1330	ZipEntry sfFile = new ZipEntry(sfFilename);
90ce3da70b43 Initial load duke parents: diff changeset	1331	ZipEntry bkFile = new ZipEntry(bkFilename);
90ce3da70b43 Initial load duke parents: diff changeset	1332
90ce3da70b43 Initial load duke parents: diff changeset	1333	long time = System.currentTimeMillis();
90ce3da70b43 Initial load duke parents: diff changeset	1334	sfFile.setTime(time);
90ce3da70b43 Initial load duke parents: diff changeset	1335	bkFile.setTime(time);
90ce3da70b43 Initial load duke parents: diff changeset	1336
90ce3da70b43 Initial load duke parents: diff changeset	1337	// signature file
90ce3da70b43 Initial load duke parents: diff changeset	1338	zos.putNextEntry(sfFile);
90ce3da70b43 Initial load duke parents: diff changeset	1339	sf.write(zos);
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1340	if (verbose != null) {
2 90ce3da70b43 Initial load duke parents: diff changeset	1341	if (zipFile.getEntry(sfFilename) != null) {
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1342	System.out.println(rb.getString(".updating.") +
2 90ce3da70b43 Initial load duke parents: diff changeset	1343	sfFilename);
90ce3da70b43 Initial load duke parents: diff changeset	1344	} else {
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1345	System.out.println(rb.getString(".adding.") +
2 90ce3da70b43 Initial load duke parents: diff changeset	1346	sfFilename);
90ce3da70b43 Initial load duke parents: diff changeset	1347	}
90ce3da70b43 Initial load duke parents: diff changeset	1348	}
90ce3da70b43 Initial load duke parents: diff changeset	1349
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1350	if (verbose != null) {
2 90ce3da70b43 Initial load duke parents: diff changeset	1351	if (tsaUrl != null \|\| tsaCert != null) {
90ce3da70b43 Initial load duke parents: diff changeset	1352	System.out.println(
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1353	rb.getString("requesting.a.signature.timestamp"));
2 90ce3da70b43 Initial load duke parents: diff changeset	1354	}
90ce3da70b43 Initial load duke parents: diff changeset	1355	if (tsaUrl != null) {
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1356	System.out.println(rb.getString("TSA.location.") + tsaUrl);
2 90ce3da70b43 Initial load duke parents: diff changeset	1357	}
90ce3da70b43 Initial load duke parents: diff changeset	1358	if (tsaCert != null) {
10788 680a3dbfcaba 7102686: Restructure timestamp code so that jars and modules can more easily share the same code mullan parents: 10427 diff changeset	1359	URI tsaURI = TimestampedSigner.getTimestampingURI(tsaCert);
680a3dbfcaba 7102686: Restructure timestamp code so that jars and modules can more easily share the same code mullan parents: 10427 diff changeset	1360	if (tsaURI != null) {
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1361	System.out.println(rb.getString("TSA.location.") +
10788 680a3dbfcaba 7102686: Restructure timestamp code so that jars and modules can more easily share the same code mullan parents: 10427 diff changeset	1362	tsaURI);
2 90ce3da70b43 Initial load duke parents: diff changeset	1363	}
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1364	System.out.println(rb.getString("TSA.certificate.") +
12046 378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	1365	printCert("", tsaCert, false, null, false));
2 90ce3da70b43 Initial load duke parents: diff changeset	1366	}
90ce3da70b43 Initial load duke parents: diff changeset	1367	if (signingMechanism != null) {
90ce3da70b43 Initial load duke parents: diff changeset	1368	System.out.println(
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1369	rb.getString("using.an.alternative.signing.mechanism"));
2 90ce3da70b43 Initial load duke parents: diff changeset	1370	}
90ce3da70b43 Initial load duke parents: diff changeset	1371	}
90ce3da70b43 Initial load duke parents: diff changeset	1372
90ce3da70b43 Initial load duke parents: diff changeset	1373	// signature block file
90ce3da70b43 Initial load duke parents: diff changeset	1374	zos.putNextEntry(bkFile);
90ce3da70b43 Initial load duke parents: diff changeset	1375	block.write(zos);
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1376	if (verbose != null) {
2 90ce3da70b43 Initial load duke parents: diff changeset	1377	if (zipFile.getEntry(bkFilename) != null) {
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1378	System.out.println(rb.getString(".updating.") +
2 90ce3da70b43 Initial load duke parents: diff changeset	1379	bkFilename);
90ce3da70b43 Initial load duke parents: diff changeset	1380	} else {
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1381	System.out.println(rb.getString(".adding.") +
2 90ce3da70b43 Initial load duke parents: diff changeset	1382	bkFilename);
90ce3da70b43 Initial load duke parents: diff changeset	1383	}
90ce3da70b43 Initial load duke parents: diff changeset	1384	}
90ce3da70b43 Initial load duke parents: diff changeset	1385
90ce3da70b43 Initial load duke parents: diff changeset	1386	// Write out all other META-INF files that we stored in the
90ce3da70b43 Initial load duke parents: diff changeset	1387	// vector
90ce3da70b43 Initial load duke parents: diff changeset	1388	for (int i=0; i<mfFiles.size(); i++) {
90ce3da70b43 Initial load duke parents: diff changeset	1389	ZipEntry ze = mfFiles.elementAt(i);
90ce3da70b43 Initial load duke parents: diff changeset	1390	if (!ze.getName().equalsIgnoreCase(JarFile.MANIFEST_NAME)
90ce3da70b43 Initial load duke parents: diff changeset	1391	&& !ze.getName().equalsIgnoreCase(sfFilename)
90ce3da70b43 Initial load duke parents: diff changeset	1392	&& !ze.getName().equalsIgnoreCase(bkFilename)) {
90ce3da70b43 Initial load duke parents: diff changeset	1393	writeEntry(zipFile, zos, ze);
90ce3da70b43 Initial load duke parents: diff changeset	1394	}
90ce3da70b43 Initial load duke parents: diff changeset	1395	}
90ce3da70b43 Initial load duke parents: diff changeset	1396
90ce3da70b43 Initial load duke parents: diff changeset	1397	// Write out all other files
90ce3da70b43 Initial load duke parents: diff changeset	1398	for (Enumeration<? extends ZipEntry> enum_=zipFile.entries();
90ce3da70b43 Initial load duke parents: diff changeset	1399	enum_.hasMoreElements();) {
90ce3da70b43 Initial load duke parents: diff changeset	1400	ZipEntry ze = enum_.nextElement();
90ce3da70b43 Initial load duke parents: diff changeset	1401
90ce3da70b43 Initial load duke parents: diff changeset	1402	if (!ze.getName().startsWith(META_INF)) {
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1403	if (verbose != null) {
2 90ce3da70b43 Initial load duke parents: diff changeset	1404	if (manifest.getAttributes(ze.getName()) != null)
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1405	System.out.println(rb.getString(".signing.") +
2 90ce3da70b43 Initial load duke parents: diff changeset	1406	ze.getName());
90ce3da70b43 Initial load duke parents: diff changeset	1407	else
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1408	System.out.println(rb.getString(".adding.") +
2 90ce3da70b43 Initial load duke parents: diff changeset	1409	ze.getName());
90ce3da70b43 Initial load duke parents: diff changeset	1410	}
90ce3da70b43 Initial load duke parents: diff changeset	1411	writeEntry(zipFile, zos, ze);
90ce3da70b43 Initial load duke parents: diff changeset	1412	}
90ce3da70b43 Initial load duke parents: diff changeset	1413	}
90ce3da70b43 Initial load duke parents: diff changeset	1414	} catch(IOException ioe) {
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1415	error(rb.getString("unable.to.sign.jar.")+ioe, ioe);
2 90ce3da70b43 Initial load duke parents: diff changeset	1416	} finally {
90ce3da70b43 Initial load duke parents: diff changeset	1417	// close the resouces
90ce3da70b43 Initial load duke parents: diff changeset	1418	if (zipFile != null) {
90ce3da70b43 Initial load duke parents: diff changeset	1419	zipFile.close();
90ce3da70b43 Initial load duke parents: diff changeset	1420	zipFile = null;
90ce3da70b43 Initial load duke parents: diff changeset	1421	}
90ce3da70b43 Initial load duke parents: diff changeset	1422
90ce3da70b43 Initial load duke parents: diff changeset	1423	if (zos != null) {
90ce3da70b43 Initial load duke parents: diff changeset	1424	zos.close();
90ce3da70b43 Initial load duke parents: diff changeset	1425	}
90ce3da70b43 Initial load duke parents: diff changeset	1426	}
90ce3da70b43 Initial load duke parents: diff changeset	1427
90ce3da70b43 Initial load duke parents: diff changeset	1428	// no IOException thrown in the follow try clause, so disable
90ce3da70b43 Initial load duke parents: diff changeset	1429	// the try clause.
90ce3da70b43 Initial load duke parents: diff changeset	1430	// try {
90ce3da70b43 Initial load duke parents: diff changeset	1431	if (signedjar == null) {
90ce3da70b43 Initial load duke parents: diff changeset	1432	// attempt an atomic rename. If that fails,
90ce3da70b43 Initial load duke parents: diff changeset	1433	// rename the original jar file, then the signed
90ce3da70b43 Initial load duke parents: diff changeset	1434	// one, then delete the original.
90ce3da70b43 Initial load duke parents: diff changeset	1435	if (!signedJarFile.renameTo(jarFile)) {
90ce3da70b43 Initial load duke parents: diff changeset	1436	File origJar = new File(jarName+".orig");
90ce3da70b43 Initial load duke parents: diff changeset	1437
90ce3da70b43 Initial load duke parents: diff changeset	1438	if (jarFile.renameTo(origJar)) {
90ce3da70b43 Initial load duke parents: diff changeset	1439	if (signedJarFile.renameTo(jarFile)) {
90ce3da70b43 Initial load duke parents: diff changeset	1440	origJar.delete();
90ce3da70b43 Initial load duke parents: diff changeset	1441	} else {
90ce3da70b43 Initial load duke parents: diff changeset	1442	MessageFormat form = new MessageFormat(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1443	("attempt.to.rename.signedJarFile.to.jarFile.failed"));
2 90ce3da70b43 Initial load duke parents: diff changeset	1444	Object[] source = {signedJarFile, jarFile};
90ce3da70b43 Initial load duke parents: diff changeset	1445	error(form.format(source));
90ce3da70b43 Initial load duke parents: diff changeset	1446	}
90ce3da70b43 Initial load duke parents: diff changeset	1447	} else {
90ce3da70b43 Initial load duke parents: diff changeset	1448	MessageFormat form = new MessageFormat(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1449	("attempt.to.rename.jarFile.to.origJar.failed"));
2 90ce3da70b43 Initial load duke parents: diff changeset	1450	Object[] source = {jarFile, origJar};
90ce3da70b43 Initial load duke parents: diff changeset	1451	error(form.format(source));
90ce3da70b43 Initial load duke parents: diff changeset	1452	}
90ce3da70b43 Initial load duke parents: diff changeset	1453	}
90ce3da70b43 Initial load duke parents: diff changeset	1454	}
90ce3da70b43 Initial load duke parents: diff changeset	1455
22315 529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	1456	boolean warningAppeared = false;
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	1457	if (badKeyUsage \|\| badExtendedKeyUsage \|\| badNetscapeCertType \|\|
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	1458	notYetValidCert \|\| chainNotValidated \|\| hasExpiredCert) {
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	1459	if (strict) {
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	1460	System.out.println(rb.getString("jar.signed.with.signer.errors."));
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	1461	System.out.println();
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	1462	System.out.println(rb.getString("Error."));
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	1463	} else {
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	1464	System.out.println(rb.getString("jar.signed."));
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	1465	System.out.println();
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	1466	System.out.println(rb.getString("Warning."));
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	1467	warningAppeared = true;
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	1468	}
2 90ce3da70b43 Initial load duke parents: diff changeset	1469
90ce3da70b43 Initial load duke parents: diff changeset	1470	if (badKeyUsage) {
90ce3da70b43 Initial load duke parents: diff changeset	1471	System.out.println(
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1472	rb.getString("The.signer.certificate.s.KeyUsage.extension.doesn.t.allow.code.signing."));
2 90ce3da70b43 Initial load duke parents: diff changeset	1473	}
90ce3da70b43 Initial load duke parents: diff changeset	1474
90ce3da70b43 Initial load duke parents: diff changeset	1475	if (badExtendedKeyUsage) {
90ce3da70b43 Initial load duke parents: diff changeset	1476	System.out.println(
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1477	rb.getString("The.signer.certificate.s.ExtendedKeyUsage.extension.doesn.t.allow.code.signing."));
2 90ce3da70b43 Initial load duke parents: diff changeset	1478	}
90ce3da70b43 Initial load duke parents: diff changeset	1479
90ce3da70b43 Initial load duke parents: diff changeset	1480	if (badNetscapeCertType) {
90ce3da70b43 Initial load duke parents: diff changeset	1481	System.out.println(
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1482	rb.getString("The.signer.certificate.s.NetscapeCertType.extension.doesn.t.allow.code.signing."));
2 90ce3da70b43 Initial load duke parents: diff changeset	1483	}
90ce3da70b43 Initial load duke parents: diff changeset	1484
90ce3da70b43 Initial load duke parents: diff changeset	1485	if (hasExpiredCert) {
90ce3da70b43 Initial load duke parents: diff changeset	1486	System.out.println(
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1487	rb.getString("The.signer.certificate.has.expired."));
2 90ce3da70b43 Initial load duke parents: diff changeset	1488	} else if (notYetValidCert) {
90ce3da70b43 Initial load duke parents: diff changeset	1489	System.out.println(
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1490	rb.getString("The.signer.certificate.is.not.yet.valid."));
2 90ce3da70b43 Initial load duke parents: diff changeset	1491	}
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1492
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1493	if (chainNotValidated) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1494	System.out.println(
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1495	rb.getString("The.signer.s.certificate.chain.is.not.validated."));
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1496	}
22315 529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	1497	} else {
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	1498	System.out.println(rb.getString("jar.signed."));
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	1499	}
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	1500	if (hasExpiringCert \|\| noTimestamp) {
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	1501	if (!warningAppeared) {
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	1502	System.out.println();
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	1503	System.out.println(rb.getString("Warning."));
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	1504	}
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	1505
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	1506	if (hasExpiringCert) {
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	1507	System.out.println(
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	1508	rb.getString("The.signer.certificate.will.expire.within.six.months."));
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	1509	}
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	1510
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	1511	if (noTimestamp) {
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	1512	System.out.println(
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	1513	String.format(rb.getString("no.timestamp.signing"), expireDate));
529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	1514	}
2 90ce3da70b43 Initial load duke parents: diff changeset	1515	}
90ce3da70b43 Initial load duke parents: diff changeset	1516
90ce3da70b43 Initial load duke parents: diff changeset	1517	// no IOException thrown in the above try clause, so disable
90ce3da70b43 Initial load duke parents: diff changeset	1518	// the catch clause.
90ce3da70b43 Initial load duke parents: diff changeset	1519	// } catch(IOException ioe) {
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1520	// error(rb.getString("unable.to.sign.jar.")+ioe, ioe);
2 90ce3da70b43 Initial load duke parents: diff changeset	1521	// }
90ce3da70b43 Initial load duke parents: diff changeset	1522	}
90ce3da70b43 Initial load duke parents: diff changeset	1523
90ce3da70b43 Initial load duke parents: diff changeset	1524	/**
5461 a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1525	* Find the length of header inside bs. The header is a multiple (>=0)
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1526	* lines of attributes plus an empty line. The empty line is included
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1527	* in the header.
2 90ce3da70b43 Initial load duke parents: diff changeset	1528	*/
10336 0bb1999251f8 7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror jjg parents: 9011 diff changeset	1529	@SuppressWarnings("fallthrough")
2 90ce3da70b43 Initial load duke parents: diff changeset	1530	private int findHeaderEnd(byte[] bs) {
5461 a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1531	// Initial state true to deal with empty header
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1532	boolean newline = true; // just met a newline
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1533	int len = bs.length;
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1534	for (int i=0; i<len; i++) {
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1535	switch (bs[i]) {
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1536	case '\r':
5614 9b34aca7cd0c 6954621: small error in 6948909 weijun parents: 5462 diff changeset	1537	if (i < len - 1 && bs[i+1] == '\n') i++;
5461 a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1538	// fallthrough
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1539	case '\n':
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1540	if (newline) return i+1; //+1 to get length
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1541	newline = true;
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1542	break;
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1543	default:
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1544	newline = false;
2 90ce3da70b43 Initial load duke parents: diff changeset	1545	}
90ce3da70b43 Initial load duke parents: diff changeset	1546	}
5461 a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1547	// If header end is not found, it means the MANIFEST.MF has only
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1548	// the main attributes section and it does not end with 2 newlines.
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1549	// Returns the whole length so that it can be completely replaced.
a0e3063bc133 6948909: Jarsigner removes MANIFEST.MF info for badly packages jar's weijun parents: 4350 diff changeset	1550	return len;
2 90ce3da70b43 Initial load duke parents: diff changeset	1551	}
90ce3da70b43 Initial load duke parents: diff changeset	1552
90ce3da70b43 Initial load duke parents: diff changeset	1553	/**
90ce3da70b43 Initial load duke parents: diff changeset	1554	* signature-related files include:
90ce3da70b43 Initial load duke parents: diff changeset	1555	* . META-INF/MANIFEST.MF
90ce3da70b43 Initial load duke parents: diff changeset	1556	* . META-INF/SIG-*
90ce3da70b43 Initial load duke parents: diff changeset	1557	* . META-INF/*.SF
90ce3da70b43 Initial load duke parents: diff changeset	1558	* . META-INF/*.DSA
90ce3da70b43 Initial load duke parents: diff changeset	1559	* . META-INF/*.RSA
4152 bc36a9f01ac6 6870812: enhance security tools to use ECC algorithms weijun parents: 3951 diff changeset	1560	* . META-INF/*.EC
2 90ce3da70b43 Initial load duke parents: diff changeset	1561	*/
90ce3da70b43 Initial load duke parents: diff changeset	1562	private boolean signatureRelated(String name) {
23912 9eab25093a89 8026067: Enhance signed jar verification weijun parents: 23010 diff changeset	1563	return SignatureFileVerifier.isSigningRelated(name);
2 90ce3da70b43 Initial load duke parents: diff changeset	1564	}
90ce3da70b43 Initial load duke parents: diff changeset	1565
7977 f47f211cd627 7008713: diamond conversion of kerberos5 and security tools smarks parents: 7525 diff changeset	1566	Map<CodeSigner,String> cacheForSignerInfo = new IdentityHashMap<>();
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1567
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1568	/**
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1569	* Returns a string of singer info, with a newline at the end
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1570	*/
12046 378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	1571	private String signerInfo(CodeSigner signer, String tab) {
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1572	if (cacheForSignerInfo.containsKey(signer)) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1573	return cacheForSignerInfo.get(signer);
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1574	}
24969 afa6934dd8e8 8041679: Replace uses of StringBuffer with StringBuilder within core library classes psandoz parents: 24868 diff changeset	1575	StringBuilder sb = new StringBuilder();
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1576	List<? extends Certificate> certs = signer.getSignerCertPath().getCertificates();
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1577	// display the signature timestamp, if present
12046 378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	1578	Date timestamp;
378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	1579	Timestamp ts = signer.getTimestamp();
378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	1580	if (ts != null) {
24969 afa6934dd8e8 8041679: Replace uses of StringBuffer with StringBuilder within core library classes psandoz parents: 24868 diff changeset	1581	sb.append(printTimestamp(tab, ts));
afa6934dd8e8 8041679: Replace uses of StringBuffer with StringBuilder within core library classes psandoz parents: 24868 diff changeset	1582	sb.append('\n');
12046 378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	1583	timestamp = ts.getTimestamp();
378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	1584	} else {
378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	1585	timestamp = null;
22315 529f1cc322fc 8024302: Clarify jar verifications weijun parents: 19189 diff changeset	1586	noTimestamp = true;
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1587	}
24969 afa6934dd8e8 8041679: Replace uses of StringBuffer with StringBuilder within core library classes psandoz parents: 24868 diff changeset	1588	// display the certificate(sb). The first one is end-entity cert and
7525 16d2b5e6517a 7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert weijun parents: 7524 diff changeset	1589	// its KeyUsage should be checked.
16d2b5e6517a 7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert weijun parents: 7524 diff changeset	1590	boolean first = true;
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1591	for (Certificate c : certs) {
24969 afa6934dd8e8 8041679: Replace uses of StringBuffer with StringBuilder within core library classes psandoz parents: 24868 diff changeset	1592	sb.append(printCert(tab, c, true, timestamp, first));
afa6934dd8e8 8041679: Replace uses of StringBuffer with StringBuilder within core library classes psandoz parents: 24868 diff changeset	1593	sb.append('\n');
7525 16d2b5e6517a 7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert weijun parents: 7524 diff changeset	1594	first = false;
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1595	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1596	try {
24625 22fb8a68756f 8036709: Java 7 jarsigner displays warning about cert policy tree weijun parents: 24034 diff changeset	1597	validateCertChain(certs);
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1598	} catch (Exception e) {
10427 c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1599	if (debug) {
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1600	e.printStackTrace();
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1601	}
12046 378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	1602	if (e.getCause() != null &&
378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	1603	(e.getCause() instanceof CertificateExpiredException \|\|
378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	1604	e.getCause() instanceof CertificateNotYetValidException)) {
378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	1605	// No more warning, we alreay have hasExpiredCert or notYetValidCert
378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	1606	} else {
378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	1607	chainNotValidated = true;
24969 afa6934dd8e8 8041679: Replace uses of StringBuffer with StringBuilder within core library classes psandoz parents: 24868 diff changeset	1608	sb.append(tab + rb.getString(".CertPath.not.validated.") +
12046 378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	1609	e.getLocalizedMessage() + "]\n"); // TODO
378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	1610	}
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1611	}
24969 afa6934dd8e8 8041679: Replace uses of StringBuffer with StringBuilder within core library classes psandoz parents: 24868 diff changeset	1612	String result = sb.toString();
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1613	cacheForSignerInfo.put(signer, result);
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1614	return result;
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1615	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1616
2 90ce3da70b43 Initial load duke parents: diff changeset	1617	private void writeEntry(ZipFile zf, ZipOutputStream os, ZipEntry ze)
90ce3da70b43 Initial load duke parents: diff changeset	1618	throws IOException
90ce3da70b43 Initial load duke parents: diff changeset	1619	{
90ce3da70b43 Initial load duke parents: diff changeset	1620	ZipEntry ze2 = new ZipEntry(ze.getName());
90ce3da70b43 Initial load duke parents: diff changeset	1621	ze2.setMethod(ze.getMethod());
90ce3da70b43 Initial load duke parents: diff changeset	1622	ze2.setTime(ze.getTime());
90ce3da70b43 Initial load duke parents: diff changeset	1623	ze2.setComment(ze.getComment());
90ce3da70b43 Initial load duke parents: diff changeset	1624	ze2.setExtra(ze.getExtra());
90ce3da70b43 Initial load duke parents: diff changeset	1625	if (ze.getMethod() == ZipEntry.STORED) {
90ce3da70b43 Initial load duke parents: diff changeset	1626	ze2.setSize(ze.getSize());
90ce3da70b43 Initial load duke parents: diff changeset	1627	ze2.setCrc(ze.getCrc());
90ce3da70b43 Initial load duke parents: diff changeset	1628	}
90ce3da70b43 Initial load duke parents: diff changeset	1629	os.putNextEntry(ze2);
90ce3da70b43 Initial load duke parents: diff changeset	1630	writeBytes(zf, ze, os);
90ce3da70b43 Initial load duke parents: diff changeset	1631	}
90ce3da70b43 Initial load duke parents: diff changeset	1632
90ce3da70b43 Initial load duke parents: diff changeset	1633	/**
90ce3da70b43 Initial load duke parents: diff changeset	1634	* Writes all the bytes for a given entry to the specified output stream.
90ce3da70b43 Initial load duke parents: diff changeset	1635	*/
90ce3da70b43 Initial load duke parents: diff changeset	1636	private synchronized void writeBytes
90ce3da70b43 Initial load duke parents: diff changeset	1637	(ZipFile zf, ZipEntry ze, ZipOutputStream os) throws IOException {
90ce3da70b43 Initial load duke parents: diff changeset	1638	int n;
90ce3da70b43 Initial load duke parents: diff changeset	1639
90ce3da70b43 Initial load duke parents: diff changeset	1640	InputStream is = null;
90ce3da70b43 Initial load duke parents: diff changeset	1641	try {
90ce3da70b43 Initial load duke parents: diff changeset	1642	is = zf.getInputStream(ze);
90ce3da70b43 Initial load duke parents: diff changeset	1643	long left = ze.getSize();
90ce3da70b43 Initial load duke parents: diff changeset	1644
90ce3da70b43 Initial load duke parents: diff changeset	1645	while((left > 0) && (n = is.read(buffer, 0, buffer.length)) != -1) {
90ce3da70b43 Initial load duke parents: diff changeset	1646	os.write(buffer, 0, n);
90ce3da70b43 Initial load duke parents: diff changeset	1647	left -= n;
90ce3da70b43 Initial load duke parents: diff changeset	1648	}
90ce3da70b43 Initial load duke parents: diff changeset	1649	} finally {
90ce3da70b43 Initial load duke parents: diff changeset	1650	if (is != null) {
90ce3da70b43 Initial load duke parents: diff changeset	1651	is.close();
90ce3da70b43 Initial load duke parents: diff changeset	1652	}
90ce3da70b43 Initial load duke parents: diff changeset	1653	}
90ce3da70b43 Initial load duke parents: diff changeset	1654	}
90ce3da70b43 Initial load duke parents: diff changeset	1655
90ce3da70b43 Initial load duke parents: diff changeset	1656	void loadKeyStore(String keyStoreName, boolean prompt) {
90ce3da70b43 Initial load duke parents: diff changeset	1657
90ce3da70b43 Initial load duke parents: diff changeset	1658	if (!nullStream && keyStoreName == null) {
90ce3da70b43 Initial load duke parents: diff changeset	1659	keyStoreName = System.getProperty("user.home") + File.separator
90ce3da70b43 Initial load duke parents: diff changeset	1660	+ ".keystore";
90ce3da70b43 Initial load duke parents: diff changeset	1661	}
90ce3da70b43 Initial load duke parents: diff changeset	1662
90ce3da70b43 Initial load duke parents: diff changeset	1663	try {
10427 c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1664
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1665	certificateFactory = CertificateFactory.getInstance("X.509");
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1666	validator = CertPathValidator.getInstance("PKIX");
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1667	Set<TrustAnchor> tas = new HashSet<>();
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1668	try {
14182 3041082abb40 7194449: String resources for Key Tool and Policy Tool should be in their respective packages sflores parents: 12046 diff changeset	1669	KeyStore caks = KeyStoreUtil.getCacertsKeyStore();
10427 c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1670	if (caks != null) {
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1671	Enumeration<String> aliases = caks.aliases();
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1672	while (aliases.hasMoreElements()) {
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1673	String a = aliases.nextElement();
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1674	try {
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1675	tas.add(new TrustAnchor((X509Certificate)caks.getCertificate(a), null));
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1676	} catch (Exception e2) {
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1677	// ignore, when a SecretkeyEntry does not include a cert
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1678	}
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1679	}
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1680	}
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1681	} catch (Exception e) {
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1682	// Ignore, if cacerts cannot be loaded
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1683	}
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1684
2 90ce3da70b43 Initial load duke parents: diff changeset	1685	if (providerName == null) {
90ce3da70b43 Initial load duke parents: diff changeset	1686	store = KeyStore.getInstance(storetype);
90ce3da70b43 Initial load duke parents: diff changeset	1687	} else {
90ce3da70b43 Initial load duke parents: diff changeset	1688	store = KeyStore.getInstance(storetype, providerName);
90ce3da70b43 Initial load duke parents: diff changeset	1689	}
90ce3da70b43 Initial load duke parents: diff changeset	1690
90ce3da70b43 Initial load duke parents: diff changeset	1691	// Get pass phrase
90ce3da70b43 Initial load duke parents: diff changeset	1692	// XXX need to disable echo; on UNIX, call getpass(char *prompt)Z
90ce3da70b43 Initial load duke parents: diff changeset	1693	// and on NT call ??
90ce3da70b43 Initial load duke parents: diff changeset	1694	if (token && storepass == null && !protectedPath
90ce3da70b43 Initial load duke parents: diff changeset	1695	&& !KeyStoreUtil.isWindowsKeyStore(storetype)) {
90ce3da70b43 Initial load duke parents: diff changeset	1696	storepass = getPass
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1697	(rb.getString("Enter.Passphrase.for.keystore."));
2 90ce3da70b43 Initial load duke parents: diff changeset	1698	} else if (!token && storepass == null && prompt) {
90ce3da70b43 Initial load duke parents: diff changeset	1699	storepass = getPass
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1700	(rb.getString("Enter.Passphrase.for.keystore."));
2 90ce3da70b43 Initial load duke parents: diff changeset	1701	}
90ce3da70b43 Initial load duke parents: diff changeset	1702
10427 c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1703	try {
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1704	if (nullStream) {
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1705	store.load(null, storepass);
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1706	} else {
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1707	keyStoreName = keyStoreName.replace(File.separatorChar, '/');
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1708	URL url = null;
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1709	try {
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1710	url = new URL(keyStoreName);
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1711	} catch (java.net.MalformedURLException e) {
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1712	// try as file
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1713	url = new File(keyStoreName).toURI().toURL();
2 90ce3da70b43 Initial load duke parents: diff changeset	1714	}
10427 c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1715	InputStream is = null;
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1716	try {
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1717	is = url.openStream();
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1718	store.load(is, storepass);
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1719	} finally {
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1720	if (is != null) {
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1721	is.close();
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1722	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1723	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1724	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1725	Enumeration<String> aliases = store.aliases();
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1726	while (aliases.hasMoreElements()) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1727	String a = aliases.nextElement();
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1728	try {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1729	X509Certificate c = (X509Certificate)store.getCertificate(a);
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1730	// Only add TrustedCertificateEntry and self-signed
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1731	// PrivateKeyEntry
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1732	if (store.isCertificateEntry(a) \|\|
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1733	c.getSubjectDN().equals(c.getIssuerDN())) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1734	tas.add(new TrustAnchor(c, null));
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1735	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1736	} catch (Exception e2) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1737	// ignore, when a SecretkeyEntry does not include a cert
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1738	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1739	}
10427 c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1740	} finally {
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1741	try {
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1742	pkixParameters = new PKIXParameters(tas);
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1743	pkixParameters.setRevocationEnabled(false);
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1744	} catch (InvalidAlgorithmParameterException ex) {
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1745	// Only if tas is empty
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1746	}
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1747	}
2 90ce3da70b43 Initial load duke parents: diff changeset	1748	} catch (IOException ioe) {
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1749	throw new RuntimeException(rb.getString("keystore.load.") +
2 90ce3da70b43 Initial load duke parents: diff changeset	1750	ioe.getMessage());
90ce3da70b43 Initial load duke parents: diff changeset	1751	} catch (java.security.cert.CertificateException ce) {
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1752	throw new RuntimeException(rb.getString("certificate.exception.") +
2 90ce3da70b43 Initial load duke parents: diff changeset	1753	ce.getMessage());
90ce3da70b43 Initial load duke parents: diff changeset	1754	} catch (NoSuchProviderException pe) {
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1755	throw new RuntimeException(rb.getString("keystore.load.") +
2 90ce3da70b43 Initial load duke parents: diff changeset	1756	pe.getMessage());
90ce3da70b43 Initial load duke parents: diff changeset	1757	} catch (NoSuchAlgorithmException nsae) {
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1758	throw new RuntimeException(rb.getString("keystore.load.") +
2 90ce3da70b43 Initial load duke parents: diff changeset	1759	nsae.getMessage());
90ce3da70b43 Initial load duke parents: diff changeset	1760	} catch (KeyStoreException kse) {
90ce3da70b43 Initial load duke parents: diff changeset	1761	throw new RuntimeException
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1762	(rb.getString("unable.to.instantiate.keystore.class.") +
2 90ce3da70b43 Initial load duke parents: diff changeset	1763	kse.getMessage());
90ce3da70b43 Initial load duke parents: diff changeset	1764	}
90ce3da70b43 Initial load duke parents: diff changeset	1765	}
90ce3da70b43 Initial load duke parents: diff changeset	1766
90ce3da70b43 Initial load duke parents: diff changeset	1767	X509Certificate getTsaCert(String alias) {
90ce3da70b43 Initial load duke parents: diff changeset	1768
90ce3da70b43 Initial load duke parents: diff changeset	1769	java.security.cert.Certificate cs = null;
90ce3da70b43 Initial load duke parents: diff changeset	1770
90ce3da70b43 Initial load duke parents: diff changeset	1771	try {
90ce3da70b43 Initial load duke parents: diff changeset	1772	cs = store.getCertificate(alias);
90ce3da70b43 Initial load duke parents: diff changeset	1773	} catch (KeyStoreException kse) {
90ce3da70b43 Initial load duke parents: diff changeset	1774	// this never happens, because keystore has been loaded
90ce3da70b43 Initial load duke parents: diff changeset	1775	}
90ce3da70b43 Initial load duke parents: diff changeset	1776	if (cs == null \|\| (!(cs instanceof X509Certificate))) {
90ce3da70b43 Initial load duke parents: diff changeset	1777	MessageFormat form = new MessageFormat(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1778	("Certificate.not.found.for.alias.alias.must.reference.a.valid.KeyStore.entry.containing.an.X.509.public.key.certificate.for.the"));
2 90ce3da70b43 Initial load duke parents: diff changeset	1779	Object[] source = {alias, alias};
90ce3da70b43 Initial load duke parents: diff changeset	1780	error(form.format(source));
90ce3da70b43 Initial load duke parents: diff changeset	1781	}
90ce3da70b43 Initial load duke parents: diff changeset	1782	return (X509Certificate) cs;
90ce3da70b43 Initial load duke parents: diff changeset	1783	}
90ce3da70b43 Initial load duke parents: diff changeset	1784
90ce3da70b43 Initial load duke parents: diff changeset	1785	/**
90ce3da70b43 Initial load duke parents: diff changeset	1786	* Check if userCert is designed to be a code signer
90ce3da70b43 Initial load duke parents: diff changeset	1787	* @param userCert the certificate to be examined
90ce3da70b43 Initial load duke parents: diff changeset	1788	* @param bad 3 booleans to show if the KeyUsage, ExtendedKeyUsage,
90ce3da70b43 Initial load duke parents: diff changeset	1789	* NetscapeCertType has codeSigning flag turned on.
90ce3da70b43 Initial load duke parents: diff changeset	1790	* If null, the class field badKeyUsage, badExtendedKeyUsage,
90ce3da70b43 Initial load duke parents: diff changeset	1791	* badNetscapeCertType will be set.
90ce3da70b43 Initial load duke parents: diff changeset	1792	*/
90ce3da70b43 Initial load duke parents: diff changeset	1793	void checkCertUsage(X509Certificate userCert, boolean[] bad) {
90ce3da70b43 Initial load duke parents: diff changeset	1794
90ce3da70b43 Initial load duke parents: diff changeset	1795	// Can act as a signer?
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1796	// 1. if KeyUsage, then [0:digitalSignature] or
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1797	// [1:nonRepudiation] should be true
2 90ce3da70b43 Initial load duke parents: diff changeset	1798	// 2. if ExtendedKeyUsage, then should contains ANY or CODE_SIGNING
90ce3da70b43 Initial load duke parents: diff changeset	1799	// 3. if NetscapeCertType, then should contains OBJECT_SIGNING
90ce3da70b43 Initial load duke parents: diff changeset	1800	// 1,2,3 must be true
90ce3da70b43 Initial load duke parents: diff changeset	1801
90ce3da70b43 Initial load duke parents: diff changeset	1802	if (bad != null) {
90ce3da70b43 Initial load duke parents: diff changeset	1803	bad[0] = bad[1] = bad[2] = false;
90ce3da70b43 Initial load duke parents: diff changeset	1804	}
90ce3da70b43 Initial load duke parents: diff changeset	1805
90ce3da70b43 Initial load duke parents: diff changeset	1806	boolean[] keyUsage = userCert.getKeyUsage();
90ce3da70b43 Initial load duke parents: diff changeset	1807	if (keyUsage != null) {
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1808	keyUsage = Arrays.copyOf(keyUsage, 9);
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1809	if (!keyUsage[0] && !keyUsage[1]) {
2 90ce3da70b43 Initial load duke parents: diff changeset	1810	if (bad != null) {
90ce3da70b43 Initial load duke parents: diff changeset	1811	bad[0] = true;
90ce3da70b43 Initial load duke parents: diff changeset	1812	badKeyUsage = true;
90ce3da70b43 Initial load duke parents: diff changeset	1813	}
90ce3da70b43 Initial load duke parents: diff changeset	1814	}
90ce3da70b43 Initial load duke parents: diff changeset	1815	}
90ce3da70b43 Initial load duke parents: diff changeset	1816
90ce3da70b43 Initial load duke parents: diff changeset	1817	try {
90ce3da70b43 Initial load duke parents: diff changeset	1818	List<String> xKeyUsage = userCert.getExtendedKeyUsage();
90ce3da70b43 Initial load duke parents: diff changeset	1819	if (xKeyUsage != null) {
90ce3da70b43 Initial load duke parents: diff changeset	1820	if (!xKeyUsage.contains("2.5.29.37.0") // anyExtendedKeyUsage
90ce3da70b43 Initial load duke parents: diff changeset	1821	&& !xKeyUsage.contains("1.3.6.1.5.5.7.3.3")) { // codeSigning
90ce3da70b43 Initial load duke parents: diff changeset	1822	if (bad != null) {
90ce3da70b43 Initial load duke parents: diff changeset	1823	bad[1] = true;
90ce3da70b43 Initial load duke parents: diff changeset	1824	badExtendedKeyUsage = true;
90ce3da70b43 Initial load duke parents: diff changeset	1825	}
90ce3da70b43 Initial load duke parents: diff changeset	1826	}
90ce3da70b43 Initial load duke parents: diff changeset	1827	}
90ce3da70b43 Initial load duke parents: diff changeset	1828	} catch (java.security.cert.CertificateParsingException e) {
90ce3da70b43 Initial load duke parents: diff changeset	1829	// shouldn't happen
90ce3da70b43 Initial load duke parents: diff changeset	1830	}
90ce3da70b43 Initial load duke parents: diff changeset	1831
90ce3da70b43 Initial load duke parents: diff changeset	1832	try {
90ce3da70b43 Initial load duke parents: diff changeset	1833	// OID_NETSCAPE_CERT_TYPE
90ce3da70b43 Initial load duke parents: diff changeset	1834	byte[] netscapeEx = userCert.getExtensionValue
90ce3da70b43 Initial load duke parents: diff changeset	1835	("2.16.840.1.113730.1.1");
90ce3da70b43 Initial load duke parents: diff changeset	1836	if (netscapeEx != null) {
90ce3da70b43 Initial load duke parents: diff changeset	1837	DerInputStream in = new DerInputStream(netscapeEx);
90ce3da70b43 Initial load duke parents: diff changeset	1838	byte[] encoded = in.getOctetString();
90ce3da70b43 Initial load duke parents: diff changeset	1839	encoded = new DerValue(encoded).getUnalignedBitString()
90ce3da70b43 Initial load duke parents: diff changeset	1840	.toByteArray();
90ce3da70b43 Initial load duke parents: diff changeset	1841
90ce3da70b43 Initial load duke parents: diff changeset	1842	NetscapeCertTypeExtension extn =
90ce3da70b43 Initial load duke parents: diff changeset	1843	new NetscapeCertTypeExtension(encoded);
90ce3da70b43 Initial load duke parents: diff changeset	1844
10336 0bb1999251f8 7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror jjg parents: 9011 diff changeset	1845	Boolean val = extn.get(NetscapeCertTypeExtension.OBJECT_SIGNING);
2 90ce3da70b43 Initial load duke parents: diff changeset	1846	if (!val) {
90ce3da70b43 Initial load duke parents: diff changeset	1847	if (bad != null) {
90ce3da70b43 Initial load duke parents: diff changeset	1848	bad[2] = true;
90ce3da70b43 Initial load duke parents: diff changeset	1849	badNetscapeCertType = true;
90ce3da70b43 Initial load duke parents: diff changeset	1850	}
90ce3da70b43 Initial load duke parents: diff changeset	1851	}
90ce3da70b43 Initial load duke parents: diff changeset	1852	}
90ce3da70b43 Initial load duke parents: diff changeset	1853	} catch (IOException e) {
90ce3da70b43 Initial load duke parents: diff changeset	1854	//
90ce3da70b43 Initial load duke parents: diff changeset	1855	}
90ce3da70b43 Initial load duke parents: diff changeset	1856	}
90ce3da70b43 Initial load duke parents: diff changeset	1857
90ce3da70b43 Initial load duke parents: diff changeset	1858	void getAliasInfo(String alias) {
90ce3da70b43 Initial load duke parents: diff changeset	1859
90ce3da70b43 Initial load duke parents: diff changeset	1860	Key key = null;
90ce3da70b43 Initial load duke parents: diff changeset	1861
90ce3da70b43 Initial load duke parents: diff changeset	1862	try {
90ce3da70b43 Initial load duke parents: diff changeset	1863	java.security.cert.Certificate[] cs = null;
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1864	if (altCertChain != null) {
21642 5efc900f8ecd 8027991: InputStream should be closed in sun.security.tools.jarsigner.Main weijun parents: 21278 diff changeset	1865	try (FileInputStream fis = new FileInputStream(altCertChain)) {
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1866	cs = CertificateFactory.getInstance("X.509").
21642 5efc900f8ecd 8027991: InputStream should be closed in sun.security.tools.jarsigner.Main weijun parents: 21278 diff changeset	1867	generateCertificates(fis).
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1868	toArray(new Certificate[0]);
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1869	} catch (FileNotFoundException ex) {
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1870	error(rb.getString("File.specified.by.certchain.does.not.exist"));
21642 5efc900f8ecd 8027991: InputStream should be closed in sun.security.tools.jarsigner.Main weijun parents: 21278 diff changeset	1871	} catch (CertificateException \| IOException ex) {
5efc900f8ecd 8027991: InputStream should be closed in sun.security.tools.jarsigner.Main weijun parents: 21278 diff changeset	1872	error(rb.getString("Cannot.restore.certchain.from.file.specified"));
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1873	}
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1874	} else {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1875	try {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1876	cs = store.getCertificateChain(alias);
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1877	} catch (KeyStoreException kse) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1878	// this never happens, because keystore has been loaded
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1879	}
2 90ce3da70b43 Initial load duke parents: diff changeset	1880	}
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1881	if (cs == null \|\| cs.length == 0) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1882	if (altCertChain != null) {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1883	error(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1884	("Certificate.chain.not.found.in.the.file.specified."));
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1885	} else {
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1886	MessageFormat form = new MessageFormat(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1887	("Certificate.chain.not.found.for.alias.alias.must.reference.a.valid.KeyStore.key.entry.containing.a.private.key.and"));
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1888	Object[] source = {alias, alias};
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1889	error(form.format(source));
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1890	}
2 90ce3da70b43 Initial load duke parents: diff changeset	1891	}
90ce3da70b43 Initial load duke parents: diff changeset	1892
90ce3da70b43 Initial load duke parents: diff changeset	1893	certChain = new X509Certificate[cs.length];
90ce3da70b43 Initial load duke parents: diff changeset	1894	for (int i=0; i<cs.length; i++) {
90ce3da70b43 Initial load duke parents: diff changeset	1895	if (!(cs[i] instanceof X509Certificate)) {
90ce3da70b43 Initial load duke parents: diff changeset	1896	error(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1897	("found.non.X.509.certificate.in.signer.s.chain"));
2 90ce3da70b43 Initial load duke parents: diff changeset	1898	}
90ce3da70b43 Initial load duke parents: diff changeset	1899	certChain[i] = (X509Certificate)cs[i];
90ce3da70b43 Initial load duke parents: diff changeset	1900	}
90ce3da70b43 Initial load duke parents: diff changeset	1901
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1902	// We don't meant to print anything, the next call
dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1903	// checks validity and keyUsage etc
12046 378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	1904	printCert("", certChain[0], true, null, true);
2 90ce3da70b43 Initial load duke parents: diff changeset	1905
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1906	try {
24625 22fb8a68756f 8036709: Java 7 jarsigner displays warning about cert policy tree weijun parents: 24034 diff changeset	1907	validateCertChain(Arrays.asList(certChain));
2432 dc17f417ef85 6802846: jarsigner needs enhanced cert validation(options) weijun parents: 2 diff changeset	1908	} catch (Exception e) {
10427 c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1909	if (debug) {
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1910	e.printStackTrace();
c255e1803e4d 7081783: jarsigner error when no $HOME/.keystore weijun parents: 10336 diff changeset	1911	}
12046 378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	1912	if (e.getCause() != null &&
378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	1913	(e.getCause() instanceof CertificateExpiredException \|\|
378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	1914	e.getCause() instanceof CertificateNotYetValidException)) {
378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	1915	// No more warning, we alreay have hasExpiredCert or notYetValidCert
378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	1916	} else {
378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	1917	chainNotValidated = true;
378aa3362868 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp weijun parents: 10788 diff changeset	1918	}
2 90ce3da70b43 Initial load duke parents: diff changeset	1919	}
90ce3da70b43 Initial load duke parents: diff changeset	1920
90ce3da70b43 Initial load duke parents: diff changeset	1921	try {
90ce3da70b43 Initial load duke parents: diff changeset	1922	if (!token && keypass == null)
90ce3da70b43 Initial load duke parents: diff changeset	1923	key = store.getKey(alias, storepass);
90ce3da70b43 Initial load duke parents: diff changeset	1924	else
90ce3da70b43 Initial load duke parents: diff changeset	1925	key = store.getKey(alias, keypass);
90ce3da70b43 Initial load duke parents: diff changeset	1926	} catch (UnrecoverableKeyException e) {
90ce3da70b43 Initial load duke parents: diff changeset	1927	if (token) {
90ce3da70b43 Initial load duke parents: diff changeset	1928	throw e;
90ce3da70b43 Initial load duke parents: diff changeset	1929	} else if (keypass == null) {
90ce3da70b43 Initial load duke parents: diff changeset	1930	// Did not work out, so prompt user for key password
90ce3da70b43 Initial load duke parents: diff changeset	1931	MessageFormat form = new MessageFormat(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1932	("Enter.key.password.for.alias."));
2 90ce3da70b43 Initial load duke parents: diff changeset	1933	Object[] source = {alias};
90ce3da70b43 Initial load duke parents: diff changeset	1934	keypass = getPass(form.format(source));
90ce3da70b43 Initial load duke parents: diff changeset	1935	key = store.getKey(alias, keypass);
90ce3da70b43 Initial load duke parents: diff changeset	1936	}
90ce3da70b43 Initial load duke parents: diff changeset	1937	}
90ce3da70b43 Initial load duke parents: diff changeset	1938	} catch (NoSuchAlgorithmException e) {
90ce3da70b43 Initial load duke parents: diff changeset	1939	error(e.getMessage());
90ce3da70b43 Initial load duke parents: diff changeset	1940	} catch (UnrecoverableKeyException e) {
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1941	error(rb.getString("unable.to.recover.key.from.keystore"));
2 90ce3da70b43 Initial load duke parents: diff changeset	1942	} catch (KeyStoreException kse) {
90ce3da70b43 Initial load duke parents: diff changeset	1943	// this never happens, because keystore has been loaded
90ce3da70b43 Initial load duke parents: diff changeset	1944	}
90ce3da70b43 Initial load duke parents: diff changeset	1945
90ce3da70b43 Initial load duke parents: diff changeset	1946	if (!(key instanceof PrivateKey)) {
90ce3da70b43 Initial load duke parents: diff changeset	1947	MessageFormat form = new MessageFormat(rb.getString
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1948	("key.associated.with.alias.not.a.private.key"));
2 90ce3da70b43 Initial load duke parents: diff changeset	1949	Object[] source = {alias};
90ce3da70b43 Initial load duke parents: diff changeset	1950	error(form.format(source));
90ce3da70b43 Initial load duke parents: diff changeset	1951	} else {
90ce3da70b43 Initial load duke parents: diff changeset	1952	privateKey = (PrivateKey)key;
90ce3da70b43 Initial load duke parents: diff changeset	1953	}
90ce3da70b43 Initial load duke parents: diff changeset	1954	}
90ce3da70b43 Initial load duke parents: diff changeset	1955
90ce3da70b43 Initial load duke parents: diff changeset	1956	void error(String message)
90ce3da70b43 Initial load duke parents: diff changeset	1957	{
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1958	System.out.println(rb.getString("jarsigner.")+message);
2 90ce3da70b43 Initial load duke parents: diff changeset	1959	System.exit(1);
90ce3da70b43 Initial load duke parents: diff changeset	1960	}
90ce3da70b43 Initial load duke parents: diff changeset	1961
90ce3da70b43 Initial load duke parents: diff changeset	1962
90ce3da70b43 Initial load duke parents: diff changeset	1963	void error(String message, Exception e)
90ce3da70b43 Initial load duke parents: diff changeset	1964	{
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1965	System.out.println(rb.getString("jarsigner.")+message);
2 90ce3da70b43 Initial load duke parents: diff changeset	1966	if (debug) {
90ce3da70b43 Initial load duke parents: diff changeset	1967	e.printStackTrace();
90ce3da70b43 Initial load duke parents: diff changeset	1968	}
90ce3da70b43 Initial load duke parents: diff changeset	1969	System.exit(1);
90ce3da70b43 Initial load duke parents: diff changeset	1970	}
90ce3da70b43 Initial load duke parents: diff changeset	1971
24625 22fb8a68756f 8036709: Java 7 jarsigner displays warning about cert policy tree weijun parents: 24034 diff changeset	1972	void validateCertChain(List<? extends Certificate> certs) throws Exception {
22fb8a68756f 8036709: Java 7 jarsigner displays warning about cert policy tree weijun parents: 24034 diff changeset	1973	int cpLen = 0;
22fb8a68756f 8036709: Java 7 jarsigner displays warning about cert policy tree weijun parents: 24034 diff changeset	1974	out: for (; cpLen<certs.size(); cpLen++) {
22fb8a68756f 8036709: Java 7 jarsigner displays warning about cert policy tree weijun parents: 24034 diff changeset	1975	for (TrustAnchor ta: pkixParameters.getTrustAnchors()) {
22fb8a68756f 8036709: Java 7 jarsigner displays warning about cert policy tree weijun parents: 24034 diff changeset	1976	if (ta.getTrustedCert().equals(certs.get(cpLen))) {
22fb8a68756f 8036709: Java 7 jarsigner displays warning about cert policy tree weijun parents: 24034 diff changeset	1977	break out;
22fb8a68756f 8036709: Java 7 jarsigner displays warning about cert policy tree weijun parents: 24034 diff changeset	1978	}
22fb8a68756f 8036709: Java 7 jarsigner displays warning about cert policy tree weijun parents: 24034 diff changeset	1979	}
22fb8a68756f 8036709: Java 7 jarsigner displays warning about cert policy tree weijun parents: 24034 diff changeset	1980	}
22fb8a68756f 8036709: Java 7 jarsigner displays warning about cert policy tree weijun parents: 24034 diff changeset	1981	if (cpLen > 0) {
22fb8a68756f 8036709: Java 7 jarsigner displays warning about cert policy tree weijun parents: 24034 diff changeset	1982	CertPath cp = certificateFactory.generateCertPath(
22fb8a68756f 8036709: Java 7 jarsigner displays warning about cert policy tree weijun parents: 24034 diff changeset	1983	(cpLen == certs.size())? certs: certs.subList(0, cpLen));
22fb8a68756f 8036709: Java 7 jarsigner displays warning about cert policy tree weijun parents: 24034 diff changeset	1984	validator.validate(cp, pkixParameters);
22fb8a68756f 8036709: Java 7 jarsigner displays warning about cert policy tree weijun parents: 24034 diff changeset	1985	}
22fb8a68756f 8036709: Java 7 jarsigner displays warning about cert policy tree weijun parents: 24034 diff changeset	1986	}
22fb8a68756f 8036709: Java 7 jarsigner displays warning about cert policy tree weijun parents: 24034 diff changeset	1987
2 90ce3da70b43 Initial load duke parents: diff changeset	1988	char[] getPass(String prompt)
90ce3da70b43 Initial load duke parents: diff changeset	1989	{
90ce3da70b43 Initial load duke parents: diff changeset	1990	System.err.print(prompt);
90ce3da70b43 Initial load duke parents: diff changeset	1991	System.err.flush();
90ce3da70b43 Initial load duke parents: diff changeset	1992	try {
90ce3da70b43 Initial load duke parents: diff changeset	1993	char[] pass = Password.readPassword(System.in);
90ce3da70b43 Initial load duke parents: diff changeset	1994
90ce3da70b43 Initial load duke parents: diff changeset	1995	if (pass == null) {
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	1996	error(rb.getString("you.must.enter.key.password"));
2 90ce3da70b43 Initial load duke parents: diff changeset	1997	} else {
90ce3da70b43 Initial load duke parents: diff changeset	1998	return pass;
90ce3da70b43 Initial load duke parents: diff changeset	1999	}
90ce3da70b43 Initial load duke parents: diff changeset	2000	} catch (IOException ioe) {
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	2001	error(rb.getString("unable.to.read.password.")+ioe.getMessage());
2 90ce3da70b43 Initial load duke parents: diff changeset	2002	}
90ce3da70b43 Initial load duke parents: diff changeset	2003	// this shouldn't happen
90ce3da70b43 Initial load duke parents: diff changeset	2004	return null;
90ce3da70b43 Initial load duke parents: diff changeset	2005	}
90ce3da70b43 Initial load duke parents: diff changeset	2006
90ce3da70b43 Initial load duke parents: diff changeset	2007	/*
90ce3da70b43 Initial load duke parents: diff changeset	2008	* Reads all the bytes for a given zip entry.
90ce3da70b43 Initial load duke parents: diff changeset	2009	*/
90ce3da70b43 Initial load duke parents: diff changeset	2010	private synchronized byte[] getBytes(ZipFile zf,
90ce3da70b43 Initial load duke parents: diff changeset	2011	ZipEntry ze) throws IOException {
90ce3da70b43 Initial load duke parents: diff changeset	2012	int n;
90ce3da70b43 Initial load duke parents: diff changeset	2013
90ce3da70b43 Initial load duke parents: diff changeset	2014	InputStream is = null;
90ce3da70b43 Initial load duke parents: diff changeset	2015	try {
90ce3da70b43 Initial load duke parents: diff changeset	2016	is = zf.getInputStream(ze);
90ce3da70b43 Initial load duke parents: diff changeset	2017	baos.reset();
90ce3da70b43 Initial load duke parents: diff changeset	2018	long left = ze.getSize();
90ce3da70b43 Initial load duke parents: diff changeset	2019
90ce3da70b43 Initial load duke parents: diff changeset	2020	while((left > 0) && (n = is.read(buffer, 0, buffer.length)) != -1) {
90ce3da70b43 Initial load duke parents: diff changeset	2021	baos.write(buffer, 0, n);
90ce3da70b43 Initial load duke parents: diff changeset	2022	left -= n;
90ce3da70b43 Initial load duke parents: diff changeset	2023	}
90ce3da70b43 Initial load duke parents: diff changeset	2024	} finally {
90ce3da70b43 Initial load duke parents: diff changeset	2025	if (is != null) {
90ce3da70b43 Initial load duke parents: diff changeset	2026	is.close();
90ce3da70b43 Initial load duke parents: diff changeset	2027	}
90ce3da70b43 Initial load duke parents: diff changeset	2028	}
90ce3da70b43 Initial load duke parents: diff changeset	2029
90ce3da70b43 Initial load duke parents: diff changeset	2030	return baos.toByteArray();
90ce3da70b43 Initial load duke parents: diff changeset	2031	}
90ce3da70b43 Initial load duke parents: diff changeset	2032
90ce3da70b43 Initial load duke parents: diff changeset	2033	/*
90ce3da70b43 Initial load duke parents: diff changeset	2034	* Returns manifest entry from given jar file, or null if given jar file
90ce3da70b43 Initial load duke parents: diff changeset	2035	* does not have a manifest entry.
90ce3da70b43 Initial load duke parents: diff changeset	2036	*/
90ce3da70b43 Initial load duke parents: diff changeset	2037	private ZipEntry getManifestFile(ZipFile zf) {
90ce3da70b43 Initial load duke parents: diff changeset	2038	ZipEntry ze = zf.getEntry(JarFile.MANIFEST_NAME);
90ce3da70b43 Initial load duke parents: diff changeset	2039	if (ze == null) {
90ce3da70b43 Initial load duke parents: diff changeset	2040	// Check all entries for matching name
90ce3da70b43 Initial load duke parents: diff changeset	2041	Enumeration<? extends ZipEntry> enum_ = zf.entries();
90ce3da70b43 Initial load duke parents: diff changeset	2042	while (enum_.hasMoreElements() && ze == null) {
90ce3da70b43 Initial load duke parents: diff changeset	2043	ze = enum_.nextElement();
90ce3da70b43 Initial load duke parents: diff changeset	2044	if (!JarFile.MANIFEST_NAME.equalsIgnoreCase
90ce3da70b43 Initial load duke parents: diff changeset	2045	(ze.getName())) {
90ce3da70b43 Initial load duke parents: diff changeset	2046	ze = null;
90ce3da70b43 Initial load duke parents: diff changeset	2047	}
90ce3da70b43 Initial load duke parents: diff changeset	2048	}
90ce3da70b43 Initial load duke parents: diff changeset	2049	}
90ce3da70b43 Initial load duke parents: diff changeset	2050	return ze;
90ce3da70b43 Initial load duke parents: diff changeset	2051	}
90ce3da70b43 Initial load duke parents: diff changeset	2052
90ce3da70b43 Initial load duke parents: diff changeset	2053	/*
90ce3da70b43 Initial load duke parents: diff changeset	2054	* Computes the digests of a zip entry, and returns them as an array
90ce3da70b43 Initial load duke parents: diff changeset	2055	* of base64-encoded strings.
90ce3da70b43 Initial load duke parents: diff changeset	2056	*/
90ce3da70b43 Initial load duke parents: diff changeset	2057	private synchronized String[] getDigests(ZipEntry ze, ZipFile zf,
16020 b57c48f16179 8006182: cleanup to use java.util.Base64 in java security component, providers, and regression tests msheppar parents: 14421 diff changeset	2058	MessageDigest[] digests)
2 90ce3da70b43 Initial load duke parents: diff changeset	2059	throws IOException {
90ce3da70b43 Initial load duke parents: diff changeset	2060
90ce3da70b43 Initial load duke parents: diff changeset	2061	int n, i;
90ce3da70b43 Initial load duke parents: diff changeset	2062	InputStream is = null;
90ce3da70b43 Initial load duke parents: diff changeset	2063	try {
90ce3da70b43 Initial load duke parents: diff changeset	2064	is = zf.getInputStream(ze);
90ce3da70b43 Initial load duke parents: diff changeset	2065	long left = ze.getSize();
90ce3da70b43 Initial load duke parents: diff changeset	2066	while((left > 0)
90ce3da70b43 Initial load duke parents: diff changeset	2067	&& (n = is.read(buffer, 0, buffer.length)) != -1) {
90ce3da70b43 Initial load duke parents: diff changeset	2068	for (i=0; i<digests.length; i++) {
90ce3da70b43 Initial load duke parents: diff changeset	2069	digests[i].update(buffer, 0, n);
90ce3da70b43 Initial load duke parents: diff changeset	2070	}
90ce3da70b43 Initial load duke parents: diff changeset	2071	left -= n;
90ce3da70b43 Initial load duke parents: diff changeset	2072	}
90ce3da70b43 Initial load duke parents: diff changeset	2073	} finally {
90ce3da70b43 Initial load duke parents: diff changeset	2074	if (is != null) {
90ce3da70b43 Initial load duke parents: diff changeset	2075	is.close();
90ce3da70b43 Initial load duke parents: diff changeset	2076	}
90ce3da70b43 Initial load duke parents: diff changeset	2077	}
90ce3da70b43 Initial load duke parents: diff changeset	2078
90ce3da70b43 Initial load duke parents: diff changeset	2079	// complete the digests
90ce3da70b43 Initial load duke parents: diff changeset	2080	String[] base64Digests = new String[digests.length];
90ce3da70b43 Initial load duke parents: diff changeset	2081	for (i=0; i<digests.length; i++) {
16020 b57c48f16179 8006182: cleanup to use java.util.Base64 in java security component, providers, and regression tests msheppar parents: 14421 diff changeset	2082	base64Digests[i] = Base64.getEncoder().encodeToString(digests[i].digest());
2 90ce3da70b43 Initial load duke parents: diff changeset	2083	}
90ce3da70b43 Initial load duke parents: diff changeset	2084	return base64Digests;
90ce3da70b43 Initial load duke parents: diff changeset	2085	}
90ce3da70b43 Initial load duke parents: diff changeset	2086
90ce3da70b43 Initial load duke parents: diff changeset	2087	/*
90ce3da70b43 Initial load duke parents: diff changeset	2088	* Computes the digests of a zip entry, and returns them as a list of
90ce3da70b43 Initial load duke parents: diff changeset	2089	* attributes
90ce3da70b43 Initial load duke parents: diff changeset	2090	*/
90ce3da70b43 Initial load duke parents: diff changeset	2091	private Attributes getDigestAttributes(ZipEntry ze, ZipFile zf,
16020 b57c48f16179 8006182: cleanup to use java.util.Base64 in java security component, providers, and regression tests msheppar parents: 14421 diff changeset	2092	MessageDigest[] digests)
2 90ce3da70b43 Initial load duke parents: diff changeset	2093	throws IOException {
90ce3da70b43 Initial load duke parents: diff changeset	2094
16020 b57c48f16179 8006182: cleanup to use java.util.Base64 in java security component, providers, and regression tests msheppar parents: 14421 diff changeset	2095	String[] base64Digests = getDigests(ze, zf, digests);
2 90ce3da70b43 Initial load duke parents: diff changeset	2096	Attributes attrs = new Attributes();
90ce3da70b43 Initial load duke parents: diff changeset	2097
90ce3da70b43 Initial load duke parents: diff changeset	2098	for (int i=0; i<digests.length; i++) {
90ce3da70b43 Initial load duke parents: diff changeset	2099	attrs.putValue(digests[i].getAlgorithm()+"-Digest",
90ce3da70b43 Initial load duke parents: diff changeset	2100	base64Digests[i]);
90ce3da70b43 Initial load duke parents: diff changeset	2101	}
90ce3da70b43 Initial load duke parents: diff changeset	2102	return attrs;
90ce3da70b43 Initial load duke parents: diff changeset	2103	}
90ce3da70b43 Initial load duke parents: diff changeset	2104
90ce3da70b43 Initial load duke parents: diff changeset	2105	/*
90ce3da70b43 Initial load duke parents: diff changeset	2106	* Updates the digest attributes of a manifest entry, by adding or
90ce3da70b43 Initial load duke parents: diff changeset	2107	* replacing digest values.
90ce3da70b43 Initial load duke parents: diff changeset	2108	* A digest value is added if the manifest entry does not contain a digest
90ce3da70b43 Initial load duke parents: diff changeset	2109	* for that particular algorithm.
90ce3da70b43 Initial load duke parents: diff changeset	2110	* A digest value is replaced if it is obsolete.
90ce3da70b43 Initial load duke parents: diff changeset	2111	*
90ce3da70b43 Initial load duke parents: diff changeset	2112	* Returns true if the manifest entry has been changed, and false
90ce3da70b43 Initial load duke parents: diff changeset	2113	* otherwise.
90ce3da70b43 Initial load duke parents: diff changeset	2114	*/
90ce3da70b43 Initial load duke parents: diff changeset	2115	private boolean updateDigests(ZipEntry ze, ZipFile zf,
90ce3da70b43 Initial load duke parents: diff changeset	2116	MessageDigest[] digests,
90ce3da70b43 Initial load duke parents: diff changeset	2117	Manifest mf) throws IOException {
90ce3da70b43 Initial load duke parents: diff changeset	2118	boolean update = false;
90ce3da70b43 Initial load duke parents: diff changeset	2119
90ce3da70b43 Initial load duke parents: diff changeset	2120	Attributes attrs = mf.getAttributes(ze.getName());
16020 b57c48f16179 8006182: cleanup to use java.util.Base64 in java security component, providers, and regression tests msheppar parents: 14421 diff changeset	2121	String[] base64Digests = getDigests(ze, zf, digests);
2 90ce3da70b43 Initial load duke parents: diff changeset	2122
90ce3da70b43 Initial load duke parents: diff changeset	2123	for (int i=0; i<digests.length; i++) {
3716 aa66143f7ad1 6876328: different names for the same digest algorithms breaks jarsigner weijun parents: 3481 diff changeset	2124	// The entry name to be written into attrs
aa66143f7ad1 6876328: different names for the same digest algorithms breaks jarsigner weijun parents: 3481 diff changeset	2125	String name = null;
aa66143f7ad1 6876328: different names for the same digest algorithms breaks jarsigner weijun parents: 3481 diff changeset	2126	try {
aa66143f7ad1 6876328: different names for the same digest algorithms breaks jarsigner weijun parents: 3481 diff changeset	2127	// Find if the digest already exists
aa66143f7ad1 6876328: different names for the same digest algorithms breaks jarsigner weijun parents: 3481 diff changeset	2128	AlgorithmId aid = AlgorithmId.get(digests[i].getAlgorithm());
aa66143f7ad1 6876328: different names for the same digest algorithms breaks jarsigner weijun parents: 3481 diff changeset	2129	for (Object key: attrs.keySet()) {
aa66143f7ad1 6876328: different names for the same digest algorithms breaks jarsigner weijun parents: 3481 diff changeset	2130	if (key instanceof Attributes.Name) {
aa66143f7ad1 6876328: different names for the same digest algorithms breaks jarsigner weijun parents: 3481 diff changeset	2131	String n = ((Attributes.Name)key).toString();
aa66143f7ad1 6876328: different names for the same digest algorithms breaks jarsigner weijun parents: 3481 diff changeset	2132	if (n.toUpperCase(Locale.ENGLISH).endsWith("-DIGEST")) {
aa66143f7ad1 6876328: different names for the same digest algorithms breaks jarsigner weijun parents: 3481 diff changeset	2133	String tmp = n.substring(0, n.length() - 7);
aa66143f7ad1 6876328: different names for the same digest algorithms breaks jarsigner weijun parents: 3481 diff changeset	2134	if (AlgorithmId.get(tmp).equals(aid)) {
aa66143f7ad1 6876328: different names for the same digest algorithms breaks jarsigner weijun parents: 3481 diff changeset	2135	name = n;
aa66143f7ad1 6876328: different names for the same digest algorithms breaks jarsigner weijun parents: 3481 diff changeset	2136	break;
aa66143f7ad1 6876328: different names for the same digest algorithms breaks jarsigner weijun parents: 3481 diff changeset	2137	}
aa66143f7ad1 6876328: different names for the same digest algorithms breaks jarsigner weijun parents: 3481 diff changeset	2138	}
aa66143f7ad1 6876328: different names for the same digest algorithms breaks jarsigner weijun parents: 3481 diff changeset	2139	}
aa66143f7ad1 6876328: different names for the same digest algorithms breaks jarsigner weijun parents: 3481 diff changeset	2140	}
aa66143f7ad1 6876328: different names for the same digest algorithms breaks jarsigner weijun parents: 3481 diff changeset	2141	} catch (NoSuchAlgorithmException nsae) {
aa66143f7ad1 6876328: different names for the same digest algorithms breaks jarsigner weijun parents: 3481 diff changeset	2142	// Ignored. Writing new digest entry.
2 90ce3da70b43 Initial load duke parents: diff changeset	2143	}
3716 aa66143f7ad1 6876328: different names for the same digest algorithms breaks jarsigner weijun parents: 3481 diff changeset	2144
aa66143f7ad1 6876328: different names for the same digest algorithms breaks jarsigner weijun parents: 3481 diff changeset	2145	if (name == null) {
aa66143f7ad1 6876328: different names for the same digest algorithms breaks jarsigner weijun parents: 3481 diff changeset	2146	name = digests[i].getAlgorithm()+"-Digest";
2 90ce3da70b43 Initial load duke parents: diff changeset	2147	attrs.putValue(name, base64Digests[i]);
90ce3da70b43 Initial load duke parents: diff changeset	2148	update=true;
90ce3da70b43 Initial load duke parents: diff changeset	2149	} else {
90ce3da70b43 Initial load duke parents: diff changeset	2150	// compare digests, and replace the one in the manifest
90ce3da70b43 Initial load duke parents: diff changeset	2151	// if they are different
3716 aa66143f7ad1 6876328: different names for the same digest algorithms breaks jarsigner weijun parents: 3481 diff changeset	2152	String mfDigest = attrs.getValue(name);
2 90ce3da70b43 Initial load duke parents: diff changeset	2153	if (!mfDigest.equalsIgnoreCase(base64Digests[i])) {
90ce3da70b43 Initial load duke parents: diff changeset	2154	attrs.putValue(name, base64Digests[i]);
90ce3da70b43 Initial load duke parents: diff changeset	2155	update=true;
90ce3da70b43 Initial load duke parents: diff changeset	2156	}
90ce3da70b43 Initial load duke parents: diff changeset	2157	}
90ce3da70b43 Initial load duke parents: diff changeset	2158	}
90ce3da70b43 Initial load duke parents: diff changeset	2159	return update;
90ce3da70b43 Initial load duke parents: diff changeset	2160	}
90ce3da70b43 Initial load duke parents: diff changeset	2161
90ce3da70b43 Initial load duke parents: diff changeset	2162	/*
90ce3da70b43 Initial load duke parents: diff changeset	2163	* Try to load the specified signing mechanism.
90ce3da70b43 Initial load duke parents: diff changeset	2164	* The URL class loader is used.
90ce3da70b43 Initial load duke parents: diff changeset	2165	*/
90ce3da70b43 Initial load duke parents: diff changeset	2166	private ContentSigner loadSigningMechanism(String signerClassName,
90ce3da70b43 Initial load duke parents: diff changeset	2167	String signerClassPath) throws Exception {
90ce3da70b43 Initial load duke parents: diff changeset	2168
90ce3da70b43 Initial load duke parents: diff changeset	2169	// construct class loader
90ce3da70b43 Initial load duke parents: diff changeset	2170	String cpString = null; // make sure env.class.path defaults to dot
90ce3da70b43 Initial load duke parents: diff changeset	2171
90ce3da70b43 Initial load duke parents: diff changeset	2172	// do prepends to get correct ordering
90ce3da70b43 Initial load duke parents: diff changeset	2173	cpString = PathList.appendPath(System.getProperty("env.class.path"), cpString);
90ce3da70b43 Initial load duke parents: diff changeset	2174	cpString = PathList.appendPath(System.getProperty("java.class.path"), cpString);
90ce3da70b43 Initial load duke parents: diff changeset	2175	cpString = PathList.appendPath(signerClassPath, cpString);
90ce3da70b43 Initial load duke parents: diff changeset	2176	URL[] urls = PathList.pathToURLs(cpString);
90ce3da70b43 Initial load duke parents: diff changeset	2177	ClassLoader appClassLoader = new URLClassLoader(urls);
90ce3da70b43 Initial load duke parents: diff changeset	2178
90ce3da70b43 Initial load duke parents: diff changeset	2179	// attempt to find signer
10336 0bb1999251f8 7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror jjg parents: 9011 diff changeset	2180	Class<?> signerClass = appClassLoader.loadClass(signerClassName);
2 90ce3da70b43 Initial load duke parents: diff changeset	2181
90ce3da70b43 Initial load duke parents: diff changeset	2182	// Check that it implements ContentSigner
90ce3da70b43 Initial load duke parents: diff changeset	2183	Object signer = signerClass.newInstance();
90ce3da70b43 Initial load duke parents: diff changeset	2184	if (!(signer instanceof ContentSigner)) {
90ce3da70b43 Initial load duke parents: diff changeset	2185	MessageFormat form = new MessageFormat(
7179 4afb81e50183 6987827: security/util/Resources.java needs improvement weijun parents: 5627 diff changeset	2186	rb.getString("signerClass.is.not.a.signing.mechanism"));
2 90ce3da70b43 Initial load duke parents: diff changeset	2187	Object[] source = {signerClass.getName()};
90ce3da70b43 Initial load duke parents: diff changeset	2188	throw new IllegalArgumentException(form.format(source));
90ce3da70b43 Initial load duke parents: diff changeset	2189	}
90ce3da70b43 Initial load duke parents: diff changeset	2190	return (ContentSigner)signer;
90ce3da70b43 Initial load duke parents: diff changeset	2191	}
90ce3da70b43 Initial load duke parents: diff changeset	2192	}
90ce3da70b43 Initial load duke parents: diff changeset	2193
90ce3da70b43 Initial load duke parents: diff changeset	2194	class SignatureFile {
90ce3da70b43 Initial load duke parents: diff changeset	2195
90ce3da70b43 Initial load duke parents: diff changeset	2196	/** SignatureFile */
90ce3da70b43 Initial load duke parents: diff changeset	2197	Manifest sf;
90ce3da70b43 Initial load duke parents: diff changeset	2198
90ce3da70b43 Initial load duke parents: diff changeset	2199	/** .SF base name */
90ce3da70b43 Initial load duke parents: diff changeset	2200	String baseName;
90ce3da70b43 Initial load duke parents: diff changeset	2201
90ce3da70b43 Initial load duke parents: diff changeset	2202	public SignatureFile(MessageDigest digests[],
90ce3da70b43 Initial load duke parents: diff changeset	2203	Manifest mf,
90ce3da70b43 Initial load duke parents: diff changeset	2204	ManifestDigester md,
90ce3da70b43 Initial load duke parents: diff changeset	2205	String baseName,
90ce3da70b43 Initial load duke parents: diff changeset	2206	boolean signManifest)
90ce3da70b43 Initial load duke parents: diff changeset	2207
90ce3da70b43 Initial load duke parents: diff changeset	2208	{
90ce3da70b43 Initial load duke parents: diff changeset	2209	this.baseName = baseName;
90ce3da70b43 Initial load duke parents: diff changeset	2210
90ce3da70b43 Initial load duke parents: diff changeset	2211	String version = System.getProperty("java.version");
90ce3da70b43 Initial load duke parents: diff changeset	2212	String javaVendor = System.getProperty("java.vendor");
90ce3da70b43 Initial load duke parents: diff changeset	2213
90ce3da70b43 Initial load duke parents: diff changeset	2214	sf = new Manifest();
90ce3da70b43 Initial load duke parents: diff changeset	2215	Attributes mattr = sf.getMainAttributes();
90ce3da70b43 Initial load duke parents: diff changeset	2216
90ce3da70b43 Initial load duke parents: diff changeset	2217	mattr.putValue(Attributes.Name.SIGNATURE_VERSION.toString(), "1.0");
90ce3da70b43 Initial load duke parents: diff changeset	2218	mattr.putValue("Created-By", version + " (" + javaVendor + ")");
90ce3da70b43 Initial load duke parents: diff changeset	2219
90ce3da70b43 Initial load duke parents: diff changeset	2220	if (signManifest) {
90ce3da70b43 Initial load duke parents: diff changeset	2221	// sign the whole manifest
90ce3da70b43 Initial load duke parents: diff changeset	2222	for (int i=0; i < digests.length; i++) {
90ce3da70b43 Initial load duke parents: diff changeset	2223	mattr.putValue(digests[i].getAlgorithm()+"-Digest-Manifest",
16020 b57c48f16179 8006182: cleanup to use java.util.Base64 in java security component, providers, and regression tests msheppar parents: 14421 diff changeset	2224	Base64.getEncoder().encodeToString(md.manifestDigest(digests[i])));
2 90ce3da70b43 Initial load duke parents: diff changeset	2225	}
90ce3da70b43 Initial load duke parents: diff changeset	2226	}
90ce3da70b43 Initial load duke parents: diff changeset	2227
90ce3da70b43 Initial load duke parents: diff changeset	2228	// create digest of the manifest main attributes
90ce3da70b43 Initial load duke parents: diff changeset	2229	ManifestDigester.Entry mde =
90ce3da70b43 Initial load duke parents: diff changeset	2230	md.get(ManifestDigester.MF_MAIN_ATTRS, false);
90ce3da70b43 Initial load duke parents: diff changeset	2231	if (mde != null) {
90ce3da70b43 Initial load duke parents: diff changeset	2232	for (int i=0; i < digests.length; i++) {
90ce3da70b43 Initial load duke parents: diff changeset	2233	mattr.putValue(digests[i].getAlgorithm() +
90ce3da70b43 Initial load duke parents: diff changeset	2234	"-Digest-" + ManifestDigester.MF_MAIN_ATTRS,
16020 b57c48f16179 8006182: cleanup to use java.util.Base64 in java security component, providers, and regression tests msheppar parents: 14421 diff changeset	2235	Base64.getEncoder().encodeToString(mde.digest(digests[i])));
2 90ce3da70b43 Initial load duke parents: diff changeset	2236	}
90ce3da70b43 Initial load duke parents: diff changeset	2237	} else {
90ce3da70b43 Initial load duke parents: diff changeset	2238	throw new IllegalStateException
90ce3da70b43 Initial load duke parents: diff changeset	2239	("ManifestDigester failed to create " +
90ce3da70b43 Initial load duke parents: diff changeset	2240	"Manifest-Main-Attribute entry");
90ce3da70b43 Initial load duke parents: diff changeset	2241	}
90ce3da70b43 Initial load duke parents: diff changeset	2242
90ce3da70b43 Initial load duke parents: diff changeset	2243	/* go through the manifest entries and create the digests */
90ce3da70b43 Initial load duke parents: diff changeset	2244
90ce3da70b43 Initial load duke parents: diff changeset	2245	Map<String,Attributes> entries = sf.getEntries();
90ce3da70b43 Initial load duke parents: diff changeset	2246	Iterator<Map.Entry<String,Attributes>> mit =
90ce3da70b43 Initial load duke parents: diff changeset	2247	mf.getEntries().entrySet().iterator();
90ce3da70b43 Initial load duke parents: diff changeset	2248	while(mit.hasNext()) {
90ce3da70b43 Initial load duke parents: diff changeset	2249	Map.Entry<String,Attributes> e = mit.next();
90ce3da70b43 Initial load duke parents: diff changeset	2250	String name = e.getKey();
90ce3da70b43 Initial load duke parents: diff changeset	2251	mde = md.get(name, false);
90ce3da70b43 Initial load duke parents: diff changeset	2252	if (mde != null) {
90ce3da70b43 Initial load duke parents: diff changeset	2253	Attributes attr = new Attributes();
90ce3da70b43 Initial load duke parents: diff changeset	2254	for (int i=0; i < digests.length; i++) {
90ce3da70b43 Initial load duke parents: diff changeset	2255	attr.putValue(digests[i].getAlgorithm()+"-Digest",
16020 b57c48f16179 8006182: cleanup to use java.util.Base64 in java security component, providers, and regression tests msheppar parents: 14421 diff changeset	2256	Base64.getEncoder().encodeToString(mde.digest(digests[i])));
2 90ce3da70b43 Initial load duke parents: diff changeset	2257	}
90ce3da70b43 Initial load duke parents: diff changeset	2258	entries.put(name, attr);
90ce3da70b43 Initial load duke parents: diff changeset	2259	}
90ce3da70b43 Initial load duke parents: diff changeset	2260	}
90ce3da70b43 Initial load duke parents: diff changeset	2261	}
90ce3da70b43 Initial load duke parents: diff changeset	2262
90ce3da70b43 Initial load duke parents: diff changeset	2263	/**
90ce3da70b43 Initial load duke parents: diff changeset	2264	* Writes the SignatureFile to the specified OutputStream.
90ce3da70b43 Initial load duke parents: diff changeset	2265	*
90ce3da70b43 Initial load duke parents: diff changeset	2266	* @param out the output stream
90ce3da70b43 Initial load duke parents: diff changeset	2267	* @exception IOException if an I/O error has occurred
90ce3da70b43 Initial load duke parents: diff changeset	2268	*/
90ce3da70b43 Initial load duke parents: diff changeset	2269
90ce3da70b43 Initial load duke parents: diff changeset	2270	public void write(OutputStream out) throws IOException
90ce3da70b43 Initial load duke parents: diff changeset	2271	{
90ce3da70b43 Initial load duke parents: diff changeset	2272	sf.write(out);
90ce3da70b43 Initial load duke parents: diff changeset	2273	}
90ce3da70b43 Initial load duke parents: diff changeset	2274
90ce3da70b43 Initial load duke parents: diff changeset	2275	/**
90ce3da70b43 Initial load duke parents: diff changeset	2276	* get .SF file name
90ce3da70b43 Initial load duke parents: diff changeset	2277	*/
90ce3da70b43 Initial load duke parents: diff changeset	2278	public String getMetaName()
90ce3da70b43 Initial load duke parents: diff changeset	2279	{
90ce3da70b43 Initial load duke parents: diff changeset	2280	return "META-INF/"+ baseName + ".SF";
90ce3da70b43 Initial load duke parents: diff changeset	2281	}
90ce3da70b43 Initial load duke parents: diff changeset	2282
90ce3da70b43 Initial load duke parents: diff changeset	2283	/**
90ce3da70b43 Initial load duke parents: diff changeset	2284	* get base file name
90ce3da70b43 Initial load duke parents: diff changeset	2285	*/
90ce3da70b43 Initial load duke parents: diff changeset	2286	public String getBaseName()
90ce3da70b43 Initial load duke parents: diff changeset	2287	{
90ce3da70b43 Initial load duke parents: diff changeset	2288	return baseName;
90ce3da70b43 Initial load duke parents: diff changeset	2289	}
90ce3da70b43 Initial load duke parents: diff changeset	2290
90ce3da70b43 Initial load duke parents: diff changeset	2291	/*
90ce3da70b43 Initial load duke parents: diff changeset	2292	* Generate a signed data block.
90ce3da70b43 Initial load duke parents: diff changeset	2293	* If a URL or a certificate (containing a URL) for a Timestamping
90ce3da70b43 Initial load duke parents: diff changeset	2294	* Authority is supplied then a signature timestamp is generated and
90ce3da70b43 Initial load duke parents: diff changeset	2295	* inserted into the signed data block.
90ce3da70b43 Initial load duke parents: diff changeset	2296	*
90ce3da70b43 Initial load duke parents: diff changeset	2297	* @param sigalg signature algorithm to use, or null to use default
90ce3da70b43 Initial load duke parents: diff changeset	2298	* @param tsaUrl The location of the Timestamping Authority. If null
90ce3da70b43 Initial load duke parents: diff changeset	2299	* then no timestamp is requested.
90ce3da70b43 Initial load duke parents: diff changeset	2300	* @param tsaCert The certificate for the Timestamping Authority. If null
90ce3da70b43 Initial load duke parents: diff changeset	2301	* then no timestamp is requested.
90ce3da70b43 Initial load duke parents: diff changeset	2302	* @param signingMechanism The signing mechanism to use.
90ce3da70b43 Initial load duke parents: diff changeset	2303	* @param args The command-line arguments to jarsigner.
90ce3da70b43 Initial load duke parents: diff changeset	2304	* @param zipFile The original source Zip file.
90ce3da70b43 Initial load duke parents: diff changeset	2305	*/
90ce3da70b43 Initial load duke parents: diff changeset	2306	public Block generateBlock(PrivateKey privateKey,
90ce3da70b43 Initial load duke parents: diff changeset	2307	String sigalg,
90ce3da70b43 Initial load duke parents: diff changeset	2308	X509Certificate[] certChain,
90ce3da70b43 Initial load duke parents: diff changeset	2309	boolean externalSF, String tsaUrl,
90ce3da70b43 Initial load duke parents: diff changeset	2310	X509Certificate tsaCert,
17161 df1ec0e2f0e7 8009636: JARSigner including TimeStamp PolicyID (TSAPolicyID) as defined in RFC3161 weijun parents: 16020 diff changeset	2311	String tSAPolicyID,
24034 31fe17eef94a 8038837: Add support to jarsigner for specifying timestamp hash algorithm weijun parents: 23912 diff changeset	2312	String tSADigestAlg,
2 90ce3da70b43 Initial load duke parents: diff changeset	2313	ContentSigner signingMechanism,
90ce3da70b43 Initial load duke parents: diff changeset	2314	String[] args, ZipFile zipFile)
90ce3da70b43 Initial load duke parents: diff changeset	2315	throws NoSuchAlgorithmException, InvalidKeyException, IOException,
90ce3da70b43 Initial load duke parents: diff changeset	2316	SignatureException, CertificateException
90ce3da70b43 Initial load duke parents: diff changeset	2317	{
8556 d3d6e4643560 7021789: Remove jarsigner -crl option weijun parents: 7977 diff changeset	2318	return new Block(this, privateKey, sigalg, certChain, externalSF,
24034 31fe17eef94a 8038837: Add support to jarsigner for specifying timestamp hash algorithm weijun parents: 23912 diff changeset	2319	tsaUrl, tsaCert, tSAPolicyID, tSADigestAlg, signingMechanism, args, zipFile);
2 90ce3da70b43 Initial load duke parents: diff changeset	2320	}
90ce3da70b43 Initial load duke parents: diff changeset	2321
90ce3da70b43 Initial load duke parents: diff changeset	2322
90ce3da70b43 Initial load duke parents: diff changeset	2323	public static class Block {
90ce3da70b43 Initial load duke parents: diff changeset	2324
90ce3da70b43 Initial load duke parents: diff changeset	2325	private byte[] block;
90ce3da70b43 Initial load duke parents: diff changeset	2326	private String blockFileName;
90ce3da70b43 Initial load duke parents: diff changeset	2327
90ce3da70b43 Initial load duke parents: diff changeset	2328	/*
90ce3da70b43 Initial load duke parents: diff changeset	2329	* Construct a new signature block.
90ce3da70b43 Initial load duke parents: diff changeset	2330	*/
90ce3da70b43 Initial load duke parents: diff changeset	2331	Block(SignatureFile sfg, PrivateKey privateKey, String sigalg,
8556 d3d6e4643560 7021789: Remove jarsigner -crl option weijun parents: 7977 diff changeset	2332	X509Certificate[] certChain, boolean externalSF, String tsaUrl,
24034 31fe17eef94a 8038837: Add support to jarsigner for specifying timestamp hash algorithm weijun parents: 23912 diff changeset	2333	X509Certificate tsaCert, String tSAPolicyID, String tSADigestAlg,
31fe17eef94a 8038837: Add support to jarsigner for specifying timestamp hash algorithm weijun parents: 23912 diff changeset	2334	ContentSigner signingMechanism, String[] args, ZipFile zipFile)
2 90ce3da70b43 Initial load duke parents: diff changeset	2335	throws NoSuchAlgorithmException, InvalidKeyException, IOException,
90ce3da70b43 Initial load duke parents: diff changeset	2336	SignatureException, CertificateException {
90ce3da70b43 Initial load duke parents: diff changeset	2337
90ce3da70b43 Initial load duke parents: diff changeset	2338	Principal issuerName = certChain[0].getIssuerDN();
90ce3da70b43 Initial load duke parents: diff changeset	2339	if (!(issuerName instanceof X500Name)) {
90ce3da70b43 Initial load duke parents: diff changeset	2340	// must extract the original encoded form of DN for subsequent
90ce3da70b43 Initial load duke parents: diff changeset	2341	// name comparison checks (converting to a String and back to
90ce3da70b43 Initial load duke parents: diff changeset	2342	// an encoded DN could cause the types of String attribute
90ce3da70b43 Initial load duke parents: diff changeset	2343	// values to be changed)
90ce3da70b43 Initial load duke parents: diff changeset	2344	X509CertInfo tbsCert = new
90ce3da70b43 Initial load duke parents: diff changeset	2345	X509CertInfo(certChain[0].getTBSCertificate());
90ce3da70b43 Initial load duke parents: diff changeset	2346	issuerName = (Principal)
14421 a64b2cc9d429 7198416: CertificateIssuerName and CertificateSubjectName are redundant mullan parents: 14182 diff changeset	2347	tbsCert.get(X509CertInfo.ISSUER + "." +
a64b2cc9d429 7198416: CertificateIssuerName and CertificateSubjectName are redundant mullan parents: 14182 diff changeset	2348	X509CertInfo.DN_NAME);
a64b2cc9d429 7198416: CertificateIssuerName and CertificateSubjectName are redundant mullan parents: 14182 diff changeset	2349	}
2 90ce3da70b43 Initial load duke parents: diff changeset	2350	BigInteger serial = certChain[0].getSerialNumber();
90ce3da70b43 Initial load duke parents: diff changeset	2351
90ce3da70b43 Initial load duke parents: diff changeset	2352	String signatureAlgorithm;
90ce3da70b43 Initial load duke parents: diff changeset	2353	String keyAlgorithm = privateKey.getAlgorithm();
90ce3da70b43 Initial load duke parents: diff changeset	2354	/*
90ce3da70b43 Initial load duke parents: diff changeset	2355	* If no signature algorithm was specified, we choose a
90ce3da70b43 Initial load duke parents: diff changeset	2356	* default that is compatible with the private key algorithm.
90ce3da70b43 Initial load duke parents: diff changeset	2357	*/
90ce3da70b43 Initial load duke parents: diff changeset	2358	if (sigalg == null) {
90ce3da70b43 Initial load duke parents: diff changeset	2359
90ce3da70b43 Initial load duke parents: diff changeset	2360	if (keyAlgorithm.equalsIgnoreCase("DSA"))
4152 bc36a9f01ac6 6870812: enhance security tools to use ECC algorithms weijun parents: 3951 diff changeset	2361	signatureAlgorithm = "SHA1withDSA";
2 90ce3da70b43 Initial load duke parents: diff changeset	2362	else if (keyAlgorithm.equalsIgnoreCase("RSA"))
4152 bc36a9f01ac6 6870812: enhance security tools to use ECC algorithms weijun parents: 3951 diff changeset	2363	signatureAlgorithm = "SHA256withRSA";
bc36a9f01ac6 6870812: enhance security tools to use ECC algorithms weijun parents: 3951 diff changeset	2364	else if (keyAlgorithm.equalsIgnoreCase("EC"))
bc36a9f01ac6 6870812: enhance security tools to use ECC algorithms weijun parents: 3951 diff changeset	2365	signatureAlgorithm = "SHA256withECDSA";
bc36a9f01ac6 6870812: enhance security tools to use ECC algorithms weijun parents: 3951 diff changeset	2366	else
2 90ce3da70b43 Initial load duke parents: diff changeset	2367	throw new RuntimeException("private key is not a DSA or "
90ce3da70b43 Initial load duke parents: diff changeset	2368	+ "RSA key");
90ce3da70b43 Initial load duke parents: diff changeset	2369	} else {
90ce3da70b43 Initial load duke parents: diff changeset	2370	signatureAlgorithm = sigalg;
90ce3da70b43 Initial load duke parents: diff changeset	2371	}
90ce3da70b43 Initial load duke parents: diff changeset	2372
90ce3da70b43 Initial load duke parents: diff changeset	2373	// check common invalid key/signature algorithm combinations
4152 bc36a9f01ac6 6870812: enhance security tools to use ECC algorithms weijun parents: 3951 diff changeset	2374	String sigAlgUpperCase = signatureAlgorithm.toUpperCase(Locale.ENGLISH);
2 90ce3da70b43 Initial load duke parents: diff changeset	2375	if ((sigAlgUpperCase.endsWith("WITHRSA") &&
90ce3da70b43 Initial load duke parents: diff changeset	2376	!keyAlgorithm.equalsIgnoreCase("RSA")) \|\|
4152 bc36a9f01ac6 6870812: enhance security tools to use ECC algorithms weijun parents: 3951 diff changeset	2377	(sigAlgUpperCase.endsWith("WITHECDSA") &&
bc36a9f01ac6 6870812: enhance security tools to use ECC algorithms weijun parents: 3951 diff changeset	2378	!keyAlgorithm.equalsIgnoreCase("EC")) \|\|
2 90ce3da70b43 Initial load duke parents: diff changeset	2379	(sigAlgUpperCase.endsWith("WITHDSA") &&
90ce3da70b43 Initial load duke parents: diff changeset	2380	!keyAlgorithm.equalsIgnoreCase("DSA"))) {
90ce3da70b43 Initial load duke parents: diff changeset	2381	throw new SignatureException
90ce3da70b43 Initial load duke parents: diff changeset	2382	("private key algorithm is not compatible with signature algorithm");
90ce3da70b43 Initial load duke parents: diff changeset	2383	}
90ce3da70b43 Initial load duke parents: diff changeset	2384
90ce3da70b43 Initial load duke parents: diff changeset	2385	blockFileName = "META-INF/"+sfg.getBaseName()+"."+keyAlgorithm;
90ce3da70b43 Initial load duke parents: diff changeset	2386
90ce3da70b43 Initial load duke parents: diff changeset	2387	AlgorithmId sigAlg = AlgorithmId.get(signatureAlgorithm);
90ce3da70b43 Initial load duke parents: diff changeset	2388	AlgorithmId digEncrAlg = AlgorithmId.get(keyAlgorithm);
90ce3da70b43 Initial load duke parents: diff changeset	2389
90ce3da70b43 Initial load duke parents: diff changeset	2390	Signature sig = Signature.getInstance(signatureAlgorithm);
90ce3da70b43 Initial load duke parents: diff changeset	2391	sig.initSign(privateKey);
90ce3da70b43 Initial load duke parents: diff changeset	2392
90ce3da70b43 Initial load duke parents: diff changeset	2393	ByteArrayOutputStream baos = new ByteArrayOutputStream();
90ce3da70b43 Initial load duke parents: diff changeset	2394	sfg.write(baos);
90ce3da70b43 Initial load duke parents: diff changeset	2395
90ce3da70b43 Initial load duke parents: diff changeset	2396	byte[] content = baos.toByteArray();
90ce3da70b43 Initial load duke parents: diff changeset	2397
90ce3da70b43 Initial load duke parents: diff changeset	2398	sig.update(content);
90ce3da70b43 Initial load duke parents: diff changeset	2399	byte[] signature = sig.sign();
90ce3da70b43 Initial load duke parents: diff changeset	2400
90ce3da70b43 Initial load duke parents: diff changeset	2401	// Timestamp the signature and generate the signature block file
90ce3da70b43 Initial load duke parents: diff changeset	2402	if (signingMechanism == null) {
90ce3da70b43 Initial load duke parents: diff changeset	2403	signingMechanism = new TimestampedSigner();
90ce3da70b43 Initial load duke parents: diff changeset	2404	}
90ce3da70b43 Initial load duke parents: diff changeset	2405	URI tsaUri = null;
90ce3da70b43 Initial load duke parents: diff changeset	2406	try {
90ce3da70b43 Initial load duke parents: diff changeset	2407	if (tsaUrl != null) {
90ce3da70b43 Initial load duke parents: diff changeset	2408	tsaUri = new URI(tsaUrl);
90ce3da70b43 Initial load duke parents: diff changeset	2409	}
90ce3da70b43 Initial load duke parents: diff changeset	2410	} catch (URISyntaxException e) {
10336 0bb1999251f8 7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror jjg parents: 9011 diff changeset	2411	throw new IOException(e);
2 90ce3da70b43 Initial load duke parents: diff changeset	2412	}
90ce3da70b43 Initial load duke parents: diff changeset	2413
90ce3da70b43 Initial load duke parents: diff changeset	2414	// Assemble parameters for the signing mechanism
90ce3da70b43 Initial load duke parents: diff changeset	2415	ContentSignerParameters params =
24034 31fe17eef94a 8038837: Add support to jarsigner for specifying timestamp hash algorithm weijun parents: 23912 diff changeset	2416	new JarSignerParameters(args, tsaUri, tsaCert, tSAPolicyID,
31fe17eef94a 8038837: Add support to jarsigner for specifying timestamp hash algorithm weijun parents: 23912 diff changeset	2417	tSADigestAlg, signature,
8556 d3d6e4643560 7021789: Remove jarsigner -crl option weijun parents: 7977 diff changeset	2418	signatureAlgorithm, certChain, content, zipFile);
2 90ce3da70b43 Initial load duke parents: diff changeset	2419
90ce3da70b43 Initial load duke parents: diff changeset	2420	// Generate the signature block
90ce3da70b43 Initial load duke parents: diff changeset	2421	block = signingMechanism.generateSignedData(
90ce3da70b43 Initial load duke parents: diff changeset	2422	params, externalSF, (tsaUrl != null \|\| tsaCert != null));
90ce3da70b43 Initial load duke parents: diff changeset	2423	}
90ce3da70b43 Initial load duke parents: diff changeset	2424
90ce3da70b43 Initial load duke parents: diff changeset	2425	/*
90ce3da70b43 Initial load duke parents: diff changeset	2426	* get block file name.
90ce3da70b43 Initial load duke parents: diff changeset	2427	*/
90ce3da70b43 Initial load duke parents: diff changeset	2428	public String getMetaName()
90ce3da70b43 Initial load duke parents: diff changeset	2429	{
90ce3da70b43 Initial load duke parents: diff changeset	2430	return blockFileName;
90ce3da70b43 Initial load duke parents: diff changeset	2431	}
90ce3da70b43 Initial load duke parents: diff changeset	2432
90ce3da70b43 Initial load duke parents: diff changeset	2433	/**
90ce3da70b43 Initial load duke parents: diff changeset	2434	* Writes the block file to the specified OutputStream.
90ce3da70b43 Initial load duke parents: diff changeset	2435	*
90ce3da70b43 Initial load duke parents: diff changeset	2436	* @param out the output stream
90ce3da70b43 Initial load duke parents: diff changeset	2437	* @exception IOException if an I/O error has occurred
90ce3da70b43 Initial load duke parents: diff changeset	2438	*/
90ce3da70b43 Initial load duke parents: diff changeset	2439
90ce3da70b43 Initial load duke parents: diff changeset	2440	public void write(OutputStream out) throws IOException
90ce3da70b43 Initial load duke parents: diff changeset	2441	{
90ce3da70b43 Initial load duke parents: diff changeset	2442	out.write(block);
90ce3da70b43 Initial load duke parents: diff changeset	2443	}
90ce3da70b43 Initial load duke parents: diff changeset	2444	}
90ce3da70b43 Initial load duke parents: diff changeset	2445	}
90ce3da70b43 Initial load duke parents: diff changeset	2446
90ce3da70b43 Initial load duke parents: diff changeset	2447
90ce3da70b43 Initial load duke parents: diff changeset	2448	/*
90ce3da70b43 Initial load duke parents: diff changeset	2449	* This object encapsulates the parameters used to perform content signing.
90ce3da70b43 Initial load duke parents: diff changeset	2450	*/
90ce3da70b43 Initial load duke parents: diff changeset	2451	class JarSignerParameters implements ContentSignerParameters {
90ce3da70b43 Initial load duke parents: diff changeset	2452
90ce3da70b43 Initial load duke parents: diff changeset	2453	private String[] args;
90ce3da70b43 Initial load duke parents: diff changeset	2454	private URI tsa;
90ce3da70b43 Initial load duke parents: diff changeset	2455	private X509Certificate tsaCertificate;
90ce3da70b43 Initial load duke parents: diff changeset	2456	private byte[] signature;
90ce3da70b43 Initial load duke parents: diff changeset	2457	private String signatureAlgorithm;
90ce3da70b43 Initial load duke parents: diff changeset	2458	private X509Certificate[] signerCertificateChain;
90ce3da70b43 Initial load duke parents: diff changeset	2459	private byte[] content;
90ce3da70b43 Initial load duke parents: diff changeset	2460	private ZipFile source;
17161 df1ec0e2f0e7 8009636: JARSigner including TimeStamp PolicyID (TSAPolicyID) as defined in RFC3161 weijun parents: 16020 diff changeset	2461	private String tSAPolicyID;
24034 31fe17eef94a 8038837: Add support to jarsigner for specifying timestamp hash algorithm weijun parents: 23912 diff changeset	2462	private String tSADigestAlg;
2 90ce3da70b43 Initial load duke parents: diff changeset	2463
90ce3da70b43 Initial load duke parents: diff changeset	2464	/**
90ce3da70b43 Initial load duke parents: diff changeset	2465	* Create a new object.
90ce3da70b43 Initial load duke parents: diff changeset	2466	*/
90ce3da70b43 Initial load duke parents: diff changeset	2467	JarSignerParameters(String[] args, URI tsa, X509Certificate tsaCertificate,
24034 31fe17eef94a 8038837: Add support to jarsigner for specifying timestamp hash algorithm weijun parents: 23912 diff changeset	2468	String tSAPolicyID, String tSADigestAlg,
2 90ce3da70b43 Initial load duke parents: diff changeset	2469	byte[] signature, String signatureAlgorithm,
8556 d3d6e4643560 7021789: Remove jarsigner -crl option weijun parents: 7977 diff changeset	2470	X509Certificate[] signerCertificateChain, byte[] content,
2 90ce3da70b43 Initial load duke parents: diff changeset	2471	ZipFile source) {
90ce3da70b43 Initial load duke parents: diff changeset	2472
90ce3da70b43 Initial load duke parents: diff changeset	2473	if (signature == null \|\| signatureAlgorithm == null \|\|
24034 31fe17eef94a 8038837: Add support to jarsigner for specifying timestamp hash algorithm weijun parents: 23912 diff changeset	2474	signerCertificateChain == null \|\| tSADigestAlg == null) {
2 90ce3da70b43 Initial load duke parents: diff changeset	2475	throw new NullPointerException();
90ce3da70b43 Initial load duke parents: diff changeset	2476	}
90ce3da70b43 Initial load duke parents: diff changeset	2477	this.args = args;
90ce3da70b43 Initial load duke parents: diff changeset	2478	this.tsa = tsa;
90ce3da70b43 Initial load duke parents: diff changeset	2479	this.tsaCertificate = tsaCertificate;
17161 df1ec0e2f0e7 8009636: JARSigner including TimeStamp PolicyID (TSAPolicyID) as defined in RFC3161 weijun parents: 16020 diff changeset	2480	this.tSAPolicyID = tSAPolicyID;
24034 31fe17eef94a 8038837: Add support to jarsigner for specifying timestamp hash algorithm weijun parents: 23912 diff changeset	2481	this.tSADigestAlg = tSADigestAlg;
2 90ce3da70b43 Initial load duke parents: diff changeset	2482	this.signature = signature;
90ce3da70b43 Initial load duke parents: diff changeset	2483	this.signatureAlgorithm = signatureAlgorithm;
90ce3da70b43 Initial load duke parents: diff changeset	2484	this.signerCertificateChain = signerCertificateChain;
90ce3da70b43 Initial load duke parents: diff changeset	2485	this.content = content;
90ce3da70b43 Initial load duke parents: diff changeset	2486	this.source = source;
90ce3da70b43 Initial load duke parents: diff changeset	2487	}
90ce3da70b43 Initial load duke parents: diff changeset	2488
90ce3da70b43 Initial load duke parents: diff changeset	2489	/**
90ce3da70b43 Initial load duke parents: diff changeset	2490	* Retrieves the command-line arguments.
90ce3da70b43 Initial load duke parents: diff changeset	2491	*
90ce3da70b43 Initial load duke parents: diff changeset	2492	* @return The command-line arguments. May be null.
90ce3da70b43 Initial load duke parents: diff changeset	2493	*/
90ce3da70b43 Initial load duke parents: diff changeset	2494	public String[] getCommandLine() {
90ce3da70b43 Initial load duke parents: diff changeset	2495	return args;
90ce3da70b43 Initial load duke parents: diff changeset	2496	}
90ce3da70b43 Initial load duke parents: diff changeset	2497
90ce3da70b43 Initial load duke parents: diff changeset	2498	/**
90ce3da70b43 Initial load duke parents: diff changeset	2499	* Retrieves the identifier for a Timestamping Authority (TSA).
90ce3da70b43 Initial load duke parents: diff changeset	2500	*
90ce3da70b43 Initial load duke parents: diff changeset	2501	* @return The TSA identifier. May be null.
90ce3da70b43 Initial load duke parents: diff changeset	2502	*/
90ce3da70b43 Initial load duke parents: diff changeset	2503	public URI getTimestampingAuthority() {
90ce3da70b43 Initial load duke parents: diff changeset	2504	return tsa;
90ce3da70b43 Initial load duke parents: diff changeset	2505	}
90ce3da70b43 Initial load duke parents: diff changeset	2506
90ce3da70b43 Initial load duke parents: diff changeset	2507	/**
90ce3da70b43 Initial load duke parents: diff changeset	2508	* Retrieves the certificate for a Timestamping Authority (TSA).
90ce3da70b43 Initial load duke parents: diff changeset	2509	*
90ce3da70b43 Initial load duke parents: diff changeset	2510	* @return The TSA certificate. May be null.
90ce3da70b43 Initial load duke parents: diff changeset	2511	*/
90ce3da70b43 Initial load duke parents: diff changeset	2512	public X509Certificate getTimestampingAuthorityCertificate() {
90ce3da70b43 Initial load duke parents: diff changeset	2513	return tsaCertificate;
90ce3da70b43 Initial load duke parents: diff changeset	2514	}
90ce3da70b43 Initial load duke parents: diff changeset	2515
17161 df1ec0e2f0e7 8009636: JARSigner including TimeStamp PolicyID (TSAPolicyID) as defined in RFC3161 weijun parents: 16020 diff changeset	2516	public String getTSAPolicyID() {
df1ec0e2f0e7 8009636: JARSigner including TimeStamp PolicyID (TSAPolicyID) as defined in RFC3161 weijun parents: 16020 diff changeset	2517	return tSAPolicyID;
df1ec0e2f0e7 8009636: JARSigner including TimeStamp PolicyID (TSAPolicyID) as defined in RFC3161 weijun parents: 16020 diff changeset	2518	}
df1ec0e2f0e7 8009636: JARSigner including TimeStamp PolicyID (TSAPolicyID) as defined in RFC3161 weijun parents: 16020 diff changeset	2519
24034 31fe17eef94a 8038837: Add support to jarsigner for specifying timestamp hash algorithm weijun parents: 23912 diff changeset	2520	public String getTSADigestAlg() {
31fe17eef94a 8038837: Add support to jarsigner for specifying timestamp hash algorithm weijun parents: 23912 diff changeset	2521	return tSADigestAlg;
31fe17eef94a 8038837: Add support to jarsigner for specifying timestamp hash algorithm weijun parents: 23912 diff changeset	2522	}
31fe17eef94a 8038837: Add support to jarsigner for specifying timestamp hash algorithm weijun parents: 23912 diff changeset	2523
2 90ce3da70b43 Initial load duke parents: diff changeset	2524	/**
90ce3da70b43 Initial load duke parents: diff changeset	2525	* Retrieves the signature.
90ce3da70b43 Initial load duke parents: diff changeset	2526	*
90ce3da70b43 Initial load duke parents: diff changeset	2527	* @return The non-null signature bytes.
90ce3da70b43 Initial load duke parents: diff changeset	2528	*/
90ce3da70b43 Initial load duke parents: diff changeset	2529	public byte[] getSignature() {
90ce3da70b43 Initial load duke parents: diff changeset	2530	return signature;
90ce3da70b43 Initial load duke parents: diff changeset	2531	}
90ce3da70b43 Initial load duke parents: diff changeset	2532
90ce3da70b43 Initial load duke parents: diff changeset	2533	/**
90ce3da70b43 Initial load duke parents: diff changeset	2534	* Retrieves the name of the signature algorithm.
90ce3da70b43 Initial load duke parents: diff changeset	2535	*
90ce3da70b43 Initial load duke parents: diff changeset	2536	* @return The non-null string name of the signature algorithm.
90ce3da70b43 Initial load duke parents: diff changeset	2537	*/
90ce3da70b43 Initial load duke parents: diff changeset	2538	public String getSignatureAlgorithm() {
90ce3da70b43 Initial load duke parents: diff changeset	2539	return signatureAlgorithm;
90ce3da70b43 Initial load duke parents: diff changeset	2540	}
90ce3da70b43 Initial load duke parents: diff changeset	2541
90ce3da70b43 Initial load duke parents: diff changeset	2542	/**
90ce3da70b43 Initial load duke parents: diff changeset	2543	* Retrieves the signer's X.509 certificate chain.
90ce3da70b43 Initial load duke parents: diff changeset	2544	*
90ce3da70b43 Initial load duke parents: diff changeset	2545	* @return The non-null array of X.509 public-key certificates.
90ce3da70b43 Initial load duke parents: diff changeset	2546	*/
90ce3da70b43 Initial load duke parents: diff changeset	2547	public X509Certificate[] getSignerCertificateChain() {
90ce3da70b43 Initial load duke parents: diff changeset	2548	return signerCertificateChain;
90ce3da70b43 Initial load duke parents: diff changeset	2549	}
90ce3da70b43 Initial load duke parents: diff changeset	2550
90ce3da70b43 Initial load duke parents: diff changeset	2551	/**
90ce3da70b43 Initial load duke parents: diff changeset	2552	* Retrieves the content that was signed.
90ce3da70b43 Initial load duke parents: diff changeset	2553	*
90ce3da70b43 Initial load duke parents: diff changeset	2554	* @return The content bytes. May be null.
90ce3da70b43 Initial load duke parents: diff changeset	2555	*/
90ce3da70b43 Initial load duke parents: diff changeset	2556	public byte[] getContent() {
90ce3da70b43 Initial load duke parents: diff changeset	2557	return content;
90ce3da70b43 Initial load duke parents: diff changeset	2558	}
90ce3da70b43 Initial load duke parents: diff changeset	2559
90ce3da70b43 Initial load duke parents: diff changeset	2560	/**
90ce3da70b43 Initial load duke parents: diff changeset	2561	* Retrieves the original source ZIP file before it was signed.
90ce3da70b43 Initial load duke parents: diff changeset	2562	*
90ce3da70b43 Initial load duke parents: diff changeset	2563	* @return The original ZIP file. May be null.
90ce3da70b43 Initial load duke parents: diff changeset	2564	*/
90ce3da70b43 Initial load duke parents: diff changeset	2565	public ZipFile getSource() {
90ce3da70b43 Initial load duke parents: diff changeset	2566	return source;
90ce3da70b43 Initial load duke parents: diff changeset	2567	}
90ce3da70b43 Initial load duke parents: diff changeset	2568	}

author	psandoz
	Mon, 16 Jun 2014 17:45:26 +0100
changeset 24969	afa6934dd8e8
parent 24868	89d9bd9eba96
permissions	-rw-r--r--