1 /* |
1 /* |
2 * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved. |
2 * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 * |
4 * |
5 * This code is free software; you can redistribute it and/or modify it |
5 * This code is free software; you can redistribute it and/or modify it |
6 * under the terms of the GNU General Public License version 2 only, as |
6 * under the terms of the GNU General Public License version 2 only, as |
7 * published by the Free Software Foundation. Oracle designates this |
7 * published by the Free Software Foundation. Oracle designates this |
160 // Informational warnings |
160 // Informational warnings |
161 private boolean hasExpiringCert = false; |
161 private boolean hasExpiringCert = false; |
162 private boolean noTimestamp = false; |
162 private boolean noTimestamp = false; |
163 private Date expireDate = new Date(0L); // used in noTimestamp warning |
163 private Date expireDate = new Date(0L); // used in noTimestamp warning |
164 |
164 |
165 // Severe warnings |
165 // Severe warnings. |
|
166 |
|
167 // jarsigner used to check signer cert chain validity and key usages |
|
168 // itself and set various warnings. Later CertPath validation is |
|
169 // added but chainNotValidated is only flagged when no other existing |
|
170 // warnings are set. TSA cert chain check is added separately and |
|
171 // only tsaChainNotValidated is set, i.e. has no affect on hasExpiredCert, |
|
172 // notYetValidCert, or any badXyzUsage. |
|
173 |
166 private int weakAlg = 0; // 1. digestalg, 2. sigalg, 4. tsadigestalg |
174 private int weakAlg = 0; // 1. digestalg, 2. sigalg, 4. tsadigestalg |
167 private boolean hasExpiredCert = false; |
175 private boolean hasExpiredCert = false; |
168 private boolean notYetValidCert = false; |
176 private boolean notYetValidCert = false; |
169 private boolean chainNotValidated = false; |
177 private boolean chainNotValidated = false; |
|
178 private boolean tsaChainNotValidated = false; |
170 private boolean notSignedByAlias = false; |
179 private boolean notSignedByAlias = false; |
171 private boolean aliasNotInStore = false; |
180 private boolean aliasNotInStore = false; |
172 private boolean hasUnsignedEntry = false; |
181 private boolean hasUnsignedEntry = false; |
173 private boolean badKeyUsage = false; |
182 private boolean badKeyUsage = false; |
174 private boolean badExtendedKeyUsage = false; |
183 private boolean badExtendedKeyUsage = false; |
175 private boolean badNetscapeCertType = false; |
184 private boolean badNetscapeCertType = false; |
176 private boolean signerSelfSigned = false; |
185 private boolean signerSelfSigned = false; |
177 |
186 |
178 private Throwable chainNotValidatedReason = null; |
187 private Throwable chainNotValidatedReason = null; |
|
188 private Throwable tsaChainNotValidatedReason = null; |
179 |
189 |
180 private boolean seeWeak = false; |
190 private boolean seeWeak = false; |
181 |
191 |
182 PKIXBuilderParameters pkixParameters; |
192 PKIXBuilderParameters pkixParameters; |
183 |
193 |
264 } |
274 } |
265 } |
275 } |
266 |
276 |
267 if (strict) { |
277 if (strict) { |
268 int exitCode = 0; |
278 int exitCode = 0; |
269 if (weakAlg != 0 || chainNotValidated || hasExpiredCert || notYetValidCert || signerSelfSigned) { |
279 if (weakAlg != 0 || chainNotValidated |
|
280 || hasExpiredCert || notYetValidCert || signerSelfSigned) { |
270 exitCode |= 4; |
281 exitCode |= 4; |
271 } |
282 } |
272 if (badKeyUsage || badExtendedKeyUsage || badNetscapeCertType) { |
283 if (badKeyUsage || badExtendedKeyUsage || badNetscapeCertType) { |
273 exitCode |= 8; |
284 exitCode |= 8; |
274 } |
285 } |
275 if (hasUnsignedEntry) { |
286 if (hasUnsignedEntry) { |
276 exitCode |= 16; |
287 exitCode |= 16; |
277 } |
288 } |
278 if (notSignedByAlias || aliasNotInStore) { |
289 if (notSignedByAlias || aliasNotInStore) { |
279 exitCode |= 32; |
290 exitCode |= 32; |
|
291 } |
|
292 if (tsaChainNotValidated) { |
|
293 exitCode |= 64; |
280 } |
294 } |
281 if (exitCode != 0) { |
295 if (exitCode != 0) { |
282 System.exit(exitCode); |
296 System.exit(exitCode); |
283 } |
297 } |
284 } |
298 } |
862 // keystore, it can be self-signed. |
876 // keystore, it can be self-signed. |
863 if (!aliasNotInStore) { |
877 if (!aliasNotInStore) { |
864 signerSelfSigned = false; |
878 signerSelfSigned = false; |
865 } |
879 } |
866 |
880 |
|
881 // If there is a time stamp block inside the PKCS7 block file |
|
882 boolean hasTimestampBlock = false; |
|
883 |
867 // Even if the verbose option is not specified, all out strings |
884 // Even if the verbose option is not specified, all out strings |
868 // must be generated so seeWeak can be updated. |
885 // must be generated so seeWeak can be updated. |
869 if (!digestMap.isEmpty() |
886 if (!digestMap.isEmpty() |
870 || !sigMap.isEmpty() |
887 || !sigMap.isEmpty() |
871 || !unparsableSignatures.isEmpty()) { |
888 || !unparsableSignatures.isEmpty()) { |
890 si.getDigestAlgorithmId().getName(), |
907 si.getDigestAlgorithmId().getName(), |
891 si.getDigestEncryptionAlgorithmId().getName()); |
908 si.getDigestEncryptionAlgorithmId().getName()); |
892 PublicKey key = signer.getPublicKey(); |
909 PublicKey key = signer.getPublicKey(); |
893 PKCS7 tsToken = si.getTsToken(); |
910 PKCS7 tsToken = si.getTsToken(); |
894 if (tsToken != null) { |
911 if (tsToken != null) { |
|
912 hasTimestampBlock = true; |
895 SignerInfo tsSi = tsToken.getSignerInfos()[0]; |
913 SignerInfo tsSi = tsToken.getSignerInfos()[0]; |
896 X509Certificate tsSigner = tsSi.getCertificate(tsToken); |
914 X509Certificate tsSigner = tsSi.getCertificate(tsToken); |
897 byte[] encTsTokenInfo = tsToken.getContentInfo().getData(); |
915 byte[] encTsTokenInfo = tsToken.getContentInfo().getData(); |
898 TimestampToken tsTokenInfo = new TimestampToken(encTsTokenInfo); |
916 TimestampToken tsTokenInfo = new TimestampToken(encTsTokenInfo); |
899 PublicKey tsKey = tsSigner.getPublicKey(); |
917 PublicKey tsKey = tsSigner.getPublicKey(); |
965 boolean warningAppeared = false; |
983 boolean warningAppeared = false; |
966 boolean errorAppeared = false; |
984 boolean errorAppeared = false; |
967 if (badKeyUsage || badExtendedKeyUsage || badNetscapeCertType || |
985 if (badKeyUsage || badExtendedKeyUsage || badNetscapeCertType || |
968 notYetValidCert || chainNotValidated || hasExpiredCert || |
986 notYetValidCert || chainNotValidated || hasExpiredCert || |
969 hasUnsignedEntry || signerSelfSigned || (weakAlg != 0) || |
987 hasUnsignedEntry || signerSelfSigned || (weakAlg != 0) || |
970 aliasNotInStore || notSignedByAlias) { |
988 aliasNotInStore || notSignedByAlias || tsaChainNotValidated) { |
971 |
989 |
972 if (strict) { |
990 if (strict) { |
973 System.out.println(rb.getString("jar.verified.with.signer.errors.")); |
991 System.out.println(rb.getString("jar.verified.with.signer.errors.")); |
974 System.out.println(); |
992 System.out.println(); |
975 System.out.println(rb.getString("Error.")); |
993 System.out.println(rb.getString("Error.")); |
1017 "This.jar.contains.entries.whose.signer.certificate.is.not.yet.valid.")); |
1035 "This.jar.contains.entries.whose.signer.certificate.is.not.yet.valid.")); |
1018 } |
1036 } |
1019 |
1037 |
1020 if (chainNotValidated) { |
1038 if (chainNotValidated) { |
1021 System.out.println(String.format( |
1039 System.out.println(String.format( |
1022 rb.getString("This.jar.contains.entries.whose.certificate.chain.is.not.validated.reason.1"), |
1040 rb.getString("This.jar.contains.entries.whose.certificate.chain.is.invalid.reason.1"), |
1023 chainNotValidatedReason.getLocalizedMessage())); |
1041 chainNotValidatedReason.getLocalizedMessage())); |
|
1042 } |
|
1043 |
|
1044 if (tsaChainNotValidated) { |
|
1045 System.out.println(String.format( |
|
1046 rb.getString("This.jar.contains.entries.whose.tsa.certificate.chain.is.invalid.reason.1"), |
|
1047 tsaChainNotValidatedReason.getLocalizedMessage())); |
1024 } |
1048 } |
1025 |
1049 |
1026 if (notSignedByAlias) { |
1050 if (notSignedByAlias) { |
1027 System.out.println( |
1051 System.out.println( |
1028 rb.getString("This.jar.contains.signed.entries.which.is.not.signed.by.the.specified.alias.es.")); |
1052 rb.getString("This.jar.contains.signed.entries.which.is.not.signed.by.the.specified.alias.es.")); |
1048 if (hasExpiringCert) { |
1072 if (hasExpiringCert) { |
1049 System.out.println(rb.getString( |
1073 System.out.println(rb.getString( |
1050 "This.jar.contains.entries.whose.signer.certificate.will.expire.within.six.months.")); |
1074 "This.jar.contains.entries.whose.signer.certificate.will.expire.within.six.months.")); |
1051 } |
1075 } |
1052 if (noTimestamp) { |
1076 if (noTimestamp) { |
1053 System.out.println( |
1077 if (hasTimestampBlock) { |
1054 String.format(rb.getString("no.timestamp.verifying"), expireDate)); |
1078 // JarSigner API has not seen the timestamp, |
|
1079 // might have ignored it due to weak alg, etc. |
|
1080 System.out.println( |
|
1081 String.format(rb.getString("bad.timestamp.verifying"), expireDate)); |
|
1082 } else { |
|
1083 System.out.println( |
|
1084 String.format(rb.getString("no.timestamp.verifying"), expireDate)); |
|
1085 } |
1055 } |
1086 } |
1056 } |
1087 } |
1057 if (warningAppeared || errorAppeared) { |
1088 if (warningAppeared || errorAppeared) { |
1058 if (! (verbose != null && showcerts)) { |
1089 if (! (verbose != null && showcerts)) { |
1059 System.out.println(); |
1090 System.out.println(); |
1104 private static MessageFormat validityTimeForm = null; |
1135 private static MessageFormat validityTimeForm = null; |
1105 private static MessageFormat notYetTimeForm = null; |
1136 private static MessageFormat notYetTimeForm = null; |
1106 private static MessageFormat expiredTimeForm = null; |
1137 private static MessageFormat expiredTimeForm = null; |
1107 private static MessageFormat expiringTimeForm = null; |
1138 private static MessageFormat expiringTimeForm = null; |
1108 |
1139 |
1109 /* |
1140 /** |
1110 * Display some details about a certificate: |
1141 * Returns a string about a certificate: |
1111 * |
1142 * |
1112 * [<tab>] <cert-type> [", " <subject-DN>] [" (" <keystore-entry-alias> ")"] |
1143 * [<tab>] <cert-type> [", " <subject-DN>] [" (" <keystore-entry-alias> ")"] |
1113 * [<validity-period> | <expiry-warning>] |
1144 * [<validity-period> | <expiry-warning>] |
|
1145 * [<key-usage-warning>] |
1114 * |
1146 * |
1115 * Note: no newline character at the end |
1147 * Note: no newline character at the end. |
|
1148 * |
|
1149 * When isTsCert is true, this method sets global flags like hasExpiredCert, |
|
1150 * notYetValidCert, badKeyUsage, badExtendedKeyUsage, badNetscapeCertType. |
|
1151 * |
|
1152 * @param isTsCert true if c is in the TSA cert chain, false otherwise. |
|
1153 * @param checkUsage true to check code signer keyUsage |
1116 */ |
1154 */ |
1117 String printCert(String tab, Certificate c, boolean checkValidityPeriod, |
1155 String printCert(boolean isTsCert, String tab, Certificate c, |
1118 Date timestamp, boolean checkUsage) { |
1156 Date timestamp, boolean checkUsage) throws Exception { |
1119 |
1157 |
1120 StringBuilder certStr = new StringBuilder(); |
1158 StringBuilder certStr = new StringBuilder(); |
1121 String space = rb.getString("SPACE"); |
1159 String space = rb.getString("SPACE"); |
1122 X509Certificate x509Cert = null; |
1160 X509Certificate x509Cert = null; |
1123 |
1161 |
1133 String alias = storeHash.get(c); |
1171 String alias = storeHash.get(c); |
1134 if (alias != null) { |
1172 if (alias != null) { |
1135 certStr.append(space).append(alias); |
1173 certStr.append(space).append(alias); |
1136 } |
1174 } |
1137 |
1175 |
1138 if (checkValidityPeriod && x509Cert != null) { |
1176 if (x509Cert != null) { |
1139 |
1177 |
1140 certStr.append("\n").append(tab).append("["); |
1178 certStr.append("\n").append(tab).append("["); |
1141 Date notAfter = x509Cert.getNotAfter(); |
1179 Date notAfter = x509Cert.getNotAfter(); |
1142 try { |
1180 try { |
1143 boolean printValidity = true; |
1181 boolean printValidity = true; |
1146 expireDate = notAfter; |
1184 expireDate = notAfter; |
1147 } |
1185 } |
1148 x509Cert.checkValidity(); |
1186 x509Cert.checkValidity(); |
1149 // test if cert will expire within six months |
1187 // test if cert will expire within six months |
1150 if (notAfter.getTime() < System.currentTimeMillis() + SIX_MONTHS) { |
1188 if (notAfter.getTime() < System.currentTimeMillis() + SIX_MONTHS) { |
1151 hasExpiringCert = true; |
1189 if (!isTsCert) hasExpiringCert = true; |
1152 if (expiringTimeForm == null) { |
1190 if (expiringTimeForm == null) { |
1153 expiringTimeForm = new MessageFormat( |
1191 expiringTimeForm = new MessageFormat( |
1154 rb.getString("certificate.will.expire.on")); |
1192 rb.getString("certificate.will.expire.on")); |
1155 } |
1193 } |
1156 Object[] source = { notAfter }; |
1194 Object[] source = { notAfter }; |
1167 } |
1205 } |
1168 Object[] source = { x509Cert.getNotBefore(), notAfter }; |
1206 Object[] source = { x509Cert.getNotBefore(), notAfter }; |
1169 certStr.append(validityTimeForm.format(source)); |
1207 certStr.append(validityTimeForm.format(source)); |
1170 } |
1208 } |
1171 } catch (CertificateExpiredException cee) { |
1209 } catch (CertificateExpiredException cee) { |
1172 hasExpiredCert = true; |
1210 if (!isTsCert) hasExpiredCert = true; |
1173 |
1211 |
1174 if (expiredTimeForm == null) { |
1212 if (expiredTimeForm == null) { |
1175 expiredTimeForm = new MessageFormat( |
1213 expiredTimeForm = new MessageFormat( |
1176 rb.getString("certificate.expired.on")); |
1214 rb.getString("certificate.expired.on")); |
1177 } |
1215 } |
1178 Object[] source = { notAfter }; |
1216 Object[] source = { notAfter }; |
1179 certStr.append(expiredTimeForm.format(source)); |
1217 certStr.append(expiredTimeForm.format(source)); |
1180 |
1218 |
1181 } catch (CertificateNotYetValidException cnyve) { |
1219 } catch (CertificateNotYetValidException cnyve) { |
1182 notYetValidCert = true; |
1220 if (!isTsCert) notYetValidCert = true; |
1183 |
1221 |
1184 if (notYetTimeForm == null) { |
1222 if (notYetTimeForm == null) { |
1185 notYetTimeForm = new MessageFormat( |
1223 notYetTimeForm = new MessageFormat( |
1186 rb.getString("certificate.is.not.valid.until")); |
1224 rb.getString("certificate.is.not.valid.until")); |
1187 } |
1225 } |
1396 rb.getString("requesting.a.signature.timestamp")); |
1434 rb.getString("requesting.a.signature.timestamp")); |
1397 if (tsaUrl != null) { |
1435 if (tsaUrl != null) { |
1398 System.out.println(rb.getString("TSA.location.") + tsaUrl); |
1436 System.out.println(rb.getString("TSA.location.") + tsaUrl); |
1399 } else if (tsaCert != null) { |
1437 } else if (tsaCert != null) { |
1400 System.out.println(rb.getString("TSA.certificate.") + |
1438 System.out.println(rb.getString("TSA.certificate.") + |
1401 printCert("", tsaCert, false, null, false)); |
1439 printCert(true, "", tsaCert, null, false)); |
1402 } |
1440 } |
1403 } |
1441 } |
1404 builder.tsa(tsaURI); |
1442 builder.tsa(tsaURI); |
1405 if (tSADigestAlg != null) { |
1443 if (tSADigestAlg != null) { |
1406 builder.setProperty("tsaDigestAlg", tSADigestAlg); |
1444 builder.setProperty("tsaDigestAlg", tSADigestAlg); |
1456 if (fos != null) { |
1494 if (fos != null) { |
1457 fos.close(); |
1495 fos.close(); |
1458 } |
1496 } |
1459 } |
1497 } |
1460 |
1498 |
|
1499 // The JarSigner API always accepts the timestamp received. |
|
1500 // We need to extract the certs from the signed jar to |
|
1501 // validate it. |
|
1502 if (!noTimestamp) { |
|
1503 try (JarFile check = new JarFile(signedJarFile)) { |
|
1504 PKCS7 p7 = new PKCS7(check.getInputStream(check.getEntry( |
|
1505 "META-INF/" + sigfile + "." + privateKey.getAlgorithm()))); |
|
1506 SignerInfo si = p7.getSignerInfos()[0]; |
|
1507 PKCS7 tsToken = si.getTsToken(); |
|
1508 SignerInfo tsSi = tsToken.getSignerInfos()[0]; |
|
1509 try { |
|
1510 validateCertChain(Validator.VAR_TSA_SERVER, |
|
1511 tsSi.getCertificateChain(tsToken), null); |
|
1512 } catch (Exception e) { |
|
1513 tsaChainNotValidated = true; |
|
1514 tsaChainNotValidatedReason = e; |
|
1515 } |
|
1516 } catch (Exception e) { |
|
1517 if (debug) { |
|
1518 e.printStackTrace(); |
|
1519 } |
|
1520 } |
|
1521 } |
|
1522 |
1461 // no IOException thrown in the follow try clause, so disable |
1523 // no IOException thrown in the follow try clause, so disable |
1462 // the try clause. |
1524 // the try clause. |
1463 // try { |
1525 // try { |
1464 if (signedjar == null) { |
1526 if (signedjar == null) { |
1465 // attempt an atomic rename. If that fails, |
1527 // attempt an atomic rename. If that fails, |
1485 } |
1547 } |
1486 } |
1548 } |
1487 } |
1549 } |
1488 |
1550 |
1489 boolean warningAppeared = false; |
1551 boolean warningAppeared = false; |
1490 if (weakAlg != 0 || badKeyUsage || badExtendedKeyUsage || badNetscapeCertType || |
1552 if (weakAlg != 0 || badKeyUsage || badExtendedKeyUsage |
1491 notYetValidCert || chainNotValidated || hasExpiredCert || signerSelfSigned) { |
1553 || badNetscapeCertType || notYetValidCert |
|
1554 || chainNotValidated || tsaChainNotValidated |
|
1555 || hasExpiredCert || signerSelfSigned) { |
1492 if (strict) { |
1556 if (strict) { |
1493 System.out.println(rb.getString("jar.signed.with.signer.errors.")); |
1557 System.out.println(rb.getString("jar.signed.with.signer.errors.")); |
1494 System.out.println(); |
1558 System.out.println(); |
1495 System.out.println(rb.getString("Error.")); |
1559 System.out.println(rb.getString("Error.")); |
1496 } else { |
1560 } else { |
1523 rb.getString("The.signer.certificate.is.not.yet.valid.")); |
1587 rb.getString("The.signer.certificate.is.not.yet.valid.")); |
1524 } |
1588 } |
1525 |
1589 |
1526 if (chainNotValidated) { |
1590 if (chainNotValidated) { |
1527 System.out.println(String.format( |
1591 System.out.println(String.format( |
1528 rb.getString("The.signer.s.certificate.chain.is.not.validated.reason.1"), |
1592 rb.getString("The.signer.s.certificate.chain.is.invalid.reason.1"), |
1529 chainNotValidatedReason.getLocalizedMessage())); |
1593 chainNotValidatedReason.getLocalizedMessage())); |
|
1594 } |
|
1595 |
|
1596 if (tsaChainNotValidated) { |
|
1597 System.out.println(String.format( |
|
1598 rb.getString("The.tsa.certificate.chain.is.invalid.reason.1"), |
|
1599 tsaChainNotValidatedReason.getLocalizedMessage())); |
1530 } |
1600 } |
1531 |
1601 |
1532 if (signerSelfSigned) { |
1602 if (signerSelfSigned) { |
1533 System.out.println( |
1603 System.out.println( |
1534 rb.getString("The.signer.s.certificate.is.self.signed.")); |
1604 rb.getString("The.signer.s.certificate.is.self.signed.")); |
1598 Map<CodeSigner,String> cacheForSignerInfo = new IdentityHashMap<>(); |
1668 Map<CodeSigner,String> cacheForSignerInfo = new IdentityHashMap<>(); |
1599 |
1669 |
1600 /** |
1670 /** |
1601 * Returns a string of singer info, with a newline at the end |
1671 * Returns a string of singer info, with a newline at the end |
1602 */ |
1672 */ |
1603 private String signerInfo(CodeSigner signer, String tab) { |
1673 private String signerInfo(CodeSigner signer, String tab) throws Exception { |
1604 if (cacheForSignerInfo.containsKey(signer)) { |
1674 if (cacheForSignerInfo.containsKey(signer)) { |
1605 return cacheForSignerInfo.get(signer); |
1675 return cacheForSignerInfo.get(signer); |
1606 } |
1676 } |
1607 StringBuilder sb = new StringBuilder(); |
1677 StringBuilder sb = new StringBuilder(); |
1608 List<? extends Certificate> certs = signer.getSignerCertPath().getCertificates(); |
1678 List<? extends Certificate> certs = signer.getSignerCertPath().getCertificates(); |
1618 noTimestamp = true; |
1688 noTimestamp = true; |
1619 } |
1689 } |
1620 // display the certificate(sb). The first one is end-entity cert and |
1690 // display the certificate(sb). The first one is end-entity cert and |
1621 // its KeyUsage should be checked. |
1691 // its KeyUsage should be checked. |
1622 boolean first = true; |
1692 boolean first = true; |
|
1693 sb.append(tab).append(rb.getString("...Signer")).append('\n'); |
1623 for (Certificate c : certs) { |
1694 for (Certificate c : certs) { |
1624 sb.append(printCert(tab, c, true, timestamp, first)); |
1695 sb.append(printCert(false, tab, c, timestamp, first)); |
1625 sb.append('\n'); |
1696 sb.append('\n'); |
1626 first = false; |
1697 first = false; |
1627 } |
1698 } |
1628 try { |
1699 try { |
1629 validateCertChain(certs); |
1700 validateCertChain(Validator.VAR_CODE_SIGNING, certs, ts); |
1630 } catch (Exception e) { |
1701 } catch (Exception e) { |
1631 chainNotValidated = true; |
1702 chainNotValidated = true; |
1632 chainNotValidatedReason = e; |
1703 chainNotValidatedReason = e; |
1633 sb.append(tab).append(rb.getString(".CertPath.not.validated.")) |
1704 sb.append(tab).append(rb.getString(".Invalid.certificate.chain.")) |
1634 .append(e.getLocalizedMessage()).append("]\n"); // TODO |
1705 .append(e.getLocalizedMessage()).append("]\n"); |
|
1706 } |
|
1707 if (ts != null) { |
|
1708 sb.append(tab).append(rb.getString("...TSA")).append('\n'); |
|
1709 for (Certificate c : ts.getSignerCertPath().getCertificates()) { |
|
1710 sb.append(printCert(true, tab, c, timestamp, false)); |
|
1711 sb.append('\n'); |
|
1712 } |
|
1713 try { |
|
1714 validateCertChain(Validator.VAR_TSA_SERVER, |
|
1715 ts.getSignerCertPath().getCertificates(), null); |
|
1716 } catch (Exception e) { |
|
1717 tsaChainNotValidated = true; |
|
1718 tsaChainNotValidatedReason = e; |
|
1719 sb.append(tab).append(rb.getString(".Invalid.TSA.certificate.chain.")) |
|
1720 .append(e.getLocalizedMessage()).append("]\n"); |
|
1721 } |
1635 } |
1722 } |
1636 if (certs.size() == 1 |
1723 if (certs.size() == 1 |
1637 && KeyStoreUtil.isSelfSigned((X509Certificate)certs.get(0))) { |
1724 && KeyStoreUtil.isSelfSigned((X509Certificate)certs.get(0))) { |
1638 signerSelfSigned = true; |
1725 signerSelfSigned = true; |
1639 } |
1726 } |
1885 certChain[i] = (X509Certificate)cs[i]; |
1972 certChain[i] = (X509Certificate)cs[i]; |
1886 } |
1973 } |
1887 |
1974 |
1888 // We don't meant to print anything, the next call |
1975 // We don't meant to print anything, the next call |
1889 // checks validity and keyUsage etc |
1976 // checks validity and keyUsage etc |
1890 printCert("", certChain[0], true, null, true); |
1977 printCert(false, "", certChain[0], null, true); |
1891 |
1978 |
1892 try { |
1979 try { |
1893 validateCertChain(Arrays.asList(certChain)); |
1980 validateCertChain(Validator.VAR_CODE_SIGNING, |
|
1981 Arrays.asList(certChain), null); |
1894 } catch (Exception e) { |
1982 } catch (Exception e) { |
1895 chainNotValidated = true; |
1983 chainNotValidated = true; |
1896 chainNotValidatedReason = e; |
1984 chainNotValidatedReason = e; |
1897 } |
1985 } |
1898 |
1986 |
1947 e.printStackTrace(); |
2035 e.printStackTrace(); |
1948 } |
2036 } |
1949 System.exit(1); |
2037 System.exit(1); |
1950 } |
2038 } |
1951 |
2039 |
1952 void validateCertChain(List<? extends Certificate> certs) throws Exception { |
2040 /** |
|
2041 * Validates a cert chain. |
|
2042 * |
|
2043 * @param parameter this might be a timestamp |
|
2044 */ |
|
2045 void validateCertChain(String variant, List<? extends Certificate> certs, |
|
2046 Object parameter) |
|
2047 throws Exception { |
1953 try { |
2048 try { |
1954 Validator.getInstance(Validator.TYPE_PKIX, |
2049 Validator.getInstance(Validator.TYPE_PKIX, |
1955 Validator.VAR_CODE_SIGNING, |
2050 variant, |
1956 pkixParameters) |
2051 pkixParameters) |
1957 .validate(certs.toArray(new X509Certificate[certs.size()])); |
2052 .validate(certs.toArray(new X509Certificate[certs.size()]), |
|
2053 null, parameter); |
1958 } catch (Exception e) { |
2054 } catch (Exception e) { |
1959 if (debug) { |
2055 if (debug) { |
1960 e.printStackTrace(); |
2056 e.printStackTrace(); |
1961 } |
2057 } |
1962 if (e instanceof ValidatorException) { |
2058 |
|
2059 // Exception might be dismissed if another warning flag |
|
2060 // is already set by printCert. This is only done for |
|
2061 // code signing certs. |
|
2062 |
|
2063 if (variant.equals(Validator.VAR_CODE_SIGNING) && |
|
2064 e instanceof ValidatorException) { |
1963 // Throw cause if it's CertPathValidatorException, |
2065 // Throw cause if it's CertPathValidatorException, |
1964 if (e.getCause() != null && |
2066 if (e.getCause() != null && |
1965 e.getCause() instanceof CertPathValidatorException) { |
2067 e.getCause() instanceof CertPathValidatorException) { |
1966 e = (Exception) e.getCause(); |
2068 e = (Exception) e.getCause(); |
1967 Throwable t = e.getCause(); |
2069 Throwable t = e.getCause(); |