jdk/src/share/classes/sun/security/tools/JarSigner.java
changeset 7525 16d2b5e6517a
parent 7524 ec12e1e6fa20
child 7977 f47f211cd627
--- a/jdk/src/share/classes/sun/security/tools/JarSigner.java	Mon Dec 06 10:46:18 2010 +0800
+++ b/jdk/src/share/classes/sun/security/tools/JarSigner.java	Mon Dec 06 10:46:26 2010 +0800
@@ -658,7 +658,9 @@
                     boolean inScope = (inStoreOrScope & IN_SCOPE) != 0;
 
                     notSignedByAlias |= (inStoreOrScope & NOT_ALIAS) != 0;
-                    aliasNotInStore |= isSigned && (!inStore && !inScope);
+                    if (keystore != null) {
+                        aliasNotInStore |= isSigned && (!inStore && !inScope);
+                    }
 
                     // Only used when -verbose provided
                     StringBuffer sb = null;
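Review bot: The new `if (keystore != null)` guard has no comment explaining why the alias-not-in-store warning is skipped, while the `notSignedByAlias` update directly above it stays unguarded, so the asymmetry reads as accidental. A one-line comment above the guard would settle it, e.g. `// no keystore given: nothing to compare the signer certs against, so do not warn`. This assumes `keystore` is null only when the user supplied none. If a default store can still be loaded in that case, the condition should probably test the loaded store instead; the enclosing loop is outside the hunk, so this cannot be confirmed from here.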
@@ -889,7 +891,7 @@
      * Note: no newline character at the end
      */
     String printCert(String tab, Certificate c, boolean checkValidityPeriod,
-        long now) {
+        long now, boolean checkUsage) {
 
         StringBuilder certStr = new StringBuilder();
         String space = rb.getString("SPACE");
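Review bot: The Javadoc that ends just above the signature does not appear to document the new `checkUsage` parameter; most of that comment is outside the hunk, so this is judged from the visible tail only. Suggest adding `@param checkUsage true to warn when KeyUsage, ExtendedKeyUsage or NetscapeCertType does not permit code signing; false for CA and TSA certificates`. With five positional arguments, two of them booleans plus a literal `0`, call sites such as `printCert("", tsaCert, false, 0, false)` are easy to get wrong. The parameter doc is what tells a reader which flag suppresses a security warning.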
@@ -959,24 +961,26 @@
             }
             certStr.append("]");
 
-            boolean[] bad = new boolean[3];
-            checkCertUsage(x509Cert, bad);
-            if (bad[0] || bad[1] || bad[2]) {
-                String x = "";
-                if (bad[0]) {
-                    x ="KeyUsage";
-                }
-                if (bad[1]) {
-                    if (x.length() > 0) x = x + ", ";
-                    x = x + "ExtendedKeyUsage";
-                }
-                if (bad[2]) {
-                    if (x.length() > 0) x = x + ", ";
-                    x = x + "NetscapeCertType";
-                }
-                certStr.append("\n").append(tab)
+            if (checkUsage) {
+                boolean[] bad = new boolean[3];
+                checkCertUsage(x509Cert, bad);
+                if (bad[0] || bad[1] || bad[2]) {
+                    String x = "";
+                    if (bad[0]) {
+                        x ="KeyUsage";
+                    }
+                    if (bad[1]) {
+                        if (x.length() > 0) x = x + ", ";
+                        x = x + "ExtendedKeyUsage";
+                    }
+                    if (bad[2]) {
+                        if (x.length() > 0) x = x + ", ";
+                        x = x + "NetscapeCertType";
+                    }
+                    certStr.append("\n").append(tab)
                         .append(MessageFormat.format(rb.getString(
                         ".{0}.extension.does.not.support.code.signing."), x));
+                }
             }
         }
         return certStr.toString();
@@ -1335,7 +1339,7 @@
                             certUrl);
                     }
                     System.out.println(rb.getString("TSA.certificate.") +
-                        printCert("", tsaCert, false, 0));
+                        printCert("", tsaCert, false, 0, false));
                 }
                 if (signingMechanism != null) {
                     System.out.println(
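Review bot: Passing `false` as the last argument means the TSA certificate gets no usage check of any kind on this path. Skipping the code-signing test is correct for a TSA certificate, but the property that matters for it is the timestamping extended key usage, and nothing in the visible lines checks that. If it is validated elsewhere, a comment such as `// TSA cert: code-signing usage does not apply; timestamping EKU is checked in <place>` would record the intent. Otherwise a follow-up that warns on a missing timestamping EKU seems worthwhile. The enclosing method is outside the hunk.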
@@ -1544,10 +1548,13 @@
             s.append(printTimestamp(tab, timestamp));
             s.append('\n');
         }
-        // display the certificate(s)
+        // display the certificate(s). The first one is end-enity cert and
+        // its KeyUsage should be checked.
+        boolean first = true;
         for (Certificate c : certs) {
-            s.append(printCert(tab, c, true, now));
+            s.append(printCert(tab, c, true, now, first));
             s.append('\n');
+            first = false;
         }
         try {
             CertPath cp = certificateFactory.generateCertPath(certs);
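Review bot: The `first` flag assumes `certs` is ordered with the signer's end-entity certificate at index 0, and nothing visible in the hunk establishes that ordering. If the list comes from a signer certificate path, the convention presumably holds, but it should be stated where the loop relies on it, e.g. `// certs is the signer's cert path, target certificate first`. If the order were ever different, the usage warning would be evaluated against a CA certificate and the real signer certificate would go unchecked. The new comment also has a typo: `end-enity` should read `end-entity`. The start of the method is outside the hunk.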
@@ -1847,7 +1854,7 @@
 
             // We don't meant to print anything, the next call
             // checks validity and keyUsage etc
-            printCert("", certChain[0], true, 0);
+            printCert("", certChain[0], true, 0, true);
 
             try {
                 CertPath cp = certificateFactory.generateCertPath(Arrays.asList(certChain));