--- a/jdk/src/share/classes/com/sun/jarsigner/ContentSignerParameters.java Mon Feb 28 06:40:46 2011 -0500
+++ b/jdk/src/share/classes/com/sun/jarsigner/ContentSignerParameters.java Mon Feb 28 23:02:37 2011 +0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -26,9 +26,7 @@
package com.sun.jarsigner;
import java.net.URI;
-import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
-import java.util.Set;
import java.util.zip.ZipFile;
/**
@@ -83,13 +81,6 @@
public X509Certificate[] getSignerCertificateChain();
/**
- * Retrieves the signer's X.509 CRLs.
- *
- * @return An unmodifiable set of X.509 CRLs (never <code>null</code>)
- */
- public Set<X509CRL> getCRLs();
-
- /**
* Retrieves the content that was signed.
* The content is the JAR file's signature file.
*
--- a/jdk/src/share/classes/java/security/CodeSigner.java Mon Feb 28 06:40:46 2011 -0500
+++ b/jdk/src/share/classes/java/security/CodeSigner.java Mon Feb 28 23:02:37 2011 +0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -26,10 +26,7 @@
package java.security;
import java.io.*;
-import java.security.cert.CRL;
import java.security.cert.CertPath;
-import sun.misc.JavaSecurityCodeSignerAccess;
-import sun.misc.SharedSecrets;
/**
* This class encapsulates information about a code signer.
@@ -167,44 +164,6 @@
return sb.toString();
}
- // A private attribute attached to this CodeSigner object. Can be accessed
- // through SharedSecrets.getJavaSecurityCodeSignerAccess().[g|s]etCRLs
- //
- // Currently called in SignatureFileVerifier.getSigners
- private transient CRL[] crls;
-
- /**
- * Sets the CRLs attached
- * @param crls, null to clear
- */
- void setCRLs(CRL[] crls) {
- this.crls = crls;
- }
-
- /**
- * Returns the CRLs attached
- * @return the crls, initially null
- */
- CRL[] getCRLs() {
- return crls;
- }
-
- // Set up JavaSecurityCodeSignerAccess in SharedSecrets
- static {
- SharedSecrets.setJavaSecurityCodeSignerAccess(
- new JavaSecurityCodeSignerAccess() {
- @Override
- public void setCRLs(CodeSigner signer, CRL[] crls) {
- signer.setCRLs(crls);
- }
-
- @Override
- public CRL[] getCRLs(CodeSigner signer) {
- return signer.getCRLs();
- }
- });
- }
-
// Explicitly reset hash code value to -1
private void readObject(ObjectInputStream ois)
throws IOException, ClassNotFoundException {
--- a/jdk/src/share/classes/sun/misc/JavaSecurityCodeSignerAccess.java Mon Feb 28 06:40:46 2011 -0500
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,33 +0,0 @@
-/*
- * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation. Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-package sun.misc;
-
-import java.security.CodeSigner;
-import java.security.cert.CRL;
-
-public interface JavaSecurityCodeSignerAccess {
- void setCRLs(CodeSigner signer, CRL[] crls);
- CRL[] getCRLs(CodeSigner signer);
-}
--- a/jdk/src/share/classes/sun/misc/SharedSecrets.java Mon Feb 28 06:40:46 2011 -0500
+++ b/jdk/src/share/classes/sun/misc/SharedSecrets.java Mon Feb 28 23:02:37 2011 +0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -28,7 +28,6 @@
import java.util.jar.JarFile;
import java.io.Console;
import java.io.FileDescriptor;
-import java.security.CodeSigner;
import java.security.ProtectionDomain;
/** A repository of "shared secrets", which are a mechanism for
@@ -49,7 +48,6 @@
private static JavaNioAccess javaNioAccess;
private static JavaIOFileDescriptorAccess javaIOFileDescriptorAccess;
private static JavaSecurityProtectionDomainAccess javaSecurityProtectionDomainAccess;
- private static JavaSecurityCodeSignerAccess javaSecurityCodeSignerAccess;
public static JavaUtilJarAccess javaUtilJarAccess() {
if (javaUtilJarAccess == null) {
@@ -127,16 +125,4 @@
unsafe.ensureClassInitialized(ProtectionDomain.class);
return javaSecurityProtectionDomainAccess;
}
-
- public static void setJavaSecurityCodeSignerAccess
- (JavaSecurityCodeSignerAccess jscsa) {
- javaSecurityCodeSignerAccess = jscsa;
- }
-
- public static JavaSecurityCodeSignerAccess
- getJavaSecurityCodeSignerAccess() {
- if (javaSecurityCodeSignerAccess == null)
- unsafe.ensureClassInitialized(CodeSigner.class);
- return javaSecurityCodeSignerAccess;
- }
}
--- a/jdk/src/share/classes/sun/security/tools/JarSigner.java Mon Feb 28 06:40:46 2011 -0500
+++ b/jdk/src/share/classes/sun/security/tools/JarSigner.java Mon Feb 28 23:02:37 2011 +0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -26,7 +26,6 @@
package sun.security.tools;
import java.io.*;
-import java.security.cert.X509CRL;
import java.util.*;
import java.util.zip.*;
import java.util.jar.*;
@@ -36,7 +35,6 @@
import java.text.Collator;
import java.text.MessageFormat;
import java.security.cert.Certificate;
-import java.security.cert.CRL;
import java.security.cert.X509Certificate;
import java.security.cert.CertificateException;
import java.security.*;
@@ -58,7 +56,6 @@
import sun.security.x509.*;
import sun.security.util.*;
import sun.misc.BASE64Encoder;
-import sun.misc.SharedSecrets;
/**
@@ -117,13 +114,11 @@
static final int SIGNED_BY_ALIAS = 0x08; // signer is in alias list
X509Certificate[] certChain; // signer's cert chain (when composing)
- Set<X509CRL> crls; // signer provided CRLs
PrivateKey privateKey; // private key
KeyStore store; // the keystore specified by -keystore
// or the default keystore, never null
String keystore; // key store file
- List<String> crlfiles = new ArrayList<>(); // CRL files to add
boolean nullStream = false; // null keystore input stream (NONE)
boolean token = false; // token-based keystore
String jarfile; // jar files to sign or verify
@@ -151,7 +146,6 @@
boolean signManifest = true; // "sign" the whole manifest
boolean externalSF = true; // leave the .SF out of the PKCS7 block
boolean strict = false; // treat warnings as error
- boolean autoCRL = false; // Automatcially add CRL defined in cert
// read zip entry raw bytes
private ByteArrayOutputStream baos = new ByteArrayOutputStream(2048);
@@ -232,29 +226,6 @@
} else {
loadKeyStore(keystore, true);
getAliasInfo(alias);
- crls = new HashSet<X509CRL>();
- if (crlfiles.size() > 0 || autoCRL) {
- CertificateFactory fac =
- CertificateFactory.getInstance("X509");
- List<CRL> list = new ArrayList<>();
- for (String file: crlfiles) {
- Collection<? extends CRL> tmp = KeyTool.loadCRLs(file);
- for (CRL crl: tmp) {
- if (crl instanceof X509CRL) {
- crls.add((X509CRL)crl);
- }
- }
- }
- if (autoCRL) {
- List<CRL> crlsFromCert =
- KeyTool.readCRLsFromCert(certChain[0]);
- for (CRL crl: crlsFromCert) {
- if (crl instanceof X509CRL) {
- crls.add((X509CRL)crl);
- }
- }
- }
- }
// load the alternative signing mechanism
if (altSignerClass != null) {
@@ -396,13 +367,6 @@
} else if (collator.compare(flags, "-digestalg") ==0) {
if (++n == args.length) usageNoArg();
digestalg = args[n];
- } else if (collator.compare(flags, "-crl") ==0) {
- if ("auto".equals(modifier)) {
- autoCRL = true;
- } else {
- if (++n == args.length) usageNoArg();
- crlfiles.add(args[n]);
- }
} else if (collator.compare(flags, "-certs") ==0) {
showcerts = true;
} else if (collator.compare(flags, "-strict") ==0) {
@@ -549,9 +513,6 @@
(".sigalg.algorithm.name.of.signature.algorithm"));
System.out.println();
System.out.println(rb.getString
- (".crl.auto.file.include.CRL.in.signed.jar"));
- System.out.println();
- System.out.println(rb.getString
(".verify.verify.a.signed.JAR.file"));
System.out.println();
System.out.println(rb.getString
@@ -691,20 +652,6 @@
if (showcerts) {
sb.append(si);
sb.append('\n');
- CRL[] crls = SharedSecrets
- .getJavaSecurityCodeSignerAccess()
- .getCRLs(signer);
- if (crls != null) {
- for (CRL crl: crls) {
- if (crl instanceof X509CRLImpl) {
- sb.append(tab).append("[");
- sb.append(String.format(
- rb.getString("with.a.CRL.including.d.entries"),
- ((X509CRLImpl)crl).getRevokedCertificates().size()))
- .append("]\n");
- }
- }
- }
}
}
} else if (showcerts && !verbose.equals("all")) {
@@ -1284,7 +1231,7 @@
try {
block =
- sf.generateBlock(privateKey, sigalg, certChain, crls,
+ sf.generateBlock(privateKey, sigalg, certChain,
externalSF, tsaUrl, tsaCert, signingMechanism, args,
zipFile);
} catch (SocketTimeoutException e) {
@@ -2249,7 +2196,6 @@
public Block generateBlock(PrivateKey privateKey,
String sigalg,
X509Certificate[] certChain,
- Set<X509CRL> crls,
boolean externalSF, String tsaUrl,
X509Certificate tsaCert,
ContentSigner signingMechanism,
@@ -2257,7 +2203,7 @@
throws NoSuchAlgorithmException, InvalidKeyException, IOException,
SignatureException, CertificateException
{
- return new Block(this, privateKey, sigalg, certChain, crls, externalSF,
+ return new Block(this, privateKey, sigalg, certChain, externalSF,
tsaUrl, tsaCert, signingMechanism, args, zipFile);
}
@@ -2271,8 +2217,7 @@
* Construct a new signature block.
*/
Block(SignatureFile sfg, PrivateKey privateKey, String sigalg,
- X509Certificate[] certChain, Set<X509CRL> crls,
- boolean externalSF, String tsaUrl,
+ X509Certificate[] certChain, boolean externalSF, String tsaUrl,
X509Certificate tsaCert, ContentSigner signingMechanism,
String[] args, ZipFile zipFile)
throws NoSuchAlgorithmException, InvalidKeyException, IOException,
@@ -2359,7 +2304,7 @@
// Assemble parameters for the signing mechanism
ContentSignerParameters params =
new JarSignerParameters(args, tsaUri, tsaCert, signature,
- signatureAlgorithm, certChain, crls, content, zipFile);
+ signatureAlgorithm, certChain, content, zipFile);
// Generate the signature block
block = signingMechanism.generateSignedData(
@@ -2400,7 +2345,6 @@
private byte[] signature;
private String signatureAlgorithm;
private X509Certificate[] signerCertificateChain;
- private Set<X509CRL> crls;
private byte[] content;
private ZipFile source;
@@ -2409,8 +2353,7 @@
*/
JarSignerParameters(String[] args, URI tsa, X509Certificate tsaCertificate,
byte[] signature, String signatureAlgorithm,
- X509Certificate[] signerCertificateChain, Set<X509CRL> crls,
- byte[] content,
+ X509Certificate[] signerCertificateChain, byte[] content,
ZipFile source) {
if (signature == null || signatureAlgorithm == null ||
@@ -2423,7 +2366,6 @@
this.signature = signature;
this.signatureAlgorithm = signatureAlgorithm;
this.signerCertificateChain = signerCertificateChain;
- this.crls = crls;
this.content = content;
this.source = source;
}
@@ -2499,13 +2441,4 @@
public ZipFile getSource() {
return source;
}
-
- @Override
- public Set<X509CRL> getCRLs() {
- if (crls == null) {
- return Collections.emptySet();
- } else {
- return Collections.unmodifiableSet(crls);
- }
- }
}
--- a/jdk/src/share/classes/sun/security/tools/JarSignerResources.java Mon Feb 28 06:40:46 2011 -0500
+++ b/jdk/src/share/classes/sun/security/tools/JarSignerResources.java Mon Feb 28 23:02:37 2011 +0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -74,8 +74,6 @@
"[-digestalg <algorithm>] name of digest algorithm"},
{".sigalg.algorithm.name.of.signature.algorithm",
"[-sigalg <algorithm>] name of signature algorithm"},
- {".crl.auto.file.include.CRL.in.signed.jar",
- "[-crl[:auto| <file>] include CRL in signed jar"},
{".verify.verify.a.signed.JAR.file",
"[-verify] verify a signed JAR file"},
{".verbose.suboptions.verbose.output.when.signing.verifying.",
@@ -193,7 +191,6 @@
{"using.an.alternative.signing.mechanism",
"using an alternative signing mechanism"},
{"entry.was.signed.on", "entry was signed on {0}"},
- {"with.a.CRL.including.d.entries", "with a CRL including %d entries"},
{"Warning.", "Warning: "},
{"This.jar.contains.unsigned.entries.which.have.not.been.integrity.checked.",
"This jar contains unsigned entries which have not been integrity-checked. "},
--- a/jdk/src/share/classes/sun/security/tools/KeyTool.java Mon Feb 28 06:40:46 2011 -0500
+++ b/jdk/src/share/classes/sun/security/tools/KeyTool.java Mon Feb 28 23:02:37 2011 +0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -25,7 +25,6 @@
package sun.security.tools;
-import sun.misc.SharedSecrets;
import java.io.*;
import java.security.CodeSigner;
import java.security.KeyStore;
@@ -2311,16 +2310,6 @@
out.println();
}
}
- CRL[] crls = SharedSecrets
- .getJavaSecurityCodeSignerAccess()
- .getCRLs(signer);
- if (crls != null) {
- out.println(rb.getString("CRLs."));
- out.println();
- for (CRL crl: crls) {
- printCRL(crl, out);
- }
- }
}
}
}
--- a/jdk/src/share/classes/sun/security/tools/TimestampedSigner.java Mon Feb 28 06:40:46 2011 -0500
+++ b/jdk/src/share/classes/sun/security/tools/TimestampedSigner.java Mon Feb 28 23:02:37 2011 +0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -38,7 +38,6 @@
import java.util.List;
import com.sun.jarsigner.*;
-import java.security.cert.X509CRL;
import java.util.Arrays;
import sun.security.pkcs.*;
import sun.security.timestamp.*;
@@ -238,9 +237,8 @@
AlgorithmId[] algorithms = {digestAlgorithmId};
// Create the PKCS #7 signed data message
- PKCS7 p7 =
- new PKCS7(algorithms, contentInfo, signerCertificateChain,
- parameters.getCRLs().toArray(new X509CRL[parameters.getCRLs().size()]), signerInfos);
+ PKCS7 p7 = new PKCS7(algorithms, contentInfo, signerCertificateChain,
+ null, signerInfos);
ByteArrayOutputStream p7out = new ByteArrayOutputStream();
p7.encodeSignedData(p7out);
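Review bot: The bare `null` passed as the fourth argument of the `PKCS7` constructor gives a reader no hint that it is the CRL slot being left empty on purpose. A one-line comment above the call, such as `// no CRLs are embedded in the signed data`, would record that intent. If `PKCS7` has a constructor overload without the CRL array (not visible in this diff), calling that would be clearer still. The enclosing method starts and ends outside the hunk.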
--- a/jdk/src/share/classes/sun/security/util/SignatureFileVerifier.java Mon Feb 28 06:40:46 2011 -0500
+++ b/jdk/src/share/classes/sun/security/util/SignatureFileVerifier.java Mon Feb 28 23:02:37 2011 +0800
@@ -37,7 +37,6 @@
import sun.security.pkcs.*;
import sun.security.timestamp.TimestampToken;
import sun.misc.BASE64Decoder;
-import sun.misc.SharedSecrets;
import sun.security.jca.Providers;
@@ -486,12 +485,7 @@
signers = new ArrayList<CodeSigner>();
}
// Append the new code signer
- CodeSigner signer = new CodeSigner(certChain, getTimestamp(info));
- if (block.getCRLs() != null) {
- SharedSecrets.getJavaSecurityCodeSignerAccess().setCRLs(
- signer, block.getCRLs());
- }
- signers.add(signer);
+ signers.add(new CodeSigner(certChain, getTimestamp(info)));
if (debug != null) {
debug.println("Signature Block Certificate: " +
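Review bot: With the `block.getCRLs()` branch removed, any CRLs carried inside a signature block are dropped without trace when the `CodeSigner` is appended. A jar signed by a build that still had the `-crl` option therefore verifies exactly like one with no revocation data. That is presumably the intent of the commit, but it should be stated at this line, e.g. `// CRLs embedded in the PKCS7 block are intentionally not attached to the CodeSigner`. If `block.getCRLs()` is still available after this change, the existing `debug` branch could also log when it is non-null so the drop is observable. The enclosing method and the `debug.println` statement continue outside the hunk.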
--- a/jdk/test/sun/security/tools/jarsigner/crl.sh Mon Feb 28 06:40:46 2011 -0500
+++ b/jdk/test/sun/security/tools/jarsigner/crl.sh Mon Feb 28 23:02:37 2011 +0800
@@ -1,5 +1,5 @@
#
-# Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2010, 2011, Oracle and/or its affiliates. All rights reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
@@ -32,9 +32,6 @@
fi
# set platform-dependent variables
-# PF: platform name, say, solaris-sparc
-
-PF=""
OS=`uname -s`
case "$OS" in
@@ -47,54 +44,28 @@
esac
KS=crl.jks
-JFILE=crl.jar
KT="$TESTJAVA${FS}bin${FS}keytool -storepass changeit -keypass changeit -keystore $KS"
-JAR=$TESTJAVA${FS}bin${FS}jar
-JARSIGNER=$TESTJAVA${FS}bin${FS}jarsigner
-rm $KS $JFILE 2> /dev/null
+rm $KS 2> /dev/null
-# Generates some crl files, each containing two entries
+# Test keytool -gencrl
$KT -alias a -dname CN=a -keyalg rsa -genkey -validity 300
-$KT -alias a -gencrl -id 1:1 -id 2:2 -file crl1
-$KT -alias a -gencrl -id 3:3 -id 4:4 -file crl2
-$KT -alias b -dname CN=b -keyalg rsa -genkey -validity 300
-$KT -alias b -gencrl -id 5:1 -id 6:2 -file crl3
+$KT -alias a -gencrl -id 1:1 -id 2:2 -file crl1 || exit 1
+$KT -alias a -gencrl -id 3:3 -id 4:4 -file crl2 || exit 2
+$KT -alias a -gencrl -id 5:1 -id 6:2 -file crl3 || exit 4
-cat > ToURI.java <<EOF
-class ToURI {
- public static void main(String[] args) throws Exception {
- System.out.println(new java.io.File("crl1").toURI());
- }
-}
-EOF
-$TESTJAVA${FS}bin${FS}javac ToURI.java
-$TESTJAVA${FS}bin${FS}java ToURI > uri
-$KT -alias c -dname CN=c -keyalg rsa -genkey -validity 300 \
- -ext crl=uri:`cat uri`
-
-echo A > A
+# Test keytool -printcrl
-# Test -crl:auto, cRLDistributionPoints is a local file
+$KT -printcrl -file crl1 || exit 5
+$KT -printcrl -file crl2 || exit 6
+$KT -printcrl -file crl3 || exit 7
-$JAR cvf $JFILE A
-$JARSIGNER -keystore $KS -storepass changeit $JFILE c \
- -crl:auto || exit 1
-$JARSIGNER -keystore $KS -verify -debug -strict $JFILE || exit 6
-$KT -printcert -jarfile $JFILE | grep CRLs || exit 7
-
-# Test -crl <file>
-$JAR cvf $JFILE A
-$JARSIGNER -keystore $KS -storepass changeit $JFILE a \
- -crl crl1 -crl crl2 || exit 2
-$JARSIGNER -keystore $KS -storepass changeit $JFILE b \
- -crl crl3 -crl crl2 || exit 3
-$JARSIGNER -keystore $KS -verify -debug -strict $JFILE || exit 3
-$KT -printcert -jarfile $JFILE | grep CRLs || exit 4
-CRLCOUNT=`$KT -printcert -jarfile $JFILE | grep SerialNumber | wc -l`
-if [ $CRLCOUNT != 8 ]; then exit 5; fi
+# Test keytool -ext crl
+
+$KT -alias b -dname CN=c -keyalg rsa -genkey -validity 300 \
+ -ext crl=uri:http://www.example.com/crl || exit 10
exit 0
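Review bot: The new `-ext crl` step only checks keytool's exit status, so the test passes even if the CRL distribution point is never written into the generated certificate. Following it with something like `$KT -list -v -alias b | grep www.example.com/crl || exit 11` would assert that the URI actually landed in the entry. The `-genkey` for alias `a` is now the only keytool call without an `|| exit N`, and the exit codes skip 3 and jump from 7 to 10, which deserves a short comment or renumbering. Alias `b` is created with `-dname CN=c`, which looks like a leftover from the removed alias `c` command.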