author | prr |
Thu, 27 Sep 2018 11:46:28 -0700 | |
changeset 52237 | 170e876d529c |
parent 48893 | 454518b338b0 |
child 53398 | dd1be616c95e |
permissions | -rw-r--r-- |
/* |
* Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved. |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
* |
* This code is free software; you can redistribute it and/or modify it |
* under the terms of the GNU General Public License version 2 only, as |
* published by the Free Software Foundation. Oracle designates this |
* particular file as subject to the "Classpath" exception as provided |
* by Oracle in the LICENSE file that accompanied this code. |
* |
* This code is distributed in the hope that it will be useful, but WITHOUT |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
* version 2 for more details (a copy is included in the LICENSE file that |
* accompanied this code). |
* |
* You should have received a copy of the GNU General Public License version |
* 2 along with this work; if not, write to the Free Software Foundation, |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
* |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
* or visit www.oracle.com if you need additional information or have any |
* questions. |
*/ |
package sun.security.tools.jarsigner; |
import java.io.*; |
import java.net.UnknownHostException; |
import java.security.cert.CertPathValidatorException; |
import java.security.cert.PKIXBuilderParameters; |
import java.util.*; |
import java.util.stream.Collectors; |
import java.util.zip.*; |
import java.util.jar.*; |
import java.net.URI; |
import java.text.Collator; |
import java.text.MessageFormat; |
import java.security.cert.Certificate; |
import java.security.cert.X509Certificate; |
import java.security.cert.CertificateException; |
import java.security.*; |
import java.net.SocketTimeoutException; |
import java.net.URL; |
import java.security.cert.CertPath; |
import java.security.cert.CertificateExpiredException; |
import java.security.cert.CertificateFactory; |
import java.security.cert.CertificateNotYetValidException; |
import java.security.cert.TrustAnchor; |
import java.util.Map.Entry; |
import jdk.security.jarsigner.JarSigner; |
import jdk.security.jarsigner.JarSignerException; |
import sun.security.pkcs.PKCS7; |
import sun.security.pkcs.SignerInfo; |
import sun.security.timestamp.TimestampToken; |
import sun.security.tools.KeyStoreUtil; |
import sun.security.validator.Validator; |
import sun.security.validator.ValidatorException; |
import sun.security.x509.*; |
import sun.security.util.*; |
/** |
* <p>The jarsigner utility. |
* |
* The exit codes for the main method are: |
* |
* 0: success |
* 1: any error that the jar cannot be signed or verified, including: |
* keystore loading error |
* TSP communication error |
* jarsigner command line error... |
* otherwise: error codes from -strict |
* |
* @author Roland Schemers |
* @author Jan Luehe |
*/ |
public class Main { |
// for i18n
private static final java.util.ResourceBundle rb =
        java.util.ResourceBundle.getBundle
        ("sun.security.tools.jarsigner.Resources");
// Used to match command-line option names (see parseArgs, e.g.
// collator.compare(args[n], "-verify")).
private static final Collator collator = Collator.getInstance();
static {
    // this is for case insensitive string comparisons
    // PRIMARY strength ignores case and accent differences, and
    // Collator.getInstance() follows the default locale, so option
    // matching is locale-dependent rather than a plain ASCII compare.
    collator.setStrength(Collator.PRIMARY);
}

// Keystore value meaning there is no keystore file to read
// (see the nullStream field).
private static final String NONE = "NONE";
private static final String P11KEYSTORE = "PKCS11";

// Durations in milliseconds. Presumably the thresholds for the
// "expiring" warnings (hasExpiringCert / hasExpiringTsaCert) -- confirm
// where they are compared. Note ONE_YEAR is 366 days, not 365.
private static final long SIX_MONTHS = 180*24*60*60*1000L; //milliseconds
private static final long ONE_YEAR = 366*24*60*60*1000L;

// Algorithm constraints read from the jar disabled-algorithms security
// property. The two primitive sets below are the CryptoPrimitive sets
// to check digest and signature algorithms against, respectively.
private static final DisabledAlgorithmConstraints DISABLED_CHECK =
        new DisabledAlgorithmConstraints(
                DisabledAlgorithmConstraints.PROPERTY_JAR_DISABLED_ALGS);

private static final Set<CryptoPrimitive> DIGEST_PRIMITIVE_SET = Collections
        .unmodifiableSet(EnumSet.of(CryptoPrimitive.MESSAGE_DIGEST));
private static final Set<CryptoPrimitive> SIG_PRIMITIVE_SET = Collections
        .unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));

static final String VERSION = "1.0";

// Bit flags describing how a signer relates to the keystore and to the
// alias list given with -verify (ckaliases).
static final int IN_KEYSTORE = 0x01; // signer is in keystore
static final int NOT_ALIAS = 0x04; // alias list is NOT empty and
// signer is not in alias list
static final int SIGNED_BY_ALIAS = 0x08; // signer is in alias list
/**
 * Entry point launched by the {@code jarsigner} security tool.
 *
 * <p>Creates a fresh {@link Main} and hands the command line to
 * {@link #run(String[])}, which reports its own failures and exits the
 * process itself.
 *
 * @param args the command-line arguments, passed through unchanged
 * @throws Exception declared for callers; {@code run} itself does not
 *         declare any checked exception
 */
public static void main(String args[]) throws Exception {
    new Main().run(args);
}
// Signing material, set up before signJar runs (see run()).
X509Certificate[] certChain; // signer's cert chain (when composing)
PrivateKey privateKey; // private key
KeyStore store; // the keystore specified by -keystore
// or the default keystore, never null

// Command-line state, filled in by parseArgs.
String keystore; // key store file
boolean nullStream = false; // null keystore input stream (NONE)
boolean token = false; // token-based keystore
String jarfile; // jar files to sign or verify
String alias; // alias to sign jar with
List<String> ckaliases = new ArrayList<>(); // aliases in -verify
char[] storepass; // keystore password; wiped in run()'s finally block
boolean protectedPath; // protected authentication path
String storetype; // keystore type
String providerName; // provider name
List<String> providers = null; // list of provider names
List<String> providerClasses = null; // list of provider classes
// arguments for provider constructors, keyed by the provider name or
// provider class name they were given for (see run())
HashMap<String,String> providerArgs = new HashMap<>();
char[] keypass; // private key password; wiped in run()'s finally block
String sigfile; // name of .SF file
String sigalg; // name of signature algorithm
String digestalg; // name of digest algorithm
String signedjar; // output filename
String tsaUrl; // location of the Timestamping Authority
String tsaAlias; // alias for the Timestamping Authority's certificate
String altCertChain; // file to read alternative cert chain from
String tSAPolicyID; // TSA policy id (RFC 3161) -- presumably set by a
                    // -tsapolicyid option; confirm in parseArgs
String tSADigestAlg; // digest algorithm for the timestamp request --
                     // confirm in parseArgs
boolean verify = false; // verify the jar
String verbose = null; // verbose output when signing/verifying
                       // (null = not verbose; non-null selects a mode)
boolean showcerts = false; // show certs when verifying
boolean debug = false; // debug
boolean signManifest = true; // "sign" the whole manifest
boolean externalSF = true; // leave the .SF out of the PKCS7 block
boolean strict = false; // treat warnings as error (non-zero exit
                        // code from run(), see below)

// alternative signer class and the classpath to load it from --
// confirm use in parseArgs / signJar
private String altSignerClass = null;
private String altSignerClasspath = null;
// read zip entry raw bytes
private ZipFile zipFile = null;

// Informational warnings. These are printed but do NOT contribute to
// the -strict exit code computed in run().
private boolean hasExpiringCert = false;
private boolean hasExpiringTsaCert = false;
private boolean noTimestamp = true; // presumably cleared once a
                                    // timestamp is found -- confirm

// Expiration date. The value could be null if signed by a trusted cert.
private Date expireDate = null;
private Date tsaExpireDate = null;

// If there is a time stamp block inside the PKCS7 block file
boolean hasTimestampBlock = false;


// Severe warnings. Each of these maps to a bit of the exit code that
// run() computes when -strict is set (4, 8, 16, 32 or 64).

// jarsigner used to check signer cert chain validity and key usages
// itself and set various warnings. Later CertPath validation is
// added but chainNotValidated is only flagged when no other existing
// warnings are set. TSA cert chain check is added separately and
// only tsaChainNotValidated is set, i.e. has no effect on hasExpiredCert,
// notYetValidCert, or any badXyzUsage.

private int weakAlg = 0; // bit set: 1. digestalg, 2. sigalg, 4. tsadigestalg
private boolean hasExpiredCert = false;
private boolean hasExpiredTsaCert = false;
private boolean notYetValidCert = false;
private boolean chainNotValidated = false;
private boolean tsaChainNotValidated = false;
private boolean notSignedByAlias = false;
private boolean aliasNotInStore = false;
private boolean hasUnsignedEntry = false;
private boolean badKeyUsage = false;
private boolean badExtendedKeyUsage = false;
private boolean badNetscapeCertType = false;
private boolean signerSelfSigned = false;

// Why the chain / TSA chain failed to validate, kept for reporting.
private Throwable chainNotValidatedReason = null;
private Throwable tsaChainNotValidatedReason = null;

private boolean seeWeak = false;

// CertPath validation inputs: parameters and the trust anchors
// collected from the keystore -- confirm in loadKeyStore.
PKIXBuilderParameters pkixParameters;
Set<X509Certificate> trustedCerts = new HashSet<>();
/**
 * Runs the tool on the given command line: parses the arguments,
 * installs the providers listed in {@code providers} and
 * {@code providerClasses}, then either verifies or signs
 * {@code jarfile}.
 *
 * <p>Any exception from argument parsing, provider loading, keystore
 * loading or the sign/verify step is printed on stdout (with a stack
 * trace when {@code debug} is set) and ends the process with exit code
 * 1. When {@code strict} is set and severe warnings were recorded, the
 * process exits with a bit-set of 4 (weak algorithm, chain not
 * validated, expired / not-yet-valid / self-signed cert), 8 (key-usage
 * problems), 16 (unsigned entries), 32 (alias problems) and 64 (TSA
 * chain not validated). Otherwise the method returns normally. The
 * informational warnings (hasExpiringCert etc.) never affect the exit
 * code.
 *
 * @param args the raw command line; replaced by the result of
 *             {@link #parseArgs(String[])} before use
 */
public void run(String args[]) {
    try {
        args = parseArgs(args);

        // Try to load and install the specified providers
        if (providers != null) {
            for (String provName: providers) {
                try {
                    // providerArgs is keyed by the provider name here and
                    // by the class name in the loop below.
                    KeyStoreUtil.loadProviderByName(provName,
                            providerArgs.get(provName));
                    if (debug) {
                        System.out.println("loadProviderByName: " + provName);
                    }
                } catch (IllegalArgumentException e) {
                    // Reported as a plain message; the original cause is
                    // not attached (contrast the class-loading path below).
                    throw new Exception(String.format(rb.getString(
                            "provider.name.not.found"), provName));
                }
            }
        }

        if (providerClasses != null) {
            ClassLoader cl = ClassLoader.getSystemClassLoader();
            for (String provClass: providerClasses) {
                try {
                    KeyStoreUtil.loadProviderByClass(provClass,
                            providerArgs.get(provClass), cl);
                    if (debug) {
                        System.out.println("loadProviderByClass: " + provClass);
                    }
                } catch (ClassCastException cce) {
                    // The named class loaded but is not a Provider.
                    throw new Exception(String.format(rb.getString(
                            "provclass.not.a.provider"), provClass));
                } catch (IllegalArgumentException e) {
                    // Keep the underlying cause so -debug can show it.
                    throw new Exception(String.format(rb.getString(
                            "provider.class.not.found"), provClass), e.getCause());
                }
            }
        }

        if (verify) {
            try {
                loadKeyStore(keystore, false);
            } catch (Exception e) {
                // A keystore failure is fatal only when the user asked for
                // a keystore or gave a password; otherwise verification
                // proceeds without one (deliberate best-effort -- assumes
                // verifyJar tolerates the keystore not having loaded).
                if ((keystore != null) || (storepass != null)) {
                    System.out.println(rb.getString("jarsigner.error.") +
                            e.getMessage());
                    if (debug) {
                        e.printStackTrace();
                    }
                    // NOTE(review): System.exit does not run the finally
                    // block below, so the password arrays are not wiped on
                    // this path (same for the exit in the outer catch).
                    System.exit(1);
                }
            }
            /* if (debug) {
                SignatureFileVerifier.setDebug(true);
                ManifestEntryVerifier.setDebug(true);
            }
            */
            verifyJar(jarfile);
        } else {
            loadKeyStore(keystore, true);
            getAliasInfo(alias);

            signJar(jarfile, alias);
        }
    } catch (Exception e) {
        // Prints the exception's toString, not just its message.
        System.out.println(rb.getString("jarsigner.error.") + e);
        if (debug) {
            e.printStackTrace();
        }
        System.exit(1);
    } finally {
        // zero-out private key password
        // (overwritten with spaces; the original characters are gone
        // either way -- only reached when the try block did not exit)
        if (keypass != null) {
            Arrays.fill(keypass, ' ');
            keypass = null;
        }
        // zero-out keystore password
        if (storepass != null) {
            Arrays.fill(storepass, ' ');
            storepass = null;
        }
    }

    // Only reached when the try block completed normally: every failure
    // path above exits the process.
    if (strict) {
        int exitCode = 0;
        if (weakAlg != 0 || chainNotValidated || hasExpiredCert
                || hasExpiredTsaCert || notYetValidCert || signerSelfSigned) {
            exitCode |= 4;
        }
        if (badKeyUsage || badExtendedKeyUsage || badNetscapeCertType) {
            exitCode |= 8;
        }
        if (hasUnsignedEntry) {
            exitCode |= 16;
        }
        if (notSignedByAlias || aliasNotInStore) {
            exitCode |= 32;
        }
        if (tsaChainNotValidated) {
            exitCode |= 64;
        }
        if (exitCode != 0) {
            System.exit(exitCode);
        }
    }
}
/* |
* Parse command line arguments. |
*/ |
String[] parseArgs(String args[]) throws Exception { |
/* parse flags */ |
int n = 0; |
|
320 |
||
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
321 |
if (args.length == 0) fullusage(); |
24868
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
322 |
|
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
323 |
String confFile = null; |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
324 |
String command = "-sign"; |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
325 |
for (n=0; n < args.length; n++) { |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
326 |
if (collator.compare(args[n], "-verify") == 0) { |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
327 |
command = "-verify"; |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
328 |
} else if (collator.compare(args[n], "-conf") == 0) { |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
329 |
if (n == args.length - 1) { |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
330 |
usageNoArg(); |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
331 |
} |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
332 |
confFile = args[++n]; |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
333 |
} |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
334 |
} |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
335 |
|
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
336 |
if (confFile != null) { |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
337 |
args = KeyStoreUtil.expandArgs( |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
338 |
"jarsigner", confFile, command, null, args); |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
339 |
} |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
340 |
|
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
341 |
debug = Arrays.stream(args).anyMatch( |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
342 |
x -> collator.compare(x, "-debug") == 0); |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
343 |
|
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
344 |
if (debug) { |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
345 |
// No need to localize debug output |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
346 |
System.out.println("Command line args: " + |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
347 |
Arrays.toString(args)); |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
348 |
} |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
349 |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
350 |
for (n=0; n < args.length; n++) { |
2 | 351 |
|
352 |
String flags = args[n]; |
|
3951
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3716
diff
changeset
|
353 |
String modifier = null; |
19189
a4b8478a2bc5
8021789: jarsigner parses alias as command line option (depending on locale)
weijun
parents:
17161
diff
changeset
|
354 |
|
a4b8478a2bc5
8021789: jarsigner parses alias as command line option (depending on locale)
weijun
parents:
17161
diff
changeset
|
355 |
if (flags.startsWith("-")) { |
3951
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3716
diff
changeset
|
356 |
int pos = flags.indexOf(':'); |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3716
diff
changeset
|
357 |
if (pos > 0) { |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3716
diff
changeset
|
358 |
modifier = flags.substring(pos+1); |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3716
diff
changeset
|
359 |
flags = flags.substring(0, pos); |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3716
diff
changeset
|
360 |
} |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3716
diff
changeset
|
361 |
} |
2 | 362 |
|
19189
a4b8478a2bc5
8021789: jarsigner parses alias as command line option (depending on locale)
weijun
parents:
17161
diff
changeset
|
363 |
if (!flags.startsWith("-")) { |
a4b8478a2bc5
8021789: jarsigner parses alias as command line option (depending on locale)
weijun
parents:
17161
diff
changeset
|
364 |
if (jarfile == null) { |
a4b8478a2bc5
8021789: jarsigner parses alias as command line option (depending on locale)
weijun
parents:
17161
diff
changeset
|
365 |
jarfile = flags; |
a4b8478a2bc5
8021789: jarsigner parses alias as command line option (depending on locale)
weijun
parents:
17161
diff
changeset
|
366 |
} else { |
a4b8478a2bc5
8021789: jarsigner parses alias as command line option (depending on locale)
weijun
parents:
17161
diff
changeset
|
367 |
alias = flags; |
a4b8478a2bc5
8021789: jarsigner parses alias as command line option (depending on locale)
weijun
parents:
17161
diff
changeset
|
368 |
ckaliases.add(alias); |
a4b8478a2bc5
8021789: jarsigner parses alias as command line option (depending on locale)
weijun
parents:
17161
diff
changeset
|
369 |
} |
24868
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
370 |
} else if (collator.compare(flags, "-conf") == 0) { |
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
371 |
if (++n == args.length) usageNoArg(); |
19189
a4b8478a2bc5
8021789: jarsigner parses alias as command line option (depending on locale)
weijun
parents:
17161
diff
changeset
|
372 |
} else if (collator.compare(flags, "-keystore") == 0) { |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
373 |
if (++n == args.length) usageNoArg(); |
2 | 374 |
keystore = args[n]; |
375 |
} else if (collator.compare(flags, "-storepass") ==0) { |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
376 |
if (++n == args.length) usageNoArg(); |
3951
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3716
diff
changeset
|
377 |
storepass = getPass(modifier, args[n]); |
2 | 378 |
} else if (collator.compare(flags, "-storetype") ==0) { |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
379 |
if (++n == args.length) usageNoArg(); |
2 | 380 |
storetype = args[n]; |
381 |
} else if (collator.compare(flags, "-providerName") ==0) { |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
382 |
if (++n == args.length) usageNoArg(); |
2 | 383 |
providerName = args[n]; |
39633
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
384 |
} else if (collator.compare(flags, "-provider") == 0 || |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
385 |
collator.compare(flags, "-providerClass") == 0) { |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
386 |
if (++n == args.length) usageNoArg(); |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
387 |
if (providerClasses == null) { |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
388 |
providerClasses = new ArrayList<>(3); |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
389 |
} |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
390 |
providerClasses.add(args[n]); |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
391 |
|
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
392 |
if (args.length > (n+1)) { |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
393 |
flags = args[n+1]; |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
394 |
if (collator.compare(flags, "-providerArg") == 0) { |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
395 |
if (args.length == (n+2)) usageNoArg(); |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
396 |
providerArgs.put(args[n], args[n+2]); |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
397 |
n += 2; |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
398 |
} |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
399 |
} |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
400 |
} else if (collator.compare(flags, "-addprovider") == 0) { |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
401 |
if (++n == args.length) usageNoArg(); |
2 | 402 |
if (providers == null) { |
39633
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
34382
diff
changeset
|
403 |
providers = new ArrayList<>(3); |
2 | 404 |
} |
405 |
providers.add(args[n]); |
|
406 |
||
407 |
if (args.length > (n+1)) { |
|
408 |
flags = args[n+1]; |
|
409 |
if (collator.compare(flags, "-providerArg") == 0) { |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
410 |
if (args.length == (n+2)) usageNoArg(); |
2 | 411 |
providerArgs.put(args[n], args[n+2]); |
412 |
n += 2; |
|
413 |
} |
|
414 |
} |
|
415 |
} else if (collator.compare(flags, "-protected") ==0) { |
|
416 |
protectedPath = true; |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
417 |
} else if (collator.compare(flags, "-certchain") ==0) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
418 |
if (++n == args.length) usageNoArg(); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
419 |
altCertChain = args[n]; |
17161
df1ec0e2f0e7
8009636: JARSigner including TimeStamp PolicyID (TSAPolicyID) as defined in RFC3161
weijun
parents:
16020
diff
changeset
|
420 |
} else if (collator.compare(flags, "-tsapolicyid") ==0) { |
df1ec0e2f0e7
8009636: JARSigner including TimeStamp PolicyID (TSAPolicyID) as defined in RFC3161
weijun
parents:
16020
diff
changeset
|
421 |
if (++n == args.length) usageNoArg(); |
df1ec0e2f0e7
8009636: JARSigner including TimeStamp PolicyID (TSAPolicyID) as defined in RFC3161
weijun
parents:
16020
diff
changeset
|
422 |
tSAPolicyID = args[n]; |
24034
31fe17eef94a
8038837: Add support to jarsigner for specifying timestamp hash algorithm
weijun
parents:
23912
diff
changeset
|
423 |
} else if (collator.compare(flags, "-tsadigestalg") ==0) { |
31fe17eef94a
8038837: Add support to jarsigner for specifying timestamp hash algorithm
weijun
parents:
23912
diff
changeset
|
424 |
if (++n == args.length) usageNoArg(); |
31fe17eef94a
8038837: Add support to jarsigner for specifying timestamp hash algorithm
weijun
parents:
23912
diff
changeset
|
425 |
tSADigestAlg = args[n]; |
2 | 426 |
} else if (collator.compare(flags, "-debug") ==0) { |
24868
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
427 |
// Already processed |
2 | 428 |
} else if (collator.compare(flags, "-keypass") ==0) { |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
429 |
if (++n == args.length) usageNoArg(); |
3951
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3716
diff
changeset
|
430 |
keypass = getPass(modifier, args[n]); |
2 | 431 |
} else if (collator.compare(flags, "-sigfile") ==0) { |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
432 |
if (++n == args.length) usageNoArg(); |
2 | 433 |
sigfile = args[n]; |
434 |
} else if (collator.compare(flags, "-signedjar") ==0) { |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
435 |
if (++n == args.length) usageNoArg(); |
2 | 436 |
signedjar = args[n]; |
437 |
} else if (collator.compare(flags, "-tsa") ==0) { |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
438 |
if (++n == args.length) usageNoArg(); |
2 | 439 |
tsaUrl = args[n]; |
440 |
} else if (collator.compare(flags, "-tsacert") ==0) { |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
441 |
if (++n == args.length) usageNoArg(); |
2 | 442 |
tsaAlias = args[n]; |
443 |
} else if (collator.compare(flags, "-altsigner") ==0) { |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
444 |
if (++n == args.length) usageNoArg(); |
2 | 445 |
altSignerClass = args[n]; |
31060 | 446 |
System.err.println( |
447 |
rb.getString("This.option.is.deprecated") + |
|
448 |
"-altsigner"); |
|
2 | 449 |
} else if (collator.compare(flags, "-altsignerpath") ==0) { |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
450 |
if (++n == args.length) usageNoArg(); |
2 | 451 |
altSignerClasspath = args[n]; |
31060 | 452 |
System.err.println( |
453 |
rb.getString("This.option.is.deprecated") + |
|
454 |
"-altsignerpath"); |
|
2 | 455 |
} else if (collator.compare(flags, "-sectionsonly") ==0) { |
456 |
signManifest = false; |
|
457 |
} else if (collator.compare(flags, "-internalsf") ==0) { |
|
458 |
externalSF = false; |
|
459 |
} else if (collator.compare(flags, "-verify") ==0) { |
|
460 |
verify = true; |
|
461 |
} else if (collator.compare(flags, "-verbose") ==0) { |
|
3951
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3716
diff
changeset
|
462 |
verbose = (modifier != null) ? modifier : "all"; |
2 | 463 |
} else if (collator.compare(flags, "-sigalg") ==0) { |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
464 |
if (++n == args.length) usageNoArg(); |
2 | 465 |
sigalg = args[n]; |
466 |
} else if (collator.compare(flags, "-digestalg") ==0) { |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
467 |
if (++n == args.length) usageNoArg(); |
2 | 468 |
digestalg = args[n]; |
469 |
} else if (collator.compare(flags, "-certs") ==0) { |
|
470 |
showcerts = true; |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
471 |
} else if (collator.compare(flags, "-strict") ==0) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
472 |
strict = true; |
48543
7067fe4e054e
8189102: All tools should support -?, -h and --help
goetz
parents:
47469
diff
changeset
|
473 |
} else if (collator.compare(flags, "-?") == 0 || |
7067fe4e054e
8189102: All tools should support -?, -h and --help
goetz
parents:
47469
diff
changeset
|
474 |
collator.compare(flags, "-h") == 0 || |
7067fe4e054e
8189102: All tools should support -?, -h and --help
goetz
parents:
47469
diff
changeset
|
475 |
collator.compare(flags, "--help") == 0 || |
7067fe4e054e
8189102: All tools should support -?, -h and --help
goetz
parents:
47469
diff
changeset
|
476 |
// -help: legacy. |
7067fe4e054e
8189102: All tools should support -?, -h and --help
goetz
parents:
47469
diff
changeset
|
477 |
collator.compare(flags, "-help") == 0) { |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
478 |
fullusage(); |
2 | 479 |
} else { |
19189
a4b8478a2bc5
8021789: jarsigner parses alias as command line option (depending on locale)
weijun
parents:
17161
diff
changeset
|
480 |
System.err.println( |
a4b8478a2bc5
8021789: jarsigner parses alias as command line option (depending on locale)
weijun
parents:
17161
diff
changeset
|
481 |
rb.getString("Illegal.option.") + flags); |
a4b8478a2bc5
8021789: jarsigner parses alias as command line option (depending on locale)
weijun
parents:
17161
diff
changeset
|
482 |
usage(); |
2 | 483 |
} |
484 |
} |
|
485 |
||
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
486 |
// -certs must always be specified with -verbose |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
487 |
if (verbose == null) showcerts = false; |
2 | 488 |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
489 |
if (jarfile == null) { |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
490 |
System.err.println(rb.getString("Please.specify.jarfile.name")); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
491 |
usage(); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
492 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
493 |
if (!verify && alias == null) { |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
494 |
System.err.println(rb.getString("Please.specify.alias.name")); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
495 |
usage(); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
496 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
497 |
if (!verify && ckaliases.size() > 1) { |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
498 |
System.err.println(rb.getString("Only.one.alias.can.be.specified")); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
499 |
usage(); |
2 | 500 |
} |
501 |
||
502 |
if (storetype == null) { |
|
503 |
storetype = KeyStore.getDefaultType(); |
|
504 |
} |
|
505 |
storetype = KeyStoreUtil.niceStoreTypeName(storetype); |
|
506 |
||
3481
6ae7a2a6c956
6866479: libzip.so caused JVM to crash when running jarsigner
weijun
parents:
3318
diff
changeset
|
507 |
try { |
6ae7a2a6c956
6866479: libzip.so caused JVM to crash when running jarsigner
weijun
parents:
3318
diff
changeset
|
508 |
if (signedjar != null && new File(signedjar).getCanonicalPath().equals( |
6ae7a2a6c956
6866479: libzip.so caused JVM to crash when running jarsigner
weijun
parents:
3318
diff
changeset
|
509 |
new File(jarfile).getCanonicalPath())) { |
6ae7a2a6c956
6866479: libzip.so caused JVM to crash when running jarsigner
weijun
parents:
3318
diff
changeset
|
510 |
signedjar = null; |
6ae7a2a6c956
6866479: libzip.so caused JVM to crash when running jarsigner
weijun
parents:
3318
diff
changeset
|
511 |
} |
6ae7a2a6c956
6866479: libzip.so caused JVM to crash when running jarsigner
weijun
parents:
3318
diff
changeset
|
512 |
} catch (IOException ioe) { |
6ae7a2a6c956
6866479: libzip.so caused JVM to crash when running jarsigner
weijun
parents:
3318
diff
changeset
|
513 |
// File system error? |
6ae7a2a6c956
6866479: libzip.so caused JVM to crash when running jarsigner
weijun
parents:
3318
diff
changeset
|
514 |
// Just ignore it. |
6ae7a2a6c956
6866479: libzip.so caused JVM to crash when running jarsigner
weijun
parents:
3318
diff
changeset
|
515 |
} |
6ae7a2a6c956
6866479: libzip.so caused JVM to crash when running jarsigner
weijun
parents:
3318
diff
changeset
|
516 |
|
2 | 517 |
if (P11KEYSTORE.equalsIgnoreCase(storetype) || |
518 |
KeyStoreUtil.isWindowsKeyStore(storetype)) { |
|
519 |
token = true; |
|
520 |
if (keystore == null) { |
|
521 |
keystore = NONE; |
|
522 |
} |
|
523 |
} |
|
524 |
||
525 |
if (NONE.equals(keystore)) { |
|
526 |
nullStream = true; |
|
527 |
} |
|
528 |
||
529 |
if (token && !nullStream) { |
|
530 |
System.err.println(MessageFormat.format(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
531 |
(".keystore.must.be.NONE.if.storetype.is.{0}"), storetype)); |
2 | 532 |
usage(); |
533 |
} |
|
534 |
||
535 |
if (token && keypass != null) { |
|
536 |
System.err.println(MessageFormat.format(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
537 |
(".keypass.can.not.be.specified.if.storetype.is.{0}"), storetype)); |
2 | 538 |
usage(); |
539 |
} |
|
540 |
||
541 |
if (protectedPath) { |
|
542 |
if (storepass != null || keypass != null) { |
|
543 |
System.err.println(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
544 |
("If.protected.is.specified.then.storepass.and.keypass.must.not.be.specified")); |
2 | 545 |
usage(); |
546 |
} |
|
547 |
} |
|
548 |
if (KeyStoreUtil.isWindowsKeyStore(storetype)) { |
|
549 |
if (storepass != null || keypass != null) { |
|
550 |
System.err.println(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
551 |
("If.keystore.is.not.password.protected.then.storepass.and.keypass.must.not.be.specified")); |
2 | 552 |
usage(); |
553 |
} |
|
554 |
} |
|
24868
89d9bd9eba96
8023197: Pre-configured command line options for keytool and jarsigner
weijun
parents:
24625
diff
changeset
|
555 |
return args; |
2 | 556 |
} |
static char[] getPass(String modifier, String arg) {
    // Resolve a password from the option value and the ":modifier" that was
    // attached to the option name; KeyStoreUtil.getPassWithModifier decides
    // what each modifier means and uses rb for its messages. A null result
    // is a usage error and terminates the tool.
    char[] password = KeyStoreUtil.getPassWithModifier(modifier, arg, rb);
    if (password == null) {
        usage();    // never returns: usage() calls System.exit(1)
    }
    return password;
}
static void usageNoArg() {
    // Reported when an option that takes a value is the last argument.
    // Note that this message goes to stdout, while "Illegal option" and the
    // other parse errors are written to stderr.
    String message = rb.getString("Option.lacks.argument");
    System.out.println(message);
    usage();    // exits with status 1
}
static void usage() {
    // Short hint printed after any usage error; the option list itself is
    // only shown by fullusage(). Exit status 1 is distinct from the bit-mask
    // codes (16/32/64, ...) that the -strict verification path exits with.
    String hint = rb.getString("Please.type.jarsigner.help.for.usage");
    System.out.println();
    System.out.println(hint);
    System.exit(1);
}
/**
 * Prints the complete option reference for jarsigner and exits with
 * status 0. Never returns.
 *
 * Every line of help text is looked up in the resource bundle by a
 * fixed key; nothing from the command line or from a JAR is
 * interpolated into the output. The table below is walked in order,
 * and a {@code null} entry stands for the empty separator line that
 * follows most option descriptions.
 */
static void fullusage() {
    final String[] helpKeys = {
        "Usage.jarsigner.options.jar.file.alias",
        ".jarsigner.verify.options.jar.file.alias.",
        null,
        ".keystore.url.keystore.location",
        null,
        ".storepass.password.password.for.keystore.integrity",
        null,
        ".storetype.type.keystore.type",
        null,
        ".keypass.password.password.for.private.key.if.different.",
        null,
        ".certchain.file.name.of.alternative.certchain.file",
        null,
        ".sigfile.file.name.of.SF.DSA.file",
        null,
        ".signedjar.file.name.of.signed.JAR.file",
        null,
        ".digestalg.algorithm.name.of.digest.algorithm",
        null,
        ".sigalg.algorithm.name.of.signature.algorithm",
        null,
        ".verify.verify.a.signed.JAR.file",
        null,
        // -verbose takes sub-options; its two description lines are
        // printed back to back without a separator.
        ".verbose.suboptions.verbose.output.when.signing.verifying.",
        ".suboptions.can.be.all.grouped.or.summary",
        null,
        ".certs.display.certificates.when.verbose.and.verifying",
        null,
        ".tsa.url.location.of.the.Timestamping.Authority",
        null,
        ".tsacert.alias.public.key.certificate.for.Timestamping.Authority",
        null,
        ".tsapolicyid.tsapolicyid.for.Timestamping.Authority",
        null,
        ".tsadigestalg.algorithm.of.digest.data.in.timestamping.request",
        null,
        ".altsigner.class.class.name.of.an.alternative.signing.mechanism",
        null,
        ".altsignerpath.pathlist.location.of.an.alternative.signing.mechanism",
        null,
        ".internalsf.include.the.SF.file.inside.the.signature.block",
        null,
        ".sectionsonly.don.t.compute.hash.of.entire.manifest",
        null,
        ".protected.keystore.has.protected.authentication.path",
        null,
        ".providerName.name.provider.name",
        null,
        // -addprovider and -providerClass each pair with a -providerArg
        // line; the pair is printed together, then a separator.
        ".add.provider.option",
        ".providerArg.option.1",
        null,
        ".providerClass.option",
        ".providerArg.option.2",
        null,
        ".strict.treat.warnings.as.errors",
        null,
        ".conf.url.specify.a.pre.configured.options.file",
        null,
        ".print.this.help.message",
        null,
    };

    for (String key : helpKeys) {
        if (key == null) {
            System.out.println();
        } else {
            System.out.println(rb.getString(key));
        }
    }

    System.exit(0);
}
void verifyJar(String jarName) |
throws Exception |
{ |
boolean anySigned = false; // if there exists entry inside jar signed |
JarFile jf = null; |
Map<String,String> digestMap = new HashMap<>(); |
Map<String,PKCS7> sigMap = new HashMap<>(); |
Map<String,String> sigNameMap = new HashMap<>(); |
Map<String,String> unparsableSignatures = new HashMap<>(); |
try { |
jf = new JarFile(jarName, true); |
Vector<JarEntry> entriesVec = new Vector<>(); |
byte[] buffer = new byte[8192]; |
Enumeration<JarEntry> entries = jf.entries(); |
|
689 |
while (entries.hasMoreElements()) { |
|
690 |
JarEntry je = entries.nextElement(); |
|
691 |
entriesVec.addElement(je); |
|
41590
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
692 |
try (InputStream is = jf.getInputStream(je)) { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
693 |
String name = je.getName(); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
694 |
if (signatureRelated(name) |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
695 |
&& SignatureFileVerifier.isBlockOrSF(name)) { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
696 |
String alias = name.substring(name.lastIndexOf('/') + 1, |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
697 |
name.lastIndexOf('.')); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
698 |
try { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
699 |
if (name.endsWith(".SF")) { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
700 |
Manifest sf = new Manifest(is); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
701 |
boolean found = false; |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
702 |
for (Object obj : sf.getMainAttributes().keySet()) { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
703 |
String key = obj.toString(); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
704 |
if (key.endsWith("-Digest-Manifest")) { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
705 |
digestMap.put(alias, |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
706 |
key.substring(0, key.length() - 16)); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
707 |
found = true; |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
708 |
break; |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
709 |
} |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
710 |
} |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
711 |
if (!found) { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
712 |
unparsableSignatures.putIfAbsent(alias, |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
713 |
String.format( |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
714 |
rb.getString("history.unparsable"), |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
715 |
name)); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
716 |
} |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
717 |
} else { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
718 |
sigNameMap.put(alias, name); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
719 |
sigMap.put(alias, new PKCS7(is)); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
720 |
} |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
721 |
} catch (IOException ioe) { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
722 |
unparsableSignatures.putIfAbsent(alias, String.format( |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
723 |
rb.getString("history.unparsable"), name)); |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
724 |
} |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
725 |
} else { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
726 |
while (is.read(buffer, 0, buffer.length) != -1) { |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
727 |
// we just read. this will throw a SecurityException |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
728 |
// if a signature/digest check fails. |
1c5b1891b8e0
8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
weijun
parents:
41582
diff
changeset
|
729 |
} |
2 | 730 |
} |
731 |
} |
|
732 |
} |
|
733 |
||
734 |
Manifest man = jf.getManifest(); |
|
41582
246512d81eba
8165816: jarsigner -verify shows jar unsigned if it was signed with a weak algorithm
weijun
parents:
40177
diff
changeset
|
735 |
boolean hasSignature = false; |
2 | 736 |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
737 |
// The map to record display info, only used when -verbose provided |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
738 |
// key: signer info string |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
739 |
// value: the list of files with common key |
7977
f47f211cd627
7008713: diamond conversion of kerberos5 and security tools
smarks
parents:
7525
diff
changeset
|
740 |
Map<String,List<String>> output = new LinkedHashMap<>(); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
741 |
|
2 | 742 |
if (man != null) { |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
743 |
if (verbose != null) System.out.println(); |
2 | 744 |
Enumeration<JarEntry> e = entriesVec.elements(); |
745 |
||
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
746 |
String tab = rb.getString("6SPACE"); |
2 | 747 |
|
748 |
while (e.hasMoreElements()) { |
|
749 |
JarEntry je = e.nextElement(); |
|
750 |
String name = je.getName(); |
|
41582
246512d81eba
8165816: jarsigner -verify shows jar unsigned if it was signed with a weak algorithm
weijun
parents:
40177
diff
changeset
|
751 |
|
246512d81eba
8165816: jarsigner -verify shows jar unsigned if it was signed with a weak algorithm
weijun
parents:
40177
diff
changeset
|
752 |
hasSignature = hasSignature |
246512d81eba
8165816: jarsigner -verify shows jar unsigned if it was signed with a weak algorithm
weijun
parents:
40177
diff
changeset
|
753 |
|| SignatureFileVerifier.isBlockOrSF(name); |
246512d81eba
8165816: jarsigner -verify shows jar unsigned if it was signed with a weak algorithm
weijun
parents:
40177
diff
changeset
|
754 |
|
2 | 755 |
CodeSigner[] signers = je.getCodeSigners(); |
756 |
boolean isSigned = (signers != null); |
|
757 |
anySigned |= isSigned; |
|
758 |
hasUnsignedEntry |= !je.isDirectory() && !isSigned |
|
759 |
&& !signatureRelated(name); |
|
760 |
||
40177
e2a7079bd50a
8163303: Remove identity scope information from jarsigner -verbose output
weijun
parents:
39633
diff
changeset
|
761 |
int inStoreWithAlias = inKeyStore(signers); |
e2a7079bd50a
8163303: Remove identity scope information from jarsigner -verbose output
weijun
parents:
39633
diff
changeset
|
762 |
|
e2a7079bd50a
8163303: Remove identity scope information from jarsigner -verbose output
weijun
parents:
39633
diff
changeset
|
763 |
boolean inStore = (inStoreWithAlias & IN_KEYSTORE) != 0; |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
764 |
|
40177
e2a7079bd50a
8163303: Remove identity scope information from jarsigner -verbose output
weijun
parents:
39633
diff
changeset
|
765 |
notSignedByAlias |= (inStoreWithAlias & NOT_ALIAS) != 0; |
7525
16d2b5e6517a
7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert
weijun
parents:
7524
diff
changeset
|
766 |
if (keystore != null) { |
40177
e2a7079bd50a
8163303: Remove identity scope information from jarsigner -verbose output
weijun
parents:
39633
diff
changeset
|
767 |
aliasNotInStore |= isSigned && !inStore; |
7525
16d2b5e6517a
7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert
weijun
parents:
7524
diff
changeset
|
768 |
} |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
769 |
|
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
770 |
// Only used when -verbose provided |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
771 |
StringBuffer sb = null; |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
772 |
if (verbose != null) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
773 |
sb = new StringBuffer(); |
2 | 774 |
boolean inManifest = |
775 |
((man.getAttributes(name) != null) || |
|
776 |
(man.getAttributes("./"+name) != null) || |
|
777 |
(man.getAttributes("/"+name) != null)); |
|
27957
24b4e6082f19
8055723: Replace concat String to append in StringBuilder parameters (dev)
weijun
parents:
27344
diff
changeset
|
778 |
sb.append(isSigned ? rb.getString("s") : rb.getString("SPACE")) |
24b4e6082f19
8055723: Replace concat String to append in StringBuilder parameters (dev)
weijun
parents:
27344
diff
changeset
|
779 |
.append(inManifest ? rb.getString("m") : rb.getString("SPACE")) |
24b4e6082f19
8055723: Replace concat String to append in StringBuilder parameters (dev)
weijun
parents:
27344
diff
changeset
|
780 |
.append(inStore ? rb.getString("k") : rb.getString("SPACE")) |
40177
e2a7079bd50a
8163303: Remove identity scope information from jarsigner -verbose output
weijun
parents:
39633
diff
changeset
|
781 |
.append((inStoreWithAlias & NOT_ALIAS) != 0 ? 'X' : ' ') |
27957
24b4e6082f19
8055723: Replace concat String to append in StringBuilder parameters (dev)
weijun
parents:
27344
diff
changeset
|
782 |
.append(rb.getString("SPACE")); |
24b4e6082f19
8055723: Replace concat String to append in StringBuilder parameters (dev)
weijun
parents:
27344
diff
changeset
|
783 |
sb.append('|'); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
784 |
} |
2 | 785 |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
786 |
// When -certs provided, display info has extra empty |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
787 |
// lines at the beginning and end. |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
788 |
if (isSigned) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
789 |
if (showcerts) sb.append('\n'); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
790 |
for (CodeSigner signer: signers) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
791 |
// signerInfo() must be called even if -verbose |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
792 |
// not provided. The method updates various |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
793 |
// warning flags. |
12046
378aa3362868
7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp
weijun
parents:
10788
diff
changeset
|
794 |
String si = signerInfo(signer, tab); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
795 |
if (showcerts) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
796 |
sb.append(si); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
797 |
sb.append('\n'); |
2 | 798 |
} |
799 |
} |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
800 |
} else if (showcerts && !verbose.equals("all")) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
801 |
// Print no info for unsigned entries when -verbose:all, |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
802 |
// to be consistent with old behavior. |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
803 |
if (signatureRelated(name)) { |
27957
24b4e6082f19
8055723: Replace concat String to append in StringBuilder parameters (dev)
weijun
parents:
27344
diff
changeset
|
804 |
sb.append('\n') |
24b4e6082f19
8055723: Replace concat String to append in StringBuilder parameters (dev)
weijun
parents:
27344
diff
changeset
|
805 |
.append(tab) |
24b4e6082f19
8055723: Replace concat String to append in StringBuilder parameters (dev)
weijun
parents:
27344
diff
changeset
|
806 |
.append(rb |
24b4e6082f19
8055723: Replace concat String to append in StringBuilder parameters (dev)
weijun
parents:
27344
diff
changeset
|
807 |
.getString(".Signature.related.entries.")) |
24b4e6082f19
8055723: Replace concat String to append in StringBuilder parameters (dev)
weijun
parents:
27344
diff
changeset
|
808 |
.append("\n\n"); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
809 |
} else { |
27957
24b4e6082f19
8055723: Replace concat String to append in StringBuilder parameters (dev)
weijun
parents:
27344
diff
changeset
|
810 |
sb.append('\n').append(tab) |
24b4e6082f19
8055723: Replace concat String to append in StringBuilder parameters (dev)
weijun
parents:
27344
diff
changeset
|
811 |
.append(rb.getString(".Unsigned.entries.")) |
24b4e6082f19
8055723: Replace concat String to append in StringBuilder parameters (dev)
weijun
parents:
27344
diff
changeset
|
812 |
.append("\n\n"); |
2 | 813 |
} |
814 |
} |
|
815 |
||
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
816 |
if (verbose != null) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
817 |
String label = sb.toString(); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
818 |
if (signatureRelated(name)) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
819 |
// Entries inside META-INF and other unsigned |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
820 |
// entries are grouped separately. |
7524
ec12e1e6fa20
7004035: signed jar with only META-INF/* inside is not verifiable
weijun
parents:
7179
diff
changeset
|
821 |
label = "-" + label; |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
822 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
823 |
|
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
824 |
// The label finally contains 2 parts separated by '|': |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
825 |
// The legend displayed before the entry names, and |
21278 | 826 |
// the cert info (if -certs specified). |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
827 |
|
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
828 |
if (!output.containsKey(label)) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
829 |
output.put(label, new ArrayList<String>()); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
830 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
831 |
|
24969
afa6934dd8e8
8041679: Replace uses of StringBuffer with StringBuilder within core library classes
psandoz
parents:
24868
diff
changeset
|
832 |
StringBuilder fb = new StringBuilder(); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
833 |
String s = Long.toString(je.getSize()); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
834 |
for (int i = 6 - s.length(); i > 0; --i) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
835 |
fb.append(' '); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
836 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
837 |
fb.append(s).append(' '). |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
838 |
append(new Date(je.getTime()).toString()); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
839 |
fb.append(' ').append(name); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
840 |
|
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
841 |
output.get(label).add(fb.toString()); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
842 |
} |
2 | 843 |
} |
844 |
} |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
845 |
if (verbose != null) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
846 |
for (Entry<String,List<String>> s: output.entrySet()) { |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
847 |
List<String> files = s.getValue(); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
848 |
String key = s.getKey(); |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
849 |
if (key.charAt(0) == '-') { // the signature-related group |
7524
ec12e1e6fa20
7004035: signed jar with only META-INF/* inside is not verifiable
weijun
parents:
7179
diff
changeset
|
850 |
key = key.substring(1); |
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
851 |
} |
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
852 |
int pipe = key.indexOf('|'); |
if (verbose.equals("all")) { |
for (String f: files) { |
System.out.println(key.substring(0, pipe) + f); |
System.out.printf(key.substring(pipe+1)); |
} |
} else { |
if (verbose.equals("grouped")) { |
for (String f: files) { |
System.out.println(key.substring(0, pipe) + f); |
} |
} else if (verbose.equals("summary")) { |
System.out.print(key.substring(0, pipe)); |
if (files.size() > 1) { |
System.out.println(files.get(0) + " " + |
String.format(rb.getString( |
".and.d.more."), files.size()-1)); |
} else { |
System.out.println(files.get(0)); |
} |
} |
System.out.printf(key.substring(pipe+1)); |
} |
} |
System.out.println(); |
System.out.println(rb.getString( |
".s.signature.was.verified.")); |
System.out.println(rb.getString( |
".m.entry.is.listed.in.manifest")); |
System.out.println(rb.getString( |
".k.at.least.one.certificate.was.found.in.keystore")); |
if (ckaliases.size() > 0) { |
System.out.println(rb.getString( |
".X.not.signed.by.specified.alias.es.")); |
} |
} |
if (man == null) { |
System.out.println(); |
System.out.println(rb.getString("no.manifest.")); |
} |
|
// If signer is a trusted cert or private entry in user's own |
// keystore, it can be self-signed. Please note aliasNotInStore |
// is always false when ~/.keystore is used. |
if (!aliasNotInStore && keystore != null) { |
signerSelfSigned = false; |
} |
|
// Even if the verbose option is not specified, all out strings |
// must be generated so seeWeak can be updated. |
if (!digestMap.isEmpty() |
|| !sigMap.isEmpty() |
|| !unparsableSignatures.isEmpty()) { |
if (verbose != null) { |
System.out.println(); |
} |
for (String s : sigMap.keySet()) { |
if (!digestMap.containsKey(s)) { |
unparsableSignatures.putIfAbsent(s, String.format( |
rb.getString("history.nosf"), s)); |
} |
} |
for (String s : digestMap.keySet()) { |
PKCS7 p7 = sigMap.get(s); |
if (p7 != null) { |
String history; |
try { |
SignerInfo si = p7.getSignerInfos()[0]; |
X509Certificate signer = si.getCertificate(p7); |
String digestAlg = digestMap.get(s); |
String sigAlg = AlgorithmId.makeSigAlg( |
si.getDigestAlgorithmId().getName(), |
si.getDigestEncryptionAlgorithmId().getName()); |
PublicKey key = signer.getPublicKey(); |
PKCS7 tsToken = si.getTsToken(); |
if (tsToken != null) { |
hasTimestampBlock = true; |
SignerInfo tsSi = tsToken.getSignerInfos()[0]; |
X509Certificate tsSigner = tsSi.getCertificate(tsToken); |
byte[] encTsTokenInfo = tsToken.getContentInfo().getData(); |
TimestampToken tsTokenInfo = new TimestampToken(encTsTokenInfo); |
PublicKey tsKey = tsSigner.getPublicKey(); |
String tsDigestAlg = tsTokenInfo.getHashAlgorithm().getName(); |
String tsSigAlg = AlgorithmId.makeSigAlg( |
tsSi.getDigestAlgorithmId().getName(), |
tsSi.getDigestEncryptionAlgorithmId().getName()); |
Calendar c = Calendar.getInstance( |
TimeZone.getTimeZone("UTC"), |
Locale.getDefault(Locale.Category.FORMAT)); |
c.setTime(tsTokenInfo.getDate()); |
history = String.format( |
rb.getString("history.with.ts"), |
signer.getSubjectX500Principal(), |
withWeak(digestAlg, DIGEST_PRIMITIVE_SET), |
withWeak(sigAlg, SIG_PRIMITIVE_SET), |
withWeak(key), |
c, |
tsSigner.getSubjectX500Principal(), |
withWeak(tsDigestAlg, DIGEST_PRIMITIVE_SET), |
withWeak(tsSigAlg, SIG_PRIMITIVE_SET), |
withWeak(tsKey)); |
} else { |
history = String.format( |
rb.getString("history.without.ts"), |
signer.getSubjectX500Principal(), |
withWeak(digestAlg, DIGEST_PRIMITIVE_SET), |
withWeak(sigAlg, SIG_PRIMITIVE_SET), |
withWeak(key)); |
} |
} catch (Exception e) { |
// The only usage of sigNameMap, remember the name |
// of the block file if it's invalid. |
history = String.format( |
rb.getString("history.unparsable"), |
sigNameMap.get(s)); |
} |
if (verbose != null) { |
System.out.println(history); |
} |
} else { |
unparsableSignatures.putIfAbsent(s, String.format( |
rb.getString("history.nobk"), s)); |
} |
} |
if (verbose != null) { |
for (String s : unparsableSignatures.keySet()) { |
System.out.println(unparsableSignatures.get(s)); |
} |
} |
} |
System.out.println(); |
if (!anySigned) { |
if (seeWeak) { |
if (verbose != null) { |
System.out.println(rb.getString("jar.treated.unsigned.see.weak.verbose")); |
System.out.println("\n " + |
DisabledAlgorithmConstraints.PROPERTY_JAR_DISABLED_ALGS + |
"=" + Security.getProperty(DisabledAlgorithmConstraints.PROPERTY_JAR_DISABLED_ALGS)); |
} else { |
System.out.println(rb.getString("jar.treated.unsigned.see.weak")); |
} |
} else if (hasSignature) { |
System.out.println(rb.getString("jar.treated.unsigned")); |
} else { |
System.out.println(rb.getString("jar.is.unsigned")); |
} |
} else { |
displayMessagesAndResult(false); |
} |
return; |
} catch (Exception e) { |
System.out.println(rb.getString("jarsigner.") + e); |
if (debug) { |
e.printStackTrace(); |
} |
} finally { // close the resource |
if (jf != null) { |
jf.close(); |
} |
} |
||
System.exit(1); |
} |
||
private void displayMessagesAndResult(boolean isSigning) { |
String result; |
List<String> errors = new ArrayList<>(); |
List<String> warnings = new ArrayList<>(); |
List<String> info = new ArrayList<>(); |
|
boolean signerNotExpired = expireDate == null |
|| expireDate.after(new Date()); |
|
if (badKeyUsage || badExtendedKeyUsage || badNetscapeCertType || |
notYetValidCert || chainNotValidated || hasExpiredCert || |
hasUnsignedEntry || signerSelfSigned || (weakAlg != 0) || |
aliasNotInStore || notSignedByAlias || |
tsaChainNotValidated || |
(hasExpiredTsaCert && !signerNotExpired)) { |
|
if (strict) { |
result = rb.getString(isSigning |
? "jar.signed.with.signer.errors." |
: "jar.verified.with.signer.errors."); |
} else { |
result = rb.getString(isSigning |
? "jar.signed." |
: "jar.verified."); |
} |
|
if (badKeyUsage) { |
errors.add(rb.getString(isSigning |
? "The.signer.certificate.s.KeyUsage.extension.doesn.t.allow.code.signing." |
: "This.jar.contains.entries.whose.signer.certificate.s.KeyUsage.extension.doesn.t.allow.code.signing.")); |
} |
|
if (badExtendedKeyUsage) { |
errors.add(rb.getString(isSigning |
? "The.signer.certificate.s.ExtendedKeyUsage.extension.doesn.t.allow.code.signing." |
: "This.jar.contains.entries.whose.signer.certificate.s.ExtendedKeyUsage.extension.doesn.t.allow.code.signing.")); |
} |
|
if (badNetscapeCertType) { |
errors.add(rb.getString(isSigning |
? "The.signer.certificate.s.NetscapeCertType.extension.doesn.t.allow.code.signing." |
: "This.jar.contains.entries.whose.signer.certificate.s.NetscapeCertType.extension.doesn.t.allow.code.signing.")); |
} |
|
// only in verifying |
if (hasUnsignedEntry) { |
errors.add(rb.getString( |
"This.jar.contains.unsigned.entries.which.have.not.been.integrity.checked.")); |
} |
if (hasExpiredCert) { |
errors.add(rb.getString(isSigning |
? "The.signer.certificate.has.expired." |
: "This.jar.contains.entries.whose.signer.certificate.has.expired.")); |
} |
if (notYetValidCert) { |
errors.add(rb.getString(isSigning |
? "The.signer.certificate.is.not.yet.valid." |
: "This.jar.contains.entries.whose.signer.certificate.is.not.yet.valid.")); |
} |
|
if (chainNotValidated) { |
errors.add(String.format(rb.getString(isSigning |
? "The.signer.s.certificate.chain.is.invalid.reason.1" |
: "This.jar.contains.entries.whose.certificate.chain.is.invalid.reason.1"), |
chainNotValidatedReason.getLocalizedMessage())); |
} |
|
if (hasExpiredTsaCert) { |
errors.add(rb.getString("The.timestamp.has.expired.")); |
} |
if (tsaChainNotValidated) { |
errors.add(String.format(rb.getString(isSigning |
? "The.tsa.certificate.chain.is.invalid.reason.1" |
: "This.jar.contains.entries.whose.tsa.certificate.chain.is.invalid.reason.1"), |
tsaChainNotValidatedReason.getLocalizedMessage())); |
} |
|
// only in verifying |
if (notSignedByAlias) { |
errors.add( |
rb.getString("This.jar.contains.signed.entries.which.is.not.signed.by.the.specified.alias.es.")); |
} |
|
// only in verifying |
if (aliasNotInStore) { |
errors.add(rb.getString("This.jar.contains.signed.entries.that.s.not.signed.by.alias.in.this.keystore.")); |
} |
|
if (signerSelfSigned) { |
errors.add(rb.getString(isSigning |
? "The.signer.s.certificate.is.self.signed." |
: "This.jar.contains.entries.whose.signer.certificate.is.self.signed.")); |
} |
|
// weakAlg only detected in signing. The jar file is |
// now simply treated unsigned in verifying. |
if ((weakAlg & 1) == 1) { |
errors.add(String.format( |
rb.getString("The.1.algorithm.specified.for.the.2.option.is.considered.a.security.risk."), |
digestalg, "-digestalg")); |
} |
|
if ((weakAlg & 2) == 2) { |
errors.add(String.format( |
rb.getString("The.1.algorithm.specified.for.the.2.option.is.considered.a.security.risk."), |
sigalg, "-sigalg")); |
} |
if ((weakAlg & 4) == 4) { |
errors.add(String.format( |
rb.getString("The.1.algorithm.specified.for.the.2.option.is.considered.a.security.risk."), |
tSADigestAlg, "-tsadigestalg")); |
} |
if ((weakAlg & 8) == 8) { |
errors.add(String.format( |
rb.getString("The.1.signing.key.has.a.keysize.of.2.which.is.considered.a.security.risk."), |
privateKey.getAlgorithm(), KeyUtil.getKeySize(privateKey))); |
} |
} else { |
result = rb.getString(isSigning ? "jar.signed." : "jar.verified."); |
} |
|
if (hasExpiredTsaCert) { |
// No need to warn about expiring if already expired |
hasExpiringTsaCert = false; |
} |
|
if (hasExpiringCert || |
(hasExpiringTsaCert && expireDate != null) || |
(noTimestamp && expireDate != null) || |
(hasExpiredTsaCert && signerNotExpired)) { |
|
if (hasExpiredTsaCert && signerNotExpired) { |
if (expireDate != null) { |
warnings.add(String.format( |
rb.getString("The.timestamp.expired.1.but.usable.2"), |
tsaExpireDate, |
expireDate)); |
} |
// Reset the flag so exit code is 0 |
hasExpiredTsaCert = false; |
} |
if (hasExpiringCert) { |
warnings.add(rb.getString(isSigning |
? "The.signer.certificate.will.expire.within.six.months." |
: "This.jar.contains.entries.whose.signer.certificate.will.expire.within.six.months.")); |
} |
if (hasExpiringTsaCert && expireDate != null) { |
if (expireDate.after(tsaExpireDate)) { |
warnings.add(String.format(rb.getString( |
"The.timestamp.will.expire.within.one.year.on.1.but.2"), tsaExpireDate, expireDate)); |
} else { |
warnings.add(String.format(rb.getString( |
"The.timestamp.will.expire.within.one.year.on.1"), tsaExpireDate)); |
} |
} |
if (noTimestamp && expireDate != null) { |
if (hasTimestampBlock) { |
warnings.add(String.format(rb.getString(isSigning |
? "invalid.timestamp.signing" |
: "bad.timestamp.verifying"), expireDate)); |
} else { |
warnings.add(String.format(rb.getString(isSigning |
? "no.timestamp.signing" |
: "no.timestamp.verifying"), expireDate)); |
} |
} |
} |
|
System.out.println(result); |
if (strict) { |
if (!errors.isEmpty()) { |
System.out.println(); |
System.out.println(rb.getString("Error.")); |
errors.forEach(System.out::println); |
} |
if (!warnings.isEmpty()) { |
System.out.println(); |
System.out.println(rb.getString("Warning.")); |
warnings.forEach(System.out::println); |
} |
} else { |
if (!errors.isEmpty() || !warnings.isEmpty()) { |
System.out.println(); |
System.out.println(rb.getString("Warning.")); |
errors.forEach(System.out::println); |
warnings.forEach(System.out::println); |
} |
} |
if (!isSigning && (!errors.isEmpty() || !warnings.isEmpty())) { |
if (! (verbose != null && showcerts)) { |
System.out.println(); |
System.out.println(rb.getString( |
"Re.run.with.the.verbose.and.certs.options.for.more.details.")); |
} |
} |
|
if (isSigning || verbose != null) { |
// Always print out expireDate, unless expired or expiring. |
if (!hasExpiringCert && !hasExpiredCert |
&& expireDate != null && signerNotExpired) { |
info.add(String.format(rb.getString( |
"The.signer.certificate.will.expire.on.1."), expireDate)); |
} |
if (!noTimestamp) { |
if (!hasExpiringTsaCert && !hasExpiredTsaCert && tsaExpireDate != null) { |
if (signerNotExpired) { |
info.add(String.format(rb.getString( |
"The.timestamp.will.expire.on.1."), tsaExpireDate)); |
} else { |
info.add(String.format(rb.getString( |
"signer.cert.expired.1.but.timestamp.good.2."), |
expireDate, |
tsaExpireDate)); |
} |
} |
} |
} |
|
if (!info.isEmpty()) { |
System.out.println(); |
info.forEach(System.out::println); |
} |
} |
|
/**
 * Renders an algorithm name for display, tagging it with the localized
 * "with.weak" suffix when DISABLED_CHECK does not permit {@code alg} for
 * the given primitives.
 *
 * Side effect: sets the {@code seeWeak} flag whenever a non-permitted
 * algorithm is rendered (what the flag drives is outside this excerpt).
 *
 * @param alg          algorithm name as it appears in the signature/digest
 * @param primitiveSet crypto primitives the algorithm is being used for
 * @return {@code alg} unchanged if permitted, otherwise the "with.weak"
 *         rendering of it
 */
private String withWeak(String alg, Set<CryptoPrimitive> primitiveSet) {
    boolean permitted = DISABLED_CHECK.permits(primitiveSet, alg, null);
    if (!permitted) {
        // Remember that at least one weak algorithm was displayed.
        seeWeak = true;
        return String.format(rb.getString("with.weak"), alg);
    }
    return alg;
}
|
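/**
 * Renders a public key's size for display, e.g. the localized "key.bit"
 * text, or "key.bit.weak" when DISABLED_CHECK does not permit the key for
 * the signature primitives.
 *
 * KeyUtil.getKeySize() reports a negative value when it cannot determine
 * the size (the permitted branch already mapped that to "unknown.size",
 * see JDK-8185934). The weak branch previously formatted that negative
 * value straight into "key.bit.weak", which would print a "-1-bit key";
 * it now falls back to the same "unknown.size" text, wrapped in the
 * "with.weak" suffix, so a disallowed key of unknown size is still
 * reported as weak without a bogus size.
 *
 * Side effect: sets the {@code seeWeak} flag whenever a non-permitted
 * key is rendered (what the flag drives is outside this excerpt).
 *
 * @param key the signer's public key
 * @return localized key-size text, marked weak when not permitted
 */
private String withWeak(PublicKey key) {
    // Negative means "size unknown" for this key type/provider.
    int kLen = KeyUtil.getKeySize(key);
    if (DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
        if (kLen >= 0) {
            return String.format(rb.getString("key.bit"), kLen);
        }
        return rb.getString("unknown.size");
    }
    // Not permitted: remember it for the caller and tag the output as weak.
    seeWeak = true;
    if (kLen >= 0) {
        return String.format(rb.getString("key.bit.weak"), kLen);
    }
    // Size unknown but the key is still disallowed (e.g. the algorithm itself
    // is disabled): reuse existing resources instead of printing "-1-bit".
    return String.format(rb.getString("with.weak"), rb.getString("unknown.size"));
}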
|
// MessageFormat instances for the certificate validity text produced by the
// cert-description method that follows. Declared null here; the code that
// creates them is not visible in this excerpt (presumably built on first
// use from the resource bundle -- TODO confirm against the initialising site).
private static MessageFormat validityTimeForm = null;
// Format for a certificate whose validity has not started yet.
private static MessageFormat notYetTimeForm = null;
// Format for a certificate that has already expired.
private static MessageFormat expiredTimeForm = null;
// Format for a certificate that is about to expire.
private static MessageFormat expiringTimeForm = null;
/**
 * Renders one certificate of a signer or TSA chain as a string with no
 * trailing newline:
 *
 *   [tab] <cert-type> [", " <subject-DN>] [" " <keystore-entry-label>]
 *   [tab] "[" (trusted | validity-period | expiry-warning) "]"
 *   [tab] <key-usage-warning>
 *
 * Only the first line is produced for non-X.509 certificates.
 *
 * Side effects on shared state, in the order they occur:
 * <ul>
 *   <li>tsaExpireDate (TSA chain) or expireDate (signer chain) is replaced
 *       by this cert's notAfter when that is earlier, so they end up holding
 *       the earliest expiry seen;</li>
 *   <li>hasExpiringTsaCert / hasExpiringCert is set when no timestamp is
 *       given and the cert expires within ONE_YEAR / SIX_MONTHS;</li>
 *   <li>hasExpiredTsaCert / hasExpiredCert is set on
 *       CertificateExpiredException;</li>
 *   <li>notYetValidCert is set on CertificateNotYetValidException, for
 *       signer certs only;</li>
 *   <li>the static MessageFormat caches are filled from the resource
 *       bundle on first use.</li>
 * </ul>
 *
 * Certificates present in trustedCerts are not validity-checked at all and
 * get no expiry warning. The subject name is taken from the certificate and
 * appended verbatim; nothing here escapes it for display.
 *
 * @param isTsCert   true if c belongs to the TSA cert chain
 * @param tab        prefix written at the start of every output line
 * @param c          the certificate to describe
 * @param timestamp  when non-null, validity is checked as of this time
 *                   instead of "now", and no "will expire" warning is
 *                   produced
 * @param checkUsage true to run checkCertUsage and report which of
 *                   KeyUsage / ExtendedKeyUsage / NetscapeCertType do not
 *                   permit code signing
 * @return the rendered description, without a newline at the end
 * @throws Exception anything propagated from the validity or usage checks
 *                   other than the two CertificateException subtypes
 *                   handled here
 */
String printCert(boolean isTsCert, String tab, Certificate c,
        Date timestamp, boolean checkUsage) throws Exception {

    StringBuilder out = new StringBuilder();
    String space = rb.getString("SPACE");
    X509Certificate x509 = (c instanceof X509Certificate)
            ? (X509Certificate) c : null;

    // Line 1: type[, subject] [label]
    out.append(tab).append(c.getType());
    if (x509 != null) {
        out.append(rb.getString("COMMA"))
           .append(x509.getSubjectDN().getName());
    }
    String label = storeHash.get(c);
    if (label != null) {
        out.append(space).append(label);
    }

    if (x509 == null) {
        return out.toString();
    }

    // Line 2: "[" status "]"
    out.append("\n").append(tab).append("[");
    if (trustedCerts.contains(x509)) {
        out.append(rb.getString("trusted.certificate"));
    } else {
        Date notAfter = x509.getNotAfter();
        try {
            // Keep the earliest expiry seen for this kind of chain.
            if (isTsCert) {
                if (tsaExpireDate == null || tsaExpireDate.after(notAfter)) {
                    tsaExpireDate = notAfter;
                }
            } else if (expireDate == null || expireDate.after(notAfter)) {
                expireDate = notAfter;
            }

            boolean showPeriod = true;
            if (timestamp != null) {
                // A TSA timestamp fixes the reference time; no
                // "about to expire" warning is issued in that case.
                x509.checkValidity(timestamp);
            } else {
                x509.checkValidity();
                // Warn if the cert expires within the next six months
                // (one year for a TSA cert).
                long window = isTsCert ? ONE_YEAR : SIX_MONTHS;
                if (notAfter.getTime() < System.currentTimeMillis() + window) {
                    if (isTsCert) {
                        hasExpiringTsaCert = true;
                    } else {
                        hasExpiringCert = true;
                    }
                    if (expiringTimeForm == null) {
                        expiringTimeForm = new MessageFormat(
                                rb.getString("certificate.will.expire.on"));
                    }
                    out.append(expiringTimeForm.format(new Object[] {notAfter}));
                    showPeriod = false;
                }
            }
            if (showPeriod) {
                if (validityTimeForm == null) {
                    validityTimeForm = new MessageFormat(
                            rb.getString("certificate.is.valid.from"));
                }
                out.append(validityTimeForm.format(
                        new Object[] {x509.getNotBefore(), notAfter}));
            }
        } catch (CertificateExpiredException expired) {
            if (isTsCert) {
                hasExpiredTsaCert = true;
            } else {
                hasExpiredCert = true;
            }
            if (expiredTimeForm == null) {
                expiredTimeForm = new MessageFormat(
                        rb.getString("certificate.expired.on"));
            }
            out.append(expiredTimeForm.format(new Object[] {notAfter}));
        } catch (CertificateNotYetValidException notYet) {
            if (!isTsCert) {
                notYetValidCert = true;
            }
            if (notYetTimeForm == null) {
                notYetTimeForm = new MessageFormat(
                        rb.getString("certificate.is.not.valid.until"));
            }
            out.append(notYetTimeForm.format(
                    new Object[] {x509.getNotBefore()}));
        }
    }
    out.append("]");

    // Line 3: which extensions forbid code signing, only when requested.
    if (checkUsage) {
        boolean[] bad = new boolean[3];
        checkCertUsage(x509, bad);
        String[] extNames = {"KeyUsage", "ExtendedKeyUsage", "NetscapeCertType"};
        StringBuilder offending = new StringBuilder();
        for (int i = 0; i < extNames.length; i++) {
            if (bad[i]) {
                if (offending.length() > 0) {
                    offending.append(", ");
                }
                offending.append(extNames[i]);
            }
        }
        if (offending.length() > 0) {
            out.append("\n").append(tab)
               .append(MessageFormat.format(rb.getString(
                   ".{0}.extension.does.not.support.code.signing."),
                   offending.toString()));
        }
    }
    return out.toString();
}
private static MessageFormat signTimeForm = null; |
/**
 * Renders the signing time carried by a timestamp token as
 * {@code tab + "[" + <formatted time> + "]"}, using the resource-bundle
 * pattern "entry.was.signed.on" (compiled once into signTimeForm).
 *
 * @param tab       prefix written before the opening bracket
 * @param timestamp the token whose getTimestamp() value is printed
 * @return the single-line description, without a trailing newline
 */
private String printTimestamp(String tab, Timestamp timestamp) {
    if (signTimeForm == null) {
        signTimeForm = new MessageFormat(rb.getString("entry.was.signed.on"));
    }
    Object[] args = {timestamp.getTimestamp()};
    return tab + "[" + signTimeForm.format(args) + "]";
}
private Map<CodeSigner,Integer> cacheForInKS = new IdentityHashMap<>(); |
/**
 * Computes the keystore-relationship flags for a single code signer,
 * walking every certificate of its signer cert path:
 * <ul>
 *   <li>IN_KEYSTORE when some cert of the chain is known to the keystore,
 *       either via a storeHash label beginning with "(" or by a fresh
 *       store.getCertificateAlias() lookup (which also records the cert in
 *       storeHash as "(" + alias + ")");</li>
 *   <li>SIGNED_BY_ALIAS when the alias of some cert of the chain is
 *       contained in ckaliases (presumably the aliases the caller asked
 *       for).</li>
 * </ul>
 * Results are memoised per signer in cacheForInKS. A KeyStoreException
 * from the alias lookup is deliberately ignored (the keystore is already
 * loaded at this point), which leaves the cert treated as not in the
 * keystore.
 *
 * @param signer the signer whose cert path is inspected
 * @return a bit set of IN_KEYSTORE and SIGNED_BY_ALIAS, or 0
 */
private int inKeyStoreForOneSigner(CodeSigner signer) {
    if (cacheForInKS.containsKey(signer)) {
        return cacheForInKS.get(signer);
    }

    int flags = 0;
    for (Certificate cert : signer.getSignerCertPath().getCertificates()) {
        String known = storeHash.get(cert);
        if (known != null) {
            // Label already recorded: "(" + alias + ")" marks a keystore
            // entry; any other bracket style still has its alias between
            // the first and last character.
            if (known.startsWith("(")) {
                flags |= IN_KEYSTORE;
            }
            String bareAlias = known.substring(1, known.length() - 1);
            if (ckaliases.contains(bareAlias)) {
                flags |= SIGNED_BY_ALIAS;
            }
            continue;
        }

        String alias = null;
        if (store != null) {
            try {
                alias = store.getCertificateAlias(cert);
            } catch (KeyStoreException ignored) {
                // never happens, because keystore has been loaded
            }
            if (alias != null) {
                storeHash.put(cert, "(" + alias + ")");
                flags |= IN_KEYSTORE;
            }
        }
        if (ckaliases.contains(alias)) {
            flags |= SIGNED_BY_ALIAS;
        }
    }

    cacheForInKS.put(signer, flags);
    return flags;
}
Hashtable<Certificate, String> storeHash = new Hashtable<>(); |
/**
 * ORs together the keystore-relationship flags of every signer (see
 * inKeyStoreForOneSigner) and adds NOT_ALIAS when aliases were requested
 * (ckaliases non-empty) but none of the signers matched one.
 *
 * @param signers the signers of a jar entry; null yields 0
 * @return a bit set of IN_KEYSTORE, SIGNED_BY_ALIAS and NOT_ALIAS
 */
int inKeyStore(CodeSigner[] signers) {
    if (signers == null) {
        return 0;
    }

    int flags = 0;
    for (CodeSigner s : signers) {
        flags |= inKeyStoreForOneSigner(s);
    }

    boolean aliasesRequested = ckaliases.size() > 0;
    boolean noneMatched = (flags & SIGNED_BY_ALIAS) == 0;
    if (aliasesRequested && noneMatched) {
        flags |= NOT_ALIAS;
    }
    return flags;
}
void signJar(String jarName, String alias) |
throws Exception { |
|
if (digestalg != null && !DISABLED_CHECK.permits( |
DIGEST_PRIMITIVE_SET, digestalg, null)) { |
weakAlg |= 1; |
} |
if (tSADigestAlg != null && !DISABLED_CHECK.permits( |
DIGEST_PRIMITIVE_SET, tSADigestAlg, null)) { |
weakAlg |= 4; |
} |
if (sigalg != null && !DISABLED_CHECK.permits( |
SIG_PRIMITIVE_SET , sigalg, null)) { |
weakAlg |= 2; |
} |
if (!DISABLED_CHECK.permits( |
SIG_PRIMITIVE_SET, privateKey)) { |
weakAlg |= 8; |
} |
|
2 | 1498 |
boolean aliasUsed = false; |
1499 |
X509Certificate tsaCert = null; |
|
1500 |
||
1501 |
if (sigfile == null) { |
|
1502 |
sigfile = alias; |
|
1503 |
aliasUsed = true; |
|
1504 |
} |
|
1505 |
||
1506 |
if (sigfile.length() > 8) { |
|
sigfile = sigfile.substring(0, 8).toUpperCase(Locale.ENGLISH); |
2 | 1508 |
} else { |
sigfile = sigfile.toUpperCase(Locale.ENGLISH); |
2 | 1510 |
} |
1511 |
||
1512 |
StringBuilder tmpSigFile = new StringBuilder(sigfile.length()); |
|
1513 |
for (int j = 0; j < sigfile.length(); j++) { |
|
1514 |
char c = sigfile.charAt(j); |
|
1515 |
if (! |
|
33872 | 1516 |
((c>= 'A' && c<= 'Z') || |
1517 |
(c>= '0' && c<= '9') || |
|
1518 |
(c == '-') || |
|
1519 |
(c == '_'))) { |
|
2 | 1520 |
if (aliasUsed) { |
1521 |
// convert illegal characters from the alias to be _'s |
|
1522 |
c = '_'; |
|
1523 |
} else { |
|
33872 | 1524 |
throw new |
1525 |
RuntimeException(rb.getString |
|
1526 |
("signature.filename.must.consist.of.the.following.characters.A.Z.0.9.or.")); |
|
2 | 1527 |
} |
1528 |
} |
|
1529 |
tmpSigFile.append(c); |
|
1530 |
} |
|
1531 |
||
1532 |
sigfile = tmpSigFile.toString(); |
|
1533 |
||
1534 |
String tmpJarName; |
|
1535 |
if (signedjar == null) tmpJarName = jarName+".sig"; |
|
1536 |
else tmpJarName = signedjar; |
|
1537 |
||
1538 |
File jarFile = new File(jarName); |
|
1539 |
File signedJarFile = new File(tmpJarName); |
|
1540 |
||
1541 |
// Open the jar (zip) file |
|
1542 |
try { |
|
1543 |
zipFile = new ZipFile(jarName); |
|
1544 |
} catch (IOException ioe) { |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5627
diff
changeset
|
1545 |
error(rb.getString("unable.to.open.jar.file.")+jarName, ioe); |
2 | 1546 |
} |
1547 |
||
33872 | 1548 |
CertPath cp = CertificateFactory.getInstance("X.509") |
1549 |
.generateCertPath(Arrays.asList(certChain)); |
|
1550 |
JarSigner.Builder builder = new JarSigner.Builder(privateKey, cp); |
|
2 | 1551 |
|
33872 | 1552 |
if (verbose != null) { |
1553 |
builder.eventHandler((action, file) -> { |
|
1554 |
System.out.println(rb.getString("." + action + ".") + file); |
|
1555 |
}); |
|
1556 |
} |
|
1557 |
||
1558 |
if (digestalg != null) { |
|
1559 |
builder.digestAlgorithm(digestalg); |
|
1560 |
} |
|
1561 |
if (sigalg != null) { |
|
1562 |
builder.signatureAlgorithm(sigalg); |
|
1563 |
} |
|
2 | 1564 |
|
33872 | 1565 |
URI tsaURI = null; |
2 | 1566 |
|
33872 | 1567 |
if (tsaUrl != null) { |
1568 |
tsaURI = new URI(tsaUrl); |
|
1569 |
} else if (tsaAlias != null) { |
|
1570 |
tsaCert = getTsaCert(tsaAlias); |
|
1571 |
tsaURI = TimestampedSigner.getTimestampingURI(tsaCert); |
|
1572 |
} |
|
2 | 1573 |
|
33872 | 1574 |
if (tsaURI != null) { |
1575 |
if (verbose != null) { |
|
1576 |
System.out.println( |
|
1577 |
rb.getString("requesting.a.signature.timestamp")); |
|
1578 |
if (tsaUrl != null) { |
|
1579 |
System.out.println(rb.getString("TSA.location.") + tsaUrl); |
|
1580 |
} else if (tsaCert != null) { |
|
1581 |
System.out.println(rb.getString("TSA.certificate.") + |
|
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1582 |
printCert(true, "", tsaCert, null, false)); |
2 | 1583 |
} |
1584 |
} |
|
33872 | 1585 |
builder.tsa(tsaURI); |
1586 |
if (tSADigestAlg != null) { |
|
1587 |
builder.setProperty("tsaDigestAlg", tSADigestAlg); |
|
2 | 1588 |
} |
1589 |
||
33872 | 1590 |
if (tSAPolicyID != null) { |
1591 |
builder.setProperty("tsaPolicyId", tSAPolicyID); |
|
2 | 1592 |
} |
33872 | 1593 |
} |
1594 |
||
1595 |
if (altSignerClass != null) { |
|
1596 |
builder.setProperty("altSigner", altSignerClass); |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2
diff
changeset
|
1597 |
if (verbose != null) { |
33872 | 1598 |
System.out.println( |
1599 |
rb.getString("using.an.alternative.signing.mechanism")); |
|
2 | 1600 |
} |
33872 | 1601 |
} |
2 | 1602 |
|
33872 | 1603 |
if (altSignerClasspath != null) { |
1604 |
builder.setProperty("altSignerPath", altSignerClasspath); |
|
1605 |
} |
|
2 | 1606 |
|
33872 | 1607 |
builder.signerName(sigfile); |
2 | 1608 |
|
33872 | 1609 |
builder.setProperty("sectionsOnly", Boolean.toString(!signManifest)); |
1610 |
builder.setProperty("internalSF", Boolean.toString(!externalSF)); |
|
2 | 1611 |
|
48760
25725c11c296
8196823: jarsigner should not create a signed jar if the signing fails
weijun
parents:
48543
diff
changeset
|
1612 |
FileOutputStream fos = null; |
25725c11c296
8196823: jarsigner should not create a signed jar if the signing fails
weijun
parents:
48543
diff
changeset
|
1613 |
try { |
25725c11c296
8196823: jarsigner should not create a signed jar if the signing fails
weijun
parents:
48543
diff
changeset
|
1614 |
fos = new FileOutputStream(signedJarFile); |
25725c11c296
8196823: jarsigner should not create a signed jar if the signing fails
weijun
parents:
48543
diff
changeset
|
1615 |
} catch (IOException ioe) { |
25725c11c296
8196823: jarsigner should not create a signed jar if the signing fails
weijun
parents:
48543
diff
changeset
|
1616 |
error(rb.getString("unable.to.create.")+tmpJarName, ioe); |
25725c11c296
8196823: jarsigner should not create a signed jar if the signing fails
weijun
parents:
48543
diff
changeset
|
1617 |
} |
25725c11c296
8196823: jarsigner should not create a signed jar if the signing fails
weijun
parents:
48543
diff
changeset
|
1618 |
|
25725c11c296
8196823: jarsigner should not create a signed jar if the signing fails
weijun
parents:
48543
diff
changeset
|
1619 |
Throwable failedCause = null; |
25725c11c296
8196823: jarsigner should not create a signed jar if the signing fails
weijun
parents:
48543
diff
changeset
|
1620 |
String failedMessage = null; |
25725c11c296
8196823: jarsigner should not create a signed jar if the signing fails
weijun
parents:
48543
diff
changeset
|
1621 |
|
33872 | 1622 |
try { |
1623 |
builder.build().sign(zipFile, fos); |
|
1624 |
} catch (JarSignerException e) { |
|
48760
25725c11c296
8196823: jarsigner should not create a signed jar if the signing fails
weijun
parents:
48543
diff
changeset
|
1625 |
failedCause = e.getCause(); |
25725c11c296
8196823: jarsigner should not create a signed jar if the signing fails
weijun
parents:
48543
diff
changeset
|
1626 |
if (failedCause instanceof SocketTimeoutException |
25725c11c296
8196823: jarsigner should not create a signed jar if the signing fails
weijun
parents:
48543
diff
changeset
|
1627 |
|| failedCause instanceof UnknownHostException) { |
2 | 1628 |
// Provide a helpful message when TSA is beyond a firewall |
48760
25725c11c296
8196823: jarsigner should not create a signed jar if the signing fails
weijun
parents:
48543
diff
changeset
|
1629 |
failedMessage = rb.getString("unable.to.sign.jar.") + |
33872 | 1630 |
rb.getString("no.response.from.the.Timestamping.Authority.") + |
1631 |
"\n -J-Dhttp.proxyHost=<hostname>" + |
|
1632 |
"\n -J-Dhttp.proxyPort=<portnumber>\n" + |
|
1633 |
rb.getString("or") + |
|
1634 |
"\n -J-Dhttps.proxyHost=<hostname> " + |
|
48760
25725c11c296
8196823: jarsigner should not create a signed jar if the signing fails
weijun
parents:
48543
diff
changeset
|
1635 |
"\n -J-Dhttps.proxyPort=<portnumber> "; |
33872 | 1636 |
} else { |
48760
25725c11c296
8196823: jarsigner should not create a signed jar if the signing fails
weijun
parents:
48543
diff
changeset
|
1637 |
// JarSignerException might have a null cause |
25725c11c296
8196823: jarsigner should not create a signed jar if the signing fails
weijun
parents:
48543
diff
changeset
|
1638 |
if (failedCause == null) { |
25725c11c296
8196823: jarsigner should not create a signed jar if the signing fails
weijun
parents:
48543
diff
changeset
|
1639 |
failedCause = e; |
25725c11c296
8196823: jarsigner should not create a signed jar if the signing fails
weijun
parents:
48543
diff
changeset
|
1640 |
} |
25725c11c296
8196823: jarsigner should not create a signed jar if the signing fails
weijun
parents:
48543
diff
changeset
|
1641 |
failedMessage = rb.getString("unable.to.sign.jar.") + failedCause; |
2 | 1642 |
} |
48760
25725c11c296
8196823: jarsigner should not create a signed jar if the signing fails
weijun
parents:
48543
diff
changeset
|
1643 |
} catch (Exception e) { |
25725c11c296
8196823: jarsigner should not create a signed jar if the signing fails
weijun
parents:
48543
diff
changeset
|
1644 |
failedCause = e; |
25725c11c296
8196823: jarsigner should not create a signed jar if the signing fails
weijun
parents:
48543
diff
changeset
|
1645 |
failedMessage = rb.getString("unable.to.sign.jar.") + failedCause; |
2 | 1646 |
} finally { |
48760
25725c11c296
8196823: jarsigner should not create a signed jar if the signing fails
weijun
parents:
48543
diff
changeset
|
1647 |
// close the resources |
2 | 1648 |
if (zipFile != null) { |
1649 |
zipFile.close(); |
|
1650 |
zipFile = null; |
|
1651 |
} |
|
1652 |
||
33872 | 1653 |
if (fos != null) { |
1654 |
fos.close(); |
|
2 | 1655 |
} |
48760
25725c11c296
8196823: jarsigner should not create a signed jar if the signing fails
weijun
parents:
48543
diff
changeset
|
1656 |
|
25725c11c296
8196823: jarsigner should not create a signed jar if the signing fails
weijun
parents:
48543
diff
changeset
|
1657 |
} |
25725c11c296
8196823: jarsigner should not create a signed jar if the signing fails
weijun
parents:
48543
diff
changeset
|
1658 |
|
25725c11c296
8196823: jarsigner should not create a signed jar if the signing fails
weijun
parents:
48543
diff
changeset
|
1659 |
if (failedCause != null) { |
25725c11c296
8196823: jarsigner should not create a signed jar if the signing fails
weijun
parents:
48543
diff
changeset
|
1660 |
signedJarFile.delete(); |
25725c11c296
8196823: jarsigner should not create a signed jar if the signing fails
weijun
parents:
48543
diff
changeset
|
1661 |
error(failedMessage, failedCause); |
2 | 1662 |
} |
1663 |
||
48893
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1664 |
if (verbose != null) { |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1665 |
System.out.println(); |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1666 |
} |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1667 |
|
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1668 |
// The JarSigner API always accepts the timestamp received. |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1669 |
// We need to extract the certs from the signed jar to |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1670 |
// validate it. |
48893
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1671 |
try (JarFile check = new JarFile(signedJarFile)) { |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1672 |
PKCS7 p7 = new PKCS7(check.getInputStream(check.getEntry( |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1673 |
"META-INF/" + sigfile + "." + privateKey.getAlgorithm()))); |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1674 |
Timestamp ts = null; |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1675 |
try { |
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1676 |
SignerInfo si = p7.getSignerInfos()[0]; |
48893
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1677 |
if (si.getTsToken() != null) { |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1678 |
hasTimestampBlock = true; |
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1679 |
} |
48893
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1680 |
ts = si.getTimestamp(); |
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1681 |
} catch (Exception e) { |
48893
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1682 |
tsaChainNotValidated = true; |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1683 |
tsaChainNotValidatedReason = e; |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1684 |
} |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1685 |
// Spaces before the ">>> Signer" and other lines are different |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1686 |
String result = certsAndTSInfo("", " ", Arrays.asList(certChain), ts); |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1687 |
if (verbose != null) { |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1688 |
System.out.println(result); |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1689 |
} |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1690 |
} catch (Exception e) { |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1691 |
if (debug) { |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1692 |
e.printStackTrace(); |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1693 |
} |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1694 |
} |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1695 |
|
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1696 |
if (signedjar == null) { |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1697 |
// attempt an atomic rename. If that fails, |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1698 |
// rename the original jar file, then the signed |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1699 |
// one, then delete the original. |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1700 |
if (!signedJarFile.renameTo(jarFile)) { |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1701 |
File origJar = new File(jarName+".orig"); |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1702 |
|
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1703 |
if (jarFile.renameTo(origJar)) { |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1704 |
if (signedJarFile.renameTo(jarFile)) { |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1705 |
origJar.delete(); |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1706 |
} else { |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1707 |
MessageFormat form = new MessageFormat(rb.getString |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1708 |
("attempt.to.rename.signedJarFile.to.jarFile.failed")); |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1709 |
Object[] source = {signedJarFile, jarFile}; |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1710 |
error(form.format(source)); |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1711 |
} |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1712 |
} else { |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1713 |
MessageFormat form = new MessageFormat(rb.getString |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1714 |
("attempt.to.rename.jarFile.to.origJar.failed")); |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1715 |
Object[] source = {jarFile, origJar}; |
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1716 |
error(form.format(source)); |
47469
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1717 |
} |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1718 |
} |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1719 |
} |
6ae08c311cd3
8180289: jarsigner treats timestamped signed jar invalid after the signer cert expires
weijun
parents:
47216
diff
changeset
|
1720 |
|
48893
454518b338b0
8191438: jarsigner should print when a timestamp will expire
weijun
parents:
48760
diff
changeset
|
1721 |
displayMessagesAndResult(true); |
2 | 1722 |
} |
/**
 * Tells whether a jar entry name is one of the signature-related files,
 * that is the manifest or a signature file under META-INF:
 * . META-INF/MANIFEST.MF
 * . META-INF/SIG-*
 * . META-INF/*.SF
 * . META-INF/*.DSA
 * . META-INF/*.RSA
 * . META-INF/*.EC
 * The decision itself is delegated to SignatureFileVerifier.isSigningRelated.
 *
 * @param name the entry name as stored in the jar
 * @return true if the entry is signature-related
 */
private boolean signatureRelated(String name) {
    boolean related = SignatureFileVerifier.isSigningRelated(name);
    return related;
}
// Per-signer cache of the text built by signerInfo(); keyed by object
// identity (IdentityHashMap), so each distinct CodeSigner instance is
// described and validated only once per run.
Map<CodeSigner,String> cacheForSignerInfo = new IdentityHashMap<>();
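/**
 * Returns a string of signer info, with a newline at the end.
 * Called by verifyJar().
 *
 * The text (the timestamp line, if any, followed by the certificate and
 * TSA info from certsAndTSInfo) is cached per CodeSigner, so a signer is
 * validated and described only once per run; later calls for the same
 * signer return exactly the cached string.
 *
 * @param signer the code signer to describe
 * @param tab    spaces placed before every line of the output
 * @return the signer info, never null
 * @throws Exception if printing the timestamp or building the
 *         certificate info fails
 */
private String signerInfo(CodeSigner signer, String tab) throws Exception {
    // Cached values are never null, so a single get() replaces the
    // containsKey()/get() pair.
    String cached = cacheForSignerInfo.get(signer);
    if (cached != null) {
        return cached;
    }
    List<? extends Certificate> certs = signer.getSignerCertPath().getCertificates();
    // signing time is only displayed on verification
    Timestamp ts = signer.getTimestamp();
    String tsLine = "";
    if (ts != null) {
        tsLine = printTimestamp(tab, ts) + "\n";
    }
    // Spaces before the ">>> Signer" and other lines are the same.

    // Build the complete text once and both cache and return it. Previously
    // the cache held tsLine + result while the first call returned only
    // result, so the timestamp line was missing from the first description
    // of a signer and present in every later one.
    String result = tsLine + certsAndTSInfo(tab, tab, certs, ts);
    cacheForSignerInfo.put(signer, result);
    return result;
}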
/**
 * Fills info on certs and timestamp into a StringBuilder, sets
 * warning flags (through printCert) and validates cert chains.
 *
 * Instance state touched here: noTimestamp is cleared when ts is
 * present; chainNotValidated / chainNotValidatedReason are set when the
 * signer chain fails validation; tsaChainNotValidated /
 * tsaChainNotValidatedReason are set when the TSA chain fails;
 * signerSelfSigned is set for a one-cert, self-signed chain. A failed
 * chain validation is reported in the returned text, not thrown.
 *
 * @param tab1 spaces before the ">>> Signer" line
 * @param tab2 spaces before the other lines
 * @param certs the signer cert
 * @param ts the timestamp, can be null
 * @return the info as a string
 * @throws Exception if printCert fails; validation failures are caught
 *         and reported in the text instead
 */
private String certsAndTSInfo(
        String tab1,
        String tab2,
        List<? extends Certificate> certs, Timestamp ts)
        throws Exception {

    // The signing time (when a timestamp exists) is handed to printCert;
    // the raw Timestamp goes to validateCertChain for the signer chain.
    Date timestamp = (ts == null) ? null : ts.getTimestamp();
    if (ts != null) {
        noTimestamp = false;
    }

    StringBuilder out = new StringBuilder();
    out.append(tab1).append(rb.getString("...Signer")).append('\n');
    // The first cert is the end-entity cert and is the only one whose
    // KeyUsage should be checked (the last argument to printCert).
    for (int i = 0; i < certs.size(); i++) {
        out.append(printCert(false, tab2, certs.get(i), timestamp, i == 0))
           .append('\n');
    }
    try {
        validateCertChain(Validator.VAR_CODE_SIGNING, certs, ts);
    } catch (Exception e) {
        chainNotValidated = true;
        chainNotValidatedReason = e;
        out.append(tab2).append(rb.getString(".Invalid.certificate.chain."))
           .append(e.getLocalizedMessage()).append("]\n");
    }

    if (ts != null) {
        List<? extends Certificate> tsaCerts =
                ts.getSignerCertPath().getCertificates();
        out.append(tab1).append(rb.getString("...TSA")).append('\n');
        for (Certificate tsaCert : tsaCerts) {
            out.append(printCert(true, tab2, tsaCert, null, false))
               .append('\n');
        }
        try {
            // Note the TSA chain is validated with a null timestamp,
            // unlike the signer chain above which receives ts.
            validateCertChain(Validator.VAR_TSA_SERVER, tsaCerts, null);
        } catch (Exception e) {
            tsaChainNotValidated = true;
            tsaChainNotValidatedReason = e;
            out.append(tab2).append(rb.getString(".Invalid.TSA.certificate.chain."))
               .append(e.getLocalizedMessage()).append("]\n");
        }
    }

    // A chain consisting of a single self-signed cert raises the
    // signerSelfSigned warning flag.
    if (certs.size() == 1
            && KeyStoreUtil.isSelfSigned((X509Certificate) certs.get(0))) {
        signerSelfSigned = true;
    }

    return out.toString();
}
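/**
 * Loads the signer's keystore and collects the trust anchors used later for
 * certificate path validation.
 *
 * <p>Trust anchors come from two places, both accumulated in
 * {@code trustedCerts}: every certificate of the JDK cacerts keystore (best
 * effort; a cacerts that cannot be read is silently skipped) and every
 * {@code TrustedCertificateEntry} or self-signed certificate of the keystore
 * loaded here. They are then wrapped into {@code pkixParameters} with
 * revocation checking disabled, so validation built on it does not check
 * CRLs or OCSP.
 *
 * @param keyStoreName keystore URL or file path; when {@code null} and
 *                     {@code nullStream} is false, {@code ~/.keystore} is
 *                     used. Not consulted when {@code nullStream} is true.
 * @param prompt       whether to ask for the store password when none was
 *                     supplied; applies to non-token keystores only (a token
 *                     keystore is asked unless {@code protectedPath} is set
 *                     or the store type is a Windows keystore)
 * @throws RuntimeException if the keystore cannot be instantiated or loaded;
 *                          the message is unchanged from before and the
 *                          originating exception is kept as the cause
 */
void loadKeyStore(String keyStoreName, boolean prompt) {

    if (!nullStream && keyStoreName == null) {
        keyStoreName = System.getProperty("user.home") + File.separator
                + ".keystore";
    }

    try {
        // Seed the trust anchors with cacerts. Any failure here is not
        // fatal: validation then relies on the signer's own keystore.
        try {
            KeyStore caks = KeyStoreUtil.getCacertsKeyStore();
            if (caks != null) {
                Enumeration<String> aliases = caks.aliases();
                while (aliases.hasMoreElements()) {
                    String a = aliases.nextElement();
                    try {
                        X509Certificate c =
                                (X509Certificate) caks.getCertificate(a);
                        // getCertificate() yields null for entries without
                        // a certificate; never put a null trust anchor in.
                        if (c != null) {
                            trustedCerts.add(c);
                        }
                    } catch (Exception e2) {
                        // ignore, when a SecretkeyEntry does not include a cert
                    }
                }
            }
        } catch (Exception e) {
            // Ignore, if cacerts cannot be loaded
        }

        if (providerName == null) {
            store = KeyStore.getInstance(storetype);
        } else {
            store = KeyStore.getInstance(storetype, providerName);
        }

        // Get pass phrase via getPass(), which reads it with
        // Password.readPassword. Token keystores are asked unless the key
        // is protected by the token path itself or it is a Windows store;
        // other keystores only when the caller requested prompting.
        boolean askForPass = token
                ? (!protectedPath && !KeyStoreUtil.isWindowsKeyStore(storetype))
                : prompt;
        if (storepass == null && askForPass) {
            storepass = getPass
                    (rb.getString("Enter.Passphrase.for.keystore."));
        }

        try {
            if (nullStream) {
                store.load(null, storepass);
            } else {
                keyStoreName = keyStoreName.replace(File.separatorChar, '/');
                URL url = null;
                try {
                    url = new URL(keyStoreName);
                } catch (java.net.MalformedURLException e) {
                    // try as file
                    url = new File(keyStoreName).toURI().toURL();
                }
                // try-with-resources closes the stream on every path.
                try (InputStream is = url.openStream()) {
                    store.load(is, storepass);
                }
            }
            Enumeration<String> aliases = store.aliases();
            while (aliases.hasMoreElements()) {
                String a = aliases.nextElement();
                try {
                    X509Certificate c = (X509Certificate)store.getCertificate(a);
                    // Only add TrustedCertificateEntry and self-signed
                    // PrivateKeyEntry. Entries without a certificate come
                    // back as null and are skipped. "Self-signed" means
                    // subject == issuer, compared as X500Principal (the
                    // non-deprecated form of getSubjectDN/getIssuerDN).
                    if (c != null && (store.isCertificateEntry(a) ||
                            c.getSubjectX500Principal().equals(
                                    c.getIssuerX500Principal()))) {
                        trustedCerts.add(c);
                    }
                } catch (Exception e2) {
                    // ignore, when a SecretkeyEntry does not include a cert
                }
            }
        } finally {
            // Runs even when loading above failed.
            try {
                pkixParameters = new PKIXBuilderParameters(
                        trustedCerts.stream()
                                .map(c -> new TrustAnchor(c, null))
                                .collect(Collectors.toSet()),
                        null);
                // Revocation is intentionally not checked by this validator.
                pkixParameters.setRevocationEnabled(false);
            } catch (InvalidAlgorithmParameterException ex) {
                // Only if the trust anchor set is empty; pkixParameters is
                // then left untouched.
            }
        }
    } catch (IOException ioe) {
        throw new RuntimeException(rb.getString("keystore.load.") +
                ioe.getMessage(), ioe);
    } catch (java.security.cert.CertificateException ce) {
        throw new RuntimeException(rb.getString("certificate.exception.") +
                ce.getMessage(), ce);
    } catch (NoSuchProviderException pe) {
        throw new RuntimeException(rb.getString("keystore.load.") +
                pe.getMessage(), pe);
    } catch (NoSuchAlgorithmException nsae) {
        throw new RuntimeException(rb.getString("keystore.load.") +
                nsae.getMessage(), nsae);
    } catch (KeyStoreException kse) {
        throw new RuntimeException
                (rb.getString("unable.to.instantiate.keystore.class.") +
                kse.getMessage(), kse);
    }
}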
/**
 * Looks up the TSA certificate stored under {@code alias} in the loaded
 * keystore.
 *
 * @param alias keystore alias that must name an entry holding an X.509
 *              certificate
 * @return the entry's certificate; when the alias is missing or does not
 *         hold an X.509 certificate, {@code error} is invoked, which exits
 *         the process
 */
X509Certificate getTsaCert(String alias) {

    java.security.cert.Certificate found = null;
    try {
        found = store.getCertificate(alias);
    } catch (KeyStoreException kse) {
        // cannot happen here: loadKeyStore() has already initialised store
    }

    // instanceof is false for null, so one test covers both failure cases.
    boolean usable = found instanceof X509Certificate;
    if (!usable) {
        MessageFormat form = new MessageFormat(rb.getString
            ("Certificate.not.found.for.alias.alias.must.reference.a.valid.KeyStore.entry.containing.an.X.509.public.key.certificate.for.the"));
        error(form.format(new Object[] {alias, alias}));
    }
    return (X509Certificate) found;
}
/**
 * Checks whether {@code userCert} is fit to act as a code signer.
 *
 * <p>Three extensions are inspected; each one that is present must allow
 * code signing, and an absent extension never counts against the
 * certificate:
 * <ol>
 * <li>KeyUsage: bit 0 (digitalSignature) or bit 1 (nonRepudiation) set;</li>
 * <li>ExtendedKeyUsage: contains anyExtendedKeyUsage (2.5.29.37.0) or
 *     codeSigning (1.3.6.1.5.5.7.3.3);</li>
 * <li>NetscapeCertType (2.16.840.1.113730.1.1): objectSigning set; an
 *     extension that fails to decode is treated like an absent one.</li>
 * </ol>
 *
 * @param userCert the certificate to be examined
 * @param bad      three-element result array; {@code bad[0]}, {@code bad[1]}
 *                 and {@code bad[2]} are cleared and then set to {@code true}
 *                 when KeyUsage, ExtendedKeyUsage or NetscapeCertType
 *                 respectively disallow code signing. The class fields
 *                 {@code badKeyUsage}, {@code badExtendedKeyUsage} and
 *                 {@code badNetscapeCertType} are raised at the same time.
 *                 NOTE(review): when {@code bad} is {@code null} nothing is
 *                 recorded at all, neither in the array nor in the class
 *                 fields — the previous comment claimed the fields would be
 *                 set in that case; confirm no caller relies on it.
 */
void checkCertUsage(X509Certificate userCert, boolean[] bad) {

    // Without a result array no outcome is recorded anywhere.
    boolean record = bad != null;
    if (record) {
        bad[0] = bad[1] = bad[2] = false;
    }

    // 1. KeyUsage. Pad to 9 entries before indexing bits 0 and 1.
    boolean[] keyUsage = userCert.getKeyUsage();
    if (keyUsage != null) {
        boolean[] bits = Arrays.copyOf(keyUsage, 9);
        boolean canSign = bits[0] || bits[1];   // digitalSignature || nonRepudiation
        if (!canSign && record) {
            bad[0] = true;
            badKeyUsage = true;
        }
    }

    // 2. ExtendedKeyUsage.
    try {
        List<String> eku = userCert.getExtendedKeyUsage();
        if (eku != null) {
            boolean allowsCodeSigning =
                    eku.contains("2.5.29.37.0")          // anyExtendedKeyUsage
                    || eku.contains("1.3.6.1.5.5.7.3.3"); // codeSigning
            if (!allowsCodeSigning && record) {
                bad[1] = true;
                badExtendedKeyUsage = true;
            }
        }
    } catch (java.security.cert.CertificateParsingException e) {
        // shouldn't happen
    }

    // 3. NetscapeCertType (OID_NETSCAPE_CERT_TYPE).
    try {
        byte[] netscapeEx = userCert.getExtensionValue("2.16.840.1.113730.1.1");
        if (netscapeEx != null) {
            // getExtensionValue() hands back the DER OCTET STRING; unwrap
            // it, then the BIT STRING inside it, before decoding the flags.
            byte[] inner = new DerInputStream(netscapeEx).getOctetString();
            byte[] encoded = new DerValue(inner).getUnalignedBitString()
                    .toByteArray();
            NetscapeCertTypeExtension extn =
                    new NetscapeCertTypeExtension(encoded);
            Boolean objectSigning =
                    extn.get(NetscapeCertTypeExtension.OBJECT_SIGNING);
            if (!objectSigning && record) {
                bad[2] = true;
                badNetscapeCertType = true;
            }
        }
    } catch (IOException e) {
        // an extension that does not decode is ignored
    }
}
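/**
 * Resolves the signer identified by {@code alias}: its certificate chain
 * and its private key. Called by signJar().
 *
 * <p>The chain is read from the file named by {@code altCertChain} when one
 * was given, otherwise from the keystore entry; every element must be an
 * X.509 certificate. The key is fetched with {@code storepass} when no key
 * password was supplied for a non-token keystore; if that fails the user is
 * prompted once for the key password. A wrong explicit key password, or a
 * token that refuses to release the key, is reported as
 * "unable to recover key" rather than as "not a private key".
 *
 * <p>Results are stored in the fields {@code certChain} and
 * {@code privateKey}. Every failure visible here is reported through
 * {@code error}, which exits the process.
 *
 * @param alias the keystore alias of the signer
 * @throws Exception declared on the signature; no failure in this body
 *                   propagates, all are routed to {@code error}
 */
void getAliasInfo(String alias) throws Exception {

    Key key = null;

    try {
        java.security.cert.Certificate[] cs = null;
        if (altCertChain != null) {
            try (FileInputStream fis = new FileInputStream(altCertChain)) {
                cs = CertificateFactory.getInstance("X.509").
                        generateCertificates(fis).
                        toArray(new Certificate[0]);
            } catch (FileNotFoundException ex) {
                error(rb.getString("File.specified.by.certchain.does.not.exist"));
            } catch (CertificateException | IOException ex) {
                error(rb.getString("Cannot.restore.certchain.from.file.specified"));
            }
        } else {
            try {
                cs = store.getCertificateChain(alias);
            } catch (KeyStoreException kse) {
                // this never happens, because keystore has been loaded
            }
        }
        if (cs == null || cs.length == 0) {
            if (altCertChain != null) {
                error(rb.getString
                        ("Certificate.chain.not.found.in.the.file.specified."));
            } else {
                MessageFormat form = new MessageFormat(rb.getString
                    ("Certificate.chain.not.found.for.alias.alias.must.reference.a.valid.KeyStore.key.entry.containing.a.private.key.and"));
                Object[] source = {alias, alias};
                error(form.format(source));
            }
        }

        certChain = new X509Certificate[cs.length];
        for (int i = 0; i < cs.length; i++) {
            if (!(cs[i] instanceof X509Certificate)) {
                error(rb.getString
                    ("found.non.X.509.certificate.in.signer.s.chain"));
            }
            certChain[i] = (X509Certificate)cs[i];
        }

        try {
            if (!token && keypass == null)
                key = store.getKey(alias, storepass);
            else
                key = store.getKey(alias, keypass);
        } catch (UnrecoverableKeyException e) {
            if (token || keypass != null) {
                // Either the token rejected the request or the explicit
                // key password was wrong. Previously the non-token case was
                // swallowed here, leaving key == null and producing the
                // misleading "not a private key" message below; propagate
                // so the outer handler reports the real cause.
                throw e;
            }
            // Did not work out, so prompt user for key password
            MessageFormat form = new MessageFormat(rb.getString
                ("Enter.key.password.for.alias."));
            Object[] source = {alias};
            keypass = getPass(form.format(source));
            key = store.getKey(alias, keypass);
        }
    } catch (NoSuchAlgorithmException e) {
        error(e.getMessage());
    } catch (UnrecoverableKeyException e) {
        error(rb.getString("unable.to.recover.key.from.keystore"));
    } catch (KeyStoreException kse) {
        // this never happens, because keystore has been loaded
    }

    // A TrustedCertificateEntry (no key) or a non-private key ends here.
    if (!(key instanceof PrivateKey)) {
        MessageFormat form = new MessageFormat(rb.getString
            ("key.associated.with.alias.not.a.private.key"));
        Object[] source = {alias};
        error(form.format(source));
    } else {
        privateKey = (PrivateKey)key;
    }
}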
/**
 * Prints {@code message} behind the localized {@code jarsigner.} prefix on
 * standard output and terminates the process with exit status 1.
 *
 * @param message the already-localized error text
 */
void error(String message) {
    String line = rb.getString("jarsigner.") + message;
    System.out.println(line);
    System.exit(1);
}
/**
 * Prints {@code message} behind the localized {@code jarsigner.} prefix on
 * standard output, dumps the stack trace of {@code e} when {@code debug} is
 * set, and terminates the process with exit status 1.
 *
 * @param message the already-localized error text
 * @param e       the underlying failure; only shown in debug mode
 */
void error(String message, Throwable e) {
    String line = rb.getString("jarsigner.") + message;
    System.out.println(line);
    if (debug) {
        e.printStackTrace();
    }
    System.exit(1);
}
/**
 * Validates a cert chain with the PKIX validator built on
 * {@code pkixParameters} (populated by loadKeyStore).
 *
 * <p>A validation failure is deliberately dismissed when an equivalent
 * warning flag has already been recorded by printCert, so the user sees a
 * single warning rather than a warning plus an error:
 * <ul>
 * <li>{@code Validator.VAR_TSA_SERVER}: an expired TSA certificate while
 *     {@code hasExpiredTsaCert} is set;</li>
 * <li>{@code Validator.VAR_CODE_SIGNING}: an expired or not-yet-valid
 *     signer certificate while {@code hasExpiredCert} /
 *     {@code notYetValidCert} is set, and an end-entity extension failure
 *     ({@code ValidatorException.T_EE_EXTENSIONS}) while one of
 *     {@code badKeyUsage}, {@code badExtendedKeyUsage},
 *     {@code badNetscapeCertType} is set.</li>
 * </ul>
 * Every other failure is rethrown.
 *
 * NOTE(review): {@code pkixParameters} is passed through as-is; when
 * loadKeyStore could not build it (empty trust anchor set) it may still be
 * null here — confirm how Validator.getInstance behaves in that case.
 *
 * @param variant   the Validator variant, e.g. {@code VAR_CODE_SIGNING} or
 *                  {@code VAR_TSA_SERVER}
 * @param certs     the chain to validate; every element must be an
 *                  {@code X509Certificate} (it is copied into an
 *                  {@code X509Certificate[]})
 * @param parameter this might be a timestamp
 * @throws Exception the validation failure; for the two variants above it
 *                   is the unwrapped {@code CertPathValidatorException}
 *                   when the {@code ValidatorException} carried one as
 *                   its cause
 */
void validateCertChain(String variant, List<? extends Certificate> certs,
                       Timestamp parameter)
        throws Exception {
    try {
        Validator.getInstance(Validator.TYPE_PKIX,
                variant,
                pkixParameters)
                .validate(certs.toArray(new X509Certificate[certs.size()]),
                        null, parameter);
    } catch (Exception e) {
        if (debug) {
            e.printStackTrace();
        }

        // Exception might be dismissed if another warning flag
        // is already set by printCert.

        if (variant.equals(Validator.VAR_TSA_SERVER) &&
                e instanceof ValidatorException) {
            // Unwrap to the CertPathValidatorException cause when there is
            // one; note that e stays unwrapped for the final throw below.
            if (e.getCause() != null &&
                    e.getCause() instanceof CertPathValidatorException) {
                e = (Exception) e.getCause();
                Throwable t = e.getCause();
                if ((t instanceof CertificateExpiredException &&
                        hasExpiredTsaCert)) {
                    // we already have hasExpiredTsaCert
                    return;
                }
            }
        }

        if (variant.equals(Validator.VAR_CODE_SIGNING) &&
                e instanceof ValidatorException) {
            // Same unwrapping as for the TSA variant; e stays unwrapped
            // for the final throw below.
            if (e.getCause() != null &&
                    e.getCause() instanceof CertPathValidatorException) {
                e = (Exception) e.getCause();
                Throwable t = e.getCause();
                if ((t instanceof CertificateExpiredException &&
                        hasExpiredCert) ||
                        (t instanceof CertificateNotYetValidException &&
                        notYetValidCert)) {
                    // we already have hasExpiredCert and notYetValidCert
                    return;
                }
            }
            // Only reached with the original ValidatorException when no
            // CertPathValidatorException cause was unwrapped above.
            if (e instanceof ValidatorException) {
                ValidatorException ve = (ValidatorException)e;
                if (ve.getErrorType() == ValidatorException.T_EE_EXTENSIONS &&
                        (badKeyUsage || badExtendedKeyUsage || badNetscapeCertType)) {
                    // We already have badKeyUsage, badExtendedKeyUsage
                    // and badNetscapeCertType
                    return;
                }
            }
        }
        throw e;
    }
}
/**
 * Prints {@code prompt} on standard error and reads a password from
 * standard input through {@code Password.readPassword}.
 *
 * @param prompt text shown before the password is read
 * @return the characters entered; when nothing was entered or standard
 *         input could not be read, {@code error} is invoked, which exits
 *         the process, so the trailing {@code null} return is not reached
 */
char[] getPass(String prompt) {
    System.err.print(prompt);
    System.err.flush();
    try {
        char[] entered = Password.readPassword(System.in);
        if (entered != null) {
            return entered;
        }
        error(rb.getString("you.must.enter.key.password"));
    } catch (IOException ioe) {
        error(rb.getString("unable.to.read.password.")+ioe.getMessage());
    }
    // error() has already exited; kept only to satisfy the compiler
    return null;
}
} |