7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp
author weijun
Tue, 06 Mar 2012 10:25:45 +0800
changeset 12046 378aa3362868
parent 12045 3c08f7ce2890
child 12047 320a714614e9
7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp Reviewed-by: xuelei
jdk/src/share/classes/sun/security/tools/JarSigner.java
--- a/jdk/src/share/classes/sun/security/tools/JarSigner.java	Mon Mar 05 17:38:01 2012 -0800
+++ b/jdk/src/share/classes/sun/security/tools/JarSigner.java	Tue Mar 06 10:25:45 2012 +0800
@@ -66,7 +66,7 @@
  * 0: success
  * 1: any error that the jar cannot be signed or verified, including:
  *      keystore loading error
- *      TSP communciation error
+ *      TSP communication error
  *      jarsigner command line error...
  * otherwise: error codes from -strict
  *
@@ -258,8 +258,7 @@
             if (hasExpiringCert) {
                 exitCode |= 2;
             }
-            if (chainNotValidated) {
-                // hasExpiredCert and notYetValidCert included in this case
+            if (chainNotValidated || hasExpiredCert || notYetValidCert) {
                 exitCode |= 4;
             }
             if (badKeyUsage || badExtendedKeyUsage || badNetscapeCertType) {
@@ -600,7 +599,6 @@
                 if (verbose != null) System.out.println();
                 Enumeration<JarEntry> e = entriesVec.elements();
 
-                long now = System.currentTimeMillis();
                 String tab = rb.getString("6SPACE");
 
                 while (e.hasMoreElements()) {
@@ -648,7 +646,7 @@
                             // signerInfo() must be called even if -verbose
                             // not provided. The method updates various
                             // warning flags.
-                            String si = signerInfo(signer, tab, now);
+                            String si = signerInfo(signer, tab);
                             if (showcerts) {
                                 sb.append(si);
                                 sb.append('\n');
@@ -837,7 +835,7 @@
      * Note: no newline character at the end
      */
     String printCert(String tab, Certificate c, boolean checkValidityPeriod,
-        long now, boolean checkUsage) {
+        Date timestamp, boolean checkUsage) {
 
         StringBuilder certStr = new StringBuilder();
         String space = rb.getString("SPACE");
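Review bot: The signature change from `long now` to `Date timestamp` alters what the parameter means, but the Javadoc above the hunk (it starts outside the hunk) is not updated to say so; a reader of the new signature cannot tell what a null versus non-null value does. Suggest adding `@param timestamp signing time from a TSA timestamp token, or null; when non-null the certificate's validity period is checked at that instant and the six-month expiring warning is not emitted, when null the current time is used`. The old `0` sentinel convention is gone, so callers must pass `null` rather than a zero-valued date.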
@@ -862,22 +860,24 @@
             certStr.append("\n").append(tab).append("[");
             Date notAfter = x509Cert.getNotAfter();
             try {
-                x509Cert.checkValidity();
-                // test if cert will expire within six months
-                if (now == 0) {
-                    now = System.currentTimeMillis();
+                boolean printValidity = true;
+                if (timestamp == null) {
+                    x509Cert.checkValidity();
+                    // test if cert will expire within six months
+                    if (notAfter.getTime() < System.currentTimeMillis() + SIX_MONTHS) {
+                        hasExpiringCert = true;
+                        if (expiringTimeForm == null) {
+                            expiringTimeForm = new MessageFormat(
+                                rb.getString("certificate.will.expire.on"));
+                        }
+                        Object[] source = { notAfter };
+                        certStr.append(expiringTimeForm.format(source));
+                        printValidity = false;
+                    }
+                } else {
+                    x509Cert.checkValidity(timestamp);
                 }
-                if (notAfter.getTime() < now + SIX_MONTHS) {
-                    hasExpiringCert = true;
-
-                    if (expiringTimeForm == null) {
-                        expiringTimeForm = new MessageFormat(
-                            rb.getString("certificate.will.expire.on"));
-                    }
-                    Object[] source = { notAfter };
-                    certStr.append(expiringTimeForm.format(source));
-
-                } else {
+                if (printValidity) {
                     if (validityTimeForm == null) {
                         validityTimeForm = new MessageFormat(
                             rb.getString("certificate.is.valid.from"));
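Review bot: In the `timestamp != null` branch the certificate is only checked with `checkValidity(timestamp)`, so a certificate that has expired since signing is printed with the ordinary validity line and no hint that the judgement was made at signing time; a why-comment there would make the intent explicit, e.g. `// Signature carries a TSA timestamp: judge validity at signing time, expiry since then is not a warning.`. The value of that date rests entirely on the TSA token having been verified before it reached this method, which this diff does not show; that is worth confirming in `signerInfo`'s caller rather than assuming. The six-month expiring warning is now skipped entirely in the timestamped branch, which the change intends but could be stated in the same comment. The enclosing try, whose catch presumably records the validity exceptions, continues below the hunk.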
@@ -1283,7 +1283,7 @@
                             tsaURI);
                     }
                     System.out.println(rb.getString("TSA.certificate.") +
-                        printCert("", tsaCert, false, 0, false));
+                        printCert("", tsaCert, false, null, false));
                 }
                 if (signingMechanism != null) {
                     System.out.println(
@@ -1481,23 +1481,27 @@
     /**
      * Returns a string of singer info, with a newline at the end
      */
-    private String signerInfo(CodeSigner signer, String tab, long now) {
+    private String signerInfo(CodeSigner signer, String tab) {
         if (cacheForSignerInfo.containsKey(signer)) {
             return cacheForSignerInfo.get(signer);
         }
         StringBuffer s = new StringBuffer();
         List<? extends Certificate> certs = signer.getSignerCertPath().getCertificates();
         // display the signature timestamp, if present
-        Timestamp timestamp = signer.getTimestamp();
-        if (timestamp != null) {
-            s.append(printTimestamp(tab, timestamp));
+        Date timestamp;
+        Timestamp ts = signer.getTimestamp();
+        if (ts != null) {
+            s.append(printTimestamp(tab, ts));
             s.append('\n');
+            timestamp = ts.getTimestamp();
+        } else {
+            timestamp = null;
         }
-        // display the certificate(s). The first one is end-enity cert and
+        // display the certificate(s). The first one is end-entity cert and
         // its KeyUsage should be checked.
         boolean first = true;
         for (Certificate c : certs) {
-            s.append(printCert(tab, c, true, now, first));
+            s.append(printCert(tab, c, true, timestamp, first));
             s.append('\n');
             first = false;
         }
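Review bot: The Javadoc at the top of this hunk still reads `Returns a string of singer info` and says nothing about the new timestamp-dependent behavior, even though this method now decides the date at which every certificate in the chain is judged. Suggest `Returns a string of signer info, with a newline at the end. When the signer carries a TSA timestamp, each certificate's validity is checked at that time instead of the current time.` The new `Date timestamp` declared before the `if` could also be given a one-line comment such as `// null means "check validity against now"` since that contract is only visible inside printCert. The method body continues past the end of this hunk.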
@@ -1508,9 +1512,15 @@
             if (debug) {
                 e.printStackTrace();
             }
-            chainNotValidated = true;
-            s.append(tab + rb.getString(".CertPath.not.validated.") +
-                    e.getLocalizedMessage() + "]\n");   // TODO
+            if (e.getCause() != null &&
+                    (e.getCause() instanceof CertificateExpiredException ||
+                     e.getCause() instanceof CertificateNotYetValidException)) {
+                // No more warning, we alreay have hasExpiredCert or notYetValidCert
+            } else {
+                chainNotValidated = true;
+                s.append(tab + rb.getString(".CertPath.not.validated.") +
+                        e.getLocalizedMessage() + "]\n");   // TODO
+            }
         }
         String result = s.toString();
         cacheForSignerInfo.put(signer, result);
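Review bot: The new catch branch discards a `CertPathValidatorException` whose cause is `CertificateExpiredException` or `CertificateNotYetValidException` on the assumption that `hasExpiredCert` or `notYetValidCert` was already set, but in this verify path `printCert` was just called with the TSA timestamp, so `checkValidity(timestamp)` can succeed while the validator (whose date configuration is not visible in this diff) fails at the current date; the failure is then swallowed with no flag set and the chain is treated as validated even though the validator stopped at its validity check. The same pattern appears in the last hunk (the signing path), where it is consistent because `printCert` there is called with `null` and therefore checked against the current time. If the validator is not already run with its date set to the timestamp, consider doing that so the full chain check completes at signing time instead of ignoring its exception. As a point of style, the empty `if` body with only a comment reads better as a negated condition or a small predicate, for instance `private static boolean isValidityCause(Throwable t) { return t instanceof CertificateExpiredException || t instanceof CertificateNotYetValidException; }`, and the comment in both hunks misspells `already`.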
@@ -1804,7 +1814,7 @@
 
             // We don't meant to print anything, the next call
             // checks validity and keyUsage etc
-            printCert("", certChain[0], true, 0, true);
+            printCert("", certChain[0], true, null, true);
 
             try {
                 CertPath cp = certificateFactory.generateCertPath(Arrays.asList(certChain));
@@ -1813,7 +1823,13 @@
                 if (debug) {
                     e.printStackTrace();
                 }
-                chainNotValidated = true;
+                if (e.getCause() != null &&
+                        (e.getCause() instanceof CertificateExpiredException ||
+                        e.getCause() instanceof CertificateNotYetValidException)) {
+                    // No more warning, we alreay have hasExpiredCert or notYetValidCert
+                } else {
+                    chainNotValidated = true;
+                }
             }
 
             try {