From 4a0b431d1fbd16110bc5d179c31a1d60b2cbc83b Mon Sep 17 00:00:00 2001
From: igerasim <unknown>
Date: Wed, 14 Sep 2016 11:41:41 +0300
Subject: [PATCH] 8165816: jarsigner -verify shows jar unsigned if it was
 signed with a weak algorithm Reviewed-by: mullan

---
 .../classes/sun/security/pkcs/SignerInfo.java |  5 ++++-
 .../sun/security/tools/jarsigner/Main.java    | 12 ++++++++--
 .../security/tools/jarsigner/Resources.java   |  6 +++--
 .../tools/jarsigner/warnings/Test.java        | 22 +++++++++++++++++++
 4 files changed, 40 insertions(+), 5 deletions(-)

diff --git a/src/share/classes/sun/security/pkcs/SignerInfo.java b/src/share/classes/sun/security/pkcs/SignerInfo.java
index 5f131fcac..d93a09fa4 100644
--- a/src/share/classes/sun/security/pkcs/SignerInfo.java
+++ b/src/share/classes/sun/security/pkcs/SignerInfo.java
@@ -55,6 +55,7 @@ import sun.security.util.DerInputStream;
 import sun.security.util.DerOutputStream;
 import sun.security.util.DerValue;
 import sun.security.util.DisabledAlgorithmConstraints;
+import sun.security.util.KeyUtil;
 import sun.security.util.ObjectIdentifier;
 import sun.security.x509.AlgorithmId;
 import sun.security.x509.X500Name;
@@ -399,7 +400,9 @@ public class SignerInfo implements DerEncoder {
             // check if the public key is restricted
             if (!JAR_DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
                 throw new SignatureException("Public key check failed. " +
-                        "Disabled algorithm used: " + key.getAlgorithm());
+                        "Disabled key used: " +
+                        KeyUtil.getKeySize(key) + " bit " +
+                        key.getAlgorithm());
             }
 
             if (cert.hasUnsupportedCriticalExtension()) {
diff --git a/src/share/classes/sun/security/tools/jarsigner/Main.java b/src/share/classes/sun/security/tools/jarsigner/Main.java
index 37b04c9bf..961921c1d 100644
--- a/src/share/classes/sun/security/tools/jarsigner/Main.java
+++ b/src/share/classes/sun/security/tools/jarsigner/Main.java
@@ -603,6 +603,7 @@ public class Main {
             }
 
             Manifest man = jf.getManifest();
+            boolean hasSignature = false;
 
             // The map to record display info, only used when -verbose provided
             //      key: signer info string
@@ -618,6 +619,10 @@ public class Main {
                 while (e.hasMoreElements()) {
                     JarEntry je = e.nextElement();
                     String name = je.getName();
+
+                    hasSignature = hasSignature
+                            || SignatureFileVerifier.isBlockOrSF(name);
+
                     CodeSigner[] signers = je.getCodeSigners();
                     boolean isSigned = (signers != null);
                     anySigned |= isSigned;
@@ -757,8 +762,11 @@ public class Main {
                 System.out.println(rb.getString("no.manifest."));
 
             if (!anySigned) {
-                System.out.println(rb.getString(
-                      "jar.is.unsigned.signatures.missing.or.not.parsable."));
+                if (hasSignature) {
+                    System.out.println(rb.getString("jar.treated.unsigned"));
+                } else {
+                    System.out.println(rb.getString("jar.is.unsigned"));
+                }
             } else {
                 boolean warningAppeared = false;
                 boolean errorAppeared = false;
diff --git a/src/share/classes/sun/security/tools/jarsigner/Resources.java b/src/share/classes/sun/security/tools/jarsigner/Resources.java
index db35b1e58..909d573d4 100644
--- a/src/share/classes/sun/security/tools/jarsigner/Resources.java
+++ b/src/share/classes/sun/security/tools/jarsigner/Resources.java
@@ -135,8 +135,10 @@ public class Resources extends java.util.ListResourceBundle {
         {"no.manifest.", "no manifest."},
         {".Signature.related.entries.","(Signature related entries)"},
         {".Unsigned.entries.", "(Unsigned entries)"},
-        {"jar.is.unsigned.signatures.missing.or.not.parsable.",
-                "jar is unsigned. (signatures missing or not parsable)"},
+        {"jar.is.unsigned",
+                "jar is unsigned."},
+        {"jar.treated.unsigned",
+                "Signature not parsable or verifiable. The jar will be treated as unsigned. The jar may have been signed with a weak algorithm that is now disabled. For more information, rerun jarsigner with debug enabled (-J-Djava.security.debug=jar)."},
         {"jar.signed.", "jar signed."},
         {"jar.signed.with.signer.errors.", "jar signed, with signer errors."},
         {"jar.verified.", "jar verified."},
diff --git a/test/sun/security/tools/jarsigner/warnings/Test.java b/test/sun/security/tools/jarsigner/warnings/Test.java
index 6018a6deb..999789a5e 100644
--- a/test/sun/security/tools/jarsigner/warnings/Test.java
+++ b/test/sun/security/tools/jarsigner/warnings/Test.java
@@ -22,6 +22,11 @@
  */
 
 import jdk.testlibrary.OutputAnalyzer;
+import jdk.testlibrary.ProcessTools;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
 
 /**
  * Base class.
@@ -175,4 +180,21 @@ public abstract class Test {
         }
         analyzer.shouldContain(JAR_SIGNED);
     }
+
+    protected OutputAnalyzer keytool(String... cmd) throws Throwable {
+        return tool(KEYTOOL, cmd);
+    }
+
+    protected OutputAnalyzer jarsigner(String... cmd) throws Throwable {
+        return tool(JARSIGNER, cmd);
+    }
+
+    private OutputAnalyzer tool(String tool, String... args) throws Throwable {
+        List<String> cmd = new ArrayList<>();
+        cmd.add(tool);
+        cmd.add("-J-Duser.language=en");
+        cmd.add("-J-Duser.country=US");
+        cmd.addAll(Arrays.asList(args));
+        return ProcessTools.executeCommand(cmd.toArray(new String[cmd.size()]));
+    }
 }
-- 
GitLab