8009636: JARSigner including TimeStamp PolicyID (TSAPolicyID) as defined in RFC3161

Reviewed-by: mullan

8009636: JARSigner including TimeStamp PolicyID (TSAPolicyID) as defined in RFC3161
Reviewed-by: mullan
9b65d35f · weijun · 1137dfe6 · 9b65d35f · 9b65d35f · 9b65d35f
9 changed file
--- a/src/share/classes/com/sun/jarsigner/ContentSignerParameters.java
+++ b/src/share/classes/com/sun/jarsigner/ContentSignerParameters.java
@@ -59,6 +59,13 @@ public interface ContentSignerParameters {
     */
    public X509Certificate getTimestampingAuthorityCertificate();

+    /**
+     * Retrieves the TSAPolicyID for a Timestamping Authority (TSA).
+     *
+     * @return The TSAPolicyID. May be null.
+     */
+    public String getTSAPolicyID();
+
    /**
     * Retrieves the JAR file's signature.
     *

--- a/src/share/classes/sun/security/pkcs/PKCS7.java
+++ b/src/share/classes/sun/security/pkcs/PKCS7.java
@@ -784,6 +784,9 @@ public class PKCS7 {
     * @param signatureAlgorithm the name of the signature algorithm
     * @param tsaURI the URI of the Timestamping Authority; or null if no
     *         timestamp is requested
+     * @param tSAPolicyID the TSAPolicyID of the Timestamping Authority as a
+     *         numerical object identifier; or null if we leave the TSA server
+     *         to choose one. This argument is only used when tsaURI is provided
     * @return the bytes of the encoded PKCS #7 signed data message
     * @throws NoSuchAlgorithmException The exception is thrown if the signature
     *         algorithm is unrecognised.
@@ -798,7 +801,8 @@ public class PKCS7 {
                                            X509Certificate[] signerChain,
                                            byte[] content,
                                            String signatureAlgorithm,
-                                            URI tsaURI)
+                                            URI tsaURI,
+                                            String tSAPolicyID)
        throws CertificateException, IOException, NoSuchAlgorithmException
    {

@@ -807,7 +811,7 @@ public class PKCS7 {
        if (tsaURI != null) {
            // Timestamp the signature
            HttpTimestamper tsa = new HttpTimestamper(tsaURI);
-            byte[] tsToken = generateTimestampToken(tsa, signature);
+            byte[] tsToken = generateTimestampToken(tsa, tSAPolicyID, signature);

            // Insert the timestamp token into the PKCS #7 signer info element
            // (as an unsigned attribute)
@@ -851,14 +855,20 @@ public class PKCS7 {
     * set to true.
     *
     * @param tsa the timestamping authority to use
+     * @param tSAPolicyID the TSAPolicyID of the Timestamping Authority as a
+     *         numerical object identifier; or null if we leave the TSA server
+     *         to choose one
     * @param toBeTimestamped the token that is to be timestamped
     * @return the encoded timestamp token
     * @throws IOException The exception is thrown if an error occurs while
-     *                     communicating with the TSA.
+     *                     communicating with the TSA, or a non-null
+     *                     TSAPolicyID is specified in the request but it
+     *                     does not match the one in the reply
     * @throws CertificateException The exception is thrown if the TSA's
     *                     certificate is not permitted for timestamping.
     */
    private static byte[] generateTimestampToken(Timestamper tsa,
+                                                 String tSAPolicyID,
                                                 byte[] toBeTimestamped)
        throws IOException, CertificateException
    {
@@ -868,7 +878,7 @@ public class PKCS7 {
        try {
            // SHA-1 is always used.
            messageDigest = MessageDigest.getInstance("SHA-1");
-            tsQuery = new TSRequest(toBeTimestamped, messageDigest);
+            tsQuery = new TSRequest(tSAPolicyID, toBeTimestamped, messageDigest);
        } catch (NoSuchAlgorithmException e) {
            // ignore
        }
@@ -889,6 +899,12 @@ public class PKCS7 {
                tsReply.getStatusCodeAsText() + " " +
                tsReply.getFailureCodeAsText());
        }
+
+        if (tSAPolicyID != null &&
+                !tSAPolicyID.equals(tsReply.getTimestampToken().getPolicyID())) {
+            throw new IOException("TSAPolicyID changed in "
+                    + "timestamp token");
+        }
        PKCS7 tsToken = tsReply.getToken();

        TimestampToken tst = tsReply.getTimestampToken();

--- a/src/share/classes/sun/security/timestamp/TSRequest.java
+++ b/src/share/classes/sun/security/timestamp/TSRequest.java
@@ -88,9 +88,10 @@ public class TSRequest {
     * @param messageDigest The MessageDigest of the hash algorithm to use.
     * @throws NoSuchAlgorithmException if the hash algorithm is not supported
     */
-    public TSRequest(byte[] toBeTimeStamped, MessageDigest messageDigest)
+    public TSRequest(String tSAPolicyID, byte[] toBeTimeStamped, MessageDigest messageDigest)
        throws NoSuchAlgorithmException {

+        this.policyId = tSAPolicyID;
        this.hashAlgorithmId = AlgorithmId.get(messageDigest.getAlgorithm());
        this.hashValue = messageDigest.digest(toBeTimeStamped);
    }

--- a/src/share/classes/sun/security/timestamp/TimestampToken.java
+++ b/src/share/classes/sun/security/timestamp/TimestampToken.java
@@ -115,6 +115,10 @@ public class TimestampToken {
        return nonce;
    }

+    public String getPolicyID() {
+        return policy.toString();
+    }
+
    /*
     * Parses the timestamp token info.
     *

--- a/src/share/classes/sun/security/tools/jarsigner/Main.java
+++ b/src/share/classes/sun/security/tools/jarsigner/Main.java
@@ -141,6 +141,7 @@ public class Main {
    String tsaUrl; // location of the Timestamping Authority
    String tsaAlias; // alias for the Timestamping Authority's certificate
    String altCertChain; // file to read alternative cert chain from
+    String tSAPolicyID;
    boolean verify = false; // verify the jar
    String verbose = null; // verbose output when signing/verifying
    boolean showcerts = false; // show certs when verifying
@@ -331,6 +332,9 @@ public class Main {
            } else if (collator.compare(flags, "-certchain") ==0) {
                if (++n == args.length) usageNoArg();
                altCertChain = args[n];
+            } else if (collator.compare(flags, "-tsapolicyid") ==0) {
+                if (++n == args.length) usageNoArg();
+                tSAPolicyID = args[n];
            } else if (collator.compare(flags, "-debug") ==0) {
                debug = true;
            } else if (collator.compare(flags, "-keypass") ==0) {
@@ -530,6 +534,9 @@ public class Main {
        System.out.println(rb.getString
                (".tsacert.alias.public.key.certificate.for.Timestamping.Authority"));
        System.out.println();
+        System.out.println(rb.getString
+                (".tsapolicyid.tsapolicyid.for.Timestamping.Authority"));
+        System.out.println();
        System.out.println(rb.getString
                (".altsigner.class.class.name.of.an.alternative.signing.mechanism"));
        System.out.println();
@@ -1232,7 +1239,7 @@ public class Main {
            try {
                block =
                    sf.generateBlock(privateKey, sigalg, certChain,
-                        externalSF, tsaUrl, tsaCert, signingMechanism, args,
+                        externalSF, tsaUrl, tsaCert, tSAPolicyID, signingMechanism, args,
                        zipFile);
            } catch (SocketTimeoutException e) {
                // Provide a helpful message when TSA is beyond a firewall
@@ -2206,13 +2213,14 @@ class SignatureFile {
                               X509Certificate[] certChain,
                               boolean externalSF, String tsaUrl,
                               X509Certificate tsaCert,
+                               String tSAPolicyID,
                               ContentSigner signingMechanism,
                               String[] args, ZipFile zipFile)
        throws NoSuchAlgorithmException, InvalidKeyException, IOException,
            SignatureException, CertificateException
    {
        return new Block(this, privateKey, sigalg, certChain, externalSF,
-                tsaUrl, tsaCert, signingMechanism, args, zipFile);
+                tsaUrl, tsaCert, tSAPolicyID, signingMechanism, args, zipFile);
    }


@@ -2226,7 +2234,7 @@ class SignatureFile {
         */
        Block(SignatureFile sfg, PrivateKey privateKey, String sigalg,
            X509Certificate[] certChain, boolean externalSF, String tsaUrl,
-            X509Certificate tsaCert, ContentSigner signingMechanism,
+            X509Certificate tsaCert, String tSAPolicyID, ContentSigner signingMechanism,
            String[] args, ZipFile zipFile)
            throws NoSuchAlgorithmException, InvalidKeyException, IOException,
            SignatureException, CertificateException {
@@ -2309,7 +2317,7 @@ class SignatureFile {

            // Assemble parameters for the signing mechanism
            ContentSignerParameters params =
-                new JarSignerParameters(args, tsaUri, tsaCert, signature,
+                new JarSignerParameters(args, tsaUri, tsaCert, tSAPolicyID, signature,
                    signatureAlgorithm, certChain, content, zipFile);

            // Generate the signature block
@@ -2353,11 +2361,13 @@ class JarSignerParameters implements ContentSignerParameters {
    private X509Certificate[] signerCertificateChain;
    private byte[] content;
    private ZipFile source;
+    private String tSAPolicyID;

    /**
     * Create a new object.
     */
    JarSignerParameters(String[] args, URI tsa, X509Certificate tsaCertificate,
+        String tSAPolicyID,
        byte[] signature, String signatureAlgorithm,
        X509Certificate[] signerCertificateChain, byte[] content,
        ZipFile source) {
@@ -2369,6 +2379,7 @@ class JarSignerParameters implements ContentSignerParameters {
        this.args = args;
        this.tsa = tsa;
        this.tsaCertificate = tsaCertificate;
+        this.tSAPolicyID = tSAPolicyID;
        this.signature = signature;
        this.signatureAlgorithm = signatureAlgorithm;
        this.signerCertificateChain = signerCertificateChain;
@@ -2403,6 +2414,10 @@ class JarSignerParameters implements ContentSignerParameters {
        return tsaCertificate;
    }

+    public String getTSAPolicyID() {
+        return tSAPolicyID;
+    }
+
    /**
     * Retrieves the signature.
     *

--- a/src/share/classes/sun/security/tools/jarsigner/Resources.java
+++ b/src/share/classes/sun/security/tools/jarsigner/Resources.java
@@ -86,6 +86,8 @@ public class Resources extends java.util.ListResourceBundle {
                "[-tsa <url>]                location of the Timestamping Authority"},
        {".tsacert.alias.public.key.certificate.for.Timestamping.Authority",
                "[-tsacert <alias>]          public key certificate for Timestamping Authority"},
+        {".tsapolicyid.tsapolicyid.for.Timestamping.Authority",
+                "[-tsapolicyid <oid>]        TSAPolicyID for Timestamping Authority"},
        {".altsigner.class.class.name.of.an.alternative.signing.mechanism",
                "[-altsigner <class>]        class name of an alternative signing mechanism"},
        {".altsignerpath.pathlist.location.of.an.alternative.signing.mechanism",

--- a/src/share/classes/sun/security/tools/jarsigner/TimestampedSigner.java
+++ b/src/share/classes/sun/security/tools/jarsigner/TimestampedSigner.java
@@ -133,7 +133,8 @@ public final class TimestampedSigner extends ContentSigner {
            }
        }
        return PKCS7.generateSignedData(signature, signerChain, content,
-                                        params.getSignatureAlgorithm(), tsaURI);
+                                        params.getSignatureAlgorithm(), tsaURI,
+                                        params.getTSAPolicyID());
    }

    /**

--- a/test/sun/security/tools/jarsigner/TimestampCheck.java
+++ b/test/sun/security/tools/jarsigner/TimestampCheck.java
@@ -260,6 +260,8 @@ public class TimestampCheck {
                jarsigner(cmd, 7, false);   // tsbad2
                jarsigner(cmd, 8, false);   // tsbad3
                jarsigner(cmd, 9, false);   // no cert in timestamp
+                jarsigner(cmd + " -tsapolicyid 1.2.3.4", 0, true);
+                jarsigner(cmd + " -tsapolicyid 1.2.3.5", 0, false);
            } else {                        // Run as a standalone server
                System.err.println("Press Enter to quit server");
                System.in.read();

--- a/test/sun/security/tools/jarsigner/ts.sh
+++ b/test/sun/security/tools/jarsigner/ts.sh
@@ -22,7 +22,7 @@
 #

 # @test
-# @bug 6543842 6543440 6939248
+# @bug 6543842 6543440 6939248 8009636
 # @summary checking response of timestamp
 #
 # @run shell/timeout=600 ts.sh