7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp

Reviewed-by: xuelei

7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp
Reviewed-by: xuelei
a1c7a361 · weijun · bf14ebe9 · a1c7a361
隐藏空白更改
内联并排

Showing with 48 addition and 32 deletion

src/share/classes/sun/security/tools/JarSigner.java src/share/classes/sun/security/tools/JarSigner.java +48 -32

未找到文件。
--- a/src/share/classes/sun/security/tools/JarSigner.java
+++ b/src/share/classes/sun/security/tools/JarSigner.java
@@ -66,7 +66,7 @@ import sun.misc.BASE64Encoder;
 * 0: success
 * 1: any error that the jar cannot be signed or verified, including:
 *      keystore loading error
- *      TSP communciation error
+ *      TSP communication error
 *      jarsigner command line error...
 * otherwise: error codes from -strict
 *
@@ -258,8 +258,7 @@ public class JarSigner {
            if (hasExpiringCert) {
                exitCode |= 2;
            }
-            if (chainNotValidated) {
+            if (chainNotValidated || hasExpiredCert || notYetValidCert) {
-                // hasExpiredCert and notYetValidCert included in this case
                exitCode |= 4;
            }
            if (badKeyUsage || badExtendedKeyUsage || badNetscapeCertType) {
@@ -600,7 +599,6 @@ public class JarSigner {
                if (verbose != null) System.out.println();
                Enumeration<JarEntry> e = entriesVec.elements();
-                long now = System.currentTimeMillis();
                String tab = rb.getString("6SPACE");
                while (e.hasMoreElements()) {
@@ -648,7 +646,7 @@ public class JarSigner {
                            // signerInfo() must be called even if -verbose
                            // not provided. The method updates various
                            // warning flags.
-                            String si = signerInfo(signer, tab, now);
+                            String si = signerInfo(signer, tab);
                            if (showcerts) {
                                sb.append(si);
                                sb.append('\n');
@@ -837,7 +835,7 @@ public class JarSigner {
     * Note: no newline character at the end
     */
    String printCert(String tab, Certificate c, boolean checkValidityPeriod,
-        long now, boolean checkUsage) {
+        Date timestamp, boolean checkUsage) {
        StringBuilder certStr = new StringBuilder();
        String space = rb.getString("SPACE");
@@ -862,22 +860,24 @@ public class JarSigner {
            certStr.append("\n").append(tab).append("[");
            Date notAfter = x509Cert.getNotAfter();
            try {
-                x509Cert.checkValidity();
+                boolean printValidity = true;
-                // test if cert will expire within six months
+                if (timestamp == null) {
-                if (now == 0) {
+                    x509Cert.checkValidity();
-                    now = System.currentTimeMillis();
+                    // test if cert will expire within six months
-                }
+                    if (notAfter.getTime() < System.currentTimeMillis() + SIX_MONTHS) {
-                if (notAfter.getTime() < now + SIX_MONTHS) {
+                        hasExpiringCert = true;
-                    hasExpiringCert = true;
+                        if (expiringTimeForm == null) {
+                            expiringTimeForm = new MessageFormat(
-                    if (expiringTimeForm == null) {
+                                rb.getString("certificate.will.expire.on"));
-                        expiringTimeForm = new MessageFormat(
+                        }
-                            rb.getString("certificate.will.expire.on"));
+                        Object[] source = { notAfter };
+                        certStr.append(expiringTimeForm.format(source));
+                        printValidity = false;
                    }
-                    Object[] source = { notAfter };
-                    certStr.append(expiringTimeForm.format(source));
                } else {
+                    x509Cert.checkValidity(timestamp);
+                }
+                if (printValidity) {
                    if (validityTimeForm == null) {
                        validityTimeForm = new MessageFormat(
                            rb.getString("certificate.is.valid.from"));
@@ -1283,7 +1283,7 @@ public class JarSigner {
                            tsaURI);
                    }
                    System.out.println(rb.getString("TSA.certificate.") +
-                        printCert("", tsaCert, false, 0, false));
+                        printCert("", tsaCert, false, null, false));
                }
                if (signingMechanism != null) {
                    System.out.println(
@@ -1481,23 +1481,27 @@ public class JarSigner {
    /**
     * Returns a string of singer info, with a newline at the end
     */
-    private String signerInfo(CodeSigner signer, String tab, long now) {
+    private String signerInfo(CodeSigner signer, String tab) {
        if (cacheForSignerInfo.containsKey(signer)) {
            return cacheForSignerInfo.get(signer);
        }
        StringBuffer s = new StringBuffer();
        List<? extends Certificate> certs = signer.getSignerCertPath().getCertificates();
        // display the signature timestamp, if present
-        Timestamp timestamp = signer.getTimestamp();
+        Date timestamp;
-        if (timestamp != null) {
+        Timestamp ts = signer.getTimestamp();
-            s.append(printTimestamp(tab, timestamp));
+        if (ts != null) {
+            s.append(printTimestamp(tab, ts));
            s.append('\n');
+            timestamp = ts.getTimestamp();
+        } else {
+            timestamp = null;
        }
-        // display the certificate(s). The first one is end-enity cert and
+        // display the certificate(s). The first one is end-entity cert and
        // its KeyUsage should be checked.
        boolean first = true;
        for (Certificate c : certs) {
-            s.append(printCert(tab, c, true, now, first));
+            s.append(printCert(tab, c, true, timestamp, first));
            s.append('\n');
            first = false;
        }
@@ -1508,9 +1512,15 @@ public class JarSigner {
            if (debug) {
                e.printStackTrace();
            }
-            chainNotValidated = true;
+            if (e.getCause() != null &&
-            s.append(tab + rb.getString(".CertPath.not.validated.") +
+                    (e.getCause() instanceof CertificateExpiredException ||
-                    e.getLocalizedMessage() + "]\n");   // TODO
+                     e.getCause() instanceof CertificateNotYetValidException)) {
+                // No more warning, we alreay have hasExpiredCert or notYetValidCert
+            } else {
+                chainNotValidated = true;
+                s.append(tab + rb.getString(".CertPath.not.validated.") +
+                        e.getLocalizedMessage() + "]\n");   // TODO
+            }
        }
        String result = s.toString();
        cacheForSignerInfo.put(signer, result);
@@ -1804,7 +1814,7 @@ public class JarSigner {
            // We don't meant to print anything, the next call
            // checks validity and keyUsage etc
-            printCert("", certChain[0], true, 0, true);
+            printCert("", certChain[0], true, null, true);
            try {
                CertPath cp = certificateFactory.generateCertPath(Arrays.asList(certChain));
@@ -1813,7 +1823,13 @@ public class JarSigner {
                if (debug) {
                    e.printStackTrace();
                }
-                chainNotValidated = true;
+                if (e.getCause() != null &&
+                        (e.getCause() instanceof CertificateExpiredException ||
+                        e.getCause() instanceof CertificateNotYetValidException)) {
+                    // No more warning, we alreay have hasExpiredCert or notYetValidCert
+                } else {
+                    chainNotValidated = true;
+                }
            }
            try {