Skip to content

D
dragonwell8_jdk

openanolis / dragonwell8_jdk

通知 4
Star 2
Fork 0
D
dragonwell8_jdk

体验新版 GitCode,发现更多精彩内容 >>

提交 a1c7a361 编写于 作者: W weijun
浏览文件
操作

7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp 

Reviewed-by: xuelei
上级 bf14ebe9
显示空白变更内容
内联 并排
Showing with 48 addition and 32 deletion
src/share/classes/sun/security/tools/JarSigner.java
浏览文件 @ a1c7a361
......@@ -66,7 +66,7 @@ import sun.misc.BASE64Encoder;
* 0: success
* 1: any error that the jar cannot be signed or verified, including:
* keystore loading error
* TSP communciation error
* TSP communication error
* jarsigner command line error...
* otherwise: error codes from -strict
*
......@@ -258,8 +258,7 @@ public class JarSigner {
if (hasExpiringCert) {
exitCode |= 2;
}
if (chainNotValidated) {
// hasExpiredCert and notYetValidCert included in this case
if (chainNotValidated || hasExpiredCert || notYetValidCert) {
exitCode |= 4;
}
if (badKeyUsage || badExtendedKeyUsage || badNetscapeCertType) {
......@@ -600,7 +599,6 @@ public class JarSigner {
if (verbose != null) System.out.println();
Enumeration<JarEntry> e = entriesVec.elements();
long now = System.currentTimeMillis();
String tab = rb.getString("6SPACE");
while (e.hasMoreElements()) {
......@@ -648,7 +646,7 @@ public class JarSigner {
// signerInfo() must be called even if -verbose
// not provided. The method updates various
// warning flags.
String si = signerInfo(signer, tab, now);
String si = signerInfo(signer, tab);
if (showcerts) {
sb.append(si);
sb.append('\n');
......@@ -837,7 +835,7 @@ public class JarSigner {
* Note: no newline character at the end
*/
String printCert(String tab, Certificate c, boolean checkValidityPeriod,
long now, boolean checkUsage) {
Date timestamp, boolean checkUsage) {
StringBuilder certStr = new StringBuilder();
String space = rb.getString("SPACE");
......@@ -862,22 +860,24 @@ public class JarSigner {
certStr.append("\n").append(tab).append("[");
Date notAfter = x509Cert.getNotAfter();
try {
boolean printValidity = true;
if (timestamp == null) {
x509Cert.checkValidity();
// test if cert will expire within six months
if (now == 0) {
now = System.currentTimeMillis();
}
if (notAfter.getTime() < now + SIX_MONTHS) {
if (notAfter.getTime() < System.currentTimeMillis() + SIX_MONTHS) {
hasExpiringCert = true;
if (expiringTimeForm == null) {
expiringTimeForm = new MessageFormat(
rb.getString("certificate.will.expire.on"));
}
Object[] source = { notAfter };
certStr.append(expiringTimeForm.format(source));
printValidity = false;
}
} else {
x509Cert.checkValidity(timestamp);
}
if (printValidity) {
if (validityTimeForm == null) {
validityTimeForm = new MessageFormat(
rb.getString("certificate.is.valid.from"));
......@@ -1283,7 +1283,7 @@ public class JarSigner {
tsaURI);
}
System.out.println(rb.getString("TSA.certificate.") +
printCert("", tsaCert, false, 0, false));
printCert("", tsaCert, false, null, false));
}
if (signingMechanism != null) {
System.out.println(
......@@ -1481,23 +1481,27 @@ public class JarSigner {
/**
* Returns a string of singer info, with a newline at the end
*/
private String signerInfo(CodeSigner signer, String tab, long now) {
private String signerInfo(CodeSigner signer, String tab) {
if (cacheForSignerInfo.containsKey(signer)) {
return cacheForSignerInfo.get(signer);
}
StringBuffer s = new StringBuffer();
List<? extends Certificate> certs = signer.getSignerCertPath().getCertificates();
// display the signature timestamp, if present
Timestamp timestamp = signer.getTimestamp();
if (timestamp != null) {
s.append(printTimestamp(tab, timestamp));
Date timestamp;
Timestamp ts = signer.getTimestamp();
if (ts != null) {
s.append(printTimestamp(tab, ts));
s.append('\n');
timestamp = ts.getTimestamp();
} else {
timestamp = null;
}
// display the certificate(s). The first one is end-enity cert and
// display the certificate(s). The first one is end-entity cert and
// its KeyUsage should be checked.
boolean first = true;
for (Certificate c : certs) {
s.append(printCert(tab, c, true, now, first));
s.append(printCert(tab, c, true, timestamp, first));
s.append('\n');
first = false;
}
......@@ -1508,10 +1512,16 @@ public class JarSigner {
if (debug) {
e.printStackTrace();
}
if (e.getCause() != null &&
(e.getCause() instanceof CertificateExpiredException ||
e.getCause() instanceof CertificateNotYetValidException)) {
// No more warning, we alreay have hasExpiredCert or notYetValidCert
} else {
chainNotValidated = true;
s.append(tab + rb.getString(".CertPath.not.validated.") +
e.getLocalizedMessage() + "]\n"); // TODO
}
}
String result = s.toString();
cacheForSignerInfo.put(signer, result);
return result;
......@@ -1804,7 +1814,7 @@ public class JarSigner {
// We don't meant to print anything, the next call
// checks validity and keyUsage etc
printCert("", certChain[0], true, 0, true);
printCert("", certChain[0], true, null, true);
try {
CertPath cp = certificateFactory.generateCertPath(Arrays.asList(certChain));
......@@ -1813,8 +1823,14 @@ public class JarSigner {
if (debug) {
e.printStackTrace();
}
if (e.getCause() != null &&
(e.getCause() instanceof CertificateExpiredException ||
e.getCause() instanceof CertificateNotYetValidException)) {
// No more warning, we alreay have hasExpiredCert or notYetValidCert
} else {
chainNotValidated = true;
}
}
try {
if (!token && keypass == null)
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册