6890876: jarsigner can add CRL info into signed jar

Reviewed-by: mullan

src/share/classes/com/sun/jarsigner/ContentSignerParameters.java

 /*
- * Copyright 2003 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2003-2010 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,7 +26,9 @@
 package com.sun.jarsigner;
 
 import java.net.URI;
+import java.security.cert.X509CRL;
 import java.security.cert.X509Certificate;
+import java.util.Set;
 import java.util.zip.ZipFile;
 
 /**
@@ -80,6 +82,13 @@ public interface ContentSignerParameters {
      */
     public X509Certificate[] getSignerCertificateChain();
 
+    /**
+     * Retrieves the signer's X.509 CRLs.
+     *
+     * @return An unmodifiable set of X.509 CRLs (never <code>null</code>)
+     */
+    public Set<X509CRL> getCRLs();
+
     /**
      * Retrieves the content that was signed.
      * The content is the JAR file's signature file.

src/share/classes/java/security/CodeSigner.java

 /*
- * Copyright 2003-2004 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2003-2010 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,7 +26,10 @@
 package java.security;
 
 import java.io.Serializable;
+import java.security.cert.CRL;
 import java.security.cert.CertPath;
+import sun.misc.JavaSecurityCodeSignerAccess;
+import sun.misc.SharedSecrets;
 
 /**
  * This class encapsulates information about a code signer.
@@ -163,4 +166,43 @@ public final class CodeSigner implements Serializable {
         sb.append(")");
         return sb.toString();
     }
+
+    // A private attribute attached to this CodeSigner object. Can be accessed
+    // through SharedSecrets.getJavaSecurityCodeSignerAccess().[g|s]etCRLs
+    //
+    // Currently called in SignatureFileVerifier.getSigners
+    private transient CRL[] crls;
+
+    /**
+     * Sets the CRLs attached
+     * @param crls, null to clear
+     */
+    void setCRLs(CRL[] crls) {
+        this.crls = crls;
+    }
+
+    /**
+     * Returns the CRLs attached
+     * @return the crls, initially null
+     */
+    CRL[] getCRLs() {
+        return crls;
+    }
+
+    // Set up JavaSecurityCodeSignerAccess in SharedSecrets
+    static {
+        SharedSecrets.setJavaSecurityCodeSignerAccess(
+                new JavaSecurityCodeSignerAccess() {
+            @Override
+            public void setCRLs(CodeSigner signer, CRL[] crls) {
+                signer.setCRLs(crls);
+            }
+
+            @Override
+            public CRL[] getCRLs(CodeSigner signer) {
+                return signer.getCRLs();
+            }
+        });
+    }
+
 }

src/share/classes/java/util/jar/JarVerifier.java

 /*
- * Copyright 1997-2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1997-2010 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -27,7 +27,6 @@ package java.util.jar;
 
 import java.io.*;
 import java.util.*;
-import java.util.zip.*;
 import java.security.*;
 import java.security.cert.CertificateException;
 

src/share/classes/sun/misc/JavaSecurityCodeSignerAccess.java

+/*
+ * Copyright 2010 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Sun designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Sun in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+package sun.misc;
+
+import java.security.CodeSigner;
+import java.security.cert.CRL;
+
+public interface JavaSecurityCodeSignerAccess {
+    void setCRLs(CodeSigner signer, CRL[] crls);
+    CRL[] getCRLs(CodeSigner signer);
+}

src/share/classes/sun/misc/SharedSecrets.java

@@ -27,8 +27,8 @@ package sun.misc;
 
 import java.util.jar.JarFile;
 import java.io.Console;
-import java.io.File;
 import java.io.FileDescriptor;
+import java.security.CodeSigner;
 import java.security.ProtectionDomain;
 
 /** A repository of "shared secrets", which are a mechanism for
@@ -49,6 +49,7 @@ public class SharedSecrets {
     private static JavaNioAccess javaNioAccess;
     private static JavaIOFileDescriptorAccess javaIOFileDescriptorAccess;
     private static JavaSecurityProtectionDomainAccess javaSecurityProtectionDomainAccess;
+    private static JavaSecurityCodeSignerAccess javaSecurityCodeSignerAccess;
 
     public static JavaUtilJarAccess javaUtilJarAccess() {
         if (javaUtilJarAccess == null) {
@@ -126,4 +127,16 @@ public class SharedSecrets {
                 unsafe.ensureClassInitialized(ProtectionDomain.class);
             return javaSecurityProtectionDomainAccess;
     }
+
+    public static void setJavaSecurityCodeSignerAccess
+            (JavaSecurityCodeSignerAccess jscsa) {
+        javaSecurityCodeSignerAccess = jscsa;
+    }
+
+    public static JavaSecurityCodeSignerAccess
+            getJavaSecurityCodeSignerAccess() {
+        if (javaSecurityCodeSignerAccess == null)
+            unsafe.ensureClassInitialized(CodeSigner.class);
+        return javaSecurityCodeSignerAccess;
+    }
 }

src/share/classes/sun/security/pkcs/PKCS7.java

 /*
- * Copyright 1996-2006 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1996-2010 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -28,7 +28,6 @@ package sun.security.pkcs;
 import java.io.*;
 import java.math.BigInteger;
 import java.util.*;
-import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.X509CRL;
@@ -173,20 +172,30 @@ public class PKCS7 {
      * @param digestAlgorithmIds the message digest algorithm identifiers.
      * @param contentInfo the content information.
      * @param certificates an array of X.509 certificates.
+     * @param crls an array of CRLs
      * @param signerInfos an array of signer information.
      */
     public PKCS7(AlgorithmId[] digestAlgorithmIds,
                  ContentInfo contentInfo,
                  X509Certificate[] certificates,
+                 X509CRL[] crls,
                  SignerInfo[] signerInfos) {
 
         version = BigInteger.ONE;
         this.digestAlgorithmIds = digestAlgorithmIds;
         this.contentInfo = contentInfo;
         this.certificates = certificates;
+        this.crls = crls;
         this.signerInfos = signerInfos;
     }
 
+    public PKCS7(AlgorithmId[] digestAlgorithmIds,
+                 ContentInfo contentInfo,
+                 X509Certificate[] certificates,
+                 SignerInfo[] signerInfos) {
+        this(digestAlgorithmIds, contentInfo, certificates, null, signerInfos);
+    }
+
     private void parseNetscapeCertChain(DerValue val)
     throws ParsingException, IOException {
         DerInputStream dis = new DerInputStream(val.toByteArray());
@@ -312,7 +321,7 @@ public class PKCS7 {
                 ByteArrayInputStream bais = null;
                 try {
                     if (certfac == null)
-                        crls[i] = (X509CRL) new X509CRLImpl(crlVals[i]);
+                        crls[i] = new X509CRLImpl(crlVals[i]);
                     else {
                         byte[] encoded = crlVals[i].toByteArray();
                         bais = new ByteArrayInputStream(encoded);
@@ -480,7 +489,30 @@ public class PKCS7 {
             signedData.putOrderedSetOf((byte)0xA0, implCerts);
         }
 
-        // no crls (OPTIONAL field)
+        // CRLs (optional)
+        if (crls != null && crls.length != 0) {
+            // cast to X509CRLImpl[] since X509CRLImpl implements DerEncoder
+            Set<X509CRLImpl> implCRLs = new HashSet<X509CRLImpl>(crls.length);
+            for (X509CRL crl: crls) {
+                if (crl instanceof X509CRLImpl)
+                    implCRLs.add((X509CRLImpl) crl);
+                else {
+                    try {
+                        byte[] encoded = crl.getEncoded();
+                        implCRLs.add(new X509CRLImpl(encoded));
+                    } catch (CRLException ce) {
+                        IOException ie = new IOException(ce.getMessage());
+                        ie.initCause(ce);
+                        throw ie;
+                    }
+                }
+            }
+
+            // Add the CRL set (tagged with [1] IMPLICIT)
+            // to the signed data
+            signedData.putOrderedSetOf((byte)0xA1,
+                    implCRLs.toArray(new X509CRLImpl[implCRLs.size()]));
+        }
 
         // signerInfos
         signedData.putOrderedSetOf(DerValue.tag_Set, signerInfos);

src/share/classes/sun/security/tools/JarSigner.java

@@ -26,6 +26,7 @@
 package sun.security.tools;
 
 import java.io.*;
+import java.security.cert.X509CRL;
 import java.util.*;
 import java.util.zip.*;
 import java.util.jar.*;
@@ -35,6 +36,7 @@ import java.net.URISyntaxException;
 import java.text.Collator;
 import java.text.MessageFormat;
 import java.security.cert.Certificate;
+import java.security.cert.CRL;
 import java.security.cert.X509Certificate;
 import java.security.cert.CertificateException;
 import java.security.*;
@@ -56,6 +58,7 @@ import java.util.Map.Entry;
 import sun.security.x509.*;
 import sun.security.util.*;
 import sun.misc.BASE64Encoder;
+import sun.misc.SharedSecrets;
 
 
 /**
@@ -114,14 +117,16 @@ public class JarSigner {
     static final int SIGNED_BY_ALIAS = 0x08;    // signer is in alias list
 
     X509Certificate[] certChain;    // signer's cert chain (when composing)
+    Set<X509CRL> crls;                 // signer provided CRLs
     PrivateKey privateKey;          // private key
     KeyStore store;                 // the keystore specified by -keystore
                                     // or the default keystore, never null
 
     String keystore; // key store file
+    List<String> crlfiles = new ArrayList<String>();  // CRL files to add
     boolean nullStream = false; // null keystore input stream (NONE)
     boolean token = false; // token-based keystore
-    String jarfile;  // jar file to sign or verify
+    String jarfile;  // jar files to sign or verify
     String alias;    // alias to sign jar with
     List<String> ckaliases = new ArrayList<String>(); // aliases in -verify
     char[] storepass; // keystore password
@@ -146,6 +151,7 @@ public class JarSigner {
     boolean signManifest = true; // "sign" the whole manifest
     boolean externalSF = true; // leave the .SF out of the PKCS7 block
     boolean strict = false;  // treat warnings as error
+    boolean autoCRL = false;    // Automatcially add CRL defined in cert
 
     // read zip entry raw bytes
     private ByteArrayOutputStream baos = new ByteArrayOutputStream(2048);
@@ -226,6 +232,29 @@ public class JarSigner {
             } else {
                 loadKeyStore(keystore, true);
                 getAliasInfo(alias);
+                crls = new HashSet<X509CRL>();
+                if (crlfiles.size() > 0 || autoCRL) {
+                    CertificateFactory fac =
+                            CertificateFactory.getInstance("X509");
+                    List<CRL> list = new ArrayList<CRL>();
+                    for (String file: crlfiles) {
+                        Collection<? extends CRL> tmp = KeyTool.loadCRLs(file);
+                        for (CRL crl: tmp) {
+                            if (crl instanceof X509CRL) {
+                                crls.add((X509CRL)crl);
+                            }
+                        }
+                    }
+                    if (autoCRL) {
+                        List<CRL> crlsFromCert =
+                                KeyTool.readCRLsFromCert(certChain[0]);
+                        for (CRL crl: crlsFromCert) {
+                            if (crl instanceof X509CRL) {
+                                crls.add((X509CRL)crl);
+                            }
+                        }
+                    }
+                }
 
                 // load the alternative signing mechanism
                 if (altSignerClass != null) {
@@ -367,6 +396,13 @@ public class JarSigner {
             } else if (collator.compare(flags, "-digestalg") ==0) {
                 if (++n == args.length) usageNoArg();
                 digestalg = args[n];
+            } else if (collator.compare(flags, "-crl") ==0) {
+                if ("auto".equals(modifier)) {
+                    autoCRL = true;
+                } else {
+                    if (++n == args.length) usageNoArg();
+                    crlfiles.add(args[n]);
+                }
             } else if (collator.compare(flags, "-certs") ==0) {
                 showcerts = true;
             } else if (collator.compare(flags, "-strict") ==0) {
@@ -515,6 +551,9 @@ public class JarSigner {
         System.out.println(rb.getString
                 ("[-sigalg <algorithm>]       name of signature algorithm"));
         System.out.println();
+        System.out.println(rb.getString
+                ("[-crl[:auto| <file>]        include CRL in signed jar"));
+        System.out.println();
         System.out.println(rb.getString
                 ("[-verify]                   verify a signed JAR file"));
         System.out.println();
@@ -654,6 +693,20 @@ public class JarSigner {
                             if (showcerts) {
                                 sb.append(si);
                                 sb.append('\n');
+                                CRL[] crls = SharedSecrets
+                                        .getJavaSecurityCodeSignerAccess()
+                                        .getCRLs(signer);
+                                if (crls != null) {
+                                    for (CRL crl: crls) {
+                                        if (crl instanceof X509CRLImpl) {
+                                            sb.append(tab).append("[");
+                                            sb.append(String.format(
+                                                    rb.getString("with a CRL including %d entries"),
+                                                    ((X509CRLImpl)crl).getRevokedCertificates().size()))
+                                                .append("]\n");
+                                        }
+                                    }
+                                }
                             }
                         }
                     } else if (showcerts && !verbose.equals("all")) {
@@ -1233,7 +1286,7 @@ public class JarSigner {
 
             try {
                 block =
-                    sf.generateBlock(privateKey, sigalg, certChain,
+                    sf.generateBlock(privateKey, sigalg, certChain, crls,
                         externalSF, tsaUrl, tsaCert, signingMechanism, args,
                         zipFile);
             } catch (SocketTimeoutException e) {
@@ -2197,6 +2250,7 @@ class SignatureFile {
     public Block generateBlock(PrivateKey privateKey,
                                String sigalg,
                                X509Certificate[] certChain,
+                               Set<X509CRL> crls,
                                boolean externalSF, String tsaUrl,
                                X509Certificate tsaCert,
                                ContentSigner signingMechanism,
@@ -2204,7 +2258,7 @@ class SignatureFile {
         throws NoSuchAlgorithmException, InvalidKeyException, IOException,
             SignatureException, CertificateException
     {
-        return new Block(this, privateKey, sigalg, certChain, externalSF,
+        return new Block(this, privateKey, sigalg, certChain, crls, externalSF,
                 tsaUrl, tsaCert, signingMechanism, args, zipFile);
     }
 
@@ -2218,7 +2272,8 @@ class SignatureFile {
          * Construct a new signature block.
          */
         Block(SignatureFile sfg, PrivateKey privateKey, String sigalg,
-            X509Certificate[] certChain, boolean externalSF, String tsaUrl,
+            X509Certificate[] certChain, Set<X509CRL> crls,
+            boolean externalSF, String tsaUrl,
             X509Certificate tsaCert, ContentSigner signingMechanism,
             String[] args, ZipFile zipFile)
             throws NoSuchAlgorithmException, InvalidKeyException, IOException,
@@ -2305,7 +2360,7 @@ class SignatureFile {
             // Assemble parameters for the signing mechanism
             ContentSignerParameters params =
                 new JarSignerParameters(args, tsaUri, tsaCert, signature,
-                    signatureAlgorithm, certChain, content, zipFile);
+                    signatureAlgorithm, certChain, crls, content, zipFile);
 
             // Generate the signature block
             block = signingMechanism.generateSignedData(
@@ -2346,6 +2401,7 @@ class JarSignerParameters implements ContentSignerParameters {
     private byte[] signature;
     private String signatureAlgorithm;
     private X509Certificate[] signerCertificateChain;
+    private Set<X509CRL> crls;
     private byte[] content;
     private ZipFile source;
 
@@ -2354,7 +2410,8 @@ class JarSignerParameters implements ContentSignerParameters {
      */
     JarSignerParameters(String[] args, URI tsa, X509Certificate tsaCertificate,
         byte[] signature, String signatureAlgorithm,
-        X509Certificate[] signerCertificateChain, byte[] content,
+        X509Certificate[] signerCertificateChain, Set<X509CRL> crls,
+        byte[] content,
         ZipFile source) {
 
         if (signature == null || signatureAlgorithm == null ||
@@ -2367,6 +2424,7 @@ class JarSignerParameters implements ContentSignerParameters {
         this.signature = signature;
         this.signatureAlgorithm = signatureAlgorithm;
         this.signerCertificateChain = signerCertificateChain;
+        this.crls = crls;
         this.content = content;
         this.source = source;
     }
@@ -2442,4 +2500,13 @@ class JarSignerParameters implements ContentSignerParameters {
     public ZipFile getSource() {
         return source;
     }
+
+    @Override
+    public Set<X509CRL> getCRLs() {
+        if (crls == null) {
+            return Collections.emptySet();
+        } else {
+            return Collections.unmodifiableSet(crls);
+        }
+    }
 }

src/share/classes/sun/security/tools/JarSignerResources.java

 /*
- * Copyright 2000-2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2000-2010 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -74,6 +74,8 @@ public class JarSignerResources extends java.util.ListResourceBundle {
                 "[-digestalg <algorithm>]    name of digest algorithm"},
         {"[-sigalg <algorithm>]       name of signature algorithm",
                 "[-sigalg <algorithm>]       name of signature algorithm"},
+        {"[-crl[:auto| <file>]        include CRL in signed jar",
+                "[-crl[:auto| <file>]        include CRL in signed jar"},
         {"[-verify]                   verify a signed JAR file",
                 "[-verify]                   verify a signed JAR file"},
         {"[-verbose[:suboptions]]     verbose output when signing/verifying.",
@@ -191,6 +193,7 @@ public class JarSignerResources extends java.util.ListResourceBundle {
         {"using an alternative signing mechanism",
                 "using an alternative signing mechanism"},
         {"entry was signed on", "entry was signed on {0}"},
+        {"with a CRL including %d entries", "with a CRL including %d entries"},
         {"Warning: ", "Warning: "},
         {"This jar contains unsigned entries which have not been integrity-checked. ",
                 "This jar contains unsigned entries which have not been integrity-checked. "},

src/share/classes/sun/security/tools/TimestampedSigner.java

@@ -38,6 +38,7 @@ import java.security.cert.X509Certificate;
 import java.util.List;
 
 import com.sun.jarsigner.*;
+import java.security.cert.X509CRL;
 import java.util.Arrays;
 import sun.security.pkcs.*;
 import sun.security.timestamp.*;
@@ -239,7 +240,7 @@ public final class TimestampedSigner extends ContentSigner {
         // Create the PKCS #7 signed data message
         PKCS7 p7 =
             new PKCS7(algorithms, contentInfo, signerCertificateChain,
-                signerInfos);
+                    parameters.getCRLs().toArray(new X509CRL[parameters.getCRLs().size()]), signerInfos);
         ByteArrayOutputStream p7out = new ByteArrayOutputStream();
         p7.encodeSignedData(p7out);
 

src/share/classes/sun/security/util/Resources.java

 /*
- * Copyright 2000-2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2000-2010 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -71,6 +71,7 @@ public class Resources extends java.util.ListResourceBundle {
                 "Generates a secret key"}, //-genseckey
         {"Generates certificate from a certificate request",
                 "Generates certificate from a certificate request"}, //-gencert
+        {"Generates CRL", "Generates CRL"}, //-gencrl
         {"Imports entries from a JDK 1.1.x-style identity database",
                 "Imports entries from a JDK 1.1.x-style identity database"}, //-identitydb
         {"Imports a certificate or a certificate chain",
@@ -87,6 +88,8 @@ public class Resources extends java.util.ListResourceBundle {
                 "Prints the content of a certificate"}, //-printcert
         {"Prints the content of a certificate request",
                 "Prints the content of a certificate request"}, //-printcertreq
+        {"Prints the content of a CRL file",
+                "Prints the content of a CRL file"}, //-printcrl
         {"Generates a self-signed certificate",
                 "Generates a self-signed certificate"}, //-selfcert
         {"Changes the store password of a keystore",
@@ -176,6 +179,8 @@ public class Resources extends java.util.ListResourceBundle {
                 "verbose output"}, //-v
         {"validity number of days",
                 "validity number of days"}, //-validity
+        {"Serial ID of cert to revoke",
+                 "Serial ID of cert to revoke"}, //-id
         // keytool: Running part
         {"keytool error: ", "keytool error: "},
         {"Illegal option:  ", "Illegal option:  "},
@@ -375,6 +380,7 @@ public class Resources extends java.util.ListResourceBundle {
         {"Signer #%d:", "Signer #%d:"},
         {"Timestamp:", "Timestamp:"},
         {"Signature:", "Signature:"},
+        {"CRLs:", "CRLs:"},
         {"Certificate owner: ", "Certificate owner: "},
         {"Not a signed jar file", "Not a signed jar file"},
         {"No certificate from the SSL server",
@@ -433,6 +439,7 @@ public class Resources extends java.util.ListResourceBundle {
         {"This extension cannot be marked as critical. ",
                  "This extension cannot be marked as critical. "},
         {"Odd number of hex digits found: ", "Odd number of hex digits found: "},
+        {"Unknown extension type: ", "Unknown extension type: "},
         {"command {0} is ambiguous:", "command {0} is ambiguous:"},
 
         // policytool

src/share/classes/sun/security/util/SignatureFileVerifier.java

 /*
- * Copyright 1997-2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1997-2010 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,7 +25,6 @@
 
 package sun.security.util;
 
-import java.security.CodeSigner;
 import java.security.cert.CertPath;
 import java.security.cert.X509Certificate;
 import java.security.cert.CertificateException;
@@ -34,11 +33,11 @@ import java.security.*;
 import java.io.*;
 import java.util.*;
 import java.util.jar.*;
-import java.io.ByteArrayOutputStream;
 
 import sun.security.pkcs.*;
 import sun.security.timestamp.TimestampToken;
 import sun.misc.BASE64Decoder;
+import sun.misc.SharedSecrets;
 
 import sun.security.jca.Providers;
 
@@ -479,7 +478,12 @@ public class SignatureFileVerifier {
                 signers = new ArrayList<CodeSigner>();
             }
             // Append the new code signer
-            signers.add(new CodeSigner(certChain, getTimestamp(info)));
+            CodeSigner signer = new CodeSigner(certChain, getTimestamp(info));
+            if (block.getCRLs() != null) {
+                SharedSecrets.getJavaSecurityCodeSignerAccess().setCRLs(
+                        signer, block.getCRLs());
+            }
+            signers.add(signer);
 
             if (debug != null) {
                 debug.println("Signature Block Certificate: " +

src/share/classes/sun/security/x509/X509CRLImpl.java

 /*
- * Copyright 1997-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1997-2010 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -89,7 +89,7 @@ import sun.misc.HexDumpEncoder;
  * @author Hemma Prafullchandra
  * @see X509CRL
  */
-public class X509CRLImpl extends X509CRL {
+public class X509CRLImpl extends X509CRL implements DerEncoder {
 
     // CRL data, and its envelope
     private byte[]      signedCRL = null; // DER encoded crl
@@ -1189,6 +1189,13 @@ public class X509CRLImpl extends X509CRL {
         }
     }
 
+    @Override
+    public void derEncode(OutputStream out) throws IOException {
+        if (signedCRL == null)
+            throw new IOException("Null CRL to encode");
+        out.write(signedCRL.clone());
+    }
+
     /**
      * Immutable X.509 Certificate Issuer DN and serial number pair
      */

test/sun/security/tools/jarsigner/crl.sh

+#
+# Copyright 2010 Sun Microsystems, Inc.  All Rights Reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+# CA 95054 USA or visit www.sun.com if you need additional information or
+# have any questions.
+#
+
+# @test
+# @bug 6890876
+# @summary jarsigner can add CRL info into signed jar
+#
+
+if [ "${TESTJAVA}" = "" ] ; then
+  JAVAC_CMD=`which javac`
+  TESTJAVA=`dirname $JAVAC_CMD`/..
+fi
+
+# set platform-dependent variables
+# PF: platform name, say, solaris-sparc
+
+PF=""
+
+OS=`uname -s`
+case "$OS" in
+  Windows* )
+    FS="\\"
+    ;;
+  * )
+    FS="/"
+    ;;
+esac
+
+KS=crl.jks
+JFILE=crl.jar
+
+KT="$TESTJAVA${FS}bin${FS}keytool -storepass changeit -keypass changeit -keystore $KS"
+JAR=$TESTJAVA${FS}bin${FS}jar
+JARSIGNER=$TESTJAVA${FS}bin${FS}jarsigner
+
+rm $KS $JFILE
+
+# Generates some crl files, each containing two entries
+
+$KT -alias a -dname CN=a -keyalg rsa -genkey -validity 300
+$KT -alias a -gencrl -id 1:1 -id 2:2 -file crl1
+$KT -alias a -gencrl -id 3:3 -id 4:4 -file crl2
+$KT -alias b -dname CN=b -keyalg rsa -genkey -validity 300
+$KT -alias b -gencrl -id 5:1 -id 6:2 -file crl3
+
+$KT -alias c -dname CN=c -keyalg rsa -genkey -validity 300 \
+    -ext crl=uri:file://`pwd`/crl1
+
+echo A > A
+
+# Test -crl:auto, cRLDistributionPoints is a local file
+
+$JAR cvf $JFILE A
+$JARSIGNER -keystore $KS -storepass changeit $JFILE c \
+        -crl:auto || exit 1
+$JARSIGNER -keystore $KS -verify -debug -strict $JFILE || exit 6
+$KT -printcert -jarfile $JFILE | grep CRLs || exit 7
+
+# Test -crl <file>
+
+$JAR cvf $JFILE A
+$JARSIGNER -keystore $KS -storepass changeit $JFILE a \
+        -crl crl1 -crl crl2 || exit 1
+$JARSIGNER -keystore $KS -storepass changeit $JFILE b \
+        -crl crl3 -crl crl2 || exit 1
+$JARSIGNER -keystore $KS -verify -debug -strict $JFILE || exit 3
+$KT -printcert -jarfile $JFILE | grep CRLs || exit 4
+CRLCOUNT=`$KT -printcert -jarfile $JFILE | grep SerialNumber | wc -l`
+if [ $CRLCOUNT != 8 ]; then exit 5; fi
+
+exit 0