1 /*
2 * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.tools.jarsigner;
27
28 import java.io.*;
29 import java.util.*;
30 import java.util.zip.*;
31 import java.util.jar.*;
32 import java.net.URI;
33 import java.text.Collator;
34 import java.text.MessageFormat;
35 import java.security.cert.Certificate;
36 import java.security.cert.X509Certificate;
37 import java.security.cert.CertificateException;
38 import java.security.*;
39
40 import java.net.SocketTimeoutException;
41 import java.net.URL;
42 import java.security.cert.CertPath;
43 import java.security.cert.CertPathValidator;
44 import java.security.cert.CertificateExpiredException;
45 import java.security.cert.CertificateFactory;
46 import java.security.cert.CertificateNotYetValidException;
47 import java.security.cert.PKIXParameters;
48 import java.security.cert.TrustAnchor;
49 import java.util.Map.Entry;
50
51 import jdk.security.jarsigner.JarSigner;
52 import jdk.security.jarsigner.JarSignerException;
53 import sun.security.pkcs.PKCS7;
54 import sun.security.pkcs.SignerInfo;
55 import sun.security.timestamp.TimestampToken;
56 import sun.security.tools.KeyStoreUtil;
57 import sun.security.x509.*;
58 import sun.security.util.*;
59
60
61 /**
62 * <p>The jarsigner utility.
63 *
64 * The exit codes for the main method are:
65 *
66 * 0: success
67 * 1: any error that the jar cannot be signed or verified, including:
68 * keystore loading error
69 * TSP communication error
70 * jarsigner command line error...
71 * otherwise: error codes from -strict
72 *
73 * @author Roland Schemers
74 * @author Jan Luehe
75 */
76 public class Main {
77
78 // for i18n
79 private static final java.util.ResourceBundle rb =
80 java.util.ResourceBundle.getBundle
81 ("sun.security.tools.jarsigner.Resources");
82 private static final Collator collator = Collator.getInstance();
83 static {
84 // this is for case insensitive string comparisions
85 collator.setStrength(Collator.PRIMARY);
86 }
87
88 private static final String NONE = "NONE";
89 private static final String P11KEYSTORE = "PKCS11";
90
91 private static final long SIX_MONTHS = 180*24*60*60*1000L; //milliseconds
92
93 // PROPERTY_CERTPATH_DISABLED_ALGS is currently more restrictive than
94 // PROPERTY_JAR_DISABLED_ALGS and we used it at signing time.
95 private static final DisabledAlgorithmConstraints VERIFY_CHECK =
96 new DisabledAlgorithmConstraints(
97 DisabledAlgorithmConstraints.PROPERTY_JAR_DISABLED_ALGS);
98 private static final DisabledAlgorithmConstraints SIGN_CHECK =
99 new DisabledAlgorithmConstraints(
100 DisabledAlgorithmConstraints.PROPERTY_CERTPATH_DISABLED_ALGS);
101
102 private static final Set<CryptoPrimitive> DIGEST_PRIMITIVE_SET = Collections
103 .unmodifiableSet(EnumSet.of(CryptoPrimitive.MESSAGE_DIGEST));
104 private static final Set<CryptoPrimitive> SIG_PRIMITIVE_SET = Collections
105 .unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));
106
107 // Attention:
108 // This is the entry that get launched by the security tool jarsigner.
109 public static void main(String args[]) throws Exception {
110 Main js = new Main();
111 js.run(args);
112 }
113
114 static final String VERSION = "1.0";
115
116 static final int IN_KEYSTORE = 0x01; // signer is in keystore
117 static final int NOT_ALIAS = 0x04; // alias list is NOT empty and
118 // signer is not in alias list
119 static final int SIGNED_BY_ALIAS = 0x08; // signer is in alias list
120
121 X509Certificate[] certChain; // signer's cert chain (when composing)
122 PrivateKey privateKey; // private key
123 KeyStore store; // the keystore specified by -keystore
124 // or the default keystore, never null
125
126 String keystore; // key store file
127 boolean nullStream = false; // null keystore input stream (NONE)
128 boolean token = false; // token-based keystore
129 String jarfile; // jar files to sign or verify
130 String alias; // alias to sign jar with
131 List<String> ckaliases = new ArrayList<>(); // aliases in -verify
132 char[] storepass; // keystore password
133 boolean protectedPath; // protected authentication path
134 String storetype; // keystore type
135 String providerName; // provider name
136 List<String> providers = null; // list of provider names
137 List<String> providerClasses = null; // list of provider classes
138 // arguments for provider constructors
139 HashMap<String,String> providerArgs = new HashMap<>();
140 char[] keypass; // private key password
141 String sigfile; // name of .SF file
142 String sigalg; // name of signature algorithm
143 String digestalg; // name of digest algorithm
144 String signedjar; // output filename
145 String tsaUrl; // location of the Timestamping Authority
146 String tsaAlias; // alias for the Timestamping Authority's certificate
147 String altCertChain; // file to read alternative cert chain from
148 String tSAPolicyID;
149 String tSADigestAlg;
150 boolean verify = false; // verify the jar
151 String verbose = null; // verbose output when signing/verifying
152 boolean showcerts = false; // show certs when verifying
153 boolean debug = false; // debug
154 boolean signManifest = true; // "sign" the whole manifest
155 boolean externalSF = true; // leave the .SF out of the PKCS7 block
156 boolean strict = false; // treat warnings as error
157
158 // read zip entry raw bytes
159 private String altSignerClass = null;
160 private String altSignerClasspath = null;
161 private ZipFile zipFile = null;
162
163 // Informational warnings
164 private boolean hasExpiringCert = false;
165 private boolean noTimestamp = false;
166 private Date expireDate = new Date(0L); // used in noTimestamp warning
167
168 // Severe warnings
169 private int weakAlg = 0; // 1. digestalg, 2. sigalg, 4. tsadigestalg
170 private boolean hasExpiredCert = false;
171 private boolean notYetValidCert = false;
172 private boolean chainNotValidated = false;
173 private boolean notSignedByAlias = false;
174 private boolean aliasNotInStore = false;
175 private boolean hasUnsignedEntry = false;
176 private boolean badKeyUsage = false;
177 private boolean badExtendedKeyUsage = false;
178 private boolean badNetscapeCertType = false;
179 private boolean signerSelfSigned = false;
180
181 private Throwable chainNotValidatedReason = null;
182
183 private boolean seeWeak = false;
184
185 CertificateFactory certificateFactory;
186 CertPathValidator validator;
187 PKIXParameters pkixParameters;
188
189 public void run(String args[]) {
190 try {
191 args = parseArgs(args);
192
193 // Try to load and install the specified providers
194 if (providers != null) {
195 for (String provName: providers) {
196 try {
197 KeyStoreUtil.loadProviderByName(provName,
198 providerArgs.get(provName));
199 if (debug) {
200 System.out.println("loadProviderByName: " + provName);
201 }
202 } catch (IllegalArgumentException e) {
203 throw new Exception(String.format(rb.getString(
204 "provider.name.not.found"), provName));
205 }
206 }
207 }
208
209 if (providerClasses != null) {
210 ClassLoader cl = ClassLoader.getSystemClassLoader();
211 for (String provClass: providerClasses) {
212 try {
213 KeyStoreUtil.loadProviderByClass(provClass,
214 providerArgs.get(provClass), cl);
215 if (debug) {
216 System.out.println("loadProviderByClass: " + provClass);
217 }
218 } catch (ClassCastException cce) {
219 throw new Exception(String.format(rb.getString(
220 "provclass.not.a.provider"), provClass));
221 } catch (IllegalArgumentException e) {
222 throw new Exception(String.format(rb.getString(
223 "provider.class.not.found"), provClass), e.getCause());
224 }
225 }
226 }
227
228 if (verify) {
229 try {
230 loadKeyStore(keystore, false);
231 } catch (Exception e) {
232 if ((keystore != null) || (storepass != null)) {
233 System.out.println(rb.getString("jarsigner.error.") +
234 e.getMessage());
235 if (debug) {
236 e.printStackTrace();
237 }
238 System.exit(1);
239 }
240 }
241 /* if (debug) {
242 SignatureFileVerifier.setDebug(true);
243 ManifestEntryVerifier.setDebug(true);
244 }
245 */
246 verifyJar(jarfile);
247 } else {
248 loadKeyStore(keystore, true);
249 getAliasInfo(alias);
250
251 signJar(jarfile, alias);
252 }
253 } catch (Exception e) {
254 System.out.println(rb.getString("jarsigner.error.") + e);
255 if (debug) {
256 e.printStackTrace();
257 }
258 System.exit(1);
259 } finally {
260 // zero-out private key password
261 if (keypass != null) {
262 Arrays.fill(keypass, ' ');
263 keypass = null;
264 }
265 // zero-out keystore password
266 if (storepass != null) {
267 Arrays.fill(storepass, ' ');
268 storepass = null;
269 }
270 }
271
272 if (strict) {
273 int exitCode = 0;
274 if (weakAlg != 0 || chainNotValidated || hasExpiredCert || notYetValidCert || signerSelfSigned) {
275 exitCode |= 4;
276 }
277 if (badKeyUsage || badExtendedKeyUsage || badNetscapeCertType) {
278 exitCode |= 8;
279 }
280 if (hasUnsignedEntry) {
281 exitCode |= 16;
282 }
283 if (notSignedByAlias || aliasNotInStore) {
284 exitCode |= 32;
285 }
286 if (exitCode != 0) {
287 System.exit(exitCode);
288 }
289 }
290 }
291
292 /*
293 * Parse command line arguments.
294 */
295 String[] parseArgs(String args[]) throws Exception {
296 /* parse flags */
297 int n = 0;
298
299 if (args.length == 0) fullusage();
300
301 String confFile = null;
302 String command = "-sign";
303 for (n=0; n < args.length; n++) {
304 if (collator.compare(args[n], "-verify") == 0) {
305 command = "-verify";
306 } else if (collator.compare(args[n], "-conf") == 0) {
307 if (n == args.length - 1) {
308 usageNoArg();
309 }
310 confFile = args[++n];
311 }
312 }
313
314 if (confFile != null) {
315 args = KeyStoreUtil.expandArgs(
316 "jarsigner", confFile, command, null, args);
317 }
318
319 debug = Arrays.stream(args).anyMatch(
320 x -> collator.compare(x, "-debug") == 0);
321
322 if (debug) {
323 // No need to localize debug output
324 System.out.println("Command line args: " +
325 Arrays.toString(args));
326 }
327
328 for (n=0; n < args.length; n++) {
329
330 String flags = args[n];
331 String modifier = null;
332
333 if (flags.startsWith("-")) {
334 int pos = flags.indexOf(':');
335 if (pos > 0) {
336 modifier = flags.substring(pos+1);
337 flags = flags.substring(0, pos);
338 }
339 }
340
341 if (!flags.startsWith("-")) {
342 if (jarfile == null) {
343 jarfile = flags;
344 } else {
345 alias = flags;
346 ckaliases.add(alias);
347 }
348 } else if (collator.compare(flags, "-conf") == 0) {
349 if (++n == args.length) usageNoArg();
350 } else if (collator.compare(flags, "-keystore") == 0) {
351 if (++n == args.length) usageNoArg();
352 keystore = args[n];
353 } else if (collator.compare(flags, "-storepass") ==0) {
354 if (++n == args.length) usageNoArg();
355 storepass = getPass(modifier, args[n]);
356 } else if (collator.compare(flags, "-storetype") ==0) {
357 if (++n == args.length) usageNoArg();
358 storetype = args[n];
359 } else if (collator.compare(flags, "-providerName") ==0) {
360 if (++n == args.length) usageNoArg();
361 providerName = args[n];
362 } else if (collator.compare(flags, "-provider") == 0 ||
363 collator.compare(flags, "-providerClass") == 0) {
364 if (++n == args.length) usageNoArg();
365 if (providerClasses == null) {
366 providerClasses = new ArrayList<>(3);
367 }
368 providerClasses.add(args[n]);
369
370 if (args.length > (n+1)) {
371 flags = args[n+1];
372 if (collator.compare(flags, "-providerArg") == 0) {
373 if (args.length == (n+2)) usageNoArg();
374 providerArgs.put(args[n], args[n+2]);
375 n += 2;
376 }
377 }
378 } else if (collator.compare(flags, "-addprovider") == 0) {
379 if (++n == args.length) usageNoArg();
380 if (providers == null) {
381 providers = new ArrayList<>(3);
382 }
383 providers.add(args[n]);
384
385 if (args.length > (n+1)) {
386 flags = args[n+1];
387 if (collator.compare(flags, "-providerArg") == 0) {
388 if (args.length == (n+2)) usageNoArg();
389 providerArgs.put(args[n], args[n+2]);
390 n += 2;
391 }
392 }
393 } else if (collator.compare(flags, "-protected") ==0) {
394 protectedPath = true;
395 } else if (collator.compare(flags, "-certchain") ==0) {
396 if (++n == args.length) usageNoArg();
397 altCertChain = args[n];
398 } else if (collator.compare(flags, "-tsapolicyid") ==0) {
399 if (++n == args.length) usageNoArg();
400 tSAPolicyID = args[n];
401 } else if (collator.compare(flags, "-tsadigestalg") ==0) {
402 if (++n == args.length) usageNoArg();
403 tSADigestAlg = args[n];
404 } else if (collator.compare(flags, "-debug") ==0) {
405 // Already processed
406 } else if (collator.compare(flags, "-keypass") ==0) {
407 if (++n == args.length) usageNoArg();
408 keypass = getPass(modifier, args[n]);
409 } else if (collator.compare(flags, "-sigfile") ==0) {
410 if (++n == args.length) usageNoArg();
411 sigfile = args[n];
412 } else if (collator.compare(flags, "-signedjar") ==0) {
413 if (++n == args.length) usageNoArg();
414 signedjar = args[n];
415 } else if (collator.compare(flags, "-tsa") ==0) {
416 if (++n == args.length) usageNoArg();
417 tsaUrl = args[n];
418 } else if (collator.compare(flags, "-tsacert") ==0) {
419 if (++n == args.length) usageNoArg();
420 tsaAlias = args[n];
421 } else if (collator.compare(flags, "-altsigner") ==0) {
422 if (++n == args.length) usageNoArg();
423 altSignerClass = args[n];
424 System.err.println(
425 rb.getString("This.option.is.deprecated") +
426 "-altsigner");
427 } else if (collator.compare(flags, "-altsignerpath") ==0) {
428 if (++n == args.length) usageNoArg();
429 altSignerClasspath = args[n];
430 System.err.println(
431 rb.getString("This.option.is.deprecated") +
432 "-altsignerpath");
433 } else if (collator.compare(flags, "-sectionsonly") ==0) {
434 signManifest = false;
435 } else if (collator.compare(flags, "-internalsf") ==0) {
436 externalSF = false;
437 } else if (collator.compare(flags, "-verify") ==0) {
438 verify = true;
439 } else if (collator.compare(flags, "-verbose") ==0) {
440 verbose = (modifier != null) ? modifier : "all";
441 } else if (collator.compare(flags, "-sigalg") ==0) {
442 if (++n == args.length) usageNoArg();
443 sigalg = args[n];
444 } else if (collator.compare(flags, "-digestalg") ==0) {
445 if (++n == args.length) usageNoArg();
446 digestalg = args[n];
447 } else if (collator.compare(flags, "-certs") ==0) {
448 showcerts = true;
449 } else if (collator.compare(flags, "-strict") ==0) {
450 strict = true;
451 } else if (collator.compare(flags, "-h") == 0 ||
452 collator.compare(flags, "-help") == 0) {
453 fullusage();
454 } else {
455 System.err.println(
456 rb.getString("Illegal.option.") + flags);
457 usage();
458 }
459 }
460
461 // -certs must always be specified with -verbose
462 if (verbose == null) showcerts = false;
463
464 if (jarfile == null) {
465 System.err.println(rb.getString("Please.specify.jarfile.name"));
466 usage();
467 }
468 if (!verify && alias == null) {
469 System.err.println(rb.getString("Please.specify.alias.name"));
470 usage();
471 }
472 if (!verify && ckaliases.size() > 1) {
473 System.err.println(rb.getString("Only.one.alias.can.be.specified"));
474 usage();
475 }
476
477 if (storetype == null) {
478 storetype = KeyStore.getDefaultType();
479 }
480 storetype = KeyStoreUtil.niceStoreTypeName(storetype);
481
482 try {
483 if (signedjar != null && new File(signedjar).getCanonicalPath().equals(
484 new File(jarfile).getCanonicalPath())) {
485 signedjar = null;
486 }
487 } catch (IOException ioe) {
488 // File system error?
489 // Just ignore it.
490 }
491
492 if (P11KEYSTORE.equalsIgnoreCase(storetype) ||
493 KeyStoreUtil.isWindowsKeyStore(storetype)) {
494 token = true;
495 if (keystore == null) {
496 keystore = NONE;
497 }
498 }
499
500 if (NONE.equals(keystore)) {
501 nullStream = true;
502 }
503
504 if (token && !nullStream) {
505 System.err.println(MessageFormat.format(rb.getString
506 (".keystore.must.be.NONE.if.storetype.is.{0}"), storetype));
507 usage();
508 }
509
510 if (token && keypass != null) {
511 System.err.println(MessageFormat.format(rb.getString
512 (".keypass.can.not.be.specified.if.storetype.is.{0}"), storetype));
513 usage();
514 }
515
516 if (protectedPath) {
517 if (storepass != null || keypass != null) {
518 System.err.println(rb.getString
519 ("If.protected.is.specified.then.storepass.and.keypass.must.not.be.specified"));
520 usage();
521 }
522 }
523 if (KeyStoreUtil.isWindowsKeyStore(storetype)) {
524 if (storepass != null || keypass != null) {
525 System.err.println(rb.getString
526 ("If.keystore.is.not.password.protected.then.storepass.and.keypass.must.not.be.specified"));
527 usage();
528 }
529 }
530 return args;
531 }
532
533 static char[] getPass(String modifier, String arg) {
534 char[] output = KeyStoreUtil.getPassWithModifier(modifier, arg, rb);
535 if (output != null) return output;
536 usage();
537 return null; // Useless, usage() already exit
538 }
539
540 static void usageNoArg() {
541 System.out.println(rb.getString("Option.lacks.argument"));
542 usage();
543 }
544
545 static void usage() {
546 System.out.println();
547 System.out.println(rb.getString("Please.type.jarsigner.help.for.usage"));
548 System.exit(1);
549 }
550
551 static void fullusage() {
552 System.out.println(rb.getString
553 ("Usage.jarsigner.options.jar.file.alias"));
554 System.out.println(rb.getString
555 (".jarsigner.verify.options.jar.file.alias."));
556 System.out.println();
557 System.out.println(rb.getString
558 (".keystore.url.keystore.location"));
559 System.out.println();
560 System.out.println(rb.getString
561 (".storepass.password.password.for.keystore.integrity"));
562 System.out.println();
563 System.out.println(rb.getString
564 (".storetype.type.keystore.type"));
565 System.out.println();
566 System.out.println(rb.getString
567 (".keypass.password.password.for.private.key.if.different."));
568 System.out.println();
569 System.out.println(rb.getString
570 (".certchain.file.name.of.alternative.certchain.file"));
571 System.out.println();
572 System.out.println(rb.getString
573 (".sigfile.file.name.of.SF.DSA.file"));
574 System.out.println();
575 System.out.println(rb.getString
576 (".signedjar.file.name.of.signed.JAR.file"));
577 System.out.println();
578 System.out.println(rb.getString
579 (".digestalg.algorithm.name.of.digest.algorithm"));
580 System.out.println();
581 System.out.println(rb.getString
582 (".sigalg.algorithm.name.of.signature.algorithm"));
583 System.out.println();
584 System.out.println(rb.getString
585 (".verify.verify.a.signed.JAR.file"));
586 System.out.println();
587 System.out.println(rb.getString
588 (".verbose.suboptions.verbose.output.when.signing.verifying."));
589 System.out.println(rb.getString
590 (".suboptions.can.be.all.grouped.or.summary"));
591 System.out.println();
592 System.out.println(rb.getString
593 (".certs.display.certificates.when.verbose.and.verifying"));
594 System.out.println();
595 System.out.println(rb.getString
596 (".tsa.url.location.of.the.Timestamping.Authority"));
597 System.out.println();
598 System.out.println(rb.getString
599 (".tsacert.alias.public.key.certificate.for.Timestamping.Authority"));
600 System.out.println();
601 System.out.println(rb.getString
602 (".tsapolicyid.tsapolicyid.for.Timestamping.Authority"));
603 System.out.println();
604 System.out.println(rb.getString
605 (".tsadigestalg.algorithm.of.digest.data.in.timestamping.request"));
606 System.out.println();
607 System.out.println(rb.getString
608 (".altsigner.class.class.name.of.an.alternative.signing.mechanism"));
609 System.out.println();
610 System.out.println(rb.getString
611 (".altsignerpath.pathlist.location.of.an.alternative.signing.mechanism"));
612 System.out.println();
613 System.out.println(rb.getString
614 (".internalsf.include.the.SF.file.inside.the.signature.block"));
615 System.out.println();
616 System.out.println(rb.getString
617 (".sectionsonly.don.t.compute.hash.of.entire.manifest"));
618 System.out.println();
619 System.out.println(rb.getString
620 (".protected.keystore.has.protected.authentication.path"));
621 System.out.println();
622 System.out.println(rb.getString
623 (".providerName.name.provider.name"));
624 System.out.println();
625 System.out.println(rb.getString
626 (".add.provider.option"));
627 System.out.println(rb.getString
628 (".providerArg.option.1"));
629 System.out.println();
630 System.out.println(rb.getString
631 (".providerClass.option"));
632 System.out.println(rb.getString
633 (".providerArg.option.2"));
634 System.out.println();
635 System.out.println(rb.getString
636 (".strict.treat.warnings.as.errors"));
637 System.out.println();
638 System.out.println(rb.getString
639 (".conf.url.specify.a.pre.configured.options.file"));
640 System.out.println();
641
642 System.exit(0);
643 }
644
645 void verifyJar(String jarName)
646 throws Exception
647 {
648 boolean anySigned = false; // if there exists entry inside jar signed
649 JarFile jf = null;
650 Map<String,String> digestMap = new HashMap<>();
651 Map<String,PKCS7> sigMap = new HashMap<>();
652 Map<String,String> sigNameMap = new HashMap<>();
653 Map<String,String> unparsableSignatures = new HashMap<>();
654
655 try {
656 jf = new JarFile(jarName, true);
657 Vector<JarEntry> entriesVec = new Vector<>();
658 byte[] buffer = new byte[8192];
659
660 Enumeration<JarEntry> entries = jf.entries();
661 while (entries.hasMoreElements()) {
662 JarEntry je = entries.nextElement();
663 entriesVec.addElement(je);
664 try (InputStream is = jf.getInputStream(je)) {
665 String name = je.getName();
666 if (signatureRelated(name)
667 && SignatureFileVerifier.isBlockOrSF(name)) {
668 String alias = name.substring(name.lastIndexOf('/') + 1,
669 name.lastIndexOf('.'));
670 try {
671 if (name.endsWith(".SF")) {
672 Manifest sf = new Manifest(is);
673 boolean found = false;
674 for (Object obj : sf.getMainAttributes().keySet()) {
675 String key = obj.toString();
676 if (key.endsWith("-Digest-Manifest")) {
677 digestMap.put(alias,
678 key.substring(0, key.length() - 16));
679 found = true;
680 break;
681 }
682 }
683 if (!found) {
684 unparsableSignatures.putIfAbsent(alias,
685 String.format(
686 rb.getString("history.unparsable"),
687 name));
688 }
689 } else {
690 sigNameMap.put(alias, name);
691 sigMap.put(alias, new PKCS7(is));
692 }
693 } catch (IOException ioe) {
694 unparsableSignatures.putIfAbsent(alias, String.format(
695 rb.getString("history.unparsable"), name));
696 }
697 } else {
698 while (is.read(buffer, 0, buffer.length) != -1) {
699 // we just read. this will throw a SecurityException
700 // if a signature/digest check fails.
701 }
702 }
703 }
704 }
705
706 Manifest man = jf.getManifest();
707 boolean hasSignature = false;
708
709 // The map to record display info, only used when -verbose provided
710 // key: signer info string
711 // value: the list of files with common key
712 Map<String,List<String>> output = new LinkedHashMap<>();
713
714 if (man != null) {
715 if (verbose != null) System.out.println();
716 Enumeration<JarEntry> e = entriesVec.elements();
717
718 String tab = rb.getString("6SPACE");
719
720 while (e.hasMoreElements()) {
721 JarEntry je = e.nextElement();
722 String name = je.getName();
723
724 hasSignature = hasSignature
725 || SignatureFileVerifier.isBlockOrSF(name);
726
727 CodeSigner[] signers = je.getCodeSigners();
728 boolean isSigned = (signers != null);
729 anySigned |= isSigned;
730 hasUnsignedEntry |= !je.isDirectory() && !isSigned
731 && !signatureRelated(name);
732
733 int inStoreWithAlias = inKeyStore(signers);
734
735 boolean inStore = (inStoreWithAlias & IN_KEYSTORE) != 0;
736
737 notSignedByAlias |= (inStoreWithAlias & NOT_ALIAS) != 0;
738 if (keystore != null) {
739 aliasNotInStore |= isSigned && !inStore;
740 }
741
742 // Only used when -verbose provided
743 StringBuffer sb = null;
744 if (verbose != null) {
745 sb = new StringBuffer();
746 boolean inManifest =
747 ((man.getAttributes(name) != null) ||
748 (man.getAttributes("./"+name) != null) ||
749 (man.getAttributes("/"+name) != null));
750 sb.append(isSigned ? rb.getString("s") : rb.getString("SPACE"))
751 .append(inManifest ? rb.getString("m") : rb.getString("SPACE"))
752 .append(inStore ? rb.getString("k") : rb.getString("SPACE"))
753 .append((inStoreWithAlias & NOT_ALIAS) != 0 ? 'X' : ' ')
754 .append(rb.getString("SPACE"));
755 sb.append('|');
756 }
757
758 // When -certs provided, display info has extra empty
759 // lines at the beginning and end.
760 if (isSigned) {
761 if (showcerts) sb.append('\n');
762 for (CodeSigner signer: signers) {
763 // signerInfo() must be called even if -verbose
764 // not provided. The method updates various
765 // warning flags.
766 String si = signerInfo(signer, tab);
767 if (showcerts) {
768 sb.append(si);
769 sb.append('\n');
770 }
771 }
772 } else if (showcerts && !verbose.equals("all")) {
773 // Print no info for unsigned entries when -verbose:all,
774 // to be consistent with old behavior.
775 if (signatureRelated(name)) {
776 sb.append('\n')
777 .append(tab)
778 .append(rb
779 .getString(".Signature.related.entries."))
780 .append("\n\n");
781 } else {
782 sb.append('\n').append(tab)
783 .append(rb.getString(".Unsigned.entries."))
784 .append("\n\n");
785 }
786 }
787
788 if (verbose != null) {
789 String label = sb.toString();
790 if (signatureRelated(name)) {
791 // Entries inside META-INF and other unsigned
792 // entries are grouped separately.
793 label = "-" + label;
794 }
795
796 // The label finally contains 2 parts separated by '|':
797 // The legend displayed before the entry names, and
798 // the cert info (if -certs specified).
799
800 if (!output.containsKey(label)) {
801 output.put(label, new ArrayList<String>());
802 }
803
804 StringBuilder fb = new StringBuilder();
805 String s = Long.toString(je.getSize());
806 for (int i = 6 - s.length(); i > 0; --i) {
807 fb.append(' ');
808 }
809 fb.append(s).append(' ').
810 append(new Date(je.getTime()).toString());
811 fb.append(' ').append(name);
812
813 output.get(label).add(fb.toString());
814 }
815 }
816 }
817 if (verbose != null) {
818 for (Entry<String,List<String>> s: output.entrySet()) {
819 List<String> files = s.getValue();
820 String key = s.getKey();
821 if (key.charAt(0) == '-') { // the signature-related group
822 key = key.substring(1);
823 }
824 int pipe = key.indexOf('|');
825 if (verbose.equals("all")) {
826 for (String f: files) {
827 System.out.println(key.substring(0, pipe) + f);
828 System.out.printf(key.substring(pipe+1));
829 }
830 } else {
831 if (verbose.equals("grouped")) {
832 for (String f: files) {
833 System.out.println(key.substring(0, pipe) + f);
834 }
835 } else if (verbose.equals("summary")) {
836 System.out.print(key.substring(0, pipe));
837 if (files.size() > 1) {
838 System.out.println(files.get(0) + " " +
839 String.format(rb.getString(
840 ".and.d.more."), files.size()-1));
841 } else {
842 System.out.println(files.get(0));
843 }
844 }
845 System.out.printf(key.substring(pipe+1));
846 }
847 }
848 System.out.println();
849 System.out.println(rb.getString(
850 ".s.signature.was.verified."));
851 System.out.println(rb.getString(
852 ".m.entry.is.listed.in.manifest"));
853 System.out.println(rb.getString(
854 ".k.at.least.one.certificate.was.found.in.keystore"));
855 if (ckaliases.size() > 0) {
856 System.out.println(rb.getString(
857 ".X.not.signed.by.specified.alias.es."));
858 }
859 }
860 if (man == null) {
861 System.out.println();
862 System.out.println(rb.getString("no.manifest."));
863 }
864
865 // If signer is a trusted cert or private entry in user's own
866 // keystore, it can be self-signed.
867 if (!aliasNotInStore) {
868 signerSelfSigned = false;
869 }
870
871 // Even if the verbose option is not specified, all out strings
872 // must be generated so seeWeak can be updated.
873 if (!digestMap.isEmpty()
874 || !sigMap.isEmpty()
875 || !unparsableSignatures.isEmpty()) {
876 if (verbose != null) {
877 System.out.println();
878 }
879 for (String s : sigMap.keySet()) {
880 if (!digestMap.containsKey(s)) {
881 unparsableSignatures.putIfAbsent(s, String.format(
882 rb.getString("history.nosf"), s));
883 }
884 }
885 for (String s : digestMap.keySet()) {
886 PKCS7 p7 = sigMap.get(s);
887 if (p7 != null) {
888 String history;
889 try {
890 SignerInfo si = p7.getSignerInfos()[0];
891 X509Certificate signer = si.getCertificate(p7);
892 String digestAlg = digestMap.get(s);
893 String sigAlg = AlgorithmId.makeSigAlg(
894 si.getDigestAlgorithmId().getName(),
895 si.getDigestEncryptionAlgorithmId().getName());
896 PublicKey key = signer.getPublicKey();
897 PKCS7 tsToken = si.getTsToken();
898 if (tsToken != null) {
899 SignerInfo tsSi = tsToken.getSignerInfos()[0];
900 X509Certificate tsSigner = tsSi.getCertificate(tsToken);
901 byte[] encTsTokenInfo = tsToken.getContentInfo().getData();
902 TimestampToken tsTokenInfo = new TimestampToken(encTsTokenInfo);
903 PublicKey tsKey = tsSigner.getPublicKey();
904 String tsDigestAlg = tsTokenInfo.getHashAlgorithm().getName();
905 String tsSigAlg = AlgorithmId.makeSigAlg(
906 tsSi.getDigestAlgorithmId().getName(),
907 tsSi.getDigestEncryptionAlgorithmId().getName());
908 Calendar c = Calendar.getInstance(
909 TimeZone.getTimeZone("UTC"),
910 Locale.getDefault(Locale.Category.FORMAT));
911 c.setTime(tsTokenInfo.getDate());
912 history = String.format(
913 rb.getString("history.with.ts"),
914 signer.getSubjectX500Principal(),
915 withWeak(digestAlg, DIGEST_PRIMITIVE_SET),
916 withWeak(sigAlg, SIG_PRIMITIVE_SET),
917 withWeak(key),
918 c,
919 tsSigner.getSubjectX500Principal(),
920 withWeak(tsDigestAlg, DIGEST_PRIMITIVE_SET),
921 withWeak(tsSigAlg, SIG_PRIMITIVE_SET),
922 withWeak(tsKey));
923 } else {
924 history = String.format(
925 rb.getString("history.without.ts"),
926 signer.getSubjectX500Principal(),
927 withWeak(digestAlg, DIGEST_PRIMITIVE_SET),
928 withWeak(sigAlg, SIG_PRIMITIVE_SET),
929 withWeak(key));
930 }
931 } catch (Exception e) {
932 // The only usage of sigNameMap, remember the name
933 // of the block file if it's invalid.
934 history = String.format(
935 rb.getString("history.unparsable"),
936 sigNameMap.get(s));
937 }
938 if (verbose != null) {
939 System.out.println(history);
940 }
941 } else {
942 unparsableSignatures.putIfAbsent(s, String.format(
943 rb.getString("history.nobk"), s));
944 }
945 }
946 if (verbose != null) {
947 for (String s : unparsableSignatures.keySet()) {
948 System.out.println(unparsableSignatures.get(s));
949 }
950 }
951 }
952 System.out.println();
953 if (!anySigned) {
954 if (seeWeak) {
955 if (verbose != null) {
956 System.out.println(rb.getString("jar.treated.unsigned.see.weak.verbose"));
957 System.out.println("\n " +
958 DisabledAlgorithmConstraints.PROPERTY_JAR_DISABLED_ALGS +
959 "=" + Security.getProperty(DisabledAlgorithmConstraints.PROPERTY_JAR_DISABLED_ALGS));
960 } else {
961 System.out.println(rb.getString("jar.treated.unsigned.see.weak"));
962 }
963 } else if (hasSignature) {
964 System.out.println(rb.getString("jar.treated.unsigned"));
965 } else {
966 System.out.println(rb.getString("jar.is.unsigned"));
967 }
968 } else {
969 boolean warningAppeared = false;
970 boolean errorAppeared = false;
971 if (badKeyUsage || badExtendedKeyUsage || badNetscapeCertType ||
972 notYetValidCert || chainNotValidated || hasExpiredCert ||
973 hasUnsignedEntry || signerSelfSigned || (weakAlg != 0) ||
974 aliasNotInStore || notSignedByAlias) {
975
976 if (strict) {
977 System.out.println(rb.getString("jar.verified.with.signer.errors."));
978 System.out.println();
979 System.out.println(rb.getString("Error."));
980 errorAppeared = true;
981 } else {
982 System.out.println(rb.getString("jar.verified."));
983 System.out.println();
984 System.out.println(rb.getString("Warning."));
985 warningAppeared = true;
986 }
987
988 if (weakAlg != 0) {
989 // In fact, jarsigner verification did not catch this
990 // since it has not read the JarFile content itself.
991 // Everything is done with JarFile API. The signing
992 // history (digestMap etc) will show these info and
993 // print out proper warnings.
994 }
995
996 if (badKeyUsage) {
997 System.out.println(
998 rb.getString("This.jar.contains.entries.whose.signer.certificate.s.KeyUsage.extension.doesn.t.allow.code.signing."));
999 }
1000
1001 if (badExtendedKeyUsage) {
1002 System.out.println(
1003 rb.getString("This.jar.contains.entries.whose.signer.certificate.s.ExtendedKeyUsage.extension.doesn.t.allow.code.signing."));
1004 }
1005
1006 if (badNetscapeCertType) {
1007 System.out.println(
1008 rb.getString("This.jar.contains.entries.whose.signer.certificate.s.NetscapeCertType.extension.doesn.t.allow.code.signing."));
1009 }
1010
1011 if (hasUnsignedEntry) {
1012 System.out.println(rb.getString(
1013 "This.jar.contains.unsigned.entries.which.have.not.been.integrity.checked."));
1014 }
1015 if (hasExpiredCert) {
1016 System.out.println(rb.getString(
1017 "This.jar.contains.entries.whose.signer.certificate.has.expired."));
1018 }
1019 if (notYetValidCert) {
1020 System.out.println(rb.getString(
1021 "This.jar.contains.entries.whose.signer.certificate.is.not.yet.valid."));
1022 }
1023
1024 if (chainNotValidated) {
1025 System.out.println(String.format(
1026 rb.getString("This.jar.contains.entries.whose.certificate.chain.is.not.validated.reason.1"),
1027 chainNotValidatedReason.getLocalizedMessage()));
1028 }
1029
1030 if (notSignedByAlias) {
1031 System.out.println(
1032 rb.getString("This.jar.contains.signed.entries.which.is.not.signed.by.the.specified.alias.es."));
1033 }
1034
1035 if (aliasNotInStore) {
1036 System.out.println(rb.getString("This.jar.contains.signed.entries.that.s.not.signed.by.alias.in.this.keystore."));
1037 }
1038
1039 if (signerSelfSigned) {
1040 System.out.println(rb.getString(
1041 "This.jar.contains.entries.whose.signer.certificate.is.self.signed."));
1042 }
1043 } else {
1044 System.out.println(rb.getString("jar.verified."));
1045 }
1046 if (hasExpiringCert || noTimestamp) {
1047 if (!warningAppeared) {
1048 System.out.println();
1049 System.out.println(rb.getString("Warning."));
1050 warningAppeared = true;
1051 }
1052 if (hasExpiringCert) {
1053 System.out.println(rb.getString(
1054 "This.jar.contains.entries.whose.signer.certificate.will.expire.within.six.months."));
1055 }
1056 if (noTimestamp) {
1057 System.out.println(
1058 String.format(rb.getString("no.timestamp.verifying"), expireDate));
1059 }
1060 }
1061 if (warningAppeared || errorAppeared) {
1062 if (! (verbose != null && showcerts)) {
1063 System.out.println();
1064 System.out.println(rb.getString(
1065 "Re.run.with.the.verbose.and.certs.options.for.more.details."));
1066 }
1067 }
1068 }
1069 return;
1070 } catch (Exception e) {
1071 System.out.println(rb.getString("jarsigner.") + e);
1072 if (debug) {
1073 e.printStackTrace();
1074 }
1075 } finally { // close the resource
1076 if (jf != null) {
1077 jf.close();
1078 }
1079 }
1080
1081 System.exit(1);
1082 }
1083
1084 private String withWeak(String alg, Set<CryptoPrimitive> primitiveSet) {
1085 if (VERIFY_CHECK.permits(primitiveSet, alg, null)) {
1086 return alg;
1087 } else {
1088 seeWeak = true;
1089 return String.format(rb.getString("with.weak"), alg);
1090 }
1091 }
1092
1093 private String withWeak(PublicKey key) {
1094 if (VERIFY_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
1095 return String.format(
1096 rb.getString("key.bit"), KeyUtil.getKeySize(key));
1097 } else {
1098 seeWeak = true;
1099 return String.format(
1100 rb.getString("key.bit.weak"), KeyUtil.getKeySize(key));
1101 }
1102 }
1103
1104 private static MessageFormat validityTimeForm = null;
1105 private static MessageFormat notYetTimeForm = null;
1106 private static MessageFormat expiredTimeForm = null;
1107 private static MessageFormat expiringTimeForm = null;
1108
1109 /*
1110 * Display some details about a certificate:
1111 *
1112 * [<tab>] <cert-type> [", " <subject-DN>] [" (" <keystore-entry-alias> ")"]
1113 * [<validity-period> | <expiry-warning>]
1114 *
1115 * Note: no newline character at the end
1116 */
1117 String printCert(String tab, Certificate c, boolean checkValidityPeriod,
1118 Date timestamp, boolean checkUsage) {
1119
1120 StringBuilder certStr = new StringBuilder();
1121 String space = rb.getString("SPACE");
1122 X509Certificate x509Cert = null;
1123
1124 if (c instanceof X509Certificate) {
1125 x509Cert = (X509Certificate) c;
1126 certStr.append(tab).append(x509Cert.getType())
1127 .append(rb.getString("COMMA"))
1128 .append(x509Cert.getSubjectDN().getName());
1129 } else {
1130 certStr.append(tab).append(c.getType());
1131 }
1132
1133 String alias = storeHash.get(c);
1134 if (alias != null) {
1135 certStr.append(space).append(alias);
1136 }
1137
1138 if (checkValidityPeriod && x509Cert != null) {
1139
1140 certStr.append("\n").append(tab).append("[");
1141 Date notAfter = x509Cert.getNotAfter();
1142 try {
1143 boolean printValidity = true;
1144 if (timestamp == null) {
1145 if (expireDate.getTime() == 0 || expireDate.after(notAfter)) {
1146 expireDate = notAfter;
1147 }
1148 x509Cert.checkValidity();
1149 // test if cert will expire within six months
1150 if (notAfter.getTime() < System.currentTimeMillis() + SIX_MONTHS) {
1151 hasExpiringCert = true;
1152 if (expiringTimeForm == null) {
1153 expiringTimeForm = new MessageFormat(
1154 rb.getString("certificate.will.expire.on"));
1155 }
1156 Object[] source = { notAfter };
1157 certStr.append(expiringTimeForm.format(source));
1158 printValidity = false;
1159 }
1160 } else {
1161 x509Cert.checkValidity(timestamp);
1162 }
1163 if (printValidity) {
1164 if (validityTimeForm == null) {
1165 validityTimeForm = new MessageFormat(
1166 rb.getString("certificate.is.valid.from"));
1167 }
1168 Object[] source = { x509Cert.getNotBefore(), notAfter };
1169 certStr.append(validityTimeForm.format(source));
1170 }
1171 } catch (CertificateExpiredException cee) {
1172 hasExpiredCert = true;
1173
1174 if (expiredTimeForm == null) {
1175 expiredTimeForm = new MessageFormat(
1176 rb.getString("certificate.expired.on"));
1177 }
1178 Object[] source = { notAfter };
1179 certStr.append(expiredTimeForm.format(source));
1180
1181 } catch (CertificateNotYetValidException cnyve) {
1182 notYetValidCert = true;
1183
1184 if (notYetTimeForm == null) {
1185 notYetTimeForm = new MessageFormat(
1186 rb.getString("certificate.is.not.valid.until"));
1187 }
1188 Object[] source = { x509Cert.getNotBefore() };
1189 certStr.append(notYetTimeForm.format(source));
1190 }
1191 certStr.append("]");
1192
1193 if (checkUsage) {
1194 boolean[] bad = new boolean[3];
1195 checkCertUsage(x509Cert, bad);
1196 if (bad[0] || bad[1] || bad[2]) {
1197 String x = "";
1198 if (bad[0]) {
1199 x ="KeyUsage";
1200 }
1201 if (bad[1]) {
1202 if (x.length() > 0) x = x + ", ";
1203 x = x + "ExtendedKeyUsage";
1204 }
1205 if (bad[2]) {
1206 if (x.length() > 0) x = x + ", ";
1207 x = x + "NetscapeCertType";
1208 }
1209 certStr.append("\n").append(tab)
1210 .append(MessageFormat.format(rb.getString(
1211 ".{0}.extension.does.not.support.code.signing."), x));
1212 }
1213 }
1214 }
1215 return certStr.toString();
1216 }
1217
1218 private static MessageFormat signTimeForm = null;
1219
1220 private String printTimestamp(String tab, Timestamp timestamp) {
1221
1222 if (signTimeForm == null) {
1223 signTimeForm =
1224 new MessageFormat(rb.getString("entry.was.signed.on"));
1225 }
1226 Object[] source = { timestamp.getTimestamp() };
1227
1228 return new StringBuilder().append(tab).append("[")
1229 .append(signTimeForm.format(source)).append("]").toString();
1230 }
1231
1232 private Map<CodeSigner,Integer> cacheForInKS = new IdentityHashMap<>();
1233
1234 private int inKeyStoreForOneSigner(CodeSigner signer) {
1235 if (cacheForInKS.containsKey(signer)) {
1236 return cacheForInKS.get(signer);
1237 }
1238
1239 int result = 0;
1240 List<? extends Certificate> certs = signer.getSignerCertPath().getCertificates();
1241 for (Certificate c : certs) {
1242 String alias = storeHash.get(c);
1243 if (alias != null) {
1244 if (alias.startsWith("(")) {
1245 result |= IN_KEYSTORE;
1246 }
1247 if (ckaliases.contains(alias.substring(1, alias.length() - 1))) {
1248 result |= SIGNED_BY_ALIAS;
1249 }
1250 } else {
1251 if (store != null) {
1252 try {
1253 alias = store.getCertificateAlias(c);
1254 } catch (KeyStoreException kse) {
1255 // never happens, because keystore has been loaded
1256 }
1257 if (alias != null) {
1258 storeHash.put(c, "(" + alias + ")");
1259 result |= IN_KEYSTORE;
1260 }
1261 }
1262 if (ckaliases.contains(alias)) {
1263 result |= SIGNED_BY_ALIAS;
1264 }
1265 }
1266 }
1267 cacheForInKS.put(signer, result);
1268 return result;
1269 }
1270
1271 Hashtable<Certificate, String> storeHash = new Hashtable<>();
1272
1273 int inKeyStore(CodeSigner[] signers) {
1274
1275 if (signers == null)
1276 return 0;
1277
1278 int output = 0;
1279
1280 for (CodeSigner signer: signers) {
1281 int result = inKeyStoreForOneSigner(signer);
1282 output |= result;
1283 }
1284 if (ckaliases.size() > 0 && (output & SIGNED_BY_ALIAS) == 0) {
1285 output |= NOT_ALIAS;
1286 }
1287 return output;
1288 }
1289
1290 void signJar(String jarName, String alias)
1291 throws Exception {
1292
1293 if (digestalg != null && !SIGN_CHECK.permits(
1294 DIGEST_PRIMITIVE_SET, digestalg, null)) {
1295 weakAlg |= 1;
1296 }
1297 if (tSADigestAlg != null && !SIGN_CHECK.permits(
1298 DIGEST_PRIMITIVE_SET, tSADigestAlg, null)) {
1299 weakAlg |= 4;
1300 }
1301 if (sigalg != null && !SIGN_CHECK.permits(
1302 SIG_PRIMITIVE_SET , sigalg, null)) {
1303 weakAlg |= 2;
1304 }
1305 if (!SIGN_CHECK.permits(
1306 SIG_PRIMITIVE_SET, privateKey)) {
1307 weakAlg |= 8;
1308 }
1309
1310 boolean aliasUsed = false;
1311 X509Certificate tsaCert = null;
1312
1313 if (sigfile == null) {
1314 sigfile = alias;
1315 aliasUsed = true;
1316 }
1317
1318 if (sigfile.length() > 8) {
1319 sigfile = sigfile.substring(0, 8).toUpperCase(Locale.ENGLISH);
1320 } else {
1321 sigfile = sigfile.toUpperCase(Locale.ENGLISH);
1322 }
1323
1324 StringBuilder tmpSigFile = new StringBuilder(sigfile.length());
1325 for (int j = 0; j < sigfile.length(); j++) {
1326 char c = sigfile.charAt(j);
1327 if (!
1328 ((c>= 'A' && c<= 'Z') ||
1329 (c>= '0' && c<= '9') ||
1330 (c == '-') ||
1331 (c == '_'))) {
1332 if (aliasUsed) {
1333 // convert illegal characters from the alias to be _'s
1334 c = '_';
1335 } else {
1336 throw new
1337 RuntimeException(rb.getString
1338 ("signature.filename.must.consist.of.the.following.characters.A.Z.0.9.or."));
1339 }
1340 }
1341 tmpSigFile.append(c);
1342 }
1343
1344 sigfile = tmpSigFile.toString();
1345
1346 String tmpJarName;
1347 if (signedjar == null) tmpJarName = jarName+".sig";
1348 else tmpJarName = signedjar;
1349
1350 File jarFile = new File(jarName);
1351 File signedJarFile = new File(tmpJarName);
1352
1353 // Open the jar (zip) file
1354 try {
1355 zipFile = new ZipFile(jarName);
1356 } catch (IOException ioe) {
1357 error(rb.getString("unable.to.open.jar.file.")+jarName, ioe);
1358 }
1359
1360 FileOutputStream fos = null;
1361 try {
1362 fos = new FileOutputStream(signedJarFile);
1363 } catch (IOException ioe) {
1364 error(rb.getString("unable.to.create.")+tmpJarName, ioe);
1365 }
1366
1367 CertPath cp = CertificateFactory.getInstance("X.509")
1368 .generateCertPath(Arrays.asList(certChain));
1369 JarSigner.Builder builder = new JarSigner.Builder(privateKey, cp);
1370
1371 if (verbose != null) {
1372 builder.eventHandler((action, file) -> {
1373 System.out.println(rb.getString("." + action + ".") + file);
1374 });
1375 }
1376
1377 if (digestalg != null) {
1378 builder.digestAlgorithm(digestalg);
1379 }
1380 if (sigalg != null) {
1381 builder.signatureAlgorithm(sigalg);
1382 }
1383
1384 URI tsaURI = null;
1385
1386 if (tsaUrl != null) {
1387 tsaURI = new URI(tsaUrl);
1388 } else if (tsaAlias != null) {
1389 tsaCert = getTsaCert(tsaAlias);
1390 tsaURI = TimestampedSigner.getTimestampingURI(tsaCert);
1391 }
1392
1393 if (tsaURI != null) {
1394 if (verbose != null) {
1395 System.out.println(
1396 rb.getString("requesting.a.signature.timestamp"));
1397 if (tsaUrl != null) {
1398 System.out.println(rb.getString("TSA.location.") + tsaUrl);
1399 } else if (tsaCert != null) {
1400 System.out.println(rb.getString("TSA.certificate.") +
1401 printCert("", tsaCert, false, null, false));
1402 }
1403 }
1404 builder.tsa(tsaURI);
1405 if (tSADigestAlg != null) {
1406 builder.setProperty("tsaDigestAlg", tSADigestAlg);
1407 }
1408
1409 if (tSAPolicyID != null) {
1410 builder.setProperty("tsaPolicyId", tSAPolicyID);
1411 }
1412 } else {
1413 noTimestamp = true;
1414 }
1415
1416 if (altSignerClass != null) {
1417 builder.setProperty("altSigner", altSignerClass);
1418 if (verbose != null) {
1419 System.out.println(
1420 rb.getString("using.an.alternative.signing.mechanism"));
1421 }
1422 }
1423
1424 if (altSignerClasspath != null) {
1425 builder.setProperty("altSignerPath", altSignerClasspath);
1426 }
1427
1428 builder.signerName(sigfile);
1429
1430 builder.setProperty("sectionsOnly", Boolean.toString(!signManifest));
1431 builder.setProperty("internalSF", Boolean.toString(!externalSF));
1432
1433 try {
1434 builder.build().sign(zipFile, fos);
1435 } catch (JarSignerException e) {
1436 Throwable cause = e.getCause();
1437 if (cause != null && cause instanceof SocketTimeoutException) {
1438 // Provide a helpful message when TSA is beyond a firewall
1439 error(rb.getString("unable.to.sign.jar.") +
1440 rb.getString("no.response.from.the.Timestamping.Authority.") +
1441 "\n -J-Dhttp.proxyHost=<hostname>" +
1442 "\n -J-Dhttp.proxyPort=<portnumber>\n" +
1443 rb.getString("or") +
1444 "\n -J-Dhttps.proxyHost=<hostname> " +
1445 "\n -J-Dhttps.proxyPort=<portnumber> ", e);
1446 } else {
1447 error(rb.getString("unable.to.sign.jar.")+e.getCause(), e.getCause());
1448 }
1449 } finally {
1450 // close the resouces
1451 if (zipFile != null) {
1452 zipFile.close();
1453 zipFile = null;
1454 }
1455
1456 if (fos != null) {
1457 fos.close();
1458 }
1459 }
1460
1461 // no IOException thrown in the follow try clause, so disable
1462 // the try clause.
1463 // try {
1464 if (signedjar == null) {
1465 // attempt an atomic rename. If that fails,
1466 // rename the original jar file, then the signed
1467 // one, then delete the original.
1468 if (!signedJarFile.renameTo(jarFile)) {
1469 File origJar = new File(jarName+".orig");
1470
1471 if (jarFile.renameTo(origJar)) {
1472 if (signedJarFile.renameTo(jarFile)) {
1473 origJar.delete();
1474 } else {
1475 MessageFormat form = new MessageFormat(rb.getString
1476 ("attempt.to.rename.signedJarFile.to.jarFile.failed"));
1477 Object[] source = {signedJarFile, jarFile};
1478 error(form.format(source));
1479 }
1480 } else {
1481 MessageFormat form = new MessageFormat(rb.getString
1482 ("attempt.to.rename.jarFile.to.origJar.failed"));
1483 Object[] source = {jarFile, origJar};
1484 error(form.format(source));
1485 }
1486 }
1487 }
1488
1489 boolean warningAppeared = false;
1490 if (weakAlg != 0 || badKeyUsage || badExtendedKeyUsage || badNetscapeCertType ||
1491 notYetValidCert || chainNotValidated || hasExpiredCert || signerSelfSigned) {
1492 if (strict) {
1493 System.out.println(rb.getString("jar.signed.with.signer.errors."));
1494 System.out.println();
1495 System.out.println(rb.getString("Error."));
1496 } else {
1497 System.out.println(rb.getString("jar.signed."));
1498 System.out.println();
1499 System.out.println(rb.getString("Warning."));
1500 warningAppeared = true;
1501 }
1502
1503 if (badKeyUsage) {
1504 System.out.println(
1505 rb.getString("The.signer.certificate.s.KeyUsage.extension.doesn.t.allow.code.signing."));
1506 }
1507
1508 if (badExtendedKeyUsage) {
1509 System.out.println(
1510 rb.getString("The.signer.certificate.s.ExtendedKeyUsage.extension.doesn.t.allow.code.signing."));
1511 }
1512
1513 if (badNetscapeCertType) {
1514 System.out.println(
1515 rb.getString("The.signer.certificate.s.NetscapeCertType.extension.doesn.t.allow.code.signing."));
1516 }
1517
1518 if (hasExpiredCert) {
1519 System.out.println(
1520 rb.getString("The.signer.certificate.has.expired."));
1521 } else if (notYetValidCert) {
1522 System.out.println(
1523 rb.getString("The.signer.certificate.is.not.yet.valid."));
1524 }
1525
1526 if (chainNotValidated) {
1527 System.out.println(String.format(
1528 rb.getString("The.signer.s.certificate.chain.is.not.validated.reason.1"),
1529 chainNotValidatedReason.getLocalizedMessage()));
1530 }
1531
1532 if (signerSelfSigned) {
1533 System.out.println(
1534 rb.getString("The.signer.s.certificate.is.self.signed."));
1535 }
1536
1537 if ((weakAlg & 1) == 1) {
1538 System.out.println(String.format(
1539 rb.getString("The.1.algorithm.specified.for.the.2.option.is.considered.a.security.risk."),
1540 digestalg, "-digestalg"));
1541 }
1542
1543 if ((weakAlg & 2) == 2) {
1544 System.out.println(String.format(
1545 rb.getString("The.1.algorithm.specified.for.the.2.option.is.considered.a.security.risk."),
1546 sigalg, "-sigalg"));
1547 }
1548 if ((weakAlg & 4) == 4) {
1549 System.out.println(String.format(
1550 rb.getString("The.1.algorithm.specified.for.the.2.option.is.considered.a.security.risk."),
1551 tSADigestAlg, "-tsadigestalg"));
1552 }
1553 if ((weakAlg & 8) == 8) {
1554 System.out.println(String.format(
1555 rb.getString("The.1.signing.key.has.a.keysize.of.2.which.is.considered.a.security.risk."),
1556 privateKey.getAlgorithm(), KeyUtil.getKeySize(privateKey)));
1557 }
1558 } else {
1559 System.out.println(rb.getString("jar.signed."));
1560 }
1561 if (hasExpiringCert || noTimestamp) {
1562 if (!warningAppeared) {
1563 System.out.println();
1564 System.out.println(rb.getString("Warning."));
1565 }
1566
1567 if (hasExpiringCert) {
1568 System.out.println(
1569 rb.getString("The.signer.certificate.will.expire.within.six.months."));
1570 }
1571
1572 if (noTimestamp) {
1573 System.out.println(
1574 String.format(rb.getString("no.timestamp.signing"), expireDate));
1575 }
1576 }
1577
1578 // no IOException thrown in the above try clause, so disable
1579 // the catch clause.
1580 // } catch(IOException ioe) {
1581 // error(rb.getString("unable.to.sign.jar.")+ioe, ioe);
1582 // }
1583 }
1584
1585 /**
1586 * signature-related files include:
1587 * . META-INF/MANIFEST.MF
1588 * . META-INF/SIG-*
1589 * . META-INF/*.SF
1590 * . META-INF/*.DSA
1591 * . META-INF/*.RSA
1592 * . META-INF/*.EC
1593 */
1594 private boolean signatureRelated(String name) {
1595 return SignatureFileVerifier.isSigningRelated(name);
1596 }
1597
1598 Map<CodeSigner,String> cacheForSignerInfo = new IdentityHashMap<>();
1599
1600 /**
1601 * Returns a string of singer info, with a newline at the end
1602 */
1603 private String signerInfo(CodeSigner signer, String tab) {
1604 if (cacheForSignerInfo.containsKey(signer)) {
1605 return cacheForSignerInfo.get(signer);
1606 }
1607 StringBuilder sb = new StringBuilder();
1608 List<? extends Certificate> certs = signer.getSignerCertPath().getCertificates();
1609 // display the signature timestamp, if present
1610 Date timestamp;
1611 Timestamp ts = signer.getTimestamp();
1612 if (ts != null) {
1613 sb.append(printTimestamp(tab, ts));
1614 sb.append('\n');
1615 timestamp = ts.getTimestamp();
1616 } else {
1617 timestamp = null;
1618 noTimestamp = true;
1619 }
1620 // display the certificate(sb). The first one is end-entity cert and
1621 // its KeyUsage should be checked.
1622 boolean first = true;
1623 for (Certificate c : certs) {
1624 sb.append(printCert(tab, c, true, timestamp, first));
1625 sb.append('\n');
1626 first = false;
1627 }
1628 try {
1629 validateCertChain(certs);
1630 } catch (Exception e) {
1631 if (debug) {
1632 e.printStackTrace();
1633 }
1634 if (e.getCause() != null &&
1635 (e.getCause() instanceof CertificateExpiredException ||
1636 e.getCause() instanceof CertificateNotYetValidException)) {
1637 // No more warning, we alreay have hasExpiredCert or notYetValidCert
1638 } else {
1639 chainNotValidated = true;
1640 chainNotValidatedReason = e;
1641 sb.append(tab).append(rb.getString(".CertPath.not.validated."))
1642 .append(e.getLocalizedMessage()).append("]\n"); // TODO
1643 }
1644 }
1645 if (certs.size() == 1
1646 && KeyStoreUtil.isSelfSigned((X509Certificate)certs.get(0))) {
1647 signerSelfSigned = true;
1648 }
1649 String result = sb.toString();
1650 cacheForSignerInfo.put(signer, result);
1651 return result;
1652 }
1653
1654 void loadKeyStore(String keyStoreName, boolean prompt) {
1655
1656 if (!nullStream && keyStoreName == null) {
1657 keyStoreName = System.getProperty("user.home") + File.separator
1658 + ".keystore";
1659 }
1660
1661 try {
1662
1663 certificateFactory = CertificateFactory.getInstance("X.509");
1664 validator = CertPathValidator.getInstance("PKIX");
1665 Set<TrustAnchor> tas = new HashSet<>();
1666 try {
1667 KeyStore caks = KeyStoreUtil.getCacertsKeyStore();
1668 if (caks != null) {
1669 Enumeration<String> aliases = caks.aliases();
1670 while (aliases.hasMoreElements()) {
1671 String a = aliases.nextElement();
1672 try {
1673 tas.add(new TrustAnchor((X509Certificate)caks.getCertificate(a), null));
1674 } catch (Exception e2) {
1675 // ignore, when a SecretkeyEntry does not include a cert
1676 }
1677 }
1678 }
1679 } catch (Exception e) {
1680 // Ignore, if cacerts cannot be loaded
1681 }
1682
1683 if (providerName == null) {
1684 store = KeyStore.getInstance(storetype);
1685 } else {
1686 store = KeyStore.getInstance(storetype, providerName);
1687 }
1688
1689 // Get pass phrase
1690 // XXX need to disable echo; on UNIX, call getpass(char *prompt)Z
1691 // and on NT call ??
1692 if (token && storepass == null && !protectedPath
1693 && !KeyStoreUtil.isWindowsKeyStore(storetype)) {
1694 storepass = getPass
1695 (rb.getString("Enter.Passphrase.for.keystore."));
1696 } else if (!token && storepass == null && prompt) {
1697 storepass = getPass
1698 (rb.getString("Enter.Passphrase.for.keystore."));
1699 }
1700
1701 try {
1702 if (nullStream) {
1703 store.load(null, storepass);
1704 } else {
1705 keyStoreName = keyStoreName.replace(File.separatorChar, '/');
1706 URL url = null;
1707 try {
1708 url = new URL(keyStoreName);
1709 } catch (java.net.MalformedURLException e) {
1710 // try as file
1711 url = new File(keyStoreName).toURI().toURL();
1712 }
1713 InputStream is = null;
1714 try {
1715 is = url.openStream();
1716 store.load(is, storepass);
1717 } finally {
1718 if (is != null) {
1719 is.close();
1720 }
1721 }
1722 }
1723 Enumeration<String> aliases = store.aliases();
1724 while (aliases.hasMoreElements()) {
1725 String a = aliases.nextElement();
1726 try {
1727 X509Certificate c = (X509Certificate)store.getCertificate(a);
1728 // Only add TrustedCertificateEntry and self-signed
1729 // PrivateKeyEntry
1730 if (store.isCertificateEntry(a) ||
1731 c.getSubjectDN().equals(c.getIssuerDN())) {
1732 tas.add(new TrustAnchor(c, null));
1733 }
1734 } catch (Exception e2) {
1735 // ignore, when a SecretkeyEntry does not include a cert
1736 }
1737 }
1738 } finally {
1739 try {
1740 pkixParameters = new PKIXParameters(tas);
1741 pkixParameters.setRevocationEnabled(false);
1742 } catch (InvalidAlgorithmParameterException ex) {
1743 // Only if tas is empty
1744 }
1745 }
1746 } catch (IOException ioe) {
1747 throw new RuntimeException(rb.getString("keystore.load.") +
1748 ioe.getMessage());
1749 } catch (java.security.cert.CertificateException ce) {
1750 throw new RuntimeException(rb.getString("certificate.exception.") +
1751 ce.getMessage());
1752 } catch (NoSuchProviderException pe) {
1753 throw new RuntimeException(rb.getString("keystore.load.") +
1754 pe.getMessage());
1755 } catch (NoSuchAlgorithmException nsae) {
1756 throw new RuntimeException(rb.getString("keystore.load.") +
1757 nsae.getMessage());
1758 } catch (KeyStoreException kse) {
1759 throw new RuntimeException
1760 (rb.getString("unable.to.instantiate.keystore.class.") +
1761 kse.getMessage());
1762 }
1763 }
1764
1765 X509Certificate getTsaCert(String alias) {
1766
1767 java.security.cert.Certificate cs = null;
1768
1769 try {
1770 cs = store.getCertificate(alias);
1771 } catch (KeyStoreException kse) {
1772 // this never happens, because keystore has been loaded
1773 }
1774 if (cs == null || (!(cs instanceof X509Certificate))) {
1775 MessageFormat form = new MessageFormat(rb.getString
1776 ("Certificate.not.found.for.alias.alias.must.reference.a.valid.KeyStore.entry.containing.an.X.509.public.key.certificate.for.the"));
1777 Object[] source = {alias, alias};
1778 error(form.format(source));
1779 }
1780 return (X509Certificate) cs;
1781 }
1782
1783 /**
1784 * Check if userCert is designed to be a code signer
1785 * @param userCert the certificate to be examined
1786 * @param bad 3 booleans to show if the KeyUsage, ExtendedKeyUsage,
1787 * NetscapeCertType has codeSigning flag turned on.
1788 * If null, the class field badKeyUsage, badExtendedKeyUsage,
1789 * badNetscapeCertType will be set.
1790 */
1791 void checkCertUsage(X509Certificate userCert, boolean[] bad) {
1792
1793 // Can act as a signer?
1794 // 1. if KeyUsage, then [0:digitalSignature] or
1795 // [1:nonRepudiation] should be true
1796 // 2. if ExtendedKeyUsage, then should contains ANY or CODE_SIGNING
1797 // 3. if NetscapeCertType, then should contains OBJECT_SIGNING
1798 // 1,2,3 must be true
1799
1800 if (bad != null) {
1801 bad[0] = bad[1] = bad[2] = false;
1802 }
1803
1804 boolean[] keyUsage = userCert.getKeyUsage();
1805 if (keyUsage != null) {
1806 keyUsage = Arrays.copyOf(keyUsage, 9);
1807 if (!keyUsage[0] && !keyUsage[1]) {
1808 if (bad != null) {
1809 bad[0] = true;
1810 badKeyUsage = true;
1811 }
1812 }
1813 }
1814
1815 try {
1816 List<String> xKeyUsage = userCert.getExtendedKeyUsage();
1817 if (xKeyUsage != null) {
1818 if (!xKeyUsage.contains("2.5.29.37.0") // anyExtendedKeyUsage
1819 && !xKeyUsage.contains("1.3.6.1.5.5.7.3.3")) { // codeSigning
1820 if (bad != null) {
1821 bad[1] = true;
1822 badExtendedKeyUsage = true;
1823 }
1824 }
1825 }
1826 } catch (java.security.cert.CertificateParsingException e) {
1827 // shouldn't happen
1828 }
1829
1830 try {
1831 // OID_NETSCAPE_CERT_TYPE
1832 byte[] netscapeEx = userCert.getExtensionValue
1833 ("2.16.840.1.113730.1.1");
1834 if (netscapeEx != null) {
1835 DerInputStream in = new DerInputStream(netscapeEx);
1836 byte[] encoded = in.getOctetString();
1837 encoded = new DerValue(encoded).getUnalignedBitString()
1838 .toByteArray();
1839
1840 NetscapeCertTypeExtension extn =
1841 new NetscapeCertTypeExtension(encoded);
1842
1843 Boolean val = extn.get(NetscapeCertTypeExtension.OBJECT_SIGNING);
1844 if (!val) {
1845 if (bad != null) {
1846 bad[2] = true;
1847 badNetscapeCertType = true;
1848 }
1849 }
1850 }
1851 } catch (IOException e) {
1852 //
1853 }
1854 }
1855
1856 void getAliasInfo(String alias) {
1857
1858 Key key = null;
1859
1860 try {
1861 java.security.cert.Certificate[] cs = null;
1862 if (altCertChain != null) {
1863 try (FileInputStream fis = new FileInputStream(altCertChain)) {
1864 cs = CertificateFactory.getInstance("X.509").
1865 generateCertificates(fis).
1866 toArray(new Certificate[0]);
1867 } catch (FileNotFoundException ex) {
1868 error(rb.getString("File.specified.by.certchain.does.not.exist"));
1869 } catch (CertificateException | IOException ex) {
1870 error(rb.getString("Cannot.restore.certchain.from.file.specified"));
1871 }
1872 } else {
1873 try {
1874 cs = store.getCertificateChain(alias);
1875 } catch (KeyStoreException kse) {
1876 // this never happens, because keystore has been loaded
1877 }
1878 }
1879 if (cs == null || cs.length == 0) {
1880 if (altCertChain != null) {
1881 error(rb.getString
1882 ("Certificate.chain.not.found.in.the.file.specified."));
1883 } else {
1884 MessageFormat form = new MessageFormat(rb.getString
1885 ("Certificate.chain.not.found.for.alias.alias.must.reference.a.valid.KeyStore.key.entry.containing.a.private.key.and"));
1886 Object[] source = {alias, alias};
1887 error(form.format(source));
1888 }
1889 }
1890
1891 certChain = new X509Certificate[cs.length];
1892 for (int i=0; i<cs.length; i++) {
1893 if (!(cs[i] instanceof X509Certificate)) {
1894 error(rb.getString
1895 ("found.non.X.509.certificate.in.signer.s.chain"));
1896 }
1897 certChain[i] = (X509Certificate)cs[i];
1898 }
1899
1900 // We don't meant to print anything, the next call
1901 // checks validity and keyUsage etc
1902 printCert("", certChain[0], true, null, true);
1903
1904 try {
1905 validateCertChain(Arrays.asList(certChain));
1906 } catch (Exception e) {
1907 if (debug) {
1908 e.printStackTrace();
1909 }
1910 if (e.getCause() != null &&
1911 (e.getCause() instanceof CertificateExpiredException ||
1912 e.getCause() instanceof CertificateNotYetValidException)) {
1913 // No more warning, we already have hasExpiredCert or notYetValidCert
1914 } else {
1915 chainNotValidated = true;
1916 chainNotValidatedReason = e;
1917 }
1918 }
1919
1920 if (KeyStoreUtil.isSelfSigned(certChain[0])) {
1921 signerSelfSigned = true;
1922 }
1923
1924 try {
1925 if (!token && keypass == null)
1926 key = store.getKey(alias, storepass);
1927 else
1928 key = store.getKey(alias, keypass);
1929 } catch (UnrecoverableKeyException e) {
1930 if (token) {
1931 throw e;
1932 } else if (keypass == null) {
1933 // Did not work out, so prompt user for key password
1934 MessageFormat form = new MessageFormat(rb.getString
1935 ("Enter.key.password.for.alias."));
1936 Object[] source = {alias};
1937 keypass = getPass(form.format(source));
1938 key = store.getKey(alias, keypass);
1939 }
1940 }
1941 } catch (NoSuchAlgorithmException e) {
1942 error(e.getMessage());
1943 } catch (UnrecoverableKeyException e) {
1944 error(rb.getString("unable.to.recover.key.from.keystore"));
1945 } catch (KeyStoreException kse) {
1946 // this never happens, because keystore has been loaded
1947 }
1948
1949 if (!(key instanceof PrivateKey)) {
1950 MessageFormat form = new MessageFormat(rb.getString
1951 ("key.associated.with.alias.not.a.private.key"));
1952 Object[] source = {alias};
1953 error(form.format(source));
1954 } else {
1955 privateKey = (PrivateKey)key;
1956 }
1957 }
1958
1959 void error(String message) {
1960 System.out.println(rb.getString("jarsigner.")+message);
1961 System.exit(1);
1962 }
1963
1964
1965 void error(String message, Throwable e) {
1966 System.out.println(rb.getString("jarsigner.")+message);
1967 if (debug) {
1968 e.printStackTrace();
1969 }
1970 System.exit(1);
1971 }
1972
1973 void validateCertChain(List<? extends Certificate> certs) throws Exception {
1974 int cpLen = 0;
1975 out: for (; cpLen<certs.size(); cpLen++) {
1976 for (TrustAnchor ta: pkixParameters.getTrustAnchors()) {
1977 if (ta.getTrustedCert().equals(certs.get(cpLen))) {
1978 break out;
1979 }
1980 }
1981 }
1982 if (cpLen > 0) {
1983 CertPath cp = certificateFactory.generateCertPath(
1984 (cpLen == certs.size())? certs: certs.subList(0, cpLen));
1985 validator.validate(cp, pkixParameters);
1986 }
1987 }
1988
1989 char[] getPass(String prompt) {
1990 System.err.print(prompt);
1991 System.err.flush();
1992 try {
1993 char[] pass = Password.readPassword(System.in);
1994
1995 if (pass == null) {
1996 error(rb.getString("you.must.enter.key.password"));
1997 } else {
1998 return pass;
1999 }
2000 } catch (IOException ioe) {
2001 error(rb.getString("unable.to.read.password.")+ioe.getMessage());
2002 }
2003 // this shouldn't happen
2004 return null;
2005 }
2006 }