rev 15874 : 8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar

   1 /*
   2  * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package sun.security.tools.jarsigner;
  27 
  28 import java.io.*;
  29 import java.util.*;
  30 import java.util.zip.*;
  31 import java.util.jar.*;
  32 import java.net.URI;
  33 import java.text.Collator;
  34 import java.text.MessageFormat;
  35 import java.security.cert.Certificate;
  36 import java.security.cert.X509Certificate;
  37 import java.security.cert.CertificateException;
  38 import java.security.*;
  39 
  40 import java.net.SocketTimeoutException;
  41 import java.net.URL;
  42 import java.security.cert.CertPath;
  43 import java.security.cert.CertPathValidator;
  44 import java.security.cert.CertificateExpiredException;
  45 import java.security.cert.CertificateFactory;
  46 import java.security.cert.CertificateNotYetValidException;
  47 import java.security.cert.PKIXParameters;
  48 import java.security.cert.TrustAnchor;
  49 import java.util.Map.Entry;
  50 
  51 import jdk.security.jarsigner.JarSigner;
  52 import jdk.security.jarsigner.JarSignerException;
  53 import sun.security.pkcs.PKCS7;
  54 import sun.security.pkcs.SignerInfo;
  55 import sun.security.timestamp.TimestampToken;
  56 import sun.security.tools.KeyStoreUtil;
  57 import sun.security.x509.*;
  58 import sun.security.util.*;
  59 
  60 
  61 /**
  62  * <p>The jarsigner utility.
  63  *
  64  * The exit codes for the main method are:
  65  *
  66  * 0: success
  67  * 1: any error that the jar cannot be signed or verified, including:
  68  *      keystore loading error
  69  *      TSP communication error
  70  *      jarsigner command line error...
  71  * otherwise: error codes from -strict
  72  *
  73  * @author Roland Schemers
  74  * @author Jan Luehe
  75  */
  76 public class Main {
  77 
  78     // for i18n
  79     private static final java.util.ResourceBundle rb =
  80         java.util.ResourceBundle.getBundle
  81         ("sun.security.tools.jarsigner.Resources");
  82     private static final Collator collator = Collator.getInstance();
  83     static {
  84         // this is for case insensitive string comparisions
  85         collator.setStrength(Collator.PRIMARY);
  86     }
  87 
  88     private static final String NONE = "NONE";
  89     private static final String P11KEYSTORE = "PKCS11";
  90 
  91     private static final long SIX_MONTHS = 180*24*60*60*1000L; //milliseconds
  92 
  93     private static final DisabledAlgorithmConstraints DISABLED_CHECK =
  94             new DisabledAlgorithmConstraints(
  95                     DisabledAlgorithmConstraints.PROPERTY_JAR_DISABLED_ALGS);
  96 
  97     private static final Set<CryptoPrimitive> DIGEST_PRIMITIVE_SET = Collections
  98             .unmodifiableSet(EnumSet.of(CryptoPrimitive.MESSAGE_DIGEST));
  99     private static final Set<CryptoPrimitive> SIG_PRIMITIVE_SET = Collections
 100             .unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));
 101 
 102     // Attention:
 103     // This is the entry that get launched by the security tool jarsigner.
 104     public static void main(String args[]) throws Exception {
 105         Main js = new Main();
 106         js.run(args);
 107     }
 108 
 109     static final String VERSION = "1.0";
 110 
 111     static final int IN_KEYSTORE = 0x01;        // signer is in keystore
 112     static final int NOT_ALIAS = 0x04;          // alias list is NOT empty and
 113                                                 // signer is not in alias list
 114     static final int SIGNED_BY_ALIAS = 0x08;    // signer is in alias list
 115 
 116     X509Certificate[] certChain;    // signer's cert chain (when composing)
 117     PrivateKey privateKey;          // private key
 118     KeyStore store;                 // the keystore specified by -keystore
 119                                     // or the default keystore, never null
 120 
 121     String keystore; // key store file
 122     boolean nullStream = false; // null keystore input stream (NONE)
 123     boolean token = false; // token-based keystore
 124     String jarfile;  // jar files to sign or verify
 125     String alias;    // alias to sign jar with
 126     List<String> ckaliases = new ArrayList<>(); // aliases in -verify
 127     char[] storepass; // keystore password
 128     boolean protectedPath; // protected authentication path
 129     String storetype; // keystore type
 130     String providerName; // provider name
 131     List<String> providers = null; // list of provider names
 132     List<String> providerClasses = null; // list of provider classes
 133     // arguments for provider constructors
 134     HashMap<String,String> providerArgs = new HashMap<>();
 135     char[] keypass; // private key password
 136     String sigfile; // name of .SF file
 137     String sigalg; // name of signature algorithm
 138     String digestalg; // name of digest algorithm
 139     String signedjar; // output filename
 140     String tsaUrl; // location of the Timestamping Authority
 141     String tsaAlias; // alias for the Timestamping Authority's certificate
 142     String altCertChain; // file to read alternative cert chain from
 143     String tSAPolicyID;
 144     String tSADigestAlg;
 145     boolean verify = false; // verify the jar
 146     String verbose = null; // verbose output when signing/verifying
 147     boolean showcerts = false; // show certs when verifying
 148     boolean debug = false; // debug
 149     boolean signManifest = true; // "sign" the whole manifest
 150     boolean externalSF = true; // leave the .SF out of the PKCS7 block
 151     boolean strict = false;  // treat warnings as error
 152 
 153     // read zip entry raw bytes
 154     private String altSignerClass = null;
 155     private String altSignerClasspath = null;
 156     private ZipFile zipFile = null;
 157 
 158     // Informational warnings
 159     private boolean hasExpiringCert = false;
 160     private boolean noTimestamp = false;
 161     private Date expireDate = new Date(0L);     // used in noTimestamp warning
 162 
 163     // Severe warnings
 164     private int weakAlg = 0; // 1. digestalg, 2. sigalg, 4. tsadigestalg
 165     private boolean hasExpiredCert = false;
 166     private boolean notYetValidCert = false;
 167     private boolean chainNotValidated = false;
 168     private boolean notSignedByAlias = false;
 169     private boolean aliasNotInStore = false;
 170     private boolean hasUnsignedEntry = false;
 171     private boolean badKeyUsage = false;
 172     private boolean badExtendedKeyUsage = false;
 173     private boolean badNetscapeCertType = false;
 174     private boolean signerSelfSigned = false;
 175 
 176     private Throwable chainNotValidatedReason = null;
 177 
 178     private boolean seeWeak = false;
 179 
 180     CertificateFactory certificateFactory;
 181     CertPathValidator validator;
 182     PKIXParameters pkixParameters;
 183 
 184     public void run(String args[]) {
 185         try {
 186             args = parseArgs(args);
 187 
 188             // Try to load and install the specified providers
 189             if (providers != null) {
 190                 for (String provName: providers) {
 191                     try {
 192                         KeyStoreUtil.loadProviderByName(provName,
 193                                 providerArgs.get(provName));
 194                         if (debug) {
 195                             System.out.println("loadProviderByName: " + provName);
 196                         }
 197                     } catch (IllegalArgumentException e) {
 198                         throw new Exception(String.format(rb.getString(
 199                                 "provider.name.not.found"), provName));
 200                     }
 201                 }
 202             }
 203 
 204             if (providerClasses != null) {
 205                 ClassLoader cl = ClassLoader.getSystemClassLoader();
 206                 for (String provClass: providerClasses) {
 207                     try {
 208                         KeyStoreUtil.loadProviderByClass(provClass,
 209                                 providerArgs.get(provClass), cl);
 210                         if (debug) {
 211                             System.out.println("loadProviderByClass: " + provClass);
 212                         }
 213                     } catch (ClassCastException cce) {
 214                         throw new Exception(String.format(rb.getString(
 215                                 "provclass.not.a.provider"), provClass));
 216                     } catch (IllegalArgumentException e) {
 217                         throw new Exception(String.format(rb.getString(
 218                                 "provider.class.not.found"), provClass), e.getCause());
 219                     }
 220                 }
 221             }
 222 
 223             if (verify) {
 224                 try {
 225                     loadKeyStore(keystore, false);
 226                 } catch (Exception e) {
 227                     if ((keystore != null) || (storepass != null)) {
 228                         System.out.println(rb.getString("jarsigner.error.") +
 229                                         e.getMessage());
 230                         if (debug) {
 231                             e.printStackTrace();
 232                         }
 233                         System.exit(1);
 234                     }
 235                 }
 236                 /*              if (debug) {
 237                     SignatureFileVerifier.setDebug(true);
 238                     ManifestEntryVerifier.setDebug(true);
 239                 }
 240                 */
 241                 verifyJar(jarfile);
 242             } else {
 243                 loadKeyStore(keystore, true);
 244                 getAliasInfo(alias);
 245 
 246                 signJar(jarfile, alias);
 247             }
 248         } catch (Exception e) {
 249             System.out.println(rb.getString("jarsigner.error.") + e);
 250             if (debug) {
 251                 e.printStackTrace();
 252             }
 253             System.exit(1);
 254         } finally {
 255             // zero-out private key password
 256             if (keypass != null) {
 257                 Arrays.fill(keypass, ' ');
 258                 keypass = null;
 259             }
 260             // zero-out keystore password
 261             if (storepass != null) {
 262                 Arrays.fill(storepass, ' ');
 263                 storepass = null;
 264             }
 265         }
 266 
 267         if (strict) {
 268             int exitCode = 0;
 269             if (weakAlg != 0 || chainNotValidated || hasExpiredCert || notYetValidCert || signerSelfSigned) {
 270                 exitCode |= 4;
 271             }
 272             if (badKeyUsage || badExtendedKeyUsage || badNetscapeCertType) {
 273                 exitCode |= 8;
 274             }
 275             if (hasUnsignedEntry) {
 276                 exitCode |= 16;
 277             }
 278             if (notSignedByAlias || aliasNotInStore) {
 279                 exitCode |= 32;
 280             }
 281             if (exitCode != 0) {
 282                 System.exit(exitCode);
 283             }
 284         }
 285     }
 286 
 287     /*
 288      * Parse command line arguments.
 289      */
 290     String[] parseArgs(String args[]) throws Exception {
 291         /* parse flags */
 292         int n = 0;
 293 
 294         if (args.length == 0) fullusage();
 295 
 296         String confFile = null;
 297         String command = "-sign";
 298         for (n=0; n < args.length; n++) {
 299             if (collator.compare(args[n], "-verify") == 0) {
 300                 command = "-verify";
 301             } else if (collator.compare(args[n], "-conf") == 0) {
 302                 if (n == args.length - 1) {
 303                     usageNoArg();
 304                 }
 305                 confFile = args[++n];
 306             }
 307         }
 308 
 309         if (confFile != null) {
 310             args = KeyStoreUtil.expandArgs(
 311                     "jarsigner", confFile, command, null, args);
 312         }
 313 
 314         debug = Arrays.stream(args).anyMatch(
 315                 x -> collator.compare(x, "-debug") == 0);
 316 
 317         if (debug) {
 318             // No need to localize debug output
 319             System.out.println("Command line args: " +
 320                     Arrays.toString(args));
 321         }
 322 
 323         for (n=0; n < args.length; n++) {
 324 
 325             String flags = args[n];
 326             String modifier = null;
 327 
 328             if (flags.startsWith("-")) {
 329                 int pos = flags.indexOf(':');
 330                 if (pos > 0) {
 331                     modifier = flags.substring(pos+1);
 332                     flags = flags.substring(0, pos);
 333                 }
 334             }
 335 
 336             if (!flags.startsWith("-")) {
 337                 if (jarfile == null) {
 338                     jarfile = flags;
 339                 } else {
 340                     alias = flags;
 341                     ckaliases.add(alias);
 342                 }
 343             } else if (collator.compare(flags, "-conf") == 0) {
 344                 if (++n == args.length) usageNoArg();
 345             } else if (collator.compare(flags, "-keystore") == 0) {
 346                 if (++n == args.length) usageNoArg();
 347                 keystore = args[n];
 348             } else if (collator.compare(flags, "-storepass") ==0) {
 349                 if (++n == args.length) usageNoArg();
 350                 storepass = getPass(modifier, args[n]);
 351             } else if (collator.compare(flags, "-storetype") ==0) {
 352                 if (++n == args.length) usageNoArg();
 353                 storetype = args[n];
 354             } else if (collator.compare(flags, "-providerName") ==0) {
 355                 if (++n == args.length) usageNoArg();
 356                 providerName = args[n];
 357             } else if (collator.compare(flags, "-provider") == 0 ||
 358                         collator.compare(flags, "-providerClass") == 0) {
 359                 if (++n == args.length) usageNoArg();
 360                 if (providerClasses == null) {
 361                     providerClasses = new ArrayList<>(3);
 362                 }
 363                 providerClasses.add(args[n]);
 364 
 365                 if (args.length > (n+1)) {
 366                     flags = args[n+1];
 367                     if (collator.compare(flags, "-providerArg") == 0) {
 368                         if (args.length == (n+2)) usageNoArg();
 369                         providerArgs.put(args[n], args[n+2]);
 370                         n += 2;
 371                     }
 372                 }
 373             } else if (collator.compare(flags, "-addprovider") == 0) {
 374                 if (++n == args.length) usageNoArg();
 375                 if (providers == null) {
 376                     providers = new ArrayList<>(3);
 377                 }
 378                 providers.add(args[n]);
 379 
 380                 if (args.length > (n+1)) {
 381                     flags = args[n+1];
 382                     if (collator.compare(flags, "-providerArg") == 0) {
 383                         if (args.length == (n+2)) usageNoArg();
 384                         providerArgs.put(args[n], args[n+2]);
 385                         n += 2;
 386                     }
 387                 }
 388             } else if (collator.compare(flags, "-protected") ==0) {
 389                 protectedPath = true;
 390             } else if (collator.compare(flags, "-certchain") ==0) {
 391                 if (++n == args.length) usageNoArg();
 392                 altCertChain = args[n];
 393             } else if (collator.compare(flags, "-tsapolicyid") ==0) {
 394                 if (++n == args.length) usageNoArg();
 395                 tSAPolicyID = args[n];
 396             } else if (collator.compare(flags, "-tsadigestalg") ==0) {
 397                 if (++n == args.length) usageNoArg();
 398                 tSADigestAlg = args[n];
 399             } else if (collator.compare(flags, "-debug") ==0) {
 400                 // Already processed
 401             } else if (collator.compare(flags, "-keypass") ==0) {
 402                 if (++n == args.length) usageNoArg();
 403                 keypass = getPass(modifier, args[n]);
 404             } else if (collator.compare(flags, "-sigfile") ==0) {
 405                 if (++n == args.length) usageNoArg();
 406                 sigfile = args[n];
 407             } else if (collator.compare(flags, "-signedjar") ==0) {
 408                 if (++n == args.length) usageNoArg();
 409                 signedjar = args[n];
 410             } else if (collator.compare(flags, "-tsa") ==0) {
 411                 if (++n == args.length) usageNoArg();
 412                 tsaUrl = args[n];
 413             } else if (collator.compare(flags, "-tsacert") ==0) {
 414                 if (++n == args.length) usageNoArg();
 415                 tsaAlias = args[n];
 416             } else if (collator.compare(flags, "-altsigner") ==0) {
 417                 if (++n == args.length) usageNoArg();
 418                 altSignerClass = args[n];
 419                 System.err.println(
 420                         rb.getString("This.option.is.deprecated") +
 421                                 "-altsigner");
 422             } else if (collator.compare(flags, "-altsignerpath") ==0) {
 423                 if (++n == args.length) usageNoArg();
 424                 altSignerClasspath = args[n];
 425                 System.err.println(
 426                         rb.getString("This.option.is.deprecated") +
 427                                 "-altsignerpath");
 428             } else if (collator.compare(flags, "-sectionsonly") ==0) {
 429                 signManifest = false;
 430             } else if (collator.compare(flags, "-internalsf") ==0) {
 431                 externalSF = false;
 432             } else if (collator.compare(flags, "-verify") ==0) {
 433                 verify = true;
 434             } else if (collator.compare(flags, "-verbose") ==0) {
 435                 verbose = (modifier != null) ? modifier : "all";
 436             } else if (collator.compare(flags, "-sigalg") ==0) {
 437                 if (++n == args.length) usageNoArg();
 438                 sigalg = args[n];
 439             } else if (collator.compare(flags, "-digestalg") ==0) {
 440                 if (++n == args.length) usageNoArg();
 441                 digestalg = args[n];
 442             } else if (collator.compare(flags, "-certs") ==0) {
 443                 showcerts = true;
 444             } else if (collator.compare(flags, "-strict") ==0) {
 445                 strict = true;
 446             } else if (collator.compare(flags, "-h") == 0 ||
 447                         collator.compare(flags, "-help") == 0) {
 448                 fullusage();
 449             } else {
 450                 System.err.println(
 451                         rb.getString("Illegal.option.") + flags);
 452                 usage();
 453             }
 454         }
 455 
 456         // -certs must always be specified with -verbose
 457         if (verbose == null) showcerts = false;
 458 
 459         if (jarfile == null) {
 460             System.err.println(rb.getString("Please.specify.jarfile.name"));
 461             usage();
 462         }
 463         if (!verify && alias == null) {
 464             System.err.println(rb.getString("Please.specify.alias.name"));
 465             usage();
 466         }
 467         if (!verify && ckaliases.size() > 1) {
 468             System.err.println(rb.getString("Only.one.alias.can.be.specified"));
 469             usage();
 470         }
 471 
 472         if (storetype == null) {
 473             storetype = KeyStore.getDefaultType();
 474         }
 475         storetype = KeyStoreUtil.niceStoreTypeName(storetype);
 476 
 477         try {
 478             if (signedjar != null && new File(signedjar).getCanonicalPath().equals(
 479                     new File(jarfile).getCanonicalPath())) {
 480                 signedjar = null;
 481             }
 482         } catch (IOException ioe) {
 483             // File system error?
 484             // Just ignore it.
 485         }
 486 
 487         if (P11KEYSTORE.equalsIgnoreCase(storetype) ||
 488                 KeyStoreUtil.isWindowsKeyStore(storetype)) {
 489             token = true;
 490             if (keystore == null) {
 491                 keystore = NONE;
 492             }
 493         }
 494 
 495         if (NONE.equals(keystore)) {
 496             nullStream = true;
 497         }
 498 
 499         if (token && !nullStream) {
 500             System.err.println(MessageFormat.format(rb.getString
 501                 (".keystore.must.be.NONE.if.storetype.is.{0}"), storetype));
 502             usage();
 503         }
 504 
 505         if (token && keypass != null) {
 506             System.err.println(MessageFormat.format(rb.getString
 507                 (".keypass.can.not.be.specified.if.storetype.is.{0}"), storetype));
 508             usage();
 509         }
 510 
 511         if (protectedPath) {
 512             if (storepass != null || keypass != null) {
 513                 System.err.println(rb.getString
 514                         ("If.protected.is.specified.then.storepass.and.keypass.must.not.be.specified"));
 515                 usage();
 516             }
 517         }
 518         if (KeyStoreUtil.isWindowsKeyStore(storetype)) {
 519             if (storepass != null || keypass != null) {
 520                 System.err.println(rb.getString
 521                         ("If.keystore.is.not.password.protected.then.storepass.and.keypass.must.not.be.specified"));
 522                 usage();
 523             }
 524         }
 525         return args;
 526     }
 527 
 528     static char[] getPass(String modifier, String arg) {
 529         char[] output = KeyStoreUtil.getPassWithModifier(modifier, arg, rb);
 530         if (output != null) return output;
 531         usage();
 532         return null;    // Useless, usage() already exit
 533     }
 534 
 535     static void usageNoArg() {
 536         System.out.println(rb.getString("Option.lacks.argument"));
 537         usage();
 538     }
 539 
 540     static void usage() {
 541         System.out.println();
 542         System.out.println(rb.getString("Please.type.jarsigner.help.for.usage"));
 543         System.exit(1);
 544     }
 545 
 546     static void fullusage() {
 547         System.out.println(rb.getString
 548                 ("Usage.jarsigner.options.jar.file.alias"));
 549         System.out.println(rb.getString
 550                 (".jarsigner.verify.options.jar.file.alias."));
 551         System.out.println();
 552         System.out.println(rb.getString
 553                 (".keystore.url.keystore.location"));
 554         System.out.println();
 555         System.out.println(rb.getString
 556                 (".storepass.password.password.for.keystore.integrity"));
 557         System.out.println();
 558         System.out.println(rb.getString
 559                 (".storetype.type.keystore.type"));
 560         System.out.println();
 561         System.out.println(rb.getString
 562                 (".keypass.password.password.for.private.key.if.different."));
 563         System.out.println();
 564         System.out.println(rb.getString
 565                 (".certchain.file.name.of.alternative.certchain.file"));
 566         System.out.println();
 567         System.out.println(rb.getString
 568                 (".sigfile.file.name.of.SF.DSA.file"));
 569         System.out.println();
 570         System.out.println(rb.getString
 571                 (".signedjar.file.name.of.signed.JAR.file"));
 572         System.out.println();
 573         System.out.println(rb.getString
 574                 (".digestalg.algorithm.name.of.digest.algorithm"));
 575         System.out.println();
 576         System.out.println(rb.getString
 577                 (".sigalg.algorithm.name.of.signature.algorithm"));
 578         System.out.println();
 579         System.out.println(rb.getString
 580                 (".verify.verify.a.signed.JAR.file"));
 581         System.out.println();
 582         System.out.println(rb.getString
 583                 (".verbose.suboptions.verbose.output.when.signing.verifying."));
 584         System.out.println(rb.getString
 585                 (".suboptions.can.be.all.grouped.or.summary"));
 586         System.out.println();
 587         System.out.println(rb.getString
 588                 (".certs.display.certificates.when.verbose.and.verifying"));
 589         System.out.println();
 590         System.out.println(rb.getString
 591                 (".tsa.url.location.of.the.Timestamping.Authority"));
 592         System.out.println();
 593         System.out.println(rb.getString
 594                 (".tsacert.alias.public.key.certificate.for.Timestamping.Authority"));
 595         System.out.println();
 596         System.out.println(rb.getString
 597                 (".tsapolicyid.tsapolicyid.for.Timestamping.Authority"));
 598         System.out.println();
 599         System.out.println(rb.getString
 600                 (".tsadigestalg.algorithm.of.digest.data.in.timestamping.request"));
 601         System.out.println();
 602         System.out.println(rb.getString
 603                 (".altsigner.class.class.name.of.an.alternative.signing.mechanism"));
 604         System.out.println();
 605         System.out.println(rb.getString
 606                 (".altsignerpath.pathlist.location.of.an.alternative.signing.mechanism"));
 607         System.out.println();
 608         System.out.println(rb.getString
 609                 (".internalsf.include.the.SF.file.inside.the.signature.block"));
 610         System.out.println();
 611         System.out.println(rb.getString
 612                 (".sectionsonly.don.t.compute.hash.of.entire.manifest"));
 613         System.out.println();
 614         System.out.println(rb.getString
 615                 (".protected.keystore.has.protected.authentication.path"));
 616         System.out.println();
 617         System.out.println(rb.getString
 618                 (".providerName.name.provider.name"));
 619         System.out.println();
 620         System.out.println(rb.getString
 621                 (".add.provider.option"));
 622         System.out.println(rb.getString
 623                 (".providerArg.option.1"));
 624         System.out.println();
 625         System.out.println(rb.getString
 626                 (".providerClass.option"));
 627         System.out.println(rb.getString
 628                 (".providerArg.option.2"));
 629         System.out.println();
 630         System.out.println(rb.getString
 631                 (".strict.treat.warnings.as.errors"));
 632         System.out.println();
 633         System.out.println(rb.getString
 634                 (".conf.url.specify.a.pre.configured.options.file"));
 635         System.out.println();
 636 
 637         System.exit(0);
 638     }
 639 
 640     void verifyJar(String jarName)
 641         throws Exception
 642     {
 643         boolean anySigned = false;  // if there exists entry inside jar signed
 644         JarFile jf = null;
 645         Map<String,String> digestMap = new HashMap<>();
 646         Map<String,PKCS7> sigMap = new HashMap<>();
 647         Map<String,String> sigNameMap = new HashMap<>();
 648         Map<String,String> unparsableSignatures = new HashMap<>();
 649 
 650         try {
 651             jf = new JarFile(jarName, true);
 652             Vector<JarEntry> entriesVec = new Vector<>();
 653             byte[] buffer = new byte[8192];
 654 
 655             Enumeration<JarEntry> entries = jf.entries();
 656             while (entries.hasMoreElements()) {
 657                 JarEntry je = entries.nextElement();
 658                 entriesVec.addElement(je);
 659                 try (InputStream is = jf.getInputStream(je)) {
 660                     String name = je.getName();
 661                     if (signatureRelated(name)
 662                             && SignatureFileVerifier.isBlockOrSF(name)) {
 663                         String alias = name.substring(name.lastIndexOf('/') + 1,
 664                                 name.lastIndexOf('.'));
 665                         try {
 666                             if (name.endsWith(".SF")) {
 667                                 Manifest sf = new Manifest(is);
 668                                 boolean found = false;
 669                                 for (Object obj : sf.getMainAttributes().keySet()) {
 670                                     String key = obj.toString();
 671                                     if (key.endsWith("-Digest-Manifest")) {
 672                                         digestMap.put(alias,
 673                                                 key.substring(0, key.length() - 16));
 674                                         found = true;
 675                                         break;
 676                                     }
 677                                 }
 678                                 if (!found) {
 679                                     unparsableSignatures.putIfAbsent(alias,
 680                                         String.format(
 681                                             rb.getString("history.unparsable"),
 682                                             name));
 683                                 }
 684                             } else {
 685                                 sigNameMap.put(alias, name);
 686                                 sigMap.put(alias, new PKCS7(is));
 687                             }
 688                         } catch (IOException ioe) {
 689                             unparsableSignatures.putIfAbsent(alias, String.format(
 690                                     rb.getString("history.unparsable"), name));
 691                         }
 692                     } else {
 693                         while (is.read(buffer, 0, buffer.length) != -1) {
 694                             // we just read. this will throw a SecurityException
 695                             // if  a signature/digest check fails.
 696                         }



 697                     }
 698                 }
 699             }
 700 
 701             Manifest man = jf.getManifest();
 702             boolean hasSignature = false;
 703 
 704             // The map to record display info, only used when -verbose provided
 705             //      key: signer info string
 706             //      value: the list of files with common key
 707             Map<String,List<String>> output = new LinkedHashMap<>();
 708 
 709             if (man != null) {
 710                 if (verbose != null) System.out.println();
 711                 Enumeration<JarEntry> e = entriesVec.elements();
 712 
 713                 String tab = rb.getString("6SPACE");
 714 
 715                 while (e.hasMoreElements()) {
 716                     JarEntry je = e.nextElement();
 717                     String name = je.getName();
 718 
 719                     hasSignature = hasSignature
 720                             || SignatureFileVerifier.isBlockOrSF(name);
 721 
 722                     CodeSigner[] signers = je.getCodeSigners();
 723                     boolean isSigned = (signers != null);
 724                     anySigned |= isSigned;
 725                     hasUnsignedEntry |= !je.isDirectory() && !isSigned
 726                                         && !signatureRelated(name);
 727 
 728                     int inStoreWithAlias = inKeyStore(signers);
 729 
 730                     boolean inStore = (inStoreWithAlias & IN_KEYSTORE) != 0;
 731 
 732                     notSignedByAlias |= (inStoreWithAlias & NOT_ALIAS) != 0;
 733                     if (keystore != null) {
 734                         aliasNotInStore |= isSigned && !inStore;
 735                     }
 736 
 737                     // Only used when -verbose provided
 738                     StringBuffer sb = null;
 739                     if (verbose != null) {
 740                         sb = new StringBuffer();
 741                         boolean inManifest =
 742                             ((man.getAttributes(name) != null) ||
 743                              (man.getAttributes("./"+name) != null) ||
 744                              (man.getAttributes("/"+name) != null));
 745                         sb.append(isSigned ? rb.getString("s") : rb.getString("SPACE"))
 746                                 .append(inManifest ? rb.getString("m") : rb.getString("SPACE"))
 747                                 .append(inStore ? rb.getString("k") : rb.getString("SPACE"))
 748                                 .append((inStoreWithAlias & NOT_ALIAS) != 0 ? 'X' : ' ')
 749                                 .append(rb.getString("SPACE"));
 750                         sb.append('|');
 751                     }
 752 
 753                     // When -certs provided, display info has extra empty
 754                     // lines at the beginning and end.
 755                     if (isSigned) {
 756                         if (showcerts) sb.append('\n');
 757                         for (CodeSigner signer: signers) {
 758                             // signerInfo() must be called even if -verbose
 759                             // not provided. The method updates various
 760                             // warning flags.
 761                             String si = signerInfo(signer, tab);
 762                             if (showcerts) {
 763                                 sb.append(si);
 764                                 sb.append('\n');
 765                             }
 766                         }
 767                     } else if (showcerts && !verbose.equals("all")) {
 768                         // Print no info for unsigned entries when -verbose:all,
 769                         // to be consistent with old behavior.
 770                         if (signatureRelated(name)) {
 771                             sb.append('\n')
 772                                     .append(tab)
 773                                     .append(rb
 774                                             .getString(".Signature.related.entries."))
 775                                     .append("\n\n");
 776                         } else {
 777                             sb.append('\n').append(tab)
 778                                     .append(rb.getString(".Unsigned.entries."))
 779                                     .append("\n\n");
 780                         }
 781                     }
 782 
 783                     if (verbose != null) {
 784                         String label = sb.toString();
 785                         if (signatureRelated(name)) {
 786                             // Entries inside META-INF and other unsigned
 787                             // entries are grouped separately.
 788                             label = "-" + label;
 789                         }
 790 
 791                         // The label finally contains 2 parts separated by '|':
 792                         // The legend displayed before the entry names, and
 793                         // the cert info (if -certs specified).
 794 
 795                         if (!output.containsKey(label)) {
 796                             output.put(label, new ArrayList<String>());
 797                         }
 798 
 799                         StringBuilder fb = new StringBuilder();
 800                         String s = Long.toString(je.getSize());
 801                         for (int i = 6 - s.length(); i > 0; --i) {
 802                             fb.append(' ');
 803                         }
 804                         fb.append(s).append(' ').
 805                                 append(new Date(je.getTime()).toString());
 806                         fb.append(' ').append(name);
 807 
 808                         output.get(label).add(fb.toString());
 809                     }
 810                 }
 811             }
 812             if (verbose != null) {
 813                 for (Entry<String,List<String>> s: output.entrySet()) {
 814                     List<String> files = s.getValue();
 815                     String key = s.getKey();
 816                     if (key.charAt(0) == '-') { // the signature-related group
 817                         key = key.substring(1);
 818                     }
 819                     int pipe = key.indexOf('|');
 820                     if (verbose.equals("all")) {
 821                         for (String f: files) {
 822                             System.out.println(key.substring(0, pipe) + f);
 823                             System.out.printf(key.substring(pipe+1));
 824                         }
 825                     } else {
 826                         if (verbose.equals("grouped")) {
 827                             for (String f: files) {
 828                                 System.out.println(key.substring(0, pipe) + f);
 829                             }
 830                         } else if (verbose.equals("summary")) {
 831                             System.out.print(key.substring(0, pipe));
 832                             if (files.size() > 1) {
 833                                 System.out.println(files.get(0) + " " +
 834                                         String.format(rb.getString(
 835                                         ".and.d.more."), files.size()-1));
 836                             } else {
 837                                 System.out.println(files.get(0));
 838                             }
 839                         }
 840                         System.out.printf(key.substring(pipe+1));
 841                     }
 842                 }
 843                 System.out.println();
 844                 System.out.println(rb.getString(
 845                     ".s.signature.was.verified."));
 846                 System.out.println(rb.getString(
 847                     ".m.entry.is.listed.in.manifest"));
 848                 System.out.println(rb.getString(
 849                     ".k.at.least.one.certificate.was.found.in.keystore"));
 850                 if (ckaliases.size() > 0) {
 851                     System.out.println(rb.getString(
 852                         ".X.not.signed.by.specified.alias.es."));
 853                 }

 854             }
 855             if (man == null) {
 856                 System.out.println();
 857                 System.out.println(rb.getString("no.manifest."));
 858             }
 859 
 860             // If signer is a trusted cert or private entry in user's own
 861             // keystore, it can be self-signed.
 862             if (!aliasNotInStore) {
 863                 signerSelfSigned = false;
 864             }
 865 
 866             // Even if the verbose option is not specified, all out strings
 867             // must be generated so seeWeak can be updated.
 868             if (!digestMap.isEmpty()
 869                     || !sigMap.isEmpty()
 870                     || !unparsableSignatures.isEmpty()) {
 871                 if (verbose != null) {
 872                     System.out.println();
 873                 }
 874                 for (String s : sigMap.keySet()) {
 875                     if (!digestMap.containsKey(s)) {
 876                         unparsableSignatures.putIfAbsent(s, String.format(
 877                                 rb.getString("history.nosf"), s));
 878                     }
 879                 }
 880                 for (String s : digestMap.keySet()) {
 881                     PKCS7 p7 = sigMap.get(s);
 882                     if (p7 != null) {
 883                         String history;
 884                         try {
 885                             SignerInfo si = p7.getSignerInfos()[0];
 886                             X509Certificate signer = si.getCertificate(p7);
 887                             String digestAlg = digestMap.get(s);
 888                             String sigAlg = AlgorithmId.makeSigAlg(
 889                                     si.getDigestAlgorithmId().getName(),
 890                                     si.getDigestEncryptionAlgorithmId().getName());
 891                             PublicKey key = signer.getPublicKey();
 892                             PKCS7 tsToken = si.getTsToken();
 893                             if (tsToken != null) {
 894                                 SignerInfo tsSi = tsToken.getSignerInfos()[0];
 895                                 X509Certificate tsSigner = tsSi.getCertificate(tsToken);
 896                                 byte[] encTsTokenInfo = tsToken.getContentInfo().getData();
 897                                 TimestampToken tsTokenInfo = new TimestampToken(encTsTokenInfo);
 898                                 PublicKey tsKey = tsSigner.getPublicKey();
 899                                 String tsDigestAlg = tsTokenInfo.getHashAlgorithm().getName();
 900                                 String tsSigAlg = AlgorithmId.makeSigAlg(
 901                                         tsSi.getDigestAlgorithmId().getName(),
 902                                         tsSi.getDigestEncryptionAlgorithmId().getName());
 903                                 Calendar c = Calendar.getInstance(
 904                                         TimeZone.getTimeZone("UTC"),
 905                                         Locale.getDefault(Locale.Category.FORMAT));
 906                                 c.setTime(tsTokenInfo.getDate());
 907                                 history = String.format(
 908                                         rb.getString("history.with.ts"),
 909                                         signer.getSubjectX500Principal(),
 910                                         withWeak(digestAlg, DIGEST_PRIMITIVE_SET),
 911                                         withWeak(sigAlg, SIG_PRIMITIVE_SET),
 912                                         withWeak(key),
 913                                         c,
 914                                         tsSigner.getSubjectX500Principal(),
 915                                         withWeak(tsDigestAlg, DIGEST_PRIMITIVE_SET),
 916                                         withWeak(tsSigAlg, SIG_PRIMITIVE_SET),
 917                                         withWeak(tsKey));
 918                             } else {
 919                                 history = String.format(
 920                                         rb.getString("history.without.ts"),
 921                                         signer.getSubjectX500Principal(),
 922                                         withWeak(digestAlg, DIGEST_PRIMITIVE_SET),
 923                                         withWeak(sigAlg, SIG_PRIMITIVE_SET),
 924                                         withWeak(key));
 925                             }
 926                         } catch (Exception e) {
 927                             // The only usage of sigNameMap, remember the name
 928                             // of the block file if it's invalid.
 929                             history = String.format(
 930                                     rb.getString("history.unparsable"),
 931                                     sigNameMap.get(s));
 932                         }
 933                         if (verbose != null) {
 934                             System.out.println(history);
 935                         }
 936                     } else {
 937                         unparsableSignatures.putIfAbsent(s, String.format(
 938                                 rb.getString("history.nobk"), s));
 939                     }
 940                 }
 941                 if (verbose != null) {
 942                     for (String s : unparsableSignatures.keySet()) {
 943                         System.out.println(unparsableSignatures.get(s));
 944                     }
 945                 }
 946             }
 947             System.out.println();
 948             if (!anySigned) {
 949                 if (seeWeak) {
 950                     if (verbose != null) {
 951                         System.out.println(rb.getString("jar.treated.unsigned.see.weak.verbose"));
 952                         System.out.println("\n  " +
 953                                 DisabledAlgorithmConstraints.PROPERTY_JAR_DISABLED_ALGS +
 954                                 "=" + Security.getProperty(DisabledAlgorithmConstraints.PROPERTY_JAR_DISABLED_ALGS));
 955                     } else {
 956                         System.out.println(rb.getString("jar.treated.unsigned.see.weak"));
 957                     }
 958                 } else if (hasSignature) {
 959                     System.out.println(rb.getString("jar.treated.unsigned"));
 960                 } else {
 961                     System.out.println(rb.getString("jar.is.unsigned"));
 962                 }
 963             } else {
 964                 boolean warningAppeared = false;
 965                 boolean errorAppeared = false;
 966                 if (badKeyUsage || badExtendedKeyUsage || badNetscapeCertType ||
 967                         notYetValidCert || chainNotValidated || hasExpiredCert ||
 968                         hasUnsignedEntry || signerSelfSigned || (weakAlg != 0) ||
 969                         aliasNotInStore || notSignedByAlias) {
 970 
 971                     if (strict) {
 972                         System.out.println(rb.getString("jar.verified.with.signer.errors."));
 973                         System.out.println();
 974                         System.out.println(rb.getString("Error."));
 975                         errorAppeared = true;
 976                     } else {
 977                         System.out.println(rb.getString("jar.verified."));
 978                         System.out.println();
 979                         System.out.println(rb.getString("Warning."));
 980                         warningAppeared = true;
 981                     }
 982 
 983                     if (weakAlg != 0) {
 984                         // In fact, jarsigner verification did not catch this
 985                         // since it has not read the JarFile content itself.
 986                         // Everything is done with JarFile API. The signing
 987                         // history (digestMap etc) will show these info and
 988                         // print out proper warnings.
 989                     }
 990 
 991                     if (badKeyUsage) {
 992                         System.out.println(
 993                             rb.getString("This.jar.contains.entries.whose.signer.certificate.s.KeyUsage.extension.doesn.t.allow.code.signing."));
 994                     }
 995 
 996                     if (badExtendedKeyUsage) {
 997                         System.out.println(
 998                             rb.getString("This.jar.contains.entries.whose.signer.certificate.s.ExtendedKeyUsage.extension.doesn.t.allow.code.signing."));
 999                     }
1000 
1001                     if (badNetscapeCertType) {
1002                         System.out.println(
1003                             rb.getString("This.jar.contains.entries.whose.signer.certificate.s.NetscapeCertType.extension.doesn.t.allow.code.signing."));
1004                     }
1005 
1006                     if (hasUnsignedEntry) {
1007                         System.out.println(rb.getString(
1008                             "This.jar.contains.unsigned.entries.which.have.not.been.integrity.checked."));
1009                     }
1010                     if (hasExpiredCert) {
1011                         System.out.println(rb.getString(
1012                             "This.jar.contains.entries.whose.signer.certificate.has.expired."));
1013                     }
1014                     if (notYetValidCert) {
1015                         System.out.println(rb.getString(
1016                             "This.jar.contains.entries.whose.signer.certificate.is.not.yet.valid."));
1017                     }
1018 
1019                     if (chainNotValidated) {
1020                         System.out.println(String.format(
1021                                 rb.getString("This.jar.contains.entries.whose.certificate.chain.is.not.validated.reason.1"),
1022                                 chainNotValidatedReason.getLocalizedMessage()));
1023                     }
1024 
1025                     if (notSignedByAlias) {
1026                         System.out.println(
1027                                 rb.getString("This.jar.contains.signed.entries.which.is.not.signed.by.the.specified.alias.es."));
1028                     }
1029 
1030                     if (aliasNotInStore) {
1031                         System.out.println(rb.getString("This.jar.contains.signed.entries.that.s.not.signed.by.alias.in.this.keystore."));
1032                     }
1033 
1034                     if (signerSelfSigned) {
1035                         System.out.println(rb.getString(
1036                                 "This.jar.contains.entries.whose.signer.certificate.is.self.signed."));
1037                     }
1038                 } else {
1039                     System.out.println(rb.getString("jar.verified."));
1040                 }
1041                 if (hasExpiringCert || noTimestamp) {
1042                     if (!warningAppeared) {
1043                         System.out.println();
1044                         System.out.println(rb.getString("Warning."));
1045                         warningAppeared = true;
1046                     }
1047                     if (hasExpiringCert) {
1048                         System.out.println(rb.getString(
1049                                 "This.jar.contains.entries.whose.signer.certificate.will.expire.within.six.months."));
1050                     }
1051                     if (noTimestamp) {
1052                         System.out.println(
1053                                 String.format(rb.getString("no.timestamp.verifying"), expireDate));
1054                     }
1055                 }
1056                 if (warningAppeared || errorAppeared) {
1057                     if (! (verbose != null && showcerts)) {
1058                         System.out.println();
1059                         System.out.println(rb.getString(
1060                                 "Re.run.with.the.verbose.and.certs.options.for.more.details."));
1061                     }
1062                 }
1063             }
1064             return;
1065         } catch (Exception e) {
1066             System.out.println(rb.getString("jarsigner.") + e);
1067             if (debug) {
1068                 e.printStackTrace();
1069             }
1070         } finally { // close the resource
1071             if (jf != null) {
1072                 jf.close();
1073             }
1074         }
1075 
1076         System.exit(1);
1077     }
1078 
1079     private String withWeak(String alg, Set<CryptoPrimitive> primitiveSet) {
1080         if (DISABLED_CHECK.permits(primitiveSet, alg, null)) {
1081             return alg;
1082         } else {
1083             seeWeak = true;
1084             return String.format(rb.getString("with.weak"), alg);
1085         }
1086     }
1087 
1088     private String withWeak(PublicKey key) {
1089         if (DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
1090             return String.format(
1091                     rb.getString("key.bit"), KeyUtil.getKeySize(key));
1092         } else {
1093             seeWeak = true;
1094             return String.format(
1095                     rb.getString("key.bit.weak"), KeyUtil.getKeySize(key));
1096         }
1097     }
1098 
1099     private static MessageFormat validityTimeForm = null;
1100     private static MessageFormat notYetTimeForm = null;
1101     private static MessageFormat expiredTimeForm = null;
1102     private static MessageFormat expiringTimeForm = null;
1103 
1104     /*
1105      * Display some details about a certificate:
1106      *
1107      * [<tab>] <cert-type> [", " <subject-DN>] [" (" <keystore-entry-alias> ")"]
1108      * [<validity-period> | <expiry-warning>]
1109      *
1110      * Note: no newline character at the end
1111      */
1112     String printCert(String tab, Certificate c, boolean checkValidityPeriod,
1113         Date timestamp, boolean checkUsage) {
1114 
1115         StringBuilder certStr = new StringBuilder();
1116         String space = rb.getString("SPACE");
1117         X509Certificate x509Cert = null;
1118 
1119         if (c instanceof X509Certificate) {
1120             x509Cert = (X509Certificate) c;
1121             certStr.append(tab).append(x509Cert.getType())
1122                 .append(rb.getString("COMMA"))
1123                 .append(x509Cert.getSubjectDN().getName());
1124         } else {
1125             certStr.append(tab).append(c.getType());
1126         }
1127 
1128         String alias = storeHash.get(c);
1129         if (alias != null) {
1130             certStr.append(space).append(alias);
1131         }
1132 
1133         if (checkValidityPeriod && x509Cert != null) {
1134 
1135             certStr.append("\n").append(tab).append("[");
1136             Date notAfter = x509Cert.getNotAfter();
1137             try {
1138                 boolean printValidity = true;
1139                 if (timestamp == null) {
1140                     if (expireDate.getTime() == 0 || expireDate.after(notAfter)) {
1141                         expireDate = notAfter;
1142                     }
1143                     x509Cert.checkValidity();
1144                     // test if cert will expire within six months
1145                     if (notAfter.getTime() < System.currentTimeMillis() + SIX_MONTHS) {
1146                         hasExpiringCert = true;
1147                         if (expiringTimeForm == null) {
1148                             expiringTimeForm = new MessageFormat(
1149                                 rb.getString("certificate.will.expire.on"));
1150                         }
1151                         Object[] source = { notAfter };
1152                         certStr.append(expiringTimeForm.format(source));
1153                         printValidity = false;
1154                     }
1155                 } else {
1156                     x509Cert.checkValidity(timestamp);
1157                 }
1158                 if (printValidity) {
1159                     if (validityTimeForm == null) {
1160                         validityTimeForm = new MessageFormat(
1161                             rb.getString("certificate.is.valid.from"));
1162                     }
1163                     Object[] source = { x509Cert.getNotBefore(), notAfter };
1164                     certStr.append(validityTimeForm.format(source));
1165                 }
1166             } catch (CertificateExpiredException cee) {
1167                 hasExpiredCert = true;
1168 
1169                 if (expiredTimeForm == null) {
1170                     expiredTimeForm = new MessageFormat(
1171                         rb.getString("certificate.expired.on"));
1172                 }
1173                 Object[] source = { notAfter };
1174                 certStr.append(expiredTimeForm.format(source));
1175 
1176             } catch (CertificateNotYetValidException cnyve) {
1177                 notYetValidCert = true;
1178 
1179                 if (notYetTimeForm == null) {
1180                     notYetTimeForm = new MessageFormat(
1181                         rb.getString("certificate.is.not.valid.until"));
1182                 }
1183                 Object[] source = { x509Cert.getNotBefore() };
1184                 certStr.append(notYetTimeForm.format(source));
1185             }
1186             certStr.append("]");
1187 
1188             if (checkUsage) {
1189                 boolean[] bad = new boolean[3];
1190                 checkCertUsage(x509Cert, bad);
1191                 if (bad[0] || bad[1] || bad[2]) {
1192                     String x = "";
1193                     if (bad[0]) {
1194                         x ="KeyUsage";
1195                     }
1196                     if (bad[1]) {
1197                         if (x.length() > 0) x = x + ", ";
1198                         x = x + "ExtendedKeyUsage";
1199                     }
1200                     if (bad[2]) {
1201                         if (x.length() > 0) x = x + ", ";
1202                         x = x + "NetscapeCertType";
1203                     }
1204                     certStr.append("\n").append(tab)
1205                         .append(MessageFormat.format(rb.getString(
1206                         ".{0}.extension.does.not.support.code.signing."), x));
1207                 }
1208             }
1209         }
1210         return certStr.toString();
1211     }
1212 
1213     private static MessageFormat signTimeForm = null;
1214 
1215     private String printTimestamp(String tab, Timestamp timestamp) {
1216 
1217         if (signTimeForm == null) {
1218             signTimeForm =
1219                 new MessageFormat(rb.getString("entry.was.signed.on"));
1220         }
1221         Object[] source = { timestamp.getTimestamp() };
1222 
1223         return new StringBuilder().append(tab).append("[")
1224             .append(signTimeForm.format(source)).append("]").toString();
1225     }
1226 
1227     private Map<CodeSigner,Integer> cacheForInKS = new IdentityHashMap<>();
1228 
1229     private int inKeyStoreForOneSigner(CodeSigner signer) {
1230         if (cacheForInKS.containsKey(signer)) {
1231             return cacheForInKS.get(signer);
1232         }
1233 
1234         int result = 0;
1235         List<? extends Certificate> certs = signer.getSignerCertPath().getCertificates();
1236         for (Certificate c : certs) {
1237             String alias = storeHash.get(c);
1238             if (alias != null) {
1239                 if (alias.startsWith("(")) {
1240                     result |= IN_KEYSTORE;
1241                 }
1242                 if (ckaliases.contains(alias.substring(1, alias.length() - 1))) {
1243                     result |= SIGNED_BY_ALIAS;
1244                 }
1245             } else {
1246                 if (store != null) {
1247                     try {
1248                         alias = store.getCertificateAlias(c);
1249                     } catch (KeyStoreException kse) {
1250                         // never happens, because keystore has been loaded
1251                     }
1252                     if (alias != null) {
1253                         storeHash.put(c, "(" + alias + ")");
1254                         result |= IN_KEYSTORE;
1255                     }
1256                 }
1257                 if (ckaliases.contains(alias)) {
1258                     result |= SIGNED_BY_ALIAS;
1259                 }
1260             }
1261         }
1262         cacheForInKS.put(signer, result);
1263         return result;
1264     }
1265 
1266     Hashtable<Certificate, String> storeHash = new Hashtable<>();
1267 
1268     int inKeyStore(CodeSigner[] signers) {
1269 
1270         if (signers == null)
1271             return 0;
1272 
1273         int output = 0;
1274 
1275         for (CodeSigner signer: signers) {
1276             int result = inKeyStoreForOneSigner(signer);
1277             output |= result;
1278         }
1279         if (ckaliases.size() > 0 && (output & SIGNED_BY_ALIAS) == 0) {
1280             output |= NOT_ALIAS;
1281         }
1282         return output;
1283     }
1284 
1285     void signJar(String jarName, String alias)
1286             throws Exception {
1287 
1288         if (digestalg != null && !DISABLED_CHECK.permits(
1289                 DIGEST_PRIMITIVE_SET, digestalg, null)) {




1290             weakAlg |= 1;
1291         }
1292         if (tSADigestAlg != null && !DISABLED_CHECK.permits(
1293                 DIGEST_PRIMITIVE_SET, tSADigestAlg, null)) {
1294             weakAlg |= 4;
1295         }
1296         if (sigalg != null && !DISABLED_CHECK.permits(
1297                 SIG_PRIMITIVE_SET , sigalg, null)) {
1298             weakAlg |= 2;
1299         }
1300         if (!DISABLED_CHECK.permits(
1301                 SIG_PRIMITIVE_SET, privateKey)) {
1302             weakAlg |= 8;
1303         }
1304 
1305         boolean aliasUsed = false;
1306         X509Certificate tsaCert = null;
1307 
1308         if (sigfile == null) {
1309             sigfile = alias;
1310             aliasUsed = true;
1311         }
1312 
1313         if (sigfile.length() > 8) {
1314             sigfile = sigfile.substring(0, 8).toUpperCase(Locale.ENGLISH);
1315         } else {
1316             sigfile = sigfile.toUpperCase(Locale.ENGLISH);
1317         }
1318 
1319         StringBuilder tmpSigFile = new StringBuilder(sigfile.length());
1320         for (int j = 0; j < sigfile.length(); j++) {
1321             char c = sigfile.charAt(j);
1322             if (!
1323                     ((c>= 'A' && c<= 'Z') ||
1324                             (c>= '0' && c<= '9') ||
1325                             (c == '-') ||
1326                             (c == '_'))) {
1327                 if (aliasUsed) {
1328                     // convert illegal characters from the alias to be _'s
1329                     c = '_';
1330                 } else {
1331                     throw new
1332                             RuntimeException(rb.getString
1333                             ("signature.filename.must.consist.of.the.following.characters.A.Z.0.9.or."));
1334                 }
1335             }
1336             tmpSigFile.append(c);
1337         }
1338 
1339         sigfile = tmpSigFile.toString();
1340 
1341         String tmpJarName;
1342         if (signedjar == null) tmpJarName = jarName+".sig";
1343         else tmpJarName = signedjar;
1344 
1345         File jarFile = new File(jarName);
1346         File signedJarFile = new File(tmpJarName);
1347 
1348         // Open the jar (zip) file
1349         try {
1350             zipFile = new ZipFile(jarName);
1351         } catch (IOException ioe) {
1352             error(rb.getString("unable.to.open.jar.file.")+jarName, ioe);
1353         }
1354 
1355         FileOutputStream fos = null;
1356         try {
1357             fos = new FileOutputStream(signedJarFile);
1358         } catch (IOException ioe) {
1359             error(rb.getString("unable.to.create.")+tmpJarName, ioe);
1360         }
1361 
1362         CertPath cp = CertificateFactory.getInstance("X.509")
1363                 .generateCertPath(Arrays.asList(certChain));
1364         JarSigner.Builder builder = new JarSigner.Builder(privateKey, cp);
1365 
1366         if (verbose != null) {
1367             builder.eventHandler((action, file) -> {
1368                 System.out.println(rb.getString("." + action + ".") + file);
1369             });
1370         }
1371 
1372         if (digestalg != null) {
1373             builder.digestAlgorithm(digestalg);
1374         }
1375         if (sigalg != null) {
1376             builder.signatureAlgorithm(sigalg);
1377         }
1378 
1379         URI tsaURI = null;
1380 
1381         if (tsaUrl != null) {
1382             tsaURI = new URI(tsaUrl);
1383         } else if (tsaAlias != null) {
1384             tsaCert = getTsaCert(tsaAlias);
1385             tsaURI = TimestampedSigner.getTimestampingURI(tsaCert);
1386         }
1387 
1388         if (tsaURI != null) {
1389             if (verbose != null) {
1390                 System.out.println(
1391                         rb.getString("requesting.a.signature.timestamp"));
1392                 if (tsaUrl != null) {
1393                     System.out.println(rb.getString("TSA.location.") + tsaUrl);
1394                 } else if (tsaCert != null) {
1395                     System.out.println(rb.getString("TSA.certificate.") +
1396                             printCert("", tsaCert, false, null, false));
1397                 }
1398             }
1399             builder.tsa(tsaURI);
1400             if (tSADigestAlg != null) {
1401                 builder.setProperty("tsaDigestAlg", tSADigestAlg);
1402             }
1403 
1404             if (tSAPolicyID != null) {
1405                 builder.setProperty("tsaPolicyId", tSAPolicyID);
1406             }
1407         } else {
1408             noTimestamp = true;
1409         }
1410 
1411         if (altSignerClass != null) {
1412             builder.setProperty("altSigner", altSignerClass);
1413             if (verbose != null) {
1414                 System.out.println(
1415                         rb.getString("using.an.alternative.signing.mechanism"));
1416             }
1417         }
1418 
1419         if (altSignerClasspath != null) {
1420             builder.setProperty("altSignerPath", altSignerClasspath);
1421         }
1422 
1423         builder.signerName(sigfile);
1424 
1425         builder.setProperty("sectionsOnly", Boolean.toString(!signManifest));
1426         builder.setProperty("internalSF", Boolean.toString(!externalSF));
1427 
1428         try {
1429             builder.build().sign(zipFile, fos);
1430         } catch (JarSignerException e) {
1431             Throwable cause = e.getCause();
1432             if (cause != null && cause instanceof SocketTimeoutException) {
1433                 // Provide a helpful message when TSA is beyond a firewall
1434                 error(rb.getString("unable.to.sign.jar.") +
1435                         rb.getString("no.response.from.the.Timestamping.Authority.") +
1436                         "\n  -J-Dhttp.proxyHost=<hostname>" +
1437                         "\n  -J-Dhttp.proxyPort=<portnumber>\n" +
1438                         rb.getString("or") +
1439                         "\n  -J-Dhttps.proxyHost=<hostname> " +
1440                         "\n  -J-Dhttps.proxyPort=<portnumber> ", e);
1441             } else {
1442                 error(rb.getString("unable.to.sign.jar.")+e.getCause(), e.getCause());
1443             }
1444         } finally {
1445             // close the resouces
1446             if (zipFile != null) {
1447                 zipFile.close();
1448                 zipFile = null;
1449             }
1450 
1451             if (fos != null) {
1452                 fos.close();
1453             }
1454         }
1455 
1456         // no IOException thrown in the follow try clause, so disable
1457         // the try clause.
1458         // try {
1459             if (signedjar == null) {
1460                 // attempt an atomic rename. If that fails,
1461                 // rename the original jar file, then the signed
1462                 // one, then delete the original.
1463                 if (!signedJarFile.renameTo(jarFile)) {
1464                     File origJar = new File(jarName+".orig");
1465 
1466                     if (jarFile.renameTo(origJar)) {
1467                         if (signedJarFile.renameTo(jarFile)) {
1468                             origJar.delete();
1469                         } else {
1470                             MessageFormat form = new MessageFormat(rb.getString
1471                         ("attempt.to.rename.signedJarFile.to.jarFile.failed"));
1472                             Object[] source = {signedJarFile, jarFile};
1473                             error(form.format(source));
1474                         }
1475                     } else {
1476                         MessageFormat form = new MessageFormat(rb.getString
1477                             ("attempt.to.rename.jarFile.to.origJar.failed"));
1478                         Object[] source = {jarFile, origJar};
1479                         error(form.format(source));
1480                     }
1481                 }
1482             }
1483 
1484             boolean warningAppeared = false;
1485             if (weakAlg != 0 || badKeyUsage || badExtendedKeyUsage || badNetscapeCertType ||
1486                     notYetValidCert || chainNotValidated || hasExpiredCert || signerSelfSigned) {
1487                 if (strict) {
1488                     System.out.println(rb.getString("jar.signed.with.signer.errors."));
1489                     System.out.println();
1490                     System.out.println(rb.getString("Error."));
1491                 } else {
1492                     System.out.println(rb.getString("jar.signed."));
1493                     System.out.println();
1494                     System.out.println(rb.getString("Warning."));
1495                     warningAppeared = true;
1496                 }
1497 
1498                 if (badKeyUsage) {
1499                     System.out.println(
1500                         rb.getString("The.signer.certificate.s.KeyUsage.extension.doesn.t.allow.code.signing."));
1501                 }
1502 
1503                 if (badExtendedKeyUsage) {
1504                     System.out.println(
1505                         rb.getString("The.signer.certificate.s.ExtendedKeyUsage.extension.doesn.t.allow.code.signing."));
1506                 }
1507 
1508                 if (badNetscapeCertType) {
1509                     System.out.println(
1510                         rb.getString("The.signer.certificate.s.NetscapeCertType.extension.doesn.t.allow.code.signing."));
1511                 }
1512 
1513                 if (hasExpiredCert) {
1514                     System.out.println(
1515                         rb.getString("The.signer.certificate.has.expired."));
1516                 } else if (notYetValidCert) {
1517                     System.out.println(
1518                         rb.getString("The.signer.certificate.is.not.yet.valid."));
1519                 }
1520 
1521                 if (chainNotValidated) {
1522                     System.out.println(String.format(
1523                             rb.getString("The.signer.s.certificate.chain.is.not.validated.reason.1"),
1524                             chainNotValidatedReason.getLocalizedMessage()));
1525                 }
1526 
1527                 if (signerSelfSigned) {
1528                     System.out.println(
1529                             rb.getString("The.signer.s.certificate.is.self.signed."));
1530                 }
1531 
1532                 if ((weakAlg & 1) == 1) {
1533                     System.out.println(String.format(
1534                             rb.getString("The.1.algorithm.specified.for.the.2.option.is.considered.a.security.risk."),
1535                             digestalg, "-digestalg"));
1536                 }
1537 
1538                 if ((weakAlg & 2) == 2) {
1539                     System.out.println(String.format(
1540                             rb.getString("The.1.algorithm.specified.for.the.2.option.is.considered.a.security.risk."),
1541                             sigalg, "-sigalg"));
1542                 }
1543                 if ((weakAlg & 4) == 4) {
1544                     System.out.println(String.format(
1545                             rb.getString("The.1.algorithm.specified.for.the.2.option.is.considered.a.security.risk."),
1546                             tSADigestAlg, "-tsadigestalg"));
1547                 }
1548                 if ((weakAlg & 8) == 8) {
1549                     System.out.println(String.format(
1550                             rb.getString("The.1.signing.key.has.a.keysize.of.2.which.is.considered.a.security.risk."),
1551                             privateKey.getAlgorithm(), KeyUtil.getKeySize(privateKey)));
1552                 }
1553             } else {
1554                 System.out.println(rb.getString("jar.signed."));
1555             }
1556             if (hasExpiringCert || noTimestamp) {
1557                 if (!warningAppeared) {
1558                     System.out.println();
1559                     System.out.println(rb.getString("Warning."));
1560                 }
1561 
1562                 if (hasExpiringCert) {
1563                     System.out.println(
1564                             rb.getString("The.signer.certificate.will.expire.within.six.months."));
1565                 }
1566 
1567                 if (noTimestamp) {
1568                     System.out.println(
1569                             String.format(rb.getString("no.timestamp.signing"), expireDate));
1570                 }
1571             }
1572 
1573         // no IOException thrown in the above try clause, so disable
1574         // the catch clause.
1575         // } catch(IOException ioe) {
1576         //     error(rb.getString("unable.to.sign.jar.")+ioe, ioe);
1577         // }
1578     }
1579 
1580     /**
1581      * signature-related files include:
1582      * . META-INF/MANIFEST.MF
1583      * . META-INF/SIG-*
1584      * . META-INF/*.SF
1585      * . META-INF/*.DSA
1586      * . META-INF/*.RSA
1587      * . META-INF/*.EC
1588      */
1589     private boolean signatureRelated(String name) {
1590         return SignatureFileVerifier.isSigningRelated(name);
1591     }
1592 
1593     Map<CodeSigner,String> cacheForSignerInfo = new IdentityHashMap<>();
1594 
1595     /**
1596      * Returns a string of singer info, with a newline at the end
1597      */
1598     private String signerInfo(CodeSigner signer, String tab) {
1599         if (cacheForSignerInfo.containsKey(signer)) {
1600             return cacheForSignerInfo.get(signer);
1601         }
1602         StringBuilder sb = new StringBuilder();
1603         List<? extends Certificate> certs = signer.getSignerCertPath().getCertificates();
1604         // display the signature timestamp, if present
1605         Date timestamp;
1606         Timestamp ts = signer.getTimestamp();
1607         if (ts != null) {
1608             sb.append(printTimestamp(tab, ts));
1609             sb.append('\n');
1610             timestamp = ts.getTimestamp();
1611         } else {
1612             timestamp = null;
1613             noTimestamp = true;
1614         }
1615         // display the certificate(sb). The first one is end-entity cert and
1616         // its KeyUsage should be checked.
1617         boolean first = true;
1618         for (Certificate c : certs) {
1619             sb.append(printCert(tab, c, true, timestamp, first));
1620             sb.append('\n');
1621             first = false;
1622         }
1623         try {
1624             validateCertChain(certs);
1625         } catch (Exception e) {
1626             if (debug) {
1627                 e.printStackTrace();
1628             }
1629             if (e.getCause() != null &&
1630                     (e.getCause() instanceof CertificateExpiredException ||
1631                      e.getCause() instanceof CertificateNotYetValidException)) {
1632                 // No more warning, we alreay have hasExpiredCert or notYetValidCert
1633             } else {
1634                 chainNotValidated = true;
1635                 chainNotValidatedReason = e;
1636                 sb.append(tab).append(rb.getString(".CertPath.not.validated."))
1637                         .append(e.getLocalizedMessage()).append("]\n"); // TODO
1638             }
1639         }
1640         if (certs.size() == 1
1641                 && KeyStoreUtil.isSelfSigned((X509Certificate)certs.get(0))) {
1642             signerSelfSigned = true;
1643         }
1644         String result = sb.toString();
1645         cacheForSignerInfo.put(signer, result);
1646         return result;
1647     }
1648 
1649     void loadKeyStore(String keyStoreName, boolean prompt) {
1650 
1651         if (!nullStream && keyStoreName == null) {
1652             keyStoreName = System.getProperty("user.home") + File.separator
1653                 + ".keystore";
1654         }
1655 
1656         try {
1657 
1658             certificateFactory = CertificateFactory.getInstance("X.509");
1659             validator = CertPathValidator.getInstance("PKIX");
1660             Set<TrustAnchor> tas = new HashSet<>();
1661             try {
1662                 KeyStore caks = KeyStoreUtil.getCacertsKeyStore();
1663                 if (caks != null) {
1664                     Enumeration<String> aliases = caks.aliases();
1665                     while (aliases.hasMoreElements()) {
1666                         String a = aliases.nextElement();
1667                         try {
1668                             tas.add(new TrustAnchor((X509Certificate)caks.getCertificate(a), null));
1669                         } catch (Exception e2) {
1670                             // ignore, when a SecretkeyEntry does not include a cert
1671                         }
1672                     }
1673                 }
1674             } catch (Exception e) {
1675                 // Ignore, if cacerts cannot be loaded
1676             }
1677 
1678             if (providerName == null) {
1679                 store = KeyStore.getInstance(storetype);
1680             } else {
1681                 store = KeyStore.getInstance(storetype, providerName);
1682             }
1683 
1684             // Get pass phrase
1685             // XXX need to disable echo; on UNIX, call getpass(char *prompt)Z
1686             // and on NT call ??
1687             if (token && storepass == null && !protectedPath
1688                     && !KeyStoreUtil.isWindowsKeyStore(storetype)) {
1689                 storepass = getPass
1690                         (rb.getString("Enter.Passphrase.for.keystore."));
1691             } else if (!token && storepass == null && prompt) {
1692                 storepass = getPass
1693                         (rb.getString("Enter.Passphrase.for.keystore."));
1694             }
1695 
1696             try {
1697                 if (nullStream) {
1698                     store.load(null, storepass);
1699                 } else {
1700                     keyStoreName = keyStoreName.replace(File.separatorChar, '/');
1701                     URL url = null;
1702                     try {
1703                         url = new URL(keyStoreName);
1704                     } catch (java.net.MalformedURLException e) {
1705                         // try as file
1706                         url = new File(keyStoreName).toURI().toURL();
1707                     }
1708                     InputStream is = null;
1709                     try {
1710                         is = url.openStream();
1711                         store.load(is, storepass);
1712                     } finally {
1713                         if (is != null) {
1714                             is.close();
1715                         }
1716                     }
1717                 }
1718                 Enumeration<String> aliases = store.aliases();
1719                 while (aliases.hasMoreElements()) {
1720                     String a = aliases.nextElement();
1721                     try {
1722                         X509Certificate c = (X509Certificate)store.getCertificate(a);
1723                         // Only add TrustedCertificateEntry and self-signed
1724                         // PrivateKeyEntry
1725                         if (store.isCertificateEntry(a) ||
1726                                 c.getSubjectDN().equals(c.getIssuerDN())) {
1727                             tas.add(new TrustAnchor(c, null));
1728                         }
1729                     } catch (Exception e2) {
1730                         // ignore, when a SecretkeyEntry does not include a cert
1731                     }
1732                 }
1733             } finally {
1734                 try {
1735                     pkixParameters = new PKIXParameters(tas);
1736                     pkixParameters.setRevocationEnabled(false);
1737                 } catch (InvalidAlgorithmParameterException ex) {
1738                     // Only if tas is empty
1739                 }
1740             }
1741         } catch (IOException ioe) {
1742             throw new RuntimeException(rb.getString("keystore.load.") +
1743                                         ioe.getMessage());
1744         } catch (java.security.cert.CertificateException ce) {
1745             throw new RuntimeException(rb.getString("certificate.exception.") +
1746                                         ce.getMessage());
1747         } catch (NoSuchProviderException pe) {
1748             throw new RuntimeException(rb.getString("keystore.load.") +
1749                                         pe.getMessage());
1750         } catch (NoSuchAlgorithmException nsae) {
1751             throw new RuntimeException(rb.getString("keystore.load.") +
1752                                         nsae.getMessage());
1753         } catch (KeyStoreException kse) {
1754             throw new RuntimeException
1755                 (rb.getString("unable.to.instantiate.keystore.class.") +
1756                 kse.getMessage());
1757         }
1758     }
1759 
1760     X509Certificate getTsaCert(String alias) {
1761 
1762         java.security.cert.Certificate cs = null;
1763 
1764         try {
1765             cs = store.getCertificate(alias);
1766         } catch (KeyStoreException kse) {
1767             // this never happens, because keystore has been loaded
1768         }
1769         if (cs == null || (!(cs instanceof X509Certificate))) {
1770             MessageFormat form = new MessageFormat(rb.getString
1771                 ("Certificate.not.found.for.alias.alias.must.reference.a.valid.KeyStore.entry.containing.an.X.509.public.key.certificate.for.the"));
1772             Object[] source = {alias, alias};
1773             error(form.format(source));
1774         }
1775         return (X509Certificate) cs;
1776     }
1777 
1778     /**
1779      * Check if userCert is designed to be a code signer
1780      * @param userCert the certificate to be examined
1781      * @param bad 3 booleans to show if the KeyUsage, ExtendedKeyUsage,
1782      *            NetscapeCertType has codeSigning flag turned on.
1783      *            If null, the class field badKeyUsage, badExtendedKeyUsage,
1784      *            badNetscapeCertType will be set.
1785      */
1786     void checkCertUsage(X509Certificate userCert, boolean[] bad) {
1787 
1788         // Can act as a signer?
1789         // 1. if KeyUsage, then [0:digitalSignature] or
1790         //    [1:nonRepudiation] should be true
1791         // 2. if ExtendedKeyUsage, then should contains ANY or CODE_SIGNING
1792         // 3. if NetscapeCertType, then should contains OBJECT_SIGNING
1793         // 1,2,3 must be true
1794 
1795         if (bad != null) {
1796             bad[0] = bad[1] = bad[2] = false;
1797         }
1798 
1799         boolean[] keyUsage = userCert.getKeyUsage();
1800         if (keyUsage != null) {
1801             keyUsage = Arrays.copyOf(keyUsage, 9);
1802             if (!keyUsage[0] && !keyUsage[1]) {
1803                 if (bad != null) {
1804                     bad[0] = true;
1805                     badKeyUsage = true;
1806                 }
1807             }
1808         }
1809 
1810         try {
1811             List<String> xKeyUsage = userCert.getExtendedKeyUsage();
1812             if (xKeyUsage != null) {
1813                 if (!xKeyUsage.contains("2.5.29.37.0") // anyExtendedKeyUsage
1814                         && !xKeyUsage.contains("1.3.6.1.5.5.7.3.3")) {  // codeSigning
1815                     if (bad != null) {
1816                         bad[1] = true;
1817                         badExtendedKeyUsage = true;
1818                     }
1819                 }
1820             }
1821         } catch (java.security.cert.CertificateParsingException e) {
1822             // shouldn't happen
1823         }
1824 
1825         try {
1826             // OID_NETSCAPE_CERT_TYPE
1827             byte[] netscapeEx = userCert.getExtensionValue
1828                     ("2.16.840.1.113730.1.1");
1829             if (netscapeEx != null) {
1830                 DerInputStream in = new DerInputStream(netscapeEx);
1831                 byte[] encoded = in.getOctetString();
1832                 encoded = new DerValue(encoded).getUnalignedBitString()
1833                         .toByteArray();
1834 
1835                 NetscapeCertTypeExtension extn =
1836                         new NetscapeCertTypeExtension(encoded);
1837 
1838                 Boolean val = extn.get(NetscapeCertTypeExtension.OBJECT_SIGNING);
1839                 if (!val) {
1840                     if (bad != null) {
1841                         bad[2] = true;
1842                         badNetscapeCertType = true;
1843                     }
1844                 }
1845             }
1846         } catch (IOException e) {
1847             //
1848         }
1849     }
1850 
1851     void getAliasInfo(String alias) {
1852 
1853         Key key = null;
1854 
1855         try {
1856             java.security.cert.Certificate[] cs = null;
1857             if (altCertChain != null) {
1858                 try (FileInputStream fis = new FileInputStream(altCertChain)) {
1859                     cs = CertificateFactory.getInstance("X.509").
1860                             generateCertificates(fis).
1861                             toArray(new Certificate[0]);
1862                 } catch (FileNotFoundException ex) {
1863                     error(rb.getString("File.specified.by.certchain.does.not.exist"));
1864                 } catch (CertificateException | IOException ex) {
1865                     error(rb.getString("Cannot.restore.certchain.from.file.specified"));
1866                 }
1867             } else {
1868                 try {
1869                     cs = store.getCertificateChain(alias);
1870                 } catch (KeyStoreException kse) {
1871                     // this never happens, because keystore has been loaded
1872                 }
1873             }
1874             if (cs == null || cs.length == 0) {
1875                 if (altCertChain != null) {
1876                     error(rb.getString
1877                             ("Certificate.chain.not.found.in.the.file.specified."));
1878                 } else {
1879                     MessageFormat form = new MessageFormat(rb.getString
1880                         ("Certificate.chain.not.found.for.alias.alias.must.reference.a.valid.KeyStore.key.entry.containing.a.private.key.and"));
1881                     Object[] source = {alias, alias};
1882                     error(form.format(source));
1883                 }
1884             }
1885 
1886             certChain = new X509Certificate[cs.length];
1887             for (int i=0; i<cs.length; i++) {
1888                 if (!(cs[i] instanceof X509Certificate)) {
1889                     error(rb.getString
1890                         ("found.non.X.509.certificate.in.signer.s.chain"));
1891                 }
1892                 certChain[i] = (X509Certificate)cs[i];
1893             }
1894 
1895             // We don't meant to print anything, the next call
1896             // checks validity and keyUsage etc
1897             printCert("", certChain[0], true, null, true);
1898 
1899             try {
1900                 validateCertChain(Arrays.asList(certChain));
1901             } catch (Exception e) {
1902                 if (debug) {
1903                     e.printStackTrace();
1904                 }
1905                 if (e.getCause() != null &&
1906                         (e.getCause() instanceof CertificateExpiredException ||
1907                         e.getCause() instanceof CertificateNotYetValidException)) {
1908                     // No more warning, we already have hasExpiredCert or notYetValidCert
1909                 } else {
1910                     chainNotValidated = true;
1911                     chainNotValidatedReason = e;
1912                 }
1913             }
1914 
1915             if (KeyStoreUtil.isSelfSigned(certChain[0])) {
1916                 signerSelfSigned = true;
1917             }
1918 
1919             try {
1920                 if (!token && keypass == null)
1921                     key = store.getKey(alias, storepass);
1922                 else
1923                     key = store.getKey(alias, keypass);
1924             } catch (UnrecoverableKeyException e) {
1925                 if (token) {
1926                     throw e;
1927                 } else if (keypass == null) {
1928                     // Did not work out, so prompt user for key password
1929                     MessageFormat form = new MessageFormat(rb.getString
1930                         ("Enter.key.password.for.alias."));
1931                     Object[] source = {alias};
1932                     keypass = getPass(form.format(source));
1933                     key = store.getKey(alias, keypass);
1934                 }
1935             }
1936         } catch (NoSuchAlgorithmException e) {
1937             error(e.getMessage());
1938         } catch (UnrecoverableKeyException e) {
1939             error(rb.getString("unable.to.recover.key.from.keystore"));
1940         } catch (KeyStoreException kse) {
1941             // this never happens, because keystore has been loaded
1942         }
1943 
1944         if (!(key instanceof PrivateKey)) {
1945             MessageFormat form = new MessageFormat(rb.getString
1946                 ("key.associated.with.alias.not.a.private.key"));
1947             Object[] source = {alias};
1948             error(form.format(source));
1949         } else {
1950             privateKey = (PrivateKey)key;
1951         }
1952     }
1953 
1954     void error(String message) {
1955         System.out.println(rb.getString("jarsigner.")+message);
1956         System.exit(1);
1957     }
1958 
1959 
1960     void error(String message, Throwable e) {
1961         System.out.println(rb.getString("jarsigner.")+message);
1962         if (debug) {
1963             e.printStackTrace();
1964         }
1965         System.exit(1);
1966     }
1967 
1968     void validateCertChain(List<? extends Certificate> certs) throws Exception {
1969         int cpLen = 0;
1970         out: for (; cpLen<certs.size(); cpLen++) {
1971             for (TrustAnchor ta: pkixParameters.getTrustAnchors()) {
1972                 if (ta.getTrustedCert().equals(certs.get(cpLen))) {
1973                     break out;
1974                 }
1975             }
1976         }
1977         if (cpLen > 0) {
1978             CertPath cp = certificateFactory.generateCertPath(
1979                     (cpLen == certs.size())? certs: certs.subList(0, cpLen));
1980             validator.validate(cp, pkixParameters);
1981         }
1982     }
1983 
1984     char[] getPass(String prompt) {
1985         System.err.print(prompt);
1986         System.err.flush();
1987         try {
1988             char[] pass = Password.readPassword(System.in);
1989 
1990             if (pass == null) {
1991                 error(rb.getString("you.must.enter.key.password"));
1992             } else {
1993                 return pass;
1994             }
1995         } catch (IOException ioe) {
1996             error(rb.getString("unable.to.read.password.")+ioe.getMessage());
1997         }
1998         // this shouldn't happen
1999         return null;
2000     }
2001 }
--- EOF ---