changeset 11982:b1304d71a2ec jdk8u111-b12
8165816: jarsigner -verify shows jar unsigned if it was signed with a weak algorithm
Reviewed-by: mullan
author | igerasim |
---|---|
date | Wed, 14 Sep 2016 11:41:41 +0300 |
parents | 411c93ebd066 |
children | 3f1a07c3a600 |
files | src/share/classes/sun/security/pkcs/SignerInfo.java src/share/classes/sun/security/tools/jarsigner/Main.java src/share/classes/sun/security/tools/jarsigner/Resources.java test/sun/security/tools/jarsigner/warnings/Test.java |
diffstat | 4 files changed, 40 insertions(+), 5 deletions(-) [+] |
--- a/src/share/classes/sun/security/pkcs/SignerInfo.java Wed Sep 14 11:39:01 2016 +0300
+++ b/src/share/classes/sun/security/pkcs/SignerInfo.java Wed Sep 14 11:41:41 2016 +0300
@@ -55,6 +55,7 @@
 import sun.security.util.DerOutputStream;
 import sun.security.util.DerValue;
 import sun.security.util.DisabledAlgorithmConstraints;
+import sun.security.util.KeyUtil;
 import sun.security.util.ObjectIdentifier;
 import sun.security.x509.AlgorithmId;
 import sun.security.x509.X500Name;
@@ -399,7 +400,9 @@
         // check if the public key is restricted
         if (!JAR_DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
             throw new SignatureException("Public key check failed. " +
-                    "Disabled algorithm used: " + key.getAlgorithm());
+                    "Disabled key used: " +
+                    KeyUtil.getKeySize(key) + " bit " +
+                    key.getAlgorithm());
         }
 
         if (cert.hasUnsupportedCriticalExtension()) {
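Review bot: The new message in the second hunk prints `KeyUtil.getKeySize(key)` unconditionally, and that helper returns -1 when it cannot determine a size for the key type, so a disabled key of an unrecognised type would be reported as "Disabled key used: -1 bit XXX", which is misleading in exactly the diagnostic this change is meant to improve. Suggest computing the size once and only including it when it is known: `int size = KeyUtil.getKeySize(key);` then `"Disabled key used: " + (size > 0 ? size + " bit " : "") + key.getAlgorithm()`. The enclosing method starts before and ends after this hunk.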
--- a/src/share/classes/sun/security/tools/jarsigner/Main.java Wed Sep 14 11:39:01 2016 +0300
+++ b/src/share/classes/sun/security/tools/jarsigner/Main.java Wed Sep 14 11:41:41 2016 +0300
@@ -603,6 +603,7 @@
             }
             Manifest man = jf.getManifest();
+            boolean hasSignature = false;
             // The map to record display info, only used when -verbose provided
             //      key: signer info string
@@ -618,6 +619,10 @@
                 while (e.hasMoreElements()) {
                     JarEntry je = e.nextElement();
                     String name = je.getName();
+
+                    hasSignature = hasSignature
+                            || SignatureFileVerifier.isBlockOrSF(name);
+
                     CodeSigner[] signers = je.getCodeSigners();
                     boolean isSigned = (signers != null);
                     anySigned |= isSigned;
@@ -757,8 +762,11 @@
                 System.out.println(rb.getString("no.manifest."));
 
             if (!anySigned) {
-                System.out.println(rb.getString(
-                    "jar.is.unsigned.signatures.missing.or.not.parsable."));
+                if (hasSignature) {
+                    System.out.println(rb.getString("jar.treated.unsigned"));
+                } else {
+                    System.out.println(rb.getString("jar.is.unsigned"));
+                }
             } else {
                 boolean warningAppeared = false;
                 boolean errorAppeared = false;
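Review bot: In the second hunk `hasSignature` is derived from the raw entry name, but if I read `SignatureFileVerifier.isBlockOrSF` correctly it is a case-sensitive suffix check with no directory test, so an entry like `lib/foo.RSA` outside `META-INF/` would trigger the new "treated as unsigned" message, while a lower-case `meta-inf/x.sf` would not. Since this flag decides which of two user-facing verdicts is printed, suggest normalising and scoping it the way the JAR verifier itself does: `String upper = name.toUpperCase(Locale.ENGLISH);` and `hasSignature = hasSignature || (upper.startsWith("META-INF/") && SignatureFileVerifier.isBlockOrSF(upper));` (adding the `java.util.Locale` import if Main.java does not already have it). A one-line comment on the `boolean hasSignature = false;` declaration in the first hunk, e.g. `// true once any signature-related entry (.SF/.DSA/.RSA/.EC) is seen, even if it failed to verify`, would also make the later branch self-explanatory. The enclosing verify method starts before and ends after these hunks.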
--- a/src/share/classes/sun/security/tools/jarsigner/Resources.java Wed Sep 14 11:39:01 2016 +0300
+++ b/src/share/classes/sun/security/tools/jarsigner/Resources.java Wed Sep 14 11:41:41 2016 +0300
@@ -135,8 +135,10 @@
         {"no.manifest.", "no manifest."},
         {".Signature.related.entries.","(Signature related entries)"},
         {".Unsigned.entries.", "(Unsigned entries)"},
-        {"jar.is.unsigned.signatures.missing.or.not.parsable.",
-                "jar is unsigned. (signatures missing or not parsable)"},
+        {"jar.is.unsigned",
+                "jar is unsigned."},
+        {"jar.treated.unsigned",
+                "Signature not parsable or verifiable. The jar will be treated as unsigned. The jar may have been signed with a weak algorithm that is now disabled. For more information, rerun jarsigner with debug enabled (-J-Djava.security.debug=jar)."},
         {"jar.signed.", "jar signed."},
         {"jar.signed.with.signer.errors.", "jar signed, with signer errors."},
         {"jar.verified.", "jar verified."},
--- a/test/sun/security/tools/jarsigner/warnings/Test.java Wed Sep 14 11:39:01 2016 +0300
+++ b/test/sun/security/tools/jarsigner/warnings/Test.java Wed Sep 14 11:41:41 2016 +0300
@@ -22,6 +22,11 @@
  */
 
 import jdk.testlibrary.OutputAnalyzer;
+import jdk.testlibrary.ProcessTools;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
 
 /**
  * Base class.
@@ -175,4 +180,21 @@
         }
         analyzer.shouldContain(JAR_SIGNED);
     }
+
+    protected OutputAnalyzer keytool(String... cmd) throws Throwable {
+        return tool(KEYTOOL, cmd);
+    }
+
+    protected OutputAnalyzer jarsigner(String... cmd) throws Throwable {
+        return tool(JARSIGNER, cmd);
+    }
+
+    private OutputAnalyzer tool(String tool, String... args) throws Throwable {
+        List<String> cmd = new ArrayList<>();
+        cmd.add(tool);
+        cmd.add("-J-Duser.language=en");
+        cmd.add("-J-Duser.country=US");
+        cmd.addAll(Arrays.asList(args));
+        return ProcessTools.executeCommand(cmd.toArray(new String[cmd.size()]));
+    }
 }
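Review bot: The three new helpers in the second hunk have no Javadoc, and the reason `tool` forces `-J-Duser.language=en` / `-J-Duser.country=US` is not stated; subclasses that match on English output strings depend on it. Suggest a header on `tool` such as `/** Runs {@code tool} with the given args, pinning the JVM locale to en_US so tests can match the English resource strings. */` and a one-liner on each of `keytool` and `jarsigner` naming which tool is wrapped. As a minor style point, `cmd.toArray(new String[cmd.size()])` can be `cmd.toArray(new String[0])`.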