Mercurial > hg > release > icedtea-1.10
view netx/net/sourceforge/jnlp/tools/JarSigner.java @ 1842:31b0ba36a6b7
Completely restructure the building and inclusion of netx and plugin code.
We were relying on the binary plugs process (and thus importing unneeded
SNMP classes). We now use the same method as jaxws, jaxp, langtools and corba,
and the binary plugs process is turned off (the default, we were turning
it on by setting ALT_BINARY_PLUGS_PATH).
2009-05-27 Andrew John Hughes <ahughes@redhat.com>
* overlays/openjdk/jdk/src/share/classes/javax/jnlp/BasicService.java,
* overlays/openjdk/jdk/src/share/classes/javax/jnlp/ClipboardService.java,
* overlays/openjdk/jdk/src/share/classes/javax/jnlp/DownloadService.java,
* overlays/openjdk/jdk/src/share/classes/javax/jnlp/DownloadServiceListener.java,
* overlays/openjdk/jdk/src/share/classes/javax/jnlp/ExtensionInstallerService.java,
* overlays/openjdk/jdk/src/share/classes/javax/jnlp/FileContents.java,
* overlays/openjdk/jdk/src/share/classes/javax/jnlp/FileOpenService.java,
* overlays/openjdk/jdk/src/share/classes/javax/jnlp/FileSaveService.java,
* overlays/openjdk/jdk/src/share/classes/javax/jnlp/JNLPRandomAccessFile.java,
* overlays/openjdk/jdk/src/share/classes/javax/jnlp/PersistenceService.java,
* overlays/openjdk/jdk/src/share/classes/javax/jnlp/PrintService.java,
* overlays/openjdk/jdk/src/share/classes/javax/jnlp/ServiceManager.java,
* overlays/openjdk/jdk/src/share/classes/javax/jnlp/ServiceManagerStub.java,
* overlays/openjdk/jdk/src/share/classes/javax/jnlp/UnavailableServiceException.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/AppletDesc.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/ApplicationDesc.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/ComponentDesc.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/DefaultLaunchHandler.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/ExtensionDesc.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/IconDesc.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/InformationDesc.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/InstallerDesc.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/JARDesc.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/JNLPFile.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/JNLPSplashScreen.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/JREDesc.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/LaunchException.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/LaunchHandler.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/Launcher.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/NetxPanel.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/Node.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/PackageDesc.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/ParseException.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/Parser.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/PluginBridge.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/PropertyDesc.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/ResourcesDesc.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/SecurityDesc.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/Version.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/cache/CacheEntry.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/cache/CacheUtil.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/cache/DefaultDownloadIndicator.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/cache/DownloadIndicator.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/cache/Resource.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/cache/ResourceTracker.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/cache/UpdatePolicy.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/cache/package.html,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/event/ApplicationEvent.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/event/ApplicationListener.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/event/DownloadEvent.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/event/DownloadListener.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/event/package.html,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/package.html,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/resources/Manifest.mf,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/resources/Messages.properties,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/resources/about.jnlp,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/resources/default.jnlp,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/runtime/AppThreadGroup.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/runtime/AppletAudioClip.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/runtime/AppletEnvironment.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/runtime/AppletInstance.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/runtime/ApplicationInstance.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/runtime/Boot.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/runtime/Boot13.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/runtime/JNLPClassLoader.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/runtime/JNLPPolicy.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/runtime/JNLPRuntime.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/runtime/package.html,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/security/AccessWarningPane.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/security/AppletWarningPane.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/security/CertVerifier.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/security/CertWarningPane.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/security/CertsInfoPane.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/security/HttpsCertVerifier.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/security/MoreInfoPane.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/security/SecurityDialogUI.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/security/SecurityUtil.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/security/SecurityWarningDialog.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/security/SingleCertInfoPane.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/security/VariableX509TrustManager.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/security/viewer/CertificatePane.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/security/viewer/CertificateViewer.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/services/ServiceUtil.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/services/XBasicService.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/services/XClipboardService.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/services/XDownloadService.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/services/XExtensionInstallerService.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/services/XFileContents.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/services/XFileOpenService.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/services/XFileSaveService.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/services/XJNLPRandomAccessFile.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/services/XPersistenceService.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/services/XPrintService.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/services/XServiceManagerStub.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/services/package.html,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/tools/CharacterEncoder.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/tools/HexDumpEncoder.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/tools/JarRunner.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/tools/JarSigner.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/tools/JarSignerResources.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/tools/KeyStoreUtil.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/tools/KeyTool.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/util/PropertiesFile.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/util/Reflect.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/util/WeakList.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/nanoxml/XMLElement.java,
* overlays/openjdk/jdk/src/share/classes/net/sourceforge/nanoxml/XMLParseException.java:
Moved to...
* Makefile.am:
Remove use of ALT_BINARY_PLUGS_PATH (and thus turn off the binary plugs build),
add a INITIAL_BOOTSTRAP_LINK_STAMP target which allows us to depend on $(ICEDTEA_BOOT_DIR)
for both types of build, output to lib/tools.jar not jre/lib/tools.jar, add targets
for building netx and liveconnect classes and make icedtea targets dependent on this.
* netx/javax/jnlp/BasicService.java,
* netx/javax/jnlp/ClipboardService.java,
* netx/javax/jnlp/DownloadService.java,
* netx/javax/jnlp/DownloadServiceListener.java,
* netx/javax/jnlp/ExtensionInstallerService.java,
* netx/javax/jnlp/FileContents.java,
* netx/javax/jnlp/FileOpenService.java,
* netx/javax/jnlp/FileSaveService.java,
* netx/javax/jnlp/JNLPRandomAccessFile.java,
* netx/javax/jnlp/PersistenceService.java,
* netx/javax/jnlp/PrintService.java,
* netx/javax/jnlp/ServiceManager.java,
* netx/javax/jnlp/ServiceManagerStub.java,
* netx/javax/jnlp/UnavailableServiceException.java,
* netx/net/sourceforge/jnlp/AppletDesc.java,
* netx/net/sourceforge/jnlp/ApplicationDesc.java,
* netx/net/sourceforge/jnlp/ComponentDesc.java,
* netx/net/sourceforge/jnlp/DefaultLaunchHandler.java,
* netx/net/sourceforge/jnlp/ExtensionDesc.java,
* netx/net/sourceforge/jnlp/IconDesc.java,
* netx/net/sourceforge/jnlp/InformationDesc.java,
* netx/net/sourceforge/jnlp/InstallerDesc.java,
* netx/net/sourceforge/jnlp/JARDesc.java,
* netx/net/sourceforge/jnlp/JNLPFile.java,
* netx/net/sourceforge/jnlp/JNLPSplashScreen.java,
* netx/net/sourceforge/jnlp/JREDesc.java,
* netx/net/sourceforge/jnlp/LaunchException.java,
* netx/net/sourceforge/jnlp/LaunchHandler.java,
* netx/net/sourceforge/jnlp/Launcher.java,
* netx/net/sourceforge/jnlp/NetxPanel.java,
* netx/net/sourceforge/jnlp/Node.java,
* netx/net/sourceforge/jnlp/PackageDesc.java,
* netx/net/sourceforge/jnlp/ParseException.java,
* netx/net/sourceforge/jnlp/Parser.java,
* netx/net/sourceforge/jnlp/PluginBridge.java,
* netx/net/sourceforge/jnlp/PropertyDesc.java,
* netx/net/sourceforge/jnlp/ResourcesDesc.java,
* netx/net/sourceforge/jnlp/SecurityDesc.java,
* netx/net/sourceforge/jnlp/Version.java,
* netx/net/sourceforge/jnlp/cache/CacheEntry.java,
* netx/net/sourceforge/jnlp/cache/CacheUtil.java,
* netx/net/sourceforge/jnlp/cache/DefaultDownloadIndicator.java,
* netx/net/sourceforge/jnlp/cache/DownloadIndicator.java,
* netx/net/sourceforge/jnlp/cache/Resource.java,
* netx/net/sourceforge/jnlp/cache/ResourceTracker.java,
* netx/net/sourceforge/jnlp/cache/UpdatePolicy.java,
* netx/net/sourceforge/jnlp/cache/package.html,
* netx/net/sourceforge/jnlp/event/ApplicationEvent.java,
* netx/net/sourceforge/jnlp/event/ApplicationListener.java,
* netx/net/sourceforge/jnlp/event/DownloadEvent.java,
* netx/net/sourceforge/jnlp/event/DownloadListener.java,
* netx/net/sourceforge/jnlp/event/package.html,
* netx/net/sourceforge/jnlp/package.html,
* netx/net/sourceforge/jnlp/resources/Manifest.mf,
* netx/net/sourceforge/jnlp/resources/Messages.properties,
* netx/net/sourceforge/jnlp/resources/about.jnlp,
* netx/net/sourceforge/jnlp/resources/default.jnlp,
* netx/net/sourceforge/jnlp/runtime/AppThreadGroup.java,
* netx/net/sourceforge/jnlp/runtime/AppletAudioClip.java,
* netx/net/sourceforge/jnlp/runtime/AppletEnvironment.java,
* netx/net/sourceforge/jnlp/runtime/AppletInstance.java,
* netx/net/sourceforge/jnlp/runtime/ApplicationInstance.java,
* netx/net/sourceforge/jnlp/runtime/Boot.java,
* netx/net/sourceforge/jnlp/runtime/Boot13.java,
* netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java,
* netx/net/sourceforge/jnlp/runtime/JNLPPolicy.java,
* netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java,
* netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java,
* netx/net/sourceforge/jnlp/runtime/package.html,
* netx/net/sourceforge/jnlp/security/AccessWarningPane.java,
* netx/net/sourceforge/jnlp/security/AppletWarningPane.java,
* netx/net/sourceforge/jnlp/security/CertVerifier.java,
* netx/net/sourceforge/jnlp/security/CertWarningPane.java,
* netx/net/sourceforge/jnlp/security/CertsInfoPane.java,
* netx/net/sourceforge/jnlp/security/HttpsCertVerifier.java,
* netx/net/sourceforge/jnlp/security/MoreInfoPane.java,
* netx/net/sourceforge/jnlp/security/SecurityDialogUI.java,
* netx/net/sourceforge/jnlp/security/SecurityUtil.java,
* netx/net/sourceforge/jnlp/security/SecurityWarningDialog.java,
* netx/net/sourceforge/jnlp/security/SingleCertInfoPane.java,
* netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java,
* netx/net/sourceforge/jnlp/security/viewer/CertificatePane.java,
* netx/net/sourceforge/jnlp/security/viewer/CertificateViewer.java,
* netx/net/sourceforge/jnlp/services/ServiceUtil.java,
* netx/net/sourceforge/jnlp/services/XBasicService.java,
* netx/net/sourceforge/jnlp/services/XClipboardService.java,
* netx/net/sourceforge/jnlp/services/XDownloadService.java,
* netx/net/sourceforge/jnlp/services/XExtensionInstallerService.java,
* netx/net/sourceforge/jnlp/services/XFileContents.java,
* netx/net/sourceforge/jnlp/services/XFileOpenService.java,
* netx/net/sourceforge/jnlp/services/XFileSaveService.java,
* netx/net/sourceforge/jnlp/services/XJNLPRandomAccessFile.java,
* netx/net/sourceforge/jnlp/services/XPersistenceService.java,
* netx/net/sourceforge/jnlp/services/XPrintService.java,
* netx/net/sourceforge/jnlp/services/XServiceManagerStub.java,
* netx/net/sourceforge/jnlp/services/package.html,
* netx/net/sourceforge/jnlp/tools/CharacterEncoder.java,
* netx/net/sourceforge/jnlp/tools/HexDumpEncoder.java,
* netx/net/sourceforge/jnlp/tools/JarRunner.java,
* netx/net/sourceforge/jnlp/tools/JarSigner.java,
* netx/net/sourceforge/jnlp/tools/JarSignerResources.java,
* netx/net/sourceforge/jnlp/tools/KeyStoreUtil.java,
* netx/net/sourceforge/jnlp/tools/KeyTool.java,
* netx/net/sourceforge/jnlp/util/PropertiesFile.java,
* netx/net/sourceforge/jnlp/util/Reflect.java,
* netx/net/sourceforge/jnlp/util/WeakList.java,
* netx/net/sourceforge/nanoxml/XMLElement.java,
* netx/net/sourceforge/nanoxml/XMLParseException.java: to here.
* patches/ecj/icedtea.patch:
Recreated.
* patches/icedtea-ant.patch:
Remove hack to jaxws which uses plugs directory (now undefined).
* patches/icedtea-javac-debuginfo.patch: Recreated.
* patches/icedtea-netx.patch:
Include netx and netscape classes via the same import mechanism
as jaxws, jaxp, corba and langtools (extracting a classes.zip).
author | Andrew John Hughes <ahughes@redhat.com> |
---|---|
date | Thu, 28 May 2009 10:18:19 +0100 |
parents | overlays/openjdk/jdk/src/share/classes/net/sourceforge/jnlp/tools/JarSigner.java@97367bcc3bc1 |
children |
line wrap: on
line source
/* * Copyright 1997-2007 Sun Microsystems, Inc. All Rights Reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Sun designates this * particular file as subject to the "Classpath" exception as provided * by Sun in the LICENSE file that accompanied this code. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, * CA 95054 USA or visit www.sun.com if you need additional information or * have any questions. */ package net.sourceforge.jnlp.tools; import java.io.*; import java.util.*; import java.util.zip.*; import java.util.jar.*; import java.text.Collator; import java.text.MessageFormat; import java.security.cert.Certificate; import java.security.cert.X509Certificate; import java.security.cert.CertPath; import java.security.*; import sun.security.x509.*; import sun.security.util.*; import net.sourceforge.jnlp.*; import net.sourceforge.jnlp.cache.*; import net.sourceforge.jnlp.runtime.*; import net.sourceforge.jnlp.security.*; /** * <p>The jarsigner utility. * * @author Roland Schemers * @author Jan Luehe */ public class JarSigner implements CertVerifier { private static String R(String key) { return JNLPRuntime.getMessage(key); } private static final Collator collator = Collator.getInstance(); static { // this is for case insensitive string comparisions collator.setStrength(Collator.PRIMARY); } private static final String META_INF = "META-INF/"; // prefix for new signature-related files in META-INF directory private static final String SIG_PREFIX = META_INF + "SIG-"; private static final long SIX_MONTHS = 180*24*60*60*1000L; //milliseconds static final String VERSION = "1.0"; static final int IN_KEYSTORE = 0x01; static final int IN_SCOPE = 0x02; // signer's certificate chain (when composing) X509Certificate[] certChain; /* * private key */ PrivateKey privateKey; KeyStore store; IdentityScope scope; String keystore; // key store file boolean nullStream = false; // null keystore input stream (NONE) boolean token = false; // token-based keystore String jarfile; // jar file to sign String alias; // alias to sign jar with char[] storepass; // keystore password boolean protectedPath; // protected authentication path String storetype; // keystore type String providerName; // provider name Vector<String> providers = null; // list of providers HashMap<String,String> providerArgs = new HashMap<String, String>(); // arguments for provider constructors char[] keypass; // private key password String sigfile; // name of .SF file String sigalg; // name of signature algorithm String digestalg = "SHA1"; // name of digest algorithm String signedjar; // output filename String tsaUrl; // location of the Timestamping Authority String tsaAlias; // alias for the Timestamping Authority's certificate boolean verify = false; // verify the jar boolean verbose = false; // verbose output when signing/verifying boolean showcerts = false; // show certs when verifying boolean debug = false; // debug boolean signManifest = true; // "sign" the whole manifest boolean externalSF = true; // leave the .SF out of the PKCS7 block private boolean hasExpiredCert = false; private boolean hasExpiringCert = false; private boolean notYetValidCert = false; private boolean badKeyUsage = false; private boolean badExtendedKeyUsage = false; private boolean badNetscapeCertType = false; private boolean alreadyTrustPublisher = false; private boolean rootInCacerts = false; /** * The single certPath used in this JarSiging. We're only keeping * track of one here, since in practice there's only one signer * for a JNLP Application. */ private CertPath certPath = null; private boolean noSigningIssues = true; private boolean anyJarsSigned = false; /** all of the jar files that were verified */ private ArrayList<String> verifiedJars = null; /** all of the jar files that were not verified */ private ArrayList<String> unverifiedJars = null; /** the certificates used for jar verification */ private ArrayList<CertPath> certs = null; /** details of this signing */ private ArrayList<String> details = new ArrayList<String>(); /* (non-Javadoc) * @see net.sourceforge.jnlp.tools.CertVerifier2#getAlreadyTrustPublisher() */ public boolean getAlreadyTrustPublisher() { return alreadyTrustPublisher; } /* (non-Javadoc) * @see net.sourceforge.jnlp.tools.CertVerifier2#getRootInCacerts() */ public boolean getRootInCacerts() { return rootInCacerts; } public CertPath getCertPath() { return certPath; } /* (non-Javadoc) * @see net.sourceforge.jnlp.tools.CertVerifier2#hasSigningIssues() */ public boolean hasSigningIssues() { return hasExpiredCert || notYetValidCert || badKeyUsage || badExtendedKeyUsage || badNetscapeCertType; } /* (non-Javadoc) * @see net.sourceforge.jnlp.tools.CertVerifier2#noSigningIssues() */ public boolean noSigningIssues() { return noSigningIssues; } public boolean anyJarsSigned() { return anyJarsSigned; } /* (non-Javadoc) * @see net.sourceforge.jnlp.tools.CertVerifier2#getDetails() */ public ArrayList<String> getDetails() { return details; } /* (non-Javadoc) * @see net.sourceforge.jnlp.tools.CertVerifier2#getCerts() */ public ArrayList<CertPath> getCerts() { return certs; } public void verifyJars(List<JARDesc> jars, ResourceTracker tracker) throws Exception { certs = new ArrayList<CertPath>(); for (int i = 0; i < jars.size(); i++) { JARDesc jar = (JARDesc) jars.get(i); verifiedJars = new ArrayList<String>(); unverifiedJars = new ArrayList<String>(); try { File jarFile = tracker.getCacheFile(jar.getLocation()); // some sort of resource download/cache error. Nothing to add // in that case ... but don't fail here if (jarFile == null) { return; } String localFile = jarFile.getAbsolutePath(); boolean result = verifyJar(localFile); if (!result) { //allVerified is true until we encounter a problem //with one or more jars noSigningIssues = false; unverifiedJars.add(localFile); } else { verifiedJars.add(localFile); } } catch (Exception e){ // We may catch exceptions from using verifyJar() // or from checkTrustedCerts throw e; } } } public boolean verifyJar(String jarName) throws Exception { boolean anySigned = false; boolean hasUnsignedEntry = false; JarInputStream jis = null; // certs could be uninitialized if one calls this method directly if (certs == null) certs = new ArrayList<CertPath>(); try { jis = new JarInputStream(new FileInputStream(jarName), true); Vector<JarEntry> entriesVec = new Vector<JarEntry>(); byte[] buffer = new byte[8192]; JarEntry je; while ((je = jis.getNextJarEntry()) != null) { entriesVec.addElement(je); InputStream is = null; try { int n; while ((n = jis.read(buffer, 0, buffer.length)) != -1) { // we just read. this will throw a SecurityException // if a signature/digest check fails. } } finally { if (is != null) { is.close(); } } } Manifest man = jis.getManifest(); if (man != null) { if (verbose) System.out.println(); Enumeration<JarEntry> e = entriesVec.elements(); long now = System.currentTimeMillis(); while (e.hasMoreElements()) { je = e.nextElement(); String name = je.getName(); CodeSigner[] signers = je.getCodeSigners(); boolean isSigned = (signers != null); anySigned |= isSigned; hasUnsignedEntry |= !je.isDirectory() && !isSigned && !signatureRelated(name); if (isSigned) { // TODO: Perhaps we should check here that // signers.length is only of size 1, and throw an // exception if it's not? for (int i = 0; i < signers.length; i++) { CertPath certPath = signers[i].getSignerCertPath(); if (!certs.contains(certPath)) certs.add(certPath); //we really only want the first certPath if (!certPath.equals(this.certPath)){ this.certPath = certPath; } Certificate cert = signers[i].getSignerCertPath() .getCertificates().get(0); if (cert instanceof X509Certificate) { checkCertUsage((X509Certificate)cert, null); if (!showcerts) { long notAfter = ((X509Certificate)cert) .getNotAfter().getTime(); if (notAfter < now) { hasExpiredCert = true; } else if (notAfter < now + SIX_MONTHS) { hasExpiringCert = true; } } } } } } //while e has more elements } //if man not null //Alert the user if any of the following are true. if (!anySigned) { } else { anyJarsSigned = true; //warnings if (hasUnsignedEntry || hasExpiredCert || hasExpiringCert || badKeyUsage || badExtendedKeyUsage || badNetscapeCertType || notYetValidCert) { addToDetails(R("SRunWithoutRestrictions")); if (badKeyUsage) addToDetails(R("SBadKeyUsage")); if (badExtendedKeyUsage) addToDetails(R("SBadExtendedKeyUsage")); if (badNetscapeCertType) addToDetails(R("SBadNetscapeCertType")); if (hasUnsignedEntry) addToDetails(R("SHasUnsignedEntry")); if (hasExpiredCert) addToDetails(R("SHasExpiredCert")); if (hasExpiringCert) addToDetails(R("SHasExpiringCert")); if (notYetValidCert) addToDetails(R("SNotYetValidCert")); } } } catch (Exception e) { e.printStackTrace(); throw e; } finally { // close the resource if (jis != null) { jis.close(); } } // check if the certs added above are in the trusted path checkTrustedCerts(); //anySigned does not guarantee that all files were signed. return anySigned && !(hasUnsignedEntry || hasExpiredCert || badKeyUsage || badExtendedKeyUsage || badNetscapeCertType || notYetValidCert); } /** * Checks the user's trusted.certs file and the cacerts file to see * if a publisher's and/or CA's certificate exists there. */ private void checkTrustedCerts() throws Exception { if (certPath != null) { try { KeyTool kt = new KeyTool(); alreadyTrustPublisher = kt.isTrusted(getPublisher()); rootInCacerts = kt.checkCacertsForCertificate(getRoot()); } catch (Exception e) { // TODO: Warn user about not being able to // look through their cacerts/trusted.certs // file depending on exception. throw e; } if (!rootInCacerts) addToDetails(R("SUntrustedCertificate")); else addToDetails(R("STrustedCertificate")); } } /* (non-Javadoc) * @see net.sourceforge.jnlp.tools.CertVerifier2#getPublisher() */ public Certificate getPublisher() { if (certPath != null) { List<? extends Certificate> certList = certPath.getCertificates(); if (certList.size() > 0) { return (Certificate)certList.get(0); } else { return null; } } else { return null; } } /* (non-Javadoc) * @see net.sourceforge.jnlp.tools.CertVerifier2#getRoot() */ public Certificate getRoot() { if (certPath != null) { List<? extends Certificate> certList = certPath.getCertificates(); if (certList.size() > 0) { return (Certificate)certList.get( certList.size() - 1); } else { return null; } } else { return null; } } private void addToDetails(String detail) { if (!details.contains(detail)) details.add(detail); } Hashtable<Certificate, String> storeHash = new Hashtable<Certificate, String>(); /** * signature-related files include: * . META-INF/MANIFEST.MF * . META-INF/SIG-* * . META-INF/*.SF * . META-INF/*.DSA * . META-INF/*.RSA * * Required for verifyJar() */ private boolean signatureRelated(String name) { String ucName = name.toUpperCase(); if (ucName.equals(JarFile.MANIFEST_NAME) || ucName.equals(META_INF) || (ucName.startsWith(SIG_PREFIX) && ucName.indexOf("/") == ucName.lastIndexOf("/"))) { return true; } if (ucName.startsWith(META_INF) && SignatureFileVerifier.isBlockOrSF(ucName)) { // .SF/.DSA/.RSA files in META-INF subdirs // are not considered signature-related return (ucName.indexOf("/") == ucName.lastIndexOf("/")); } return false; } /** * Check if userCert is designed to be a code signer * @param userCert the certificate to be examined * @param bad 3 booleans to show if the KeyUsage, ExtendedKeyUsage, * NetscapeCertType has codeSigning flag turned on. * If null, the class field badKeyUsage, badExtendedKeyUsage, * badNetscapeCertType will be set. * * Required for verifyJar() */ void checkCertUsage(X509Certificate userCert, boolean[] bad) { // Can act as a signer? // 1. if KeyUsage, then [0] should be true // 2. if ExtendedKeyUsage, then should contains ANY or CODE_SIGNING // 3. if NetscapeCertType, then should contains OBJECT_SIGNING // 1,2,3 must be true if (bad != null) { bad[0] = bad[1] = bad[2] = false; } boolean[] keyUsage = userCert.getKeyUsage(); if (keyUsage != null) { if (keyUsage.length < 1 || !keyUsage[0]) { if (bad != null) { bad[0] = true; } else { badKeyUsage = true; } } } try { List<String> xKeyUsage = userCert.getExtendedKeyUsage(); if (xKeyUsage != null) { if (!xKeyUsage.contains("2.5.29.37.0") // anyExtendedKeyUsage && !xKeyUsage.contains("1.3.6.1.5.5.7.3.3")) { // codeSigning if (bad != null) { bad[1] = true; } else { badExtendedKeyUsage = true; } } } } catch (java.security.cert.CertificateParsingException e) { // shouldn't happen } try { // OID_NETSCAPE_CERT_TYPE byte[] netscapeEx = userCert.getExtensionValue ("2.16.840.1.113730.1.1"); if (netscapeEx != null) { DerInputStream in = new DerInputStream(netscapeEx); byte[] encoded = in.getOctetString(); encoded = new DerValue(encoded).getUnalignedBitString() .toByteArray(); NetscapeCertTypeExtension extn = new NetscapeCertTypeExtension(encoded); Boolean val = (Boolean)extn.get( NetscapeCertTypeExtension.OBJECT_SIGNING); if (!val) { if (bad != null) { bad[2] = true; } else { badNetscapeCertType = true; } } } } catch (IOException e) { // } } }