From 692684aa31f719bcbe5cfbcfa70a9f6b65fb0286 Mon Sep 17 00:00:00 2001
From: Weijun Wang
Date: Wed, 28 Oct 2009 15:32:49 +0800
Subject: [PATCH] 6890872: keytool -printcert to recognize signed jar files
Reviewed-by: mullan
---
 .../classes/sun/security/tools/JarSigner.java | 1 +
 .../classes/sun/security/tools/KeyTool.java | 76 ++++++++++++++++++-
 .../classes/sun/security/util/Resources.java | 9 +++
 .../sun/security/tools/keytool/readjar.sh | 56 ++++++++++++++
 4 files changed, 140 insertions(+), 2 deletions(-)
 create mode 100644 jdk/test/sun/security/tools/keytool/readjar.sh
diff --git a/jdk/src/share/classes/sun/security/tools/JarSigner.java b/jdk/src/share/classes/sun/security/tools/JarSigner.java
index b373ebc23ef..005d8aa1bfd 100644
--- a/jdk/src/share/classes/sun/security/tools/JarSigner.java
+++ b/jdk/src/share/classes/sun/security/tools/JarSigner.java
@@ -1483,6 +1483,7 @@ public class JarSigner {
 Timestamp timestamp = signer.getTimestamp();
 if (timestamp != null) {
 s.append(printTimestamp(tab, timestamp));
+ s.append('\n');
 }
 // display the certificate(s)
 for (Certificate c : certs) {
diff --git a/jdk/src/share/classes/sun/security/tools/KeyTool.java b/jdk/src/share/classes/sun/security/tools/KeyTool.java
index 3ce402a65d0..b3b0f7365ab 100644
--- a/jdk/src/share/classes/sun/security/tools/KeyTool.java
+++ b/jdk/src/share/classes/sun/security/tools/KeyTool.java
@@ -26,6 +26,7 @@ package sun.security.tools;
 import java.io.*;
+import java.security.CodeSigner;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.MessageDigest;
@@ -34,6 +35,7 @@ import java.security.PublicKey;
 import java.security.PrivateKey;
 import java.security.Security;
 import java.security.Signature;
+import java.security.Timestamp;
 import java.security.UnrecoverableEntryException;
 import java.security.UnrecoverableKeyException;
 import java.security.Principal;
@@ -46,6 +48,8 @@ import java.security.cert.CertificateException;
 import java.text.Collator;
 import java.text.MessageFormat;
 import java.util.*;
+import java.util.jar.JarEntry;
+import java.util.jar.JarFile;
 import java.lang.reflect.Constructor;
 import java.net.URL;
 import java.net.URLClassLoader;
@@ -130,6 +134,7 @@ public final class KeyTool {
 private File ksfile = null;
 private InputStream ksStream = null; // keystore stream
 private String sslserver = null;
+ private String jarfile = null;
 private KeyStore keyStore = null;
 private boolean token = false;
 private boolean nullStream = false;
@@ -206,7 +211,7 @@ public final class KeyTool {
 "-providername", "-providerclass", "-providerarg", "-providerpath",
 "-v", "-protected"),
 PRINTCERT("Prints the content of a certificate",
- "-rfc", "-file", "-sslserver", "-v"),
+ "-rfc", "-file", "-sslserver", "-jarfile", "-v"),
 PRINTCERTREQ("Prints the content of a certificate request",
 "-file", "-v"),
 SELFCERT("Generates a self-signed certificate",
@@ -266,6 +271,7 @@ public final class KeyTool {
 {"-srcstorepass", "", "source keystore password"},
 {"-srcstoretype", "", "source keystore type"},
 {"-sslserver", "", "SSL server host and port"},
+ {"-jarfile", "", "signed jar file"},
 {"-startdate", "", "certificate validity start date/time"},
 {"-storepass", "", "keystore password"},
 {"-storetype", "", "keystore type"},
@@ -453,6 +459,8 @@ public final class KeyTool {
 outfilename = args[++i];
 } else if (collator.compare(flags, "-sslserver") == 0) {
 sslserver = args[++i];
+ } else if (collator.compare(flags, "-jarfile") == 0) {
+ jarfile = args[++i];
 } else if (collator.compare(flags, "-srckeystore") == 0) {
 srcksfname = args[++i];
 } else if ((collator.compare(flags, "-provider") == 0) ||
@@ -2065,7 +2073,71 @@ public final class KeyTool {
 }
 private void doPrintCert(final PrintStream out) throws Exception {
- if (sslserver != null) {
+ if (jarfile != null) {
+ JarFile jf = new JarFile(jarfile, true);
+ Enumeration entries = jf.entries();
+ Set ss = new HashSet();
+ byte[] buffer = new byte[8192];
+ int pos = 0;
+ while (entries.hasMoreElements()) {
+ JarEntry je = entries.nextElement();
+ InputStream is = null;
+ try {
+ is = jf.getInputStream(je);
+ while (is.read(buffer) != -1) {
+ // we just read. this will throw a SecurityException
+ // if a signature/digest check fails. This also
+ // populate the signers
+ }
+ } finally {
+ if (is != null) {
+ is.close();
+ }
+ }
+ CodeSigner[] signers = je.getCodeSigners();
+ if (signers != null) {
+ for (CodeSigner signer: signers) {
+ if (!ss.contains(signer)) {
+ ss.add(signer);
+ out.printf(rb.getString("Signer #%d:"), ++pos);
+ out.println();
+ out.println();
+ out.println(rb.getString("Signature:"));
+ out.println();
+ for (Certificate cert: signer.getSignerCertPath().getCertificates()) {
+ X509Certificate x = (X509Certificate)cert;
+ if (rfc) {
+ out.println(rb.getString("Certificate owner: ") + x.getSubjectDN() + "\n");
+ dumpCert(x, out);
+ } else {
+ printX509Cert(x, out);
+ }
+ out.println();
+ }
+ Timestamp ts = signer.getTimestamp();
+ if (ts != null) {
+ out.println(rb.getString("Timestamp:"));
+ out.println();
+ for (Certificate cert: ts.getSignerCertPath().getCertificates()) {
+ X509Certificate x = (X509Certificate)cert;
+ if (rfc) {
+ out.println(rb.getString("Certificate owner: ") + x.getSubjectDN() + "\n");
+ dumpCert(x, out);
+ } else {
+ printX509Cert(x, out);
+ }
+ out.println();
+ }
+ }
+ }
+ }
+ }
+ }
+ jf.close();
+ if (ss.size() == 0) {
+ out.println(rb.getString("Not a signed jar file"));
+ }
+ } else if (sslserver != null) {
 SSLContext sc = SSLContext.getInstance("SSL");
 final boolean[] certPrinted = new boolean[1];
 sc.init(null, new TrustManager[] {
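Review bot: `jf.close()` runs only on the success path, so the JarFile is leaked whenever `is.read` throws the SecurityException the comment anticipates (an entry with a bad digest) or `getInputStream` fails; wrap the scan in `try { … } finally { jf.close(); }` so the handle is released on every exit. A second point worth a caveat in the output: entries whose `getCodeSigners()` returns null are silently skipped, so a jar to which unsigned entries were added after signing still prints "Signer #1" with nothing indicating that parts of it are unsigned — counting such entries (excluding directories and, presumably, the META-INF manifest and signature files, which carry no signers) and printing a warning when the count is non-zero would make the listing safer to act on. Note also that this path only displays the signer chains; nothing here validates them against a truststore or checks validity dates, which matches `-sslserver` but deserves a comment such as `// NOTE: prints the signer chain(s) only; no chain validation is performed here`. The sslserver branch continues past the end of the hunk.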
diff --git a/jdk/src/share/classes/sun/security/util/Resources.java b/jdk/src/share/classes/sun/security/util/Resources.java
index 686e91469a8..3911b5479f8 100644
--- a/jdk/src/share/classes/sun/security/util/Resources.java
+++ b/jdk/src/share/classes/sun/security/util/Resources.java
@@ -162,6 +162,8 @@ public class Resources extends java.util.ListResourceBundle {
 "source keystore type"}, //-srcstoretype
 {"SSL server host and port",
 "SSL server host and port"}, //-sslserver
+ {"signed jar file",
+ "signed jar file"}, //=jarfile
 {"certificate validity start date/time",
 "certificate validity start date/time"}, //-startdate
 {"keystore password",
@@ -370,6 +372,13 @@ public class Resources extends java.util.ListResourceBundle {
 {"***************** WARNING WARNING WARNING *****************",
 "***************** WARNING WARNING WARNING *****************"},
+ {"Signer #%d:", "Signer #%d:"},
+ {"Timestamp:", "Timestamp:"},
+ {"Signature:", "Signature:"},
+ {"Certificate owner: ", "Certificate owner: "},
+ {"Not a signed jar file", "Not a signed jar file"},
+ {"No certificate from the SSL server",
+ "No certificate from the SSL server"},
 // Translators of the following 5 pairs, ATTENTION:
 // the next 5 string pairs are meant to be combined into 2 paragraphs,
diff --git a/jdk/test/sun/security/tools/keytool/readjar.sh b/jdk/test/sun/security/tools/keytool/readjar.sh
new file mode 100644
index 00000000000..e9ec824c32f
--- /dev/null
+++ b/jdk/test/sun/security/tools/keytool/readjar.sh
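Review bot: The trailing comment on the new `-jarfile` resource reads `//=jarfile` while its neighbours use `//-sslserver` and `//-startdate`; change it to `//-jarfile` so a grep for the option name finds the entry. `"No certificate from the SSL server"` is added in the second hunk but no use of it appears in the KeyTool hunks of this patch; if it belongs to the sslserver branch that continues outside the doPrintCert hunk that is fine, otherwise it is an unused key and should go.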
@@ -0,0 +1,56 @@
+#
+# Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+# CA 95054 USA or visit www.sun.com if you need additional information or
+# have any questions.
+#
+
+# @test
+# @bug 6890872
+# @summary keytool -printcert to recognize signed jar files
+#
+
+if [ "${TESTJAVA}" = "" ] ; then
+ JAVAC_CMD=`which javac`
+ TESTJAVA=`dirname $JAVAC_CMD`/..
+fi
+
+# set platform-dependent variables
+OS=`uname -s`
+case "$OS" in
+ Windows_* )
+ FS="\\"
+ ;;
+ * )
+ FS="/"
+ ;;
+esac
+
+KS=readjar.jks
+rm $KS
+$TESTJAVA${FS}bin${FS}keytool -storepass changeit -keypass changeit -keystore $KS \
+ -alias x -dname CN=X -genkeypair
+$TESTJAVA${FS}bin${FS}jar cvf readjar.jar $KS
+$TESTJAVA${FS}bin${FS}jarsigner -storepass changeit -keystore $KS readjar.jar x
+
+$TESTJAVA${FS}bin${FS}keytool -printcert -jarfile readjar.jar || exit 1
+$TESTJAVA${FS}bin${FS}keytool -printcert -jarfile readjar.jar -rfc || exit 1
+
+exit 0
+
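Review bot: Both `keytool -printcert -jarfile` invocations check only the exit status, and in the doPrintCert change the "Not a signed jar file" case returns normally, so this test passes even if signer detection is completely broken; pipe the output through grep for the expected marker, e.g. `$TESTJAVA${FS}bin${FS}keytool -printcert -jarfile readjar.jar | grep "Signer #1" || exit 1`, and add a negative case on an unsigned jar that expects "Not a signed jar file". A tampered-jar case (modify an entry after signing and expect keytool to exit non-zero) would also cover the SecurityException path the new code relies on for verification. `rm $KS` prints an error on a clean run because the keystore does not exist yet; `rm -f $KS` is the usual form.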