From 9eda16c50d53b4097b0763ec73f1a3da7d0b926f Mon Sep 17 00:00:00 2001
From: Weijun Wang <weijun@openjdk.org>
Date: Wed, 14 Sep 2016 00:29:30 +0800
Subject: [PATCH] 8165816: jarsigner -verify shows jar unsigned if it was signed with a weak algorithm
Reviewed-by: mullan
---
 .../share/classes/sun/security/pkcs/SignerInfo.java | 5 ++++-
 .../classes/sun/security/tools/jarsigner/Main.java | 12 ++++++++++--
 .../sun/security/tools/jarsigner/Resources.java | 6 ++++--
 3 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/jdk/src/java.base/share/classes/sun/security/pkcs/SignerInfo.java b/jdk/src/java.base/share/classes/sun/security/pkcs/SignerInfo.java
index c04d07b9ec7..44241d3b712 100644
--- a/jdk/src/java.base/share/classes/sun/security/pkcs/SignerInfo.java
+++ b/jdk/src/java.base/share/classes/sun/security/pkcs/SignerInfo.java
@@ -55,6 +55,7 @@ import sun.security.util.DerOutputStream;
 import sun.security.util.DerValue;
 import sun.security.util.DisabledAlgorithmConstraints;
 import sun.security.util.HexDumpEncoder;
+import sun.security.util.KeyUtil;
 import sun.security.util.ObjectIdentifier;
 import sun.security.x509.AlgorithmId;
 import sun.security.x509.X500Name;
@@ -399,7 +400,9 @@ public class SignerInfo implements DerEncoder {
 // check if the public key is restricted
 if (!JAR_DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
 throw new SignatureException("Public key check failed. " +
- "Disabled algorithm used: " + key.getAlgorithm());
+ "Disabled key used: " +
+ KeyUtil.getKeySize(key) + " bit " +
+ key.getAlgorithm());
 }

 if (cert.hasUnsupportedCriticalExtension()) {
diff --git a/jdk/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java b/jdk/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java
index 15b6c6d637e..6a032bcdd1a 100644
--- a/jdk/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java
+++ b/jdk/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java
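Review bot: In the second SignerInfo.java hunk, `KeyUtil.getKeySize(key)` goes into the exception text unchecked; as far as I know that helper returns -1 when it cannot determine a size (its body is not on this page), which would produce "Disabled key used: -1 bit" followed by the algorithm name for such a key. I would read the size once, `int size = KeyUtil.getKeySize(key);`, and build the tail as `(size >= 0 ? size + " bit " : "") + key.getAlgorithm()`. The enclosing method starts before and continues past the hunk.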
@@ -653,6 +653,7 @@ public class Main {
 }

 Manifest man = jf.getManifest();
+ boolean hasSignature = false;

 // The map to record display info, only used when -verbose provided
 // key: signer info string
@@ -668,6 +669,10 @@ public class Main {
 while (e.hasMoreElements()) {
 JarEntry je = e.nextElement();
 String name = je.getName();
+
+ hasSignature = hasSignature
+ || SignatureFileVerifier.isBlockOrSF(name);
+
 CodeSigner[] signers = je.getCodeSigners();
 boolean isSigned = (signers != null);
 anySigned |= isSigned;
@@ -812,8 +817,11 @@ public class Main {
 }

 if (!anySigned) {
- System.out.println(rb.getString(
- "jar.is.unsigned.signatures.missing.or.not.parsable."));
+ if (hasSignature) {
+ System.out.println(rb.getString("jar.treated.unsigned"));
+ } else {
+ System.out.println(rb.getString("jar.is.unsigned"));
+ }
 } else {
 boolean warningAppeared = false;
 boolean errorAppeared = false;
diff --git a/jdk/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Resources.java b/jdk/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Resources.java
index 97ea20eb939..802044e5ff0 100644
--- a/jdk/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Resources.java
+++ b/jdk/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Resources.java
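Review bot: In the second Main.java hunk, `SignatureFileVerifier.isBlockOrSF(name)` is called on the raw name of every entry, and nothing visible here restricts it to entries under META-INF/ or normalises case. If that helper matches on the file suffix alone (its body is not on this page), an unsigned jar that merely carries a data file ending in .SF or .RSA would get the "signed with a weak algorithm" message, and a signature file with a lower-case extension would be missed. I would gate the flag: `String uname = name.toUpperCase(Locale.ENGLISH);` then `hasSignature |= uname.startsWith("META-INF/") && SignatureFileVerifier.isBlockOrSF(uname);`. The while loop continues past the end of the hunk.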
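Review bot: In the third Main.java hunk, the `hasSignature` case only prints a line to stdout, while `warningAppeared` and `errorAppeared` are declared inside the `else` branch, so this outcome does not take part in the warning/error accounting visible here. A jar whose signature was discarded for a disabled algorithm is the case a build or deployment gate most needs to catch; whether the exit status differs from that of a plainly unsigned jar is decided outside the hunk, so it is worth confirming. At minimum I would document the state at the branch: `// signature files present but no entry verified: not the same as a jar that was never signed`.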
@@ -142,8 +142,10 @@ public class Resources extends java.util.ListResourceBundle {
 {"no.manifest.", "no manifest."},
 {".Signature.related.entries.","(Signature related entries)"},
 {".Unsigned.entries.", "(Unsigned entries)"},
- {"jar.is.unsigned.signatures.missing.or.not.parsable.",
- "jar is unsigned. (signatures missing or not parsable)"},
+ {"jar.is.unsigned",
+ "jar is unsigned."},
+ {"jar.treated.unsigned",
+ "Signature not parsable or verifiable. The jar will be treated as unsigned. The jar may have been signed with a weak algorithm that is now disabled. For more information, rerun jarsigner with debug enabled (-J-Djava.security.debug=jar)."},
 {"jar.signed.", "jar signed."},
 {"jar.signed.with.signer.errors.", "jar signed, with signer errors."},
 {"jar.verified.", "jar verified."},