8234128: jarsigner will not show not-signed-by-alias warning if an intermediate cert is in this keystore

Reviewed-by: jnimeh
2022-04-07 15:52:43 +00:00 · 2022-04-07 15:52:43 +00:00 · d6f01e9d6f
commit d6f01e9d6f
parent 5bafcfdc17
2 changed files with 101 additions and 2 deletions
--- a/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java
+++ b/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java
@ -126,6 +126,8 @@ public class Main {
    static final int NOT_ALIAS = 0x04;          // alias list is NOT empty and
    // signer is not in alias list
    static final int SIGNED_BY_ALIAS = 0x08;    // signer is in alias list
+    static final int SOME_ALIASES_NOT_FOUND = 0x10;
+    // at least one signer alias is not in keystore

    static final JavaUtilZipFileAccess JUZFA = SharedSecrets.getJavaUtilZipFileAccess();

@ -222,6 +224,7 @@ public class Main {
    private boolean badExtendedKeyUsage = false;
    private boolean badNetscapeCertType = false;
    private boolean signerSelfSigned = false;
+    private boolean allAliasesFound = true;

    private Throwable chainNotValidatedReason = null;
    private Throwable tsaChainNotValidatedReason = null;
@ -854,6 +857,8 @@ public class Main {
                        aliasNotInStore |= isSigned && !inStore;
                    }

+                    allAliasesFound =
+                        (inStoreWithAlias & SOME_ALIASES_NOT_FOUND) == 0;
                    // Only used when -verbose provided
                    StringBuilder sb = null;
                    if (verbose != null) {
@ -1195,8 +1200,8 @@ public class Main {
        }

        // only in verifying
-        if (aliasNotInStore) {
-            errors.add(rb.getString("This.jar.contains.signed.entries.that.s.not.signed.by.alias.in.this.keystore."));
+        if (!allAliasesFound) {
+            warnings.add(rb.getString("This.jar.contains.signed.entries.that.s.not.signed.by.alias.in.this.keystore."));
        }

        if (signerSelfSigned) {
@ -1748,6 +1753,7 @@ public class Main {
        }

        int result = 0;
+        boolean allAliasesFound = true;
        if (store != null) {
            try {
                List<? extends Certificate> certs =
@ -1758,6 +1764,8 @@ public class Main {
                        alias = store.getCertificateAlias(c);
                        if (alias != null) {
                            storeHash.put(c, alias);
+                        } else {
+                            allAliasesFound = false;
                        }
                    }
                    if (alias != null) {
@ -1777,6 +1785,9 @@ public class Main {
                // never happens, because keystore has been loaded
            }
        }
+        if (!allAliasesFound) {
+            result |= SOME_ALIASES_NOT_FOUND;
+        }
        cacheForInKS.put(signer, result);
        return result;
    }
--- a/test/jdk/sun/security/tools/jarsigner/warnings/AliasNotInStoreTest2.java
+++ b/test/jdk/sun/security/tools/jarsigner/warnings/AliasNotInStoreTest2.java
@ -0,0 +1,88 @@
+/*
+ * Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import jdk.test.lib.process.OutputAnalyzer;
+import jdk.test.lib.util.JarUtils;
+
+/**
+ * @test
+ * @bug 8234128
+ * @summary Additional test for aliasNotInStore warning
+ * @library /test/lib ../
+ * @build jdk.test.lib.util.JarUtils
+ * @run main AliasNotInStoreTest2
+ */
+public class AliasNotInStoreTest2 extends Test {
+
+    /**
+     * The test signs and verifies a jar that contains signed entries
+     * that are not signed by any alias in keystore (aliasNotInStore).
+     * Warning message is expected.
+     */
+    public static void main(String[] args) throws Throwable {
+        AliasNotInStoreTest2 test = new AliasNotInStoreTest2();
+        test.start();
+    }
+
+    private void start() throws Throwable {
+
+        createAlias(CA_KEY_ALIAS, "-ext", "bc");
+        createAlias(FIRST_KEY_ALIAS);
+
+        issueCert(FIRST_KEY_ALIAS);
+
+        JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
+
+        // sign jar with first key
+        OutputAnalyzer analyzer = jarsigner(
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-signedjar", SIGNED_JARFILE,
+                UNSIGNED_JARFILE,
+                FIRST_KEY_ALIAS);
+
+        checkSigning(analyzer);
+
+        // remove signer
+        keytool(
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-delete",
+                "-alias", FIRST_KEY_ALIAS);
+
+        // "not signed by any alias in the keystore" warning should be present
+        analyzer = jarsigner(
+                "-verify",
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                SIGNED_JARFILE);
+
+        checkVerifying(analyzer, 0, ALIAS_NOT_IN_STORE_VERIFYING_WARNING);
+
+        System.out.println("Test passed");
+    }
+
+}