Skip to content

Commit 51107ab

Browse files
GoeLinGoeLin
committed
8257722: Improve "keytool -printcert -jarfile" output
Backport-of: de93b1d0e83a9428dae4a9609996fe7b7e9b4932
1 parent 6624f71 commit 51107ab

File tree

4 files changed

+169
-87
lines changed

4 files changed

+169
-87
lines changed

src/java.base/share/classes/sun/security/tools/keytool/Main.java

Lines changed: 67 additions & 39 deletions
Original file line numberDiff line numberDiff line change
@@ -2845,6 +2845,23 @@ private static String oneInMany(String label, int i, int num) {
28452845
}
28462846
}
28472847

2848+
private static String oneInManys(String label, int certNo, int certCnt, int signerNo,
2849+
int signerCnt) {
2850+
if (certCnt == 1 && signerCnt == 1) {
2851+
return label;
2852+
}
2853+
if (certCnt > 1 && signerCnt == 1) {
2854+
return String.format(rb.getString("one.in.many1"), label, certNo);
2855+
}
2856+
if (certCnt == 1 && signerCnt > 1) {
2857+
return String.format(rb.getString("one.in.many2"), label, signerNo);
2858+
}
2859+
if (certCnt > 1 && signerCnt > 1) {
2860+
return String.format(rb.getString("one.in.many3"), label, certNo, signerNo);
2861+
}
2862+
return label;
2863+
}
2864+
28482865
private void doPrintCert(final PrintStream out) throws Exception {
28492866
if (jarfile != null) {
28502867
// reset "jdk.certpath.disabledAlgorithms" security property
@@ -2853,7 +2870,7 @@ private void doPrintCert(final PrintStream out) throws Exception {
28532870

28542871
JarFile jf = new JarFile(jarfile, true);
28552872
Enumeration<JarEntry> entries = jf.entries();
2856-
Set<CodeSigner> ss = new HashSet<>();
2873+
LinkedHashSet<CodeSigner> ss = new LinkedHashSet<>();
28572874
byte[] buffer = new byte[8192];
28582875
int pos = 0;
28592876
while (entries.hasMoreElements()) {
@@ -2870,48 +2887,59 @@ private void doPrintCert(final PrintStream out) throws Exception {
28702887
for (CodeSigner signer: signers) {
28712888
if (!ss.contains(signer)) {
28722889
ss.add(signer);
2873-
out.printf(rb.getString("Signer.d."), ++pos);
2874-
out.println();
2875-
out.println();
2876-
out.println(rb.getString("Signature."));
2877-
out.println();
2878-
2879-
List<? extends Certificate> certs
2880-
= signer.getSignerCertPath().getCertificates();
2881-
int cc = 0;
2882-
for (Certificate cert: certs) {
2883-
X509Certificate x = (X509Certificate)cert;
2884-
if (rfc) {
2885-
out.println(rb.getString("Certificate.owner.") + x.getSubjectX500Principal() + "\n");
2886-
dumpCert(x, out);
2887-
} else {
2888-
printX509Cert(x, out);
2889-
}
2890-
out.println();
2891-
checkWeak(oneInMany(rb.getString("the.certificate"), cc++, certs.size()), x);
2892-
}
2893-
Timestamp ts = signer.getTimestamp();
2894-
if (ts != null) {
2895-
out.println(rb.getString("Timestamp."));
2896-
out.println();
2897-
certs = ts.getSignerCertPath().getCertificates();
2898-
cc = 0;
2899-
for (Certificate cert: certs) {
2900-
X509Certificate x = (X509Certificate)cert;
2901-
if (rfc) {
2902-
out.println(rb.getString("Certificate.owner.") + x.getSubjectX500Principal() + "\n");
2903-
dumpCert(x, out);
2904-
} else {
2905-
printX509Cert(x, out);
2906-
}
2907-
out.println();
2908-
checkWeak(oneInMany(rb.getString("the.tsa.certificate"), cc++, certs.size()), x);
2909-
}
2910-
}
29112890
}
29122891
}
29132892
}
29142893
}
2894+
2895+
for (CodeSigner signer: ss) {
2896+
out.printf(rb.getString("Signer.d."), ++pos);
2897+
out.println();
2898+
out.println();
2899+
2900+
List<? extends Certificate> certs
2901+
= signer.getSignerCertPath().getCertificates();
2902+
int cc = 0;
2903+
for (Certificate cert: certs) {
2904+
out.printf(rb.getString("Certificate.d."), ++cc);
2905+
out.println();
2906+
X509Certificate x = (X509Certificate)cert;
2907+
if (rfc) {
2908+
out.println(rb.getString("Certificate.owner.") + x.getSubjectX500Principal() + "\n");
2909+
dumpCert(x, out);
2910+
} else {
2911+
printX509Cert(x, out);
2912+
}
2913+
out.println();
2914+
checkWeak(oneInManys(rb.getString(
2915+
"the.certificate"), cc,
2916+
certs.size(), pos,
2917+
ss.size()), x);
2918+
}
2919+
Timestamp ts = signer.getTimestamp();
2920+
if (ts != null) {
2921+
out.println(rb.getString("Timestamp."));
2922+
out.println();
2923+
certs = ts.getSignerCertPath().getCertificates();
2924+
cc = 0;
2925+
for (Certificate cert: certs) {
2926+
out.printf(rb.getString("Certificate.d."), ++cc);
2927+
out.println();
2928+
X509Certificate x = (X509Certificate)cert;
2929+
if (rfc) {
2930+
out.println(rb.getString("Certificate.owner.") + x.getSubjectX500Principal() + "\n");
2931+
dumpCert(x, out);
2932+
} else {
2933+
printX509Cert(x, out);
2934+
}
2935+
out.println();
2936+
checkWeak(oneInManys(rb.getString(
2937+
"the.tsa.certificate"), cc,
2938+
certs.size(), pos,
2939+
ss.size()), x);
2940+
}
2941+
}
2942+
}
29152943
jf.close();
29162944
if (ss.isEmpty()) {
29172945
out.println(rb.getString("Not.a.signed.jar.file"));

src/java.base/share/classes/sun/security/tools/keytool/Resources.java

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -396,8 +396,8 @@ public class Resources extends java.util.ListResourceBundle {
396396
{".WARNING.WARNING.WARNING.",
397397
"***************** WARNING WARNING WARNING *****************"},
398398
{"Signer.d.", "Signer #%d:"},
399+
{"Certificate.d.", "Certificate #%d:"},
399400
{"Timestamp.", "Timestamp:"},
400-
{"Signature.", "Signature:"},
401401
{"Certificate.owner.", "Certificate owner: "},
402402
{"Not.a.signed.jar.file", "Not a signed jar file"},
403403
{"No.certificate.from.the.SSL.server",
@@ -464,6 +464,9 @@ public class Resources extends java.util.ListResourceBundle {
464464
{"the.input", "The input"},
465465
{"reply", "Reply"},
466466
{"one.in.many", "%1$s #%2$d of %3$d"},
467+
{"one.in.many1", "%1$s #%2$d"},
468+
{"one.in.many2", "%1$s of signer #%2$d"},
469+
{"one.in.many3", "%1$s #%2$d of signer #%3$d"},
467470
{"alias.in.cacerts", "Issuer <%s> in cacerts"},
468471
{"alias.in.keystore", "Issuer <%s>"},
469472
{"with.weak", "%s (weak)"},

test/jdk/sun/security/tools/jarsigner/TimestampCheck.java

Lines changed: 0 additions & 45 deletions
Original file line numberDiff line numberDiff line change
@@ -736,51 +736,6 @@ static void checkMultiple(String file) throws Exception {
736736
.shouldMatch("Signature algorithm: .*key.*(disabled)");
737737
}
738738

739-
static void checkWeak(String file) throws Exception {
740-
verify(file)
741-
.shouldHaveExitValue(0)
742-
.shouldNotContain("treated as unsigned");
743-
verify(file, "-verbose")
744-
.shouldHaveExitValue(0)
745-
.shouldNotContain("treated as unsigned")
746-
.shouldMatch("Digest algorithm: .*(weak)")
747-
.shouldMatch("Signature algorithm: .*(weak)")
748-
.shouldMatch("Timestamp digest algorithm: .*(weak)")
749-
.shouldNotMatch("Timestamp signature algorithm: .*(weak).*(weak)")
750-
.shouldMatch("Timestamp signature algorithm: .*key.*(weak)");
751-
verify(file, "-J-Djava.security.debug=jar")
752-
.shouldHaveExitValue(0)
753-
.shouldNotMatch("SignatureException:.*disabled");
754-
755-
// keytool should print out warnings when reading or
756-
// generating cert/cert req using legacy algorithms.
757-
String sout = SecurityTools.keytool("-printcert -jarfile " + file)
758-
.stderrShouldContain("The TSA certificate uses a 1024-bit RSA key" +
759-
" which is considered a security risk." +
760-
" This key size will be disabled in a future update.")
761-
.getStdout();
762-
if (sout.indexOf("weak", sout.indexOf("Timestamp:")) < 0) {
763-
throw new RuntimeException("timestamp not weak: " + sout);
764-
}
765-
}
766-
767-
static void checkHalfWeak(String file) throws Exception {
768-
verify(file)
769-
.shouldHaveExitValue(0)
770-
.shouldNotContain("treated as unsigned");
771-
verify(file, "-verbose")
772-
.shouldHaveExitValue(0)
773-
.shouldNotContain("treated as unsigned")
774-
.shouldMatch("Digest algorithm: .*(weak)")
775-
.shouldNotMatch("Signature algorithm: .*(weak)")
776-
.shouldNotMatch("Signature algorithm: .*(disabled)")
777-
.shouldNotMatch("Timestamp digest algorithm: .*(weak)")
778-
.shouldNotMatch("Timestamp signature algorithm: .*(weak).*(weak)")
779-
.shouldNotMatch("Timestamp signature algorithm: .*(disabled).*(disabled)")
780-
.shouldNotMatch("Timestamp signature algorithm: .*key.*(weak)")
781-
.shouldNotMatch("Timestamp signature algorithm: .*key.*(disabled)");
782-
}
783-
784739
static void checkMultipleWeak(String file) throws Exception {
785740
verify(file)
786741
.shouldHaveExitValue(0)

test/jdk/sun/security/tools/keytool/ReadJar.java

Lines changed: 98 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
/*
2-
* Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved.
2+
* Copyright (c) 2016, 2021, Oracle and/or its affiliates. All rights reserved.
33
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
44
*
55
* This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
2323

2424
/**
2525
* @test
26-
* @bug 6890872 8168882
26+
* @bug 6890872 8168882 8257722
2727
* @summary keytool -printcert to recognize signed jar files
2828
* @library /test/lib
2929
* @build jdk.test.lib.SecurityTools
@@ -42,11 +42,24 @@
4242
import jdk.test.lib.SecurityTools;
4343
import jdk.test.lib.process.OutputAnalyzer;
4444
import jdk.test.lib.util.JarUtils;
45+
import java.nio.file.Path;
4546

4647
public class ReadJar {
4748

49+
static OutputAnalyzer kt(String cmd, String ks) throws Exception {
50+
return SecurityTools.keytool("-storepass changeit " + cmd +
51+
" -keystore " + ks);
52+
}
53+
54+
static void gencert(String owner, String cmd) throws Exception {
55+
kt("-certreq -alias " + owner + " -file tmp.req", "ks");
56+
kt("-gencert -infile tmp.req -outfile tmp.cert " + cmd, "ks");
57+
kt("-importcert -alias " + owner + " -file tmp.cert", "ks");
58+
}
59+
4860
public static void main(String[] args) throws Throwable {
4961
testWithMD5();
62+
testCertOutput();
5063
}
5164

5265
// make sure that -printcert option works
@@ -91,4 +104,87 @@ private static void printCert(String jar) throws Throwable {
91104
out.shouldHaveExitValue(0);
92105
out.shouldNotContain("Not a signed jar file");
93106
}
107+
108+
private static void testCertOutput() throws Throwable {
109+
kt("-genkeypair -keyalg rsa -alias e0 -dname CN=E0 " +
110+
"-keysize 512", "ks");
111+
JarUtils.createJarFile(Path.of("a0.jar"), Path.of("."), Path.of("ks"));
112+
// sign a0.jar file
113+
SecurityTools.jarsigner("-keystore ks -storepass changeit " +
114+
" a0.jar e0")
115+
.shouldHaveExitValue(0);
116+
117+
SecurityTools.keytool("-printcert -jarfile a0.jar")
118+
.shouldNotContain("Signature:")
119+
.shouldContain("Signer #1:")
120+
.shouldContain("Certificate #1:")
121+
.shouldNotContain("Certificate #2:")
122+
.shouldNotContain("Signer #2:")
123+
.shouldMatch("The certificate uses a 512-bit RSA key.*is disabled")
124+
.shouldHaveExitValue(0);
125+
126+
kt("-genkeypair -keyalg rsa -alias ca1 -dname CN=CA1 -ext bc:c " +
127+
"-keysize 512", "ks");
128+
kt("-genkeypair -keyalg rsa -alias e1 -dname CN=E1", "ks");
129+
gencert("e1", "-alias ca1 -ext san=dns:e1");
130+
131+
JarUtils.createJarFile(Path.of("a1.jar"), Path.of("."), Path.of("ks"));
132+
// sign a1.jar file
133+
SecurityTools.jarsigner("-keystore ks -storepass changeit " +
134+
" a1.jar e1")
135+
.shouldHaveExitValue(0);
136+
137+
SecurityTools.keytool("-printcert -jarfile a1.jar")
138+
.shouldNotContain("Signature:")
139+
.shouldContain("Signer #1:")
140+
.shouldContain("Certificate #1:")
141+
.shouldContain("Certificate #2:")
142+
.shouldNotContain("Signer #2:")
143+
.shouldMatch("The certificate #2 uses a 512-bit RSA key.*is disabled")
144+
.shouldHaveExitValue(0);
145+
146+
kt("-genkeypair -keyalg rsa -alias ca2 -dname CN=CA2 -ext bc:c " +
147+
"-sigalg SHA1withRSA", "ks");
148+
kt("-genkeypair -keyalg rsa -alias e2 -dname CN=E2", "ks");
149+
gencert("e2", "-alias ca2 -ext san=dns:e2");
150+
151+
// sign a1.jar file again with different signer
152+
SecurityTools.jarsigner("-keystore ks -storepass changeit " +
153+
" a1.jar e2")
154+
.shouldHaveExitValue(0);
155+
156+
SecurityTools.keytool("-printcert -jarfile a1.jar")
157+
.shouldNotContain("Signature:")
158+
.shouldContain("Signer #1:")
159+
.shouldContain("Certificate #1:")
160+
.shouldContain("Certificate #2:")
161+
.shouldContain("Signer #2:")
162+
.shouldMatch("The certificate #.* of signer #.*" + "uses the SHA1withRSA.*will be disabled")
163+
.shouldMatch("The certificate #.* of signer #.*" + "uses a 512-bit RSA key.*is disabled")
164+
.shouldHaveExitValue(0);
165+
166+
kt("-genkeypair -keyalg rsa -alias e3 -dname CN=E3",
167+
"ks");
168+
JarUtils.createJarFile(Path.of("a2.jar"), Path.of("."), Path.of("ks"));
169+
// sign a2.jar file
170+
SecurityTools.jarsigner("-keystore ks -storepass changeit " +
171+
" a2.jar e3")
172+
.shouldHaveExitValue(0);
173+
174+
kt("-genkeypair -keyalg rsa -alias e4 -dname CN=E4 " +
175+
"-keysize 1024", "ks");
176+
// sign a2.jar file again with different signer
177+
SecurityTools.jarsigner("-keystore ks -storepass changeit " +
178+
" a2.jar e4")
179+
.shouldHaveExitValue(0);
180+
181+
SecurityTools.keytool("-printcert -jarfile a2.jar")
182+
.shouldNotContain("Signature:")
183+
.shouldContain("Signer #1:")
184+
.shouldContain("Certificate #1:")
185+
.shouldNotContain("Certificate #2:")
186+
.shouldContain("Signer #2:")
187+
.shouldMatch("The certificate of signer #.*" + "uses a 1024-bit RSA key.*will be disabled")
188+
.shouldHaveExitValue(0);
189+
}
94190
}

0 commit comments

Comments
 (0)