1st round RFR 8191438: jarsigner should print when a timestamp will expire
Weijun Wang
weijun.wang at oracle.com
Tue Dec 5 09:35:59 UTC 2017
Hi All
Please take a look at http://cr.openjdk.java.net/~weijun/8191438/webrev.00/. Regression tests not added yet. I'd like to hear your comments on the output format.
Major changes:
1. New flags hasExpiringTsaCert and hasExpiredTsaCert for TSA cert chain. They are set and used similarly to the flags for the signer cert chain. Note that there is no notYetValidTsaCert, which I think is not very useful, and it's already covered by CertPath validation.
2. No more validity check on trusted certs in printCert(), since CertPath validation also does not check validity of trust anchors.
3. Break getAliasInfo() into 2 parts: getAliasInfo() and showAliasInfo(). showAliasInfo() will set flags and show extra info if -verbose after jar is signed.
The expiration dates for all signer and TSA cert chains are shown when -verbose -certs are provided. A warning is only shown when the expiration date (for either cert chain) is near.
An example:
$ jarsigner ... a.jar a -tsa http://localhost:8080/time=2017-11-20T00:00:00Z -verbose
requesting a signature timestamp
TSA location: http://localhost:8080/time=2017-11-20T00:00:00Z
updating: META-INF/A.SF
updating: META-INF/A.RSA
signing: ks
>>> Signer
X.509, CN=a
[certificate is valid from 11/5/17, 12:27 PM to 12/10/17, 12:27 PM]
X.509, CN=ca
[trusted certificate]
>>> TSA
X.509, CN=ts
[certificate will expire on 12/15/17, 12:27 PM]
X.509, CN=ca
[trusted certificate]
jar signed.
Warning:
The timestamp will expire within six months on 2017-12-15.
c $ jarsigner ... a.jar -verify -verbose:grouped -certs
s k 145 Tue Dec 05 10:23:46 CST 2017 META-INF/MANIFEST.MF
[entry was signed on 11/20/17, 8:00 AM]
>>> Signer
X.509, CN=a (a)
[certificate is valid from 11/5/17, 12:27 PM to 12/10/17, 12:27 PM]
X.509, CN=ca (ca)
[trusted certificate]
>>> TSA
X.509, CN=ts
[certificate will expire on 12/15/17, 12:27 PM]
X.509, CN=ca (ca)
[trusted certificate]
307 Tue Dec 05 12:27:08 CST 2017 META-INF/A.SF
3811 Tue Dec 05 12:27:08 CST 2017 META-INF/A.RSA
(Signature related entries)
0 Tue Dec 05 10:23:42 CST 2017 META-INF/
(Unsigned entries)
smk 8364 Tue Dec 05 10:23:00 CST 2017 ks
[entry was signed on 11/20/17, 8:00 AM]
>>> Signer
X.509, CN=a (a)
[certificate is valid from 11/5/17, 12:27 PM to 12/10/17, 12:27 PM]
X.509, CN=ca (ca)
[trusted certificate]
>>> TSA
X.509, CN=ts
[certificate will expire on 12/15/17, 12:27 PM]
X.509, CN=ca (ca)
[trusted certificate]
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
- Signed by "CN=a"
Digest algorithm: SHA-256
Signature algorithm: SHA256withRSA, 2048-bit key
Timestamped by "CN=ts" on Mon Nov 20 00:00:00 UTC 2017
Timestamp digest algorithm: SHA-256
Timestamp signature algorithm: SHA256withRSA, 2048-bit key
jar verified.
Warning:
The timestamp will expire within six months on 2017-12-15.
Thanks
Max
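The following is an added example, not code from the webrev or from jarsigner: a stand-alone Java check that reads the TSA certificate chain of each signed entry through the public java.util.jar and java.security APIs and sets two flags named after the ones in the mail. The class name, the exit codes and the choice to check every certificate in the TSA path without consulting a trust store are assumptions of this example.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.Timestamp;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.time.Period;
import java.time.ZoneOffset;
import java.util.Collections;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example (hypothetical class, not jarsigner code): usage "java TsaExpiryCheck a.jar".
public class TsaExpiryCheck {
    public static void main(String[] args) throws Exception {
        Instant now = Instant.now();
        // Six-month window, as in the warning text quoted in the mail.
        Instant soon = now.atZone(ZoneOffset.UTC).plus(Period.ofMonths(6)).toInstant();
        boolean hasExpiredTsaCert = false;   // names borrowed from the mail
        boolean hasExpiringTsaCert = false;
        byte[] buf = new byte[8192];
        // verify=true: reading an entry with a bad signature throws SecurityException.
        try (JarFile jar = new JarFile(args[0], true)) {
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory()) continue;
                // Code signers are only available once the entry has been read to the end.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) continue;            // unsigned or signature-related entry
                for (CodeSigner s : signers) {
                    Timestamp ts = s.getTimestamp();
                    if (ts == null) continue;             // signed without a timestamp
                    // Assumption: every cert in the TSA path is checked; no trust store is consulted.
                    for (Certificate c : ts.getSignerCertPath().getCertificates()) {
                        if (!(c instanceof X509Certificate)) continue;
                        Instant notAfter = ((X509Certificate) c).getNotAfter().toInstant();
                        if (notAfter.isBefore(now)) hasExpiredTsaCert = true;
                        else if (notAfter.isBefore(soon)) hasExpiringTsaCert = true;
                    }
                }
            }
        }
        System.out.println("expired=" + hasExpiredTsaCert + " expiring=" + hasExpiringTsaCert);
        // Exit codes are this example's own convention: 2 expired, 1 expiring, 0 otherwise.
        System.exit(hasExpiredTsaCert ? 2 : hasExpiringTsaCert ? 1 : 0);
    }
}
```

Run in a release pipeline, a non-zero exit flags JARs whose timestamp chain needs re-signing before the TSA certificate lapses.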