[10] RFR 8166222: Don't treat signed jars with invalid timestamps as unsigned

Weijun Wang weijun.wang at oracle.com
Sat May 13 00:50:28 UTC 2017


I assume we will backport this to jdk9u.

So I'd like to fix the newly found regression JDK-8180289 along with 
this bug, since both are about CertPath validation warning messages.

I'll need some time to think about a proper fix. The current warning 
message on cert expiration is only on "signer certificate", and CertPath 
validation will report expirations on intermediate CA certs as well as 
TSA certs. I don't think it's a good idea to print different warnings 
for them (and their -strict exit codes are all 4), and I might show the 
info in -verbose -certs outputs.

Thanks
Max


On 05/12/2017 11:19 AM, Anthony Scarpino wrote:
> I think your code looks good.
>
> You should check the CertPathValidator tests, I think one of them might
> fail after this change.
>
> Tony
>
>
> On 05/10/2017 04:36 PM, Weijun Wang wrote:
>> Ping again.
>>
>> On 04/12/2017 11:52 PM, Weijun Wang wrote:
>>> Please take a look at
>>>
>>>    http://cr.openjdk.java.net/~weijun/8166222/webrev.00/
>>>
>>> The major code change is inside SignatureFileVerifier.java. Now if the
>>> timestamp on a signed jar is invalid (for example, using a weak
>>> algorithm now disabled), the jar file will be treated as a signed jar
>>> without a timestamp. Before this change, it was treated as unsigned.
>>>
>>> In jarsigner/Main.java, I also added a line to validate the TSA cert
>>> chain. If not validated, a warning will be shown which is similar to the
>>> one when the signer cert chain is not validated. If -strict is on, the
>>> exit code will change too.
>>>
>>> I also made a small change at
>>>
>>>    http://cr.openjdk.java.net/~weijun/8166222/root/webrev.00/
>>>
>>> The executeCommand() method shows more info (mainly stdout and stderr
>>> outputs) than executeProcess().
>>>
>>> Because of the behavior change and new warnings, this change will need a
>>> Compatibility and Specification Review (CSR). At the moment, please
>>> review the code change first.
>>>
>>> Thanks
>>> Max
>
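
The three outcomes discussed in this thread (unsigned, signed without a timestamp, signed with a timestamp) can be observed from application code through the public java.util.jar API. The following is an added example, not code from the webrev or from OpenJDK; the class name JarSignatureStatus and the Status enum are hypothetical, and the expectation that a jar with a rejected timestamp lands in SIGNED_NO_TIMESTAMP rests on the behavior described in the review request above.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example (hypothetical class, not OpenJDK code): report how a jar is
// seen by callers of java.util.jar. JarFile checks digests and signatures;
// it does not decide whether the signer or TSA certificate chain is trusted.
public class JarSignatureStatus {

    enum Status { UNSIGNED, SIGNED_NO_TIMESTAMP, SIGNED_WITH_TIMESTAMP }

    static Status classify(String path) throws IOException {
        boolean sawSigned = false;
        boolean allTimestamped = true;
        byte[] buf = new byte[8192];
        // verify=true: signatures are checked as entries are read.
        try (JarFile jar = new JarFile(path, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                // Simplification: skip everything under META-INF/, where the
                // manifest and the signature files themselves live.
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signers are only known once the entry has been read to the
                // end; a digest mismatch throws SecurityException here.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) return Status.UNSIGNED; // entry has no signer
                sawSigned = true;
                for (CodeSigner s : signers) {
                    // getTimestamp() is null when no timestamp is attached.
                    if (s.getTimestamp() == null) allTimestamped = false;
                }
            }
        }
        if (!sawSigned) return Status.UNSIGNED;
        return allTimestamped ? Status.SIGNED_WITH_TIMESTAMP
                              : Status.SIGNED_NO_TIMESTAMP;
    }

    public static void main(String[] args) throws IOException {
        // args[0]: path to a jar supplied by the caller
        System.out.println(args[0] + ": " + classify(args[0]));
    }
}
```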


