RFR 8247960: jarsigner says "signer errors" for some normal warnings when -strict is set
Weijun Wang weijun.wang at oracle.com
Wed Jul 15 10:06:01 UTC 2020

Oops,
1101             if (hasExpiredTsaCert) {
1102                 errors.add(rb.getString("The.timestamp.has.expired."));
1103             }
was inside 
1058                 (hasExpiredTsaCert && !signerNotExpired)) {
and it should be combined with
1210             if (hasExpiredTsaCert && signerNotExpired) {
1211                 if (expireDate != null) {
1212                     warnings.add(String.format(
1213                             rb.getString("The.timestamp.expired.1.but.usable.2"),
1214                             tsaExpireDate,
1215                             expireDate));
1216                 }
1217                 // Reset the flag so exit code is 0
1218                 hasExpiredTsaCert = false;
1219             }
to be something like
if (hasExpiredTsaCert) {
    if (signerNotExpired) {
        warnings...
    } else {
        errors....
    }
}
Thanks,
Max
> On Jul 15, 2020, at 3:16 PM, Weijun Wang <weijun.wang at oracle.com> wrote:
> 
> The following lines are useless now:
> 
> 1053         if (badKeyUsage || badExtendedKeyUsage || badNetscapeCertType ||
> 1054                 notYetValidCert || chainNotValidated || hasExpiredCert ||
> 1055                 hasUnsignedEntry || signerSelfSigned || (legacyAlg != 0) ||
> 1056                 (disabledAlg != 0) || aliasNotInStore || notSignedByAlias ||
> 1057                 tsaChainNotValidated ||
> 1058                 (hasExpiredTsaCert && !signerNotExpired)) {
> 
> 1198         }
> 
> 1205         if (hasExpiringCert ||
> 1206                 (hasExpiringTsaCert  && expireDate != null) ||
> 1207                 (noTimestamp && expireDate != null) ||
> 1208                 (hasExpiredTsaCert && signerNotExpired)) {
> 
> 1245         }
> 
> I would even suggest you remove the "result" variable and move the "System.out.println(result)" line into branches of the if-else block on lines 1254-1272.
> 
> No other comments.
> 
> Thanks,
> Max
> 
> 
> 
>> On Jul 15, 2020, at 4:09 AM, Hai-May Chao <hai-may.chao at oracle.com> wrote:
>> 
>> Hi,
>> 
>> I’d like to request a review for:
>> 
>> JBS: https://bugs.openjdk.java.net/browse/JDK-8247960
>> Webrev: https://cr.openjdk.java.net/~hchao/8247960/webrev.00/
>> 
>> Jarsigner is changed to emit “with signer errors” only when there are errors detected during sign and verify with -strict specified.
>> 
>> Thanks,
>> Hai-May
>> 
> 
    
    
More information about the security-dev mailing list