Several Enhancements for JarSigner

There're several enhancements to the jarsigner tool in OpenJDK lately.

First, jarsigner accepts a new option -certchain file to use a certificate chain in an external file. People can using PKCS #11 tokens to store their private keys. Some of these tokens are so small that there's no place to store the certificate chain inside it. Although you can access it with a KeyStore.getInstance("pkcs11"), the getCertificateChain() method returns nothing. Now you can use jarsigner with this kind of tokens, using the token as the keystore, but point your certchain to another file that contains the full chain.

Second, people see jarsigner showing warnings now and then, like certificate expired, or keyusage not correct. if they want to know this information if jarsigner is called in a script, they can only grep the words. Now, if you add a new option -strict, not only the warnings will be printed, a System.exit(n) is called when there is/are warning(s). Here, n is a binary sum of these pre-defined warning codes:
  • 2: hasExpiringCert
  • 4: chainNotValidated (including hasExpiredCert, notYetValidCert)
  • 8: Usages problems (including badKeyUsage, badExtendedKeyUsage, badNetscapeCertType)
  • 16: hasUnsignedEntry
  • 32: notSignedByAlias or aliasNotInStore
Noticed the new warning type notSignedByAlias? Now you can call jarsigner -verify jarfile alias0 alias1... with zero+ of aliases to check if certificates of the signed entries inside the file match any of these aliases.

Third, people complain jarfiles show too little or too much output at verifying. If you simply verify a jarfile, it might tell you some warnings, call with -verbose -certs to read details. You verify again with those two options on, and huala... thousands of lines fly through and you cannot catch a word. Now -verbose has sub options so you can precisely tell it how verbose the output should be:
  • -verbose:all, this is the default -verbose, which shows as much information as it did
  • -verbose:grouped, this shows less information. The entries with the same signer info are grouped together. This means the names of the entries are listed together, with the signer info only printed once. Something like this:
          smk   A.class
          smk   B.class
          ...
     
          Certificate A (CN=A, OU=B)
    
  • -verbose:summary. This is the simplest one. Besides grouping the entries with same signer info together, not all the entry names are printed, but only one line of summary. Something like this:
    smk   A.class (and N-1 more)
     
          Certificate A (CN=A, OU=B)
    
    Using this option, unless your jar file is signed by dozens of different signers, no matter how many entries inside, the output should not exceeds two screens.
Comments:

Post a Comment:
  • HTML Syntax: NOT allowed
About

This blog has a comments managing system that requires me to approve each comment manually. Please do not re-post and I will reply it (if I have an answer) when I get pinged.

Search

Top Tags
Categories
Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today