Hi All Please take a look at http://cr.openjdk.java.net/~weijun/8191438/webrev.00/. Regression tests not added yet. I'd like to hear your comments on the output format.
Major changes: 1. New flags hasExpiringTsaCert and hasExpiredTsaCert for TSA cert chain. They are set and used similar to flags for the signer cert chain. Note that there is no notYetValidTsaCert, which I think is not very useful, and it's already covered by CertPath validation. 2. No more validity check on trusted certs in printCert(), since CertPath validation also does not check validity of trust anchors. 3. Break getAliasInfo() into 2 parts: getAliasInfo() and showAliasInfo(). showAliasInfo() will set flags and show extra info if -verbose after jar is signed. The expiration date for all signer and TSA cert chains are shown when -verbose -certs are provided. Warning is only shown when expiration date (for either cert chain) is near. An example: $ jarsigner ... a.jar a -tsa http://localhost:8080/time=2017-11-20T00:00:00Z -verbose requesting a signature timestamp TSA location: http://localhost:8080/time=2017-11-20T00:00:00Z updating: META-INF/A.SF updating: META-INF/A.RSA signing: ks >>> Signer X.509, CN=a [certificate is valid from 11/5/17, 12:27 PM to 12/10/17, 12:27 PM] X.509, CN=ca [trusted certificate] >>> TSA X.509, CN=ts [certificate will expire on 12/15/17, 12:27 PM] X.509, CN=ca [trusted certificate] jar signed. Warning: The timestamp will expire within six months on 2017-12-15. c $ jarsigner ... a.jar -verify -verbose:grouped -certs s k 145 Tue Dec 05 10:23:46 CST 2017 META-INF/MANIFEST.MF [entry was signed on 11/20/17, 8:00 AM] >>> Signer X.509, CN=a (a) [certificate is valid from 11/5/17, 12:27 PM to 12/10/17, 12:27 PM] X.509, CN=ca (ca) [trusted certificate] >>> TSA X.509, CN=ts [certificate will expire on 12/15/17, 12:27 PM] X.509, CN=ca (ca) [trusted certificate] 307 Tue Dec 05 12:27:08 CST 2017 META-INF/A.SF 3811 Tue Dec 05 12:27:08 CST 2017 META-INF/A.RSA (Signature related entries) 0 Tue Dec 05 10:23:42 CST 2017 META-INF/ (Unsigned entries) smk 8364 Tue Dec 05 10:23:00 CST 2017 ks [entry was signed on 11/20/17, 8:00 AM] >>> Signer X.509, CN=a (a) [certificate is valid from 11/5/17, 12:27 PM to 12/10/17, 12:27 PM] X.509, CN=ca (ca) [trusted certificate] >>> TSA X.509, CN=ts [certificate will expire on 12/15/17, 12:27 PM] X.509, CN=ca (ca) [trusted certificate] s = signature was verified m = entry is listed in manifest k = at least one certificate was found in keystore - Signed by "CN=a" Digest algorithm: SHA-256 Signature algorithm: SHA256withRSA, 2048-bit key Timestamped by "CN=ts" on Mon Nov 20 00:00:00 UTC 2017 Timestamp digest algorithm: SHA-256 Timestamp signature algorithm: SHA256withRSA, 2048-bit key jar verified. Warning: The timestamp will expire within six months on 2017-12-15. Thanks Max
