8259401: Add checking to jarsigner to warn weak algorithms used in signer’s cert chain

Reviewed-by: mullan, weijun, rhalade

src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -1401,6 +1401,35 @@ public class Main {
         }
     }
 
+    private static String checkWeakKey(PublicKey key) {
+        int kLen = KeyUtil.getKeySize(key);
+        if (DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
+            if (LEGACY_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
+                if (kLen >= 0) {
+                    return String.format(rb.getString("key.bit"), kLen);
+                } else {
+                    return rb.getString("unknown.size");
+                }
+            } else {
+                return String.format(rb.getString("key.bit.weak"), kLen);
+            }
+        } else {
+           return String.format(rb.getString("key.bit.disabled"), kLen);
+        }
+    }
+
+    private static String checkWeakAlg(String alg) {
+        if (DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, alg, null)) {
+            if (LEGACY_CHECK.permits(SIG_PRIMITIVE_SET, alg, null)) {
+                return alg;
+            } else {
+                return String.format(rb.getString("with.weak"), alg);
+            }
+        } else {
+            return String.format(rb.getString("with.disabled"), alg);
+        }
+    }
+
     private static MessageFormat validityTimeForm = null;
     private static MessageFormat notYetTimeForm = null;
     private static MessageFormat expiredTimeForm = null;
@@ -1444,12 +1473,31 @@ public class Main {
         }
 
         if (x509Cert != null) {
+            PublicKey key = x509Cert.getPublicKey();
+            String sigalg = x509Cert.getSigAlgName();
+
+            // Process the certificate in the signer's cert chain to see if
+            // weak algorithms are used, and provide warnings as needed.
+            if (trustedCerts.contains(x509Cert)) {
+                // If the cert is trusted, only check its key size, but not its
+                // signature algorithm.
+                certStr.append("\n").append(tab)
+                        .append("Signature algorithm: ")
+                        .append(sigalg)
+                        .append(rb.getString("COMMA"))
+                        .append(checkWeakKey(key));
+
+                certStr.append("\n").append(tab).append("[");
+                certStr.append(rb.getString("trusted.certificate"));
+            } else {
+                certStr.append("\n").append(tab)
+                        .append("Signature algorithm: ")
+                        .append(checkWeakAlg(sigalg))
+                        .append(rb.getString("COMMA"))
+                        .append(checkWeakKey(key));
 
                 certStr.append("\n").append(tab).append("[");
 
-            if (trustedCerts.contains(x509Cert)) {
-                certStr.append(rb.getString("trusted.certificate"));
-            } else {
                 Date notAfter = x509Cert.getNotAfter();
                 try {
                     boolean printValidity = true;

test/jdk/sun/security/tools/jarsigner/CheckSignerCertChain.java

@@ -0,0 +1,92 @@
+/*
+ * Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8259401
+ * @summary Check certificates in signer's cert chain to see if warning emitted
+ * @library /test/lib
+ */
+
+import jdk.test.lib.SecurityTools;
+import jdk.test.lib.process.OutputAnalyzer;
+import jdk.test.lib.util.JarUtils;
+
+import java.nio.file.Path;
+
+public class CheckSignerCertChain {
+
+    static OutputAnalyzer kt(String cmd, String ks) throws Exception {
+        return SecurityTools.keytool("-storepass changeit " + cmd +
+                " -keystore " + ks);
+    }
+
+    static void gencert(String owner, String cmd) throws Exception {
+        kt("-certreq -alias " + owner + " -file tmp.req", "ks");
+        kt("-gencert -infile tmp.req -outfile tmp.cert " + cmd, "ks");
+        kt("-importcert -alias " + owner + " -file tmp.cert", "ks");
+    }
+
+    public static void main(String[] args) throws Exception {
+
+        // root certificate using SHA1withRSA and 1024-bit key
+        System.out.println("Generating a root cert using SHA1withRSA and 1024-bit key");
+        kt("-genkeypair -keyalg rsa -alias ca -dname CN=CA -ext bc:c " +
+                "-keysize 1024 -sigalg SHA1withRSA", "ks");
+        kt("-genkeypair -keyalg rsa -alias ca1 -dname CN=CA1", "ks");
+        kt("-genkeypair -keyalg rsa -alias e1 -dname CN=E1", "ks");
+
+        // intermediate certificate using SHA1withRSA and 2048-bit key
+        System.out.println("Generating an intermediate cert using SHA1withRSA and 2048-bit key");
+        gencert("ca1", "-alias ca -ext san=dns:ca1 -ext bc:c " +
+                "-sigalg SHA1withRSA ");
+
+        // end entity certificate using SHA256withRSA and 2048-bit key
+        System.out.println("Generating an end entity cert using SHA256withRSA and 2048-bit key");
+        gencert("e1", "-alias ca1 -ext san=dns:e1 ");
+
+        JarUtils.createJarFile(Path.of("a.jar"), Path.of("."), Path.of("ks"));
+
+        SecurityTools.jarsigner("-keystore ks -storepass changeit " +
+                "-signedjar signeda.jar " +
+                "-sigalg SHA256withRSA " +
+                "-verbose" +
+                " a.jar e1")
+                .shouldContain("Signature algorithm: SHA1withRSA (weak), 2048-bit key")
+                // For trusted cert, warning should be generated for its weak 1024-bit
+                // key, but not for its SHA1withRSA algorithm.
+                .shouldContain("Signature algorithm: SHA1withRSA, 1024-bit key (weak)")
+                .shouldHaveExitValue(0);
+
+        kt("-exportcert -alias ca -rfc -file cacert", "ks");
+        kt("-importcert -noprompt -file cacert", "caks");
+
+        SecurityTools.jarsigner("-verify -certs signeda.jar " +
+                "-keystore caks -storepass changeit -verbose -debug")
+                .shouldContain("Signature algorithm: SHA1withRSA (weak), 2048-bit key")
+                // For trusted cert, warning should be generated for its weak 1024-bit
+                // key, but not for its SHA1withRSA algorithm.
+                .shouldContain("Signature algorithm: SHA1withRSA, 1024-bit key (weak)")
+                .shouldHaveExitValue(0);
+    }
+}