the fix

src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java

@@ -126,8 +126,6 @@ public class Main {
     static final int NOT_ALIAS = 0x04;          // alias list is NOT empty and
     // signer is not in alias list
     static final int SIGNED_BY_ALIAS = 0x08;    // signer is in alias list
-    static final int SOME_ALIASES_NOT_FOUND = 0x10;
-    // at least one signer alias is not in keystore
 
     static final JavaUtilZipFileAccess JUZFA = SharedSecrets.getJavaUtilZipFileAccess();
 
@@ -234,7 +232,6 @@ public ExitException(int errorCode) {
     private boolean badExtendedKeyUsage = false;
     private boolean badNetscapeCertType = false;
     private boolean signerSelfSigned = false;
-    private boolean allAliasesFound = true;
 
     private Throwable chainNotValidatedReason = null;
     private Throwable tsaChainNotValidatedReason = null;
@@ -847,8 +844,6 @@ void verifyJar(String jarName)
                         aliasNotInStore |= isSigned && !inStore;
                     }
 
-                    allAliasesFound =
-                        (inStoreWithAlias & SOME_ALIASES_NOT_FOUND) == 0;
                     // Only used when -verbose provided
                     StringBuilder sb = null;
                     if (verbose != null) {
@@ -1180,7 +1175,7 @@ private void displayMessagesAndResult(boolean isSigning) {
         }
 
         // only in verifying
-        if (!allAliasesFound) {
+        if (aliasNotInStore) {
             warnings.add(rb.getString("This.jar.contains.signed.entries.that.s.not.signed.by.alias.in.this.keystore."));
         }
 
@@ -1733,41 +1728,40 @@ private int inKeyStoreForOneSigner(CodeSigner signer) {
         }
 
         int result = 0;
-        boolean allAliasesFound = true;
         if (store != null) {
             try {
                 List<? extends Certificate> certs =
                         signer.getSignerCertPath().getCertificates();
+                boolean isEndEntityCert = true;
                 for (Certificate c : certs) {
                     String alias = storeHash.get(c);
                     if (alias == null) {
                         alias = store.getCertificateAlias(c);
                         if (alias != null) {
                             storeHash.put(c, alias);
-                        } else {
-                            allAliasesFound = false;
                         }
                     }
-                    if (alias != null) {
-                        result |= IN_KEYSTORE;
-                    }
-                    for (String ckalias : ckaliases) {
-                        if (c.equals(store.getCertificate(ckalias))) {
-                            result |= SIGNED_BY_ALIAS;
-                            // must continue with next certificate c and cannot
-                            // return or break outer loop because has to fill
-                            // storeHash for printCert
-                            break;
+                    if (isEndEntityCert) {
+                        // Only count end-entity cert as signer
+                        if (alias != null) {
+                            result |= IN_KEYSTORE;
+                        }
+                        for (String ckalias : ckaliases) {
+                            if (c.equals(store.getCertificate(ckalias))) {
+                                result |= SIGNED_BY_ALIAS;
+                                break;
+                            }
                         }
                     }
+                    isEndEntityCert = false;
+                    // must continue with next certificate c and cannot
+                    // return or break outer loop because has to fill
+                    // storeHash for printCer
                 }
             } catch (KeyStoreException kse) {
                 // never happens, because keystore has been loaded
             }
         }
-        if (!allAliasesFound) {
-            result |= SOME_ALIASES_NOT_FOUND;
-        }
         cacheForInKS.put(signer, result);
         return result;
     }

test/jdk/sun/security/tools/jarsigner/ByAlias.java

@@ -0,0 +1,110 @@
+/*
+ * Copyright (c) 2024, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8330217
+ * @summary correct warnings on whether signer is in keystore and listed
+ * @library /test/lib
+ */
+
+import jdk.test.lib.SecurityTools;
+import jdk.test.lib.process.OutputAnalyzer;
+import jdk.test.lib.util.JarUtils;
+
+import java.nio.file.Files;
+import java.nio.file.Path;
+
+public class ByAlias {
+    static OutputAnalyzer kt(String cmd) throws Exception {
+        return SecurityTools.keytool("-storepass changeit "
+                + "-keypass changeit -keystore ks " + cmd);
+    }
+
+    static void selfsign(String name) throws Exception {
+        kt("-alias " + name + " -dname CN=" + name + " -keyalg ec -genkey");
+    }
+
+    static void gencert(String signer, String owner) throws Exception {
+        selfsign(owner);
+        kt("-certreq -alias " + owner + " -file tmp.req")
+                .shouldHaveExitValue(0);
+        kt("-gencert -infile tmp.req -outfile tmp.cert -alias " + signer)
+                .shouldHaveExitValue(0);
+        kt("-import -alias " + owner + " -file tmp.cert")
+                .shouldHaveExitValue(0);
+    }
+
+    static OutputAnalyzer js(String cmd) throws Exception {
+        return SecurityTools.jarsigner("-keystore ks -storepass changeit " + cmd);
+    }
+
+    public static void main(String[] args) throws Exception {
+        JarUtils.createJarFile(Path.of("a.jar"), Path.of("."),
+                Files.writeString(Path.of("a"), "a"));
+
+        selfsign("ca");
+        gencert("ca", "ca1");
+        gencert("ca1", "ee");
+        selfsign("n1");
+        selfsign("n2");
+
+        js("a.jar ee");
+
+        // Everything is good at the beginning
+        js("-verify a.jar ee")
+                .shouldNotContain("not signed by the specified alias(es)")
+                .shouldNotContain("not signed by alias in this keystore");
+
+        js("-verify a.jar ca1") // ca1 is not the signer
+                .shouldContain("not signed by the specified alias(es)")
+                .shouldNotContain("not signed by alias in this keystore");
+
+        // Remove intermediate cert from ks. Still good.
+        kt("-delete -alias ca1");
+        js("-verify a.jar ee")
+                .shouldNotContain("not signed by alias in this keystore");
+
+        // End-entity cert is removed. Warn now.
+        kt("-delete -alias ee");
+        js("-verify a.jar")
+                .shouldContain("not signed by alias in this keystore");
+
+        // Sign with different signer n1
+        js("a.jar n1");
+
+        // Add a new file and sign with different signer n2
+        JarUtils.updateJarFile(Path.of("a.jar"), Path.of("."),
+                Files.writeString(Path.of("b"), "b"));
+        js("a.jar n2");
+
+        // Now a signed with n1 and n2, b signed with n2
+        js("-verify a.jar")
+                .shouldNotContain("not signed by alias in this keystore");
+
+        // If n2 is removed, then b has no signer
+        kt("-delete -alias n2");
+        js("-verify a.jar")
+                .shouldContain("not signed by alias in this keystore");
+    }
+}

test/jdk/sun/security/tools/jarsigner/CheckUsage.java

@@ -79,9 +79,14 @@ public static void main(String[] args) throws Exception {
 
         // Test 2: Verify should be OK
 
-        SecurityTools.jarsigner("-keystore trust.jks -storepass changeit "
+        // Verify with own keystore is perfect.
+        SecurityTools.jarsigner("-keystore js.jks -storepass changeit "
                 + "-strict -verify a.jar")
                 .shouldHaveExitValue(0);
+        // Verify with only CA keystore is also mostly OK
+        SecurityTools.jarsigner("-keystore trust.jks -storepass changeit "
+                        + "-strict -verify a.jar")
+                .shouldHaveExitValue(32); //aliasNotInStore(32)
 
         // Test 3: When no keystore is specified, the error is only
         // "chain invalid"

test/jdk/sun/security/tools/jarsigner/EnableRevocation.java

@@ -88,6 +88,6 @@ public static void main(String[] args) throws Exception {
                 "-strict -verbose -debug -revCheck")
                 .shouldContain("Contacting OCSP server at")
                 .shouldContain("Downloading CRL from")
-                .shouldHaveExitValue(4);
+                .shouldHaveExitValue(36); // aliasNotInStore(32), chainNotValidated(4)
     }
 }