1 /*
2 * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.
8 *
9 * This code is distributed in the hope that it will be useful, but WITHOUT
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * version 2 for more details (a copy is included in the LICENSE file that
13 * accompanied this code).
14 *
15 * You should have received a copy of the GNU General Public License version
16 * 2 along with this work; if not, write to the Free Software Foundation,
17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18 *
19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20 * or visit www.oracle.com if you need additional information or have any
21 * questions.
22 */
23
24 import jdk.testlibrary.OutputAnalyzer;
25 import jdk.testlibrary.ProcessTools;
26 import jdk.testlibrary.JarUtils;
27
28 /**
29 * @test
30 * @bug 8024302 8026037
31 * @summary Checks if jarsigner prints appropriate warnings
32 * @library /lib/testlibrary ../
33 * @run main MultipleWarningsTest
34 */
35 public class MultipleWarningsTest extends Test {
36
37 /**
38 * The test signs and verifies a jar that:
39 * - contains entries whose signer certificate has expired
40 * - contains entries whose signer certificate's ExtendedKeyUsage
41 * extension doesn't allow code signing
42 * - contains unsigned entries which have not been integrity-checked
43 * - contains signed entries which are not signed by the specified alias
44 * Warning messages are expected.
45 */
46 public static void main(String[] args) throws Throwable {
47 MultipleWarningsTest test = new MultipleWarningsTest();
48 test.start();
49 }
50
51 private void start() throws Throwable {
52 Utils.createFiles(FIRST_FILE, SECOND_FILE);
53
54 // create a jar file that contains one class file
55 JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
56
57 // create first expired certificate
58 // whose ExtendedKeyUsage extension does not allow code signing
59 ProcessTools.executeCommand(KEYTOOL,
60 "-genkey",
61 "-alias", FIRST_KEY_ALIAS,
62 "-keyalg", KEY_ALG,
63 "-keysize", Integer.toString(KEY_SIZE),
64 "-keystore", KEYSTORE,
65 "-storepass", PASSWORD,
66 "-keypass", PASSWORD,
67 "-dname", "CN=First",
68 "-ext", "ExtendedkeyUsage=serverAuth",
69 "-startdate", "-" + VALIDITY * 2 + "d",
70 "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
71
72 // create second expired certificate
73 // whose KeyUsage extension does not allow code signing
74 ProcessTools.executeCommand(KEYTOOL,
75 "-genkey",
76 "-alias", SECOND_KEY_ALIAS,
77 "-keyalg", KEY_ALG,
78 "-keysize", Integer.toString(KEY_SIZE),
79 "-keystore", KEYSTORE,
80 "-storepass", PASSWORD,
81 "-keypass", PASSWORD,
82 "-dname", "CN=Second",
83 "-ext", "ExtendedkeyUsage=serverAuth",
84 "-startdate", "-" + VALIDITY * 2 + "d",
85 "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
86
87 // sign jar with first key
88 OutputAnalyzer analyzer = ProcessTools.executeCommand(JARSIGNER,
89 "-keystore", KEYSTORE,
90 "-storepass", PASSWORD,
91 "-keypass", PASSWORD,
92 "-signedjar", SIGNED_JARFILE,
93 UNSIGNED_JARFILE,
94 FIRST_KEY_ALIAS);
95
96 checkSigning(analyzer, HAS_EXPIRED_CERT_SIGNING_WARNING,
97 BAD_EXTENDED_KEY_USAGE_SIGNING_WARNING);
98
99 // add a second class to created jar, so it contains unsigned entry
100 JarUtils.updateJar(SIGNED_JARFILE, UPDATED_SIGNED_JARFILE, SECOND_FILE);
101
102 // verify jar with second key
103 analyzer = ProcessTools.executeCommand(JARSIGNER,
104 "-verify",
105 "-keystore", KEYSTORE,
106 "-storepass", PASSWORD,
107 "-keypass", PASSWORD,
108 UPDATED_SIGNED_JARFILE,
109 SECOND_KEY_ALIAS);
110
111 checkVerifying(analyzer, 0, BAD_EXTENDED_KEY_USAGE_VERIFYING_WARNING,
112 HAS_EXPIRED_CERT_VERIFYING_WARNING,
113 HAS_UNSIGNED_ENTRY_VERIFYING_WARNING,
114 NOT_SIGNED_BY_ALIAS_VERIFYING_WARNING);
115
116 // verify jar with second key in strict mode
117 analyzer = ProcessTools.executeCommand(JARSIGNER,
118 "-verify",
119 "-strict",
120 "-keystore", KEYSTORE,
121 "-storepass", PASSWORD,
122 "-keypass", PASSWORD,
123 UPDATED_SIGNED_JARFILE,
124 SECOND_KEY_ALIAS);
125
126 int expectedExitCode = HAS_EXPIRED_CERT_EXIT_CODE
127 + BAD_EXTENDED_KEY_USAGE_EXIT_CODE
128 + HAS_UNSIGNED_ENTRY_EXIT_CODE
129 + NOT_SIGNED_BY_ALIAS_EXIT_CODE;
130 checkVerifying(analyzer, expectedExitCode,
131 BAD_EXTENDED_KEY_USAGE_VERIFYING_WARNING,
132 HAS_EXPIRED_CERT_VERIFYING_WARNING,
133 HAS_UNSIGNED_ENTRY_VERIFYING_WARNING,
134 NOT_SIGNED_BY_ALIAS_VERIFYING_WARNING);
135
136 // verify jar with non-exisiting alias
137 analyzer = ProcessTools.executeCommand(JARSIGNER,
138 "-verify",
139 "-keystore", KEYSTORE,
140 "-storepass", PASSWORD,
141 "-keypass", PASSWORD,
142 UPDATED_SIGNED_JARFILE,
143 "bogus");
144
145 checkVerifying(analyzer, 0, BAD_EXTENDED_KEY_USAGE_VERIFYING_WARNING,
146 HAS_EXPIRED_CERT_VERIFYING_WARNING,
147 HAS_UNSIGNED_ENTRY_VERIFYING_WARNING,
148 NOT_SIGNED_BY_ALIAS_VERIFYING_WARNING);
149
150 // verify jar with non-exisiting alias in strict mode
151 analyzer = ProcessTools.executeCommand(JARSIGNER,
152 "-verify",
153 "-strict",
154 "-keystore", KEYSTORE,
155 "-storepass", PASSWORD,
156 "-keypass", PASSWORD,
157 UPDATED_SIGNED_JARFILE,
158 "bogus");
159
160 checkVerifying(analyzer, expectedExitCode,
161 BAD_EXTENDED_KEY_USAGE_VERIFYING_WARNING,
162 HAS_EXPIRED_CERT_VERIFYING_WARNING,
163 HAS_UNSIGNED_ENTRY_VERIFYING_WARNING,
164 NOT_SIGNED_BY_ALIAS_VERIFYING_WARNING);
165
166 System.out.println("Test passed");
167 }
168
169 }