1 /*
2 * Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.
8 *
9 * This code is distributed in the hope that it will be useful, but WITHOUT
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * version 2 for more details (a copy is included in the LICENSE file that
13 * accompanied this code).
14 *
15 * You should have received a copy of the GNU General Public License version
16 * 2 along with this work; if not, write to the Free Software Foundation,
17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18 *
19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20 * or visit www.oracle.com if you need additional information or have any
21 * questions.
22 */
23
24 import jdk.testlibrary.OutputAnalyzer;
25 import jdk.testlibrary.JarUtils;
26
27 /**
28 * @test
29 * @bug 8024302 8026037 8176320
30 * @summary The test signs and verifies a jar file with -tsacert option
31 * @library /lib/testlibrary warnings
32 * @library /test/lib
33 * @modules java.base/sun.security.pkcs
34 * java.base/sun.security.timestamp
35 * java.base/sun.security.tools.keytool
36 * java.base/sun.security.util
37 * java.base/sun.security.x509
38 * java.management
39 * @run main TsacertOptionTest
40 */
41 public class TsacertOptionTest extends Test {
42
43 private static final String FILENAME = TsacertOptionTest.class.getName()
44 + ".txt";
45 private static final String SIGNING_KEY_ALIAS = "sign_alias";
46 private static final String TSA_KEY_ALIAS = "ts";
47
48 private static final String PASSWORD = "changeit";
49
50 /**
51 * The test signs and verifies a jar file with -tsacert option,
52 * and checks that no warning was shown.
53 * A certificate that is addressed in -tsacert option contains URL to TSA
54 * in Subject Information Access extension.
55 */
56 public static void main(String[] args) throws Throwable {
57 TsacertOptionTest test = new TsacertOptionTest();
58 test.start();
59 }
60
61 void start() throws Throwable {
62 // create a jar file that contains one file
63 Utils.createFiles(FILENAME);
64 JarUtils.createJar(UNSIGNED_JARFILE, FILENAME);
65
66 // create key pair for jar signing
67 keytool(
68 "-genkey",
69 "-alias", CA_KEY_ALIAS,
70 "-keyalg", KEY_ALG,
71 "-keysize", Integer.toString(KEY_SIZE),
72 "-keystore", KEYSTORE,
73 "-storepass", PASSWORD,
74 "-keypass", PASSWORD,
75 "-dname", "CN=CA",
76 "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
77 keytool(
78 "-genkey",
79 "-alias", SIGNING_KEY_ALIAS,
80 "-keyalg", KEY_ALG,
81 "-keysize", Integer.toString(KEY_SIZE),
82 "-keystore", KEYSTORE,
83 "-storepass", PASSWORD,
84 "-keypass", PASSWORD,
85 "-dname", "CN=Test").shouldHaveExitValue(0);
86 keytool(
87 "-certreq",
88 "-alias", SIGNING_KEY_ALIAS,
89 "-keystore", KEYSTORE,
90 "-storepass", PASSWORD,
91 "-keypass", PASSWORD,
92 "-file", "certreq").shouldHaveExitValue(0);
93 keytool(
94 "-gencert",
95 "-alias", CA_KEY_ALIAS,
96 "-keystore", KEYSTORE,
97 "-storepass", PASSWORD,
98 "-keypass", PASSWORD,
99 "-validity", Integer.toString(VALIDITY),
100 "-infile", "certreq",
101 "-outfile", "cert").shouldHaveExitValue(0);
102 keytool(
103 "-importcert",
104 "-alias", SIGNING_KEY_ALIAS,
105 "-keystore", KEYSTORE,
106 "-storepass", PASSWORD,
107 "-keypass", PASSWORD,
108 "-file", "cert").shouldHaveExitValue(0);
109
110
111 try (TimestampCheck.Handler tsa = TimestampCheck.Handler.init(0,
112 KEYSTORE)) {
113
114 // look for free network port for TSA service
115 int port = tsa.getPort();
116 String host = "127.0.0.1";
117 String tsaUrl = "http://" + host + ":" + port;
118
119 // create key pair for TSA service
120 // SubjectInfoAccess extension contains URL to TSA service
121 keytool(
122 "-genkey",
123 "-v",
124 "-alias", TSA_KEY_ALIAS,
125 "-keyalg", KEY_ALG,
126 "-keysize", Integer.toString(KEY_SIZE),
127 "-keystore", KEYSTORE,
128 "-storepass", PASSWORD,
129 "-keypass", PASSWORD,
130 "-dname", "CN=TSA",
131 "-ext", "ExtendedkeyUsage:critical=timeStamping",
132 "-ext", "SubjectInfoAccess=timeStamping:URI:" + tsaUrl,
133 "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
134
135 // start TSA
136 tsa.start();
137
138 // sign jar file
139 // specify -tsadigestalg option because
140 // TSA server uses SHA-1 digest algorithm
141 OutputAnalyzer analyzer = jarsigner(
142 "-J-Dhttp.proxyHost=",
143 "-J-Dhttp.proxyPort=",
144 "-J-Djava.net.useSystemProxies=",
145 "-verbose",
146 "-keystore", KEYSTORE,
147 "-storepass", PASSWORD,
148 "-keypass", PASSWORD,
149 "-signedjar", SIGNED_JARFILE,
150 "-tsacert", TSA_KEY_ALIAS,
151 "-tsadigestalg", "SHA-1",
152 UNSIGNED_JARFILE,
153 SIGNING_KEY_ALIAS);
154
155 analyzer.shouldHaveExitValue(0);
156 analyzer.stdoutShouldNotContain(WARNING);
157 analyzer.shouldContain(JAR_SIGNED);
158
159 // verify signed jar
160 analyzer = jarsigner(
161 "-verbose",
162 "-verify",
163 "-keystore", KEYSTORE,
164 "-storepass", PASSWORD,
165 SIGNED_JARFILE);
166
167 analyzer.shouldHaveExitValue(0);
168 analyzer.stdoutShouldNotContain(WARNING);
169 analyzer.shouldContain(JAR_VERIFIED);
170 }
171
172 System.out.println("Test passed");
173 }
174
175 }