1 /*
2 * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.
8 *
9 * This code is distributed in the hope that it will be useful, but WITHOUT
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * version 2 for more details (a copy is included in the LICENSE file that
13 * accompanied this code).
14 *
15 * You should have received a copy of the GNU General Public License version
16 * 2 along with this work; if not, write to the Free Software Foundation,
17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18 *
19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20 * or visit www.oracle.com if you need additional information or have any
21 * questions.
22 */
23
24 import jdk.testlibrary.OutputAnalyzer;
25 import jdk.testlibrary.JarUtils;
26
27 /**
28 * @test
29 * @bug 8024302 8026037
30 * @summary Checks if jarsigner prints appropriate warnings
31 * @library /lib/testlibrary ../
32 * @run main MultipleWarningsTest
33 */
34 public class MultipleWarningsTest extends Test {
35
36 /**
37 * The test signs and verifies a jar that:
38 * - contains entries whose signer certificate has expired
39 * - contains entries whose signer certificate's ExtendedKeyUsage
40 * extension doesn't allow code signing
41 * - contains unsigned entries which have not been integrity-checked
42 * - contains signed entries which are not signed by the specified alias
43 * Warning messages are expected.
44 */
45 public static void main(String[] args) throws Throwable {
46 MultipleWarningsTest test = new MultipleWarningsTest();
47 test.start();
48 }
49
50 private void start() throws Throwable {
51 Utils.createFiles(FIRST_FILE, SECOND_FILE);
52
53 // create a jar file that contains one class file
54 JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
55
56 // create first expired certificate
57 // whose ExtendedKeyUsage extension does not allow code signing
58 keytool(
59 "-genkey",
60 "-alias", FIRST_KEY_ALIAS,
61 "-keyalg", KEY_ALG,
62 "-keysize", Integer.toString(KEY_SIZE),
63 "-keystore", KEYSTORE,
64 "-storepass", PASSWORD,
65 "-keypass", PASSWORD,
66 "-dname", "CN=First",
67 "-ext", "ExtendedkeyUsage=serverAuth",
68 "-startdate", "-" + VALIDITY * 2 + "d",
69 "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
70
71 // create second expired certificate
72 // whose KeyUsage extension does not allow code signing
73 keytool(
74 "-genkey",
75 "-alias", SECOND_KEY_ALIAS,
76 "-keyalg", KEY_ALG,
77 "-keysize", Integer.toString(KEY_SIZE),
78 "-keystore", KEYSTORE,
79 "-storepass", PASSWORD,
80 "-keypass", PASSWORD,
81 "-dname", "CN=Second",
82 "-ext", "ExtendedkeyUsage=serverAuth",
83 "-startdate", "-" + VALIDITY * 2 + "d",
84 "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
85
86 // sign jar with first key
87 OutputAnalyzer analyzer = jarsigner(
88 "-keystore", KEYSTORE,
89 "-storepass", PASSWORD,
90 "-keypass", PASSWORD,
91 "-signedjar", SIGNED_JARFILE,
92 UNSIGNED_JARFILE,
93 FIRST_KEY_ALIAS);
94
95 checkSigning(analyzer, HAS_EXPIRED_CERT_SIGNING_WARNING,
96 BAD_EXTENDED_KEY_USAGE_SIGNING_WARNING);
97
98 // add a second class to created jar, so it contains unsigned entry
99 JarUtils.updateJar(SIGNED_JARFILE, UPDATED_SIGNED_JARFILE, SECOND_FILE);
100
101 // verify jar with second key
102 analyzer = jarsigner(
103 "-verify",
104 "-keystore", KEYSTORE,
105 "-storepass", PASSWORD,
106 "-keypass", PASSWORD,
107 UPDATED_SIGNED_JARFILE,
108 SECOND_KEY_ALIAS);
109
110 checkVerifying(analyzer, 0, BAD_EXTENDED_KEY_USAGE_VERIFYING_WARNING,
111 HAS_EXPIRED_CERT_VERIFYING_WARNING,
112 HAS_UNSIGNED_ENTRY_VERIFYING_WARNING,
113 NOT_SIGNED_BY_ALIAS_VERIFYING_WARNING);
114
115 // verify jar with second key in strict mode
116 analyzer = jarsigner(
117 "-verify",
118 "-strict",
119 "-keystore", KEYSTORE,
120 "-storepass", PASSWORD,
121 "-keypass", PASSWORD,
122 UPDATED_SIGNED_JARFILE,
123 SECOND_KEY_ALIAS);
124
125 int expectedExitCode = HAS_EXPIRED_CERT_EXIT_CODE
126 + BAD_EXTENDED_KEY_USAGE_EXIT_CODE
127 + HAS_UNSIGNED_ENTRY_EXIT_CODE
128 + NOT_SIGNED_BY_ALIAS_EXIT_CODE;
129 checkVerifying(analyzer, expectedExitCode,
130 BAD_EXTENDED_KEY_USAGE_VERIFYING_WARNING,
131 HAS_EXPIRED_CERT_VERIFYING_WARNING,
132 HAS_UNSIGNED_ENTRY_VERIFYING_WARNING,
133 NOT_SIGNED_BY_ALIAS_VERIFYING_WARNING);
134
135 // verify jar with non-exisiting alias
136 analyzer = jarsigner(
137 "-verify",
138 "-keystore", KEYSTORE,
139 "-storepass", PASSWORD,
140 "-keypass", PASSWORD,
141 UPDATED_SIGNED_JARFILE,
142 "bogus");
143
144 checkVerifying(analyzer, 0, BAD_EXTENDED_KEY_USAGE_VERIFYING_WARNING,
145 HAS_EXPIRED_CERT_VERIFYING_WARNING,
146 HAS_UNSIGNED_ENTRY_VERIFYING_WARNING,
147 NOT_SIGNED_BY_ALIAS_VERIFYING_WARNING);
148
149 // verify jar with non-exisiting alias in strict mode
150 analyzer = jarsigner(
151 "-verify",
152 "-strict",
153 "-keystore", KEYSTORE,
154 "-storepass", PASSWORD,
155 "-keypass", PASSWORD,
156 UPDATED_SIGNED_JARFILE,
157 "bogus");
158
159 checkVerifying(analyzer, expectedExitCode,
160 BAD_EXTENDED_KEY_USAGE_VERIFYING_WARNING,
161 HAS_EXPIRED_CERT_VERIFYING_WARNING,
162 HAS_UNSIGNED_ENTRY_VERIFYING_WARNING,
163 NOT_SIGNED_BY_ALIAS_VERIFYING_WARNING);
164
165 System.out.println("Test passed");
166 }
167
168 }