/*
 * Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

import jdk.testlibrary.OutputAnalyzer;
import jdk.test.lib.util.JarUtils;

/**
 * @test
 * @bug 8024302 8026037 8176320
 * @summary The test signs and verifies a jar file with -tsacert option
 * @library /lib/testlibrary warnings
 * @library /test/lib
 * @modules java.base/sun.security.pkcs
 *          java.base/sun.security.timestamp
 *          java.base/sun.security.tools.keytool
 *          java.base/sun.security.util
 *          java.base/sun.security.x509
 *          java.management
 * @build jdk.test.lib.util.JarUtils
 * @run main TsacertOptionTest
 */
public class TsacertOptionTest extends Test {

    // Name of the single payload file that is packed into the jar under test.
    private static final String FILENAME = TsacertOptionTest.class.getName()
            + ".txt";

    // Keystore aliases: the jar signer's key and the timestamp authority's key.
    private static final String SIGNING_KEY_ALIAS = "sign_alias";
    private static final String TSA_KEY_ALIAS = "ts";

    // Fixture password used for both the store and every key entry; it is
    // handed to keytool/jarsigner as a plain command-line argument.
    private static final String PASSWORD = "changeit";

    /**
     * Entry point: runs the scenario once on a fresh instance.
     *
     * <p>The scenario signs a jar with {@code -tsacert}, verifies it, and
     * requires that neither step prints a warning. The certificate named by
     * {@code -tsacert} carries the TSA URL in its Subject Information Access
     * extension, so no explicit TSA URL is passed to jarsigner.
     *
     * @param args unused
     * @throws Throwable if any step of the scenario fails
     */
    public static void main(String[] args) throws Throwable {
        new TsacertOptionTest().start();
    }

    /**
     * Builds the unsigned jar and the keystore, then signs and verifies the
     * jar against a TSA whose address comes from the TSA certificate.
     *
     * @throws Throwable if a tool invocation or an output check fails
     */
    void start() throws Throwable {
        // One-entry jar to be signed.
        Utils.createFiles(FILENAME);
        JarUtils.createJar(UNSIGNED_JARFILE, FILENAME);

        prepareSigningKeystore();
        signAndVerifyWithTsaCert();

        System.out.println("Test passed");
    }

    /**
     * Creates the CA key, the signer key, and replaces the signer's
     * certificate with one issued by the CA (certreq, gencert, importcert).
     */
    private void prepareSigningKeystore() throws Throwable {
        final String keySize = Integer.toString(KEY_SIZE);
        final String validity = Integer.toString(VALIDITY);

        // CA key pair.
        keytool(
                "-genkey",
                "-alias", CA_KEY_ALIAS,
                "-keyalg", KEY_ALG,
                "-keysize", keySize,
                "-keystore", KEYSTORE,
                "-storepass", PASSWORD,
                "-keypass", PASSWORD,
                "-dname", "CN=CA",
                "-validity", validity).shouldHaveExitValue(0);

        // Signer key pair (no explicit -validity is passed for this one).
        keytool(
                "-genkey",
                "-alias", SIGNING_KEY_ALIAS,
                "-keyalg", KEY_ALG,
                "-keysize", keySize,
                "-keystore", KEYSTORE,
                "-storepass", PASSWORD,
                "-keypass", PASSWORD,
                "-dname", "CN=Test").shouldHaveExitValue(0);

        // Certificate request for the signer, written to the file "certreq".
        keytool(
                "-certreq",
                "-alias", SIGNING_KEY_ALIAS,
                "-keystore", KEYSTORE,
                "-storepass", PASSWORD,
                "-keypass", PASSWORD,
                "-file", "certreq").shouldHaveExitValue(0);

        // The CA answers the request; the issued certificate lands in "cert".
        keytool(
                "-gencert",
                "-alias", CA_KEY_ALIAS,
                "-keystore", KEYSTORE,
                "-storepass", PASSWORD,
                "-keypass", PASSWORD,
                "-validity", validity,
                "-infile", "certreq",
                "-outfile", "cert").shouldHaveExitValue(0);

        // Install the CA-issued certificate under the signer's alias.
        keytool(
                "-importcert",
                "-alias", SIGNING_KEY_ALIAS,
                "-keystore", KEYSTORE,
                "-storepass", PASSWORD,
                "-keypass", PASSWORD,
                "-file", "cert").shouldHaveExitValue(0);
    }

    /**
     * Runs the TSA handler for the duration of the sign and verify steps and
     * asserts that both succeed with no warning on stdout.
     */
    private void signAndVerifyWithTsaCert() throws Throwable {
        try (TimestampCheck.Handler tsa = TimestampCheck.Handler.init(0,
                KEYSTORE)) {

            // The handler is initialised with port 0 and the port to use is
            // read back from it (presumably whichever free port it obtained).
            final int tsaPort = tsa.getPort();
            final String tsaUrl = "http://127.0.0.1:" + tsaPort;

            // TSA key pair. Its certificate is restricted to timeStamping via
            // a critical extended-key-usage extension and advertises the TSA
            // URL through SubjectInfoAccess, which is what -tsacert relies on.
            keytool(
                    "-genkey",
                    "-v",
                    "-alias", TSA_KEY_ALIAS,
                    "-keyalg", KEY_ALG,
                    "-keysize", Integer.toString(KEY_SIZE),
                    "-keystore", KEYSTORE,
                    "-storepass", PASSWORD,
                    "-keypass", PASSWORD,
                    "-dname", "CN=TSA",
                    "-ext", "ExtendedkeyUsage:critical=timeStamping",
                    "-ext", "SubjectInfoAccess=timeStamping:URI:" + tsaUrl,
                    "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);

            // The TSA key must exist in the keystore before the handler starts.
            tsa.start();

            // Sign. -tsadigestalg is pinned to SHA-1 only because the test TSA
            // server uses that digest algorithm. The three proxy properties
            // are set to empty values, presumably so the request to the
            // loopback TSA is not sent through a proxy configured on the host.
            OutputAnalyzer signOutput = jarsigner(
                    "-J-Dhttp.proxyHost=",
                    "-J-Dhttp.proxyPort=",
                    "-J-Djava.net.useSystemProxies=",
                    "-verbose",
                    "-keystore", KEYSTORE,
                    "-storepass", PASSWORD,
                    "-keypass", PASSWORD,
                    "-signedjar", SIGNED_JARFILE,
                    "-tsacert", TSA_KEY_ALIAS,
                    "-tsadigestalg", "SHA-1",
                    UNSIGNED_JARFILE,
                    SIGNING_KEY_ALIAS);

            // Only stdout is searched for the warning marker.
            signOutput.shouldHaveExitValue(0);
            signOutput.stdoutShouldNotContain(WARNING);
            signOutput.shouldContain(JAR_SIGNED);

            // Verify the signed jar against the same keystore.
            OutputAnalyzer verifyOutput = jarsigner(
                    "-verbose",
                    "-verify",
                    "-keystore", KEYSTORE,
                    "-storepass", PASSWORD,
                    SIGNED_JARFILE);

            verifyOutput.shouldHaveExitValue(0);
            verifyOutput.stdoutShouldNotContain(WARNING);
            verifyOutput.shouldContain(JAR_VERIFIED);
        }
    }

}