1 /*
   2  * Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.
   8  *
   9  * This code is distributed in the hope that it will be useful, but WITHOUT
  10  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  11  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  12  * version 2 for more details (a copy is included in the LICENSE file that
  13  * accompanied this code).
  14  *
  15  * You should have received a copy of the GNU General Public License version
  16  * 2 along with this work; if not, write to the Free Software Foundation,
  17  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  18  *
  19  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  20  * or visit www.oracle.com if you need additional information or have any
  21  * questions.
  22  */
  23 
  24 import jdk.testlibrary.OutputAnalyzer;
  25 import jdk.test.lib.util.JarUtils;
  26 
  27 /**
  28  * @test
  29  * @bug 8024302 8026037 8176320
  30  * @summary The test signs and verifies a jar file with -tsacert option
  31  * @library /lib/testlibrary warnings
  32  * @library /test/lib
  33  * @modules java.base/sun.security.pkcs
  34  *          java.base/sun.security.timestamp
  35  *          java.base/sun.security.tools.keytool
  36  *          java.base/sun.security.util
  37  *          java.base/sun.security.x509
  38  *          java.management
  39  * @build jdk.test.lib.util.JarUtils
  40  * @run main TsacertOptionTest
  41  */
  42 public class TsacertOptionTest extends Test {
  43 
  44     private static final String FILENAME = TsacertOptionTest.class.getName()
  45             + ".txt";
  46     private static final String SIGNING_KEY_ALIAS = "sign_alias";
  47     private static final String TSA_KEY_ALIAS = "ts";
  48 
  49     private static final String PASSWORD = "changeit";
  50 
  51     /**
  52      * The test signs and verifies a jar file with -tsacert option,
  53      * and checks that no warning was shown.
  54      * A certificate that is addressed in -tsacert option contains URL to TSA
  55      * in Subject Information Access extension.
  56      */
  57     public static void main(String[] args) throws Throwable {
  58         TsacertOptionTest test = new TsacertOptionTest();
  59         test.start();
  60     }
  61 
  62     void start() throws Throwable {
  63         // create a jar file that contains one file
  64         Utils.createFiles(FILENAME);
  65         JarUtils.createJar(UNSIGNED_JARFILE, FILENAME);
  66 
  67         // create key pair for jar signing
  68         keytool(
  69                 "-genkey",
  70                 "-alias", CA_KEY_ALIAS,
  71                 "-keyalg", KEY_ALG,
  72                 "-keysize", Integer.toString(KEY_SIZE),
  73                 "-keystore", KEYSTORE,
  74                 "-storepass", PASSWORD,
  75                 "-keypass", PASSWORD,
  76                 "-dname", "CN=CA",
  77                 "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
  78         keytool(
  79                 "-genkey",
  80                 "-alias", SIGNING_KEY_ALIAS,
  81                 "-keyalg", KEY_ALG,
  82                 "-keysize", Integer.toString(KEY_SIZE),
  83                 "-keystore", KEYSTORE,
  84                 "-storepass", PASSWORD,
  85                 "-keypass", PASSWORD,
  86                 "-dname", "CN=Test").shouldHaveExitValue(0);
  87         keytool(
  88                 "-certreq",
  89                 "-alias", SIGNING_KEY_ALIAS,
  90                 "-keystore", KEYSTORE,
  91                 "-storepass", PASSWORD,
  92                 "-keypass", PASSWORD,
  93                 "-file", "certreq").shouldHaveExitValue(0);
  94         keytool(
  95                 "-gencert",
  96                 "-alias", CA_KEY_ALIAS,
  97                 "-keystore", KEYSTORE,
  98                 "-storepass", PASSWORD,
  99                 "-keypass", PASSWORD,
 100                 "-validity", Integer.toString(VALIDITY),
 101                 "-infile", "certreq",
 102                 "-outfile", "cert").shouldHaveExitValue(0);
 103         keytool(
 104                 "-importcert",
 105                 "-alias", SIGNING_KEY_ALIAS,
 106                 "-keystore", KEYSTORE,
 107                 "-storepass", PASSWORD,
 108                 "-keypass", PASSWORD,
 109                 "-file", "cert").shouldHaveExitValue(0);
 110 
 111 
 112         try (TimestampCheck.Handler tsa = TimestampCheck.Handler.init(0,
 113                 KEYSTORE)) {
 114 
 115             // look for free network port for TSA service
 116             int port = tsa.getPort();
 117             String host = "127.0.0.1";
 118             String tsaUrl = "http://" + host + ":" + port;
 119 
 120             // create key pair for TSA service
 121             // SubjectInfoAccess extension contains URL to TSA service
 122             keytool(
 123                     "-genkey",
 124                     "-v",
 125                     "-alias", TSA_KEY_ALIAS,
 126                     "-keyalg", KEY_ALG,
 127                     "-keysize", Integer.toString(KEY_SIZE),
 128                     "-keystore", KEYSTORE,
 129                     "-storepass", PASSWORD,
 130                     "-keypass", PASSWORD,
 131                     "-dname", "CN=TSA",
 132                     "-ext", "ExtendedkeyUsage:critical=timeStamping",
 133                     "-ext", "SubjectInfoAccess=timeStamping:URI:" + tsaUrl,
 134                     "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
 135 
 136             // start TSA
 137             tsa.start();
 138 
 139             // sign jar file
 140             // specify -tsadigestalg option because
 141             // TSA server uses SHA-1 digest algorithm
 142              OutputAnalyzer analyzer = jarsigner(
 143                     "-J-Dhttp.proxyHost=",
 144                     "-J-Dhttp.proxyPort=",
 145                     "-J-Djava.net.useSystemProxies=",
 146                     "-verbose",
 147                     "-keystore", KEYSTORE,
 148                     "-storepass", PASSWORD,
 149                     "-keypass", PASSWORD,
 150                     "-signedjar", SIGNED_JARFILE,
 151                     "-tsacert", TSA_KEY_ALIAS,
 152                     "-tsadigestalg", "SHA-1",
 153                     UNSIGNED_JARFILE,
 154                     SIGNING_KEY_ALIAS);
 155 
 156             analyzer.shouldHaveExitValue(0);
 157             analyzer.stdoutShouldNotContain(WARNING);
 158             analyzer.shouldContain(JAR_SIGNED);
 159 
 160             // verify signed jar
 161             analyzer = jarsigner(
 162                     "-verbose",
 163                     "-verify",
 164                     "-keystore", KEYSTORE,
 165                     "-storepass", PASSWORD,
 166                     SIGNED_JARFILE);
 167 
 168             analyzer.shouldHaveExitValue(0);
 169             analyzer.stdoutShouldNotContain(WARNING);
 170             analyzer.shouldContain(JAR_VERIFIED);
 171         }
 172 
 173         System.out.println("Test passed");
 174     }
 175 
 176 }