1 /*
2 * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.
8 *
9 * This code is distributed in the hope that it will be useful, but WITHOUT
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * version 2 for more details (a copy is included in the LICENSE file that
13 * accompanied this code).
14 *
15 * You should have received a copy of the GNU General Public License version
16 * 2 along with this work; if not, write to the Free Software Foundation,
17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18 *
19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20 * or visit www.oracle.com if you need additional information or have any
21 * questions.
22 */
23
24 import jdk.testlibrary.OutputAnalyzer;
25 import jdk.test.lib.util.JarUtils;
26
27 import java.nio.file.Files;
28 import java.nio.file.Paths;
29
30 /**
31 * @test
32 * @bug 8024302 8026037
33 * @summary Test for chainNotValidated warning
34 * @library /lib/testlibrary /test/lib ../
35 * @build jdk.test.lib.util.JarUtils
36 * @run main ChainNotValidatedTest ca2yes
37 * @run main ChainNotValidatedTest ca2no
38 */
39 public class ChainNotValidatedTest extends Test {
40
41 public static void main(String[] args) throws Throwable {
42 ChainNotValidatedTest test = new ChainNotValidatedTest();
43 test.start(args[0].equals("ca2yes"));
44 }
45
46 private void start(boolean ca2yes) throws Throwable {
47 // create a jar file that contains one class file
48 Utils.createFiles(FIRST_FILE);
49 JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
50
51 // We have 2 @run. Need cleanup.
52 Files.deleteIfExists(Paths.get(KEYSTORE));
53
54 // Root CA is not checked at all. If the intermediate CA has
55 // BasicConstraints extension set to true, it will be valid.
56 // Otherwise, chain validation will fail.
57 createAlias(CA_KEY_ALIAS);
58 createAlias(CA2_KEY_ALIAS);
59 issueCert(CA2_KEY_ALIAS,
60 "-ext",
61 "bc=ca:" + ca2yes);
62
63 createAlias(KEY_ALIAS);
64 issueCert(KEY_ALIAS, "-alias", CA2_KEY_ALIAS);
65
66 // remove CA2 certificate so it's not trusted
67 keytool(
68 "-delete",
69 "-alias", CA2_KEY_ALIAS,
70 "-keystore", KEYSTORE,
71 "-storepass", PASSWORD,
72 "-keypass", PASSWORD).shouldHaveExitValue(0);
73
74 // sign jar
75 OutputAnalyzer analyzer = jarsigner(
76 "-keystore", KEYSTORE,
77 "-storepass", PASSWORD,
78 "-keypass", PASSWORD,
79 "-signedjar", SIGNED_JARFILE,
80 UNSIGNED_JARFILE,
81 KEY_ALIAS);
82
83 if (ca2yes) {
84 checkSigning(analyzer, "!" + CHAIN_NOT_VALIDATED_SIGNING_WARNING);
85 } else {
86 checkSigning(analyzer, CHAIN_NOT_VALIDATED_SIGNING_WARNING);
87 }
88
89 // verify signed jar
90 analyzer = jarsigner(
91 "-verify",
92 "-verbose",
93 "-keystore", KEYSTORE,
94 "-storepass", PASSWORD,
95 "-keypass", PASSWORD,
96 SIGNED_JARFILE);
97
98 if (ca2yes) {
99 checkVerifying(analyzer, 0, "!" + CHAIN_NOT_VALIDATED_VERIFYING_WARNING);
100 } else {
101 checkVerifying(analyzer, 0, CHAIN_NOT_VALIDATED_VERIFYING_WARNING);
102 }
103
104 // verify signed jar in strict mode
105 analyzer = jarsigner(
106 "-verify",
107 "-verbose",
108 "-strict",
109 "-keystore", KEYSTORE,
110 "-storepass", PASSWORD,
111 "-keypass", PASSWORD,
112 SIGNED_JARFILE);
113
114 if (ca2yes) {
115 checkVerifying(analyzer, 0,
116 "!" + CHAIN_NOT_VALIDATED_VERIFYING_WARNING);
117 } else {
118 checkVerifying(analyzer, CHAIN_NOT_VALIDATED_EXIT_CODE,
119 CHAIN_NOT_VALIDATED_VERIFYING_WARNING);
120 }
121
122 System.out.println("Test passed");
123 }
124
125 }