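#
# Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
# published by the Free Software Foundation.
#
# This code is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# version 2 for more details (a copy is included in the LICENSE file that
# accompanied this code).
#
# You should have received a copy of the GNU General Public License version
# 2 along with this work; if not, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
# or visit www.oracle.com if you need additional information or have any
# questions.
#

# @test
# @bug 6802846
# @summary jarsigner needs enhanced cert validation(options)
#
# @run shell concise_jarsigner.sh
#

# Every check exits with its own line number ($LINENO), so a failure can be
# located from the exit status alone. Exit statuses wrap modulo 256: keep all
# checks before line 256, or a failing check could be reported as status 0.

if [ -z "${TESTJAVA}" ]; then
  # Fallback: whichever javac comes first on PATH decides which JDK tools
  # (keytool, jar, jarsigner) are exercised. Set TESTJAVA to pin the JDK.
  JAVAC_CMD=$(command -v javac) || exit $LINENO
  TESTJAVA=$(dirname "$JAVAC_CMD")/..
fi

# set platform-dependent variables
OS=$(uname -s)
case "$OS" in
  Windows_* )
    FS="\\"
    ;;
  * )
    FS="/"
    ;;
esac

# KT carries its options inside one string and is expanded unquoted on
# purpose so that it word-splits. The passwords are throwaway values for the
# scratch keystore js.jks that this test creates.
KT="$TESTJAVA${FS}bin${FS}keytool -storepass changeit -keypass changeit -keystore js.jks"
JAR=$TESTJAVA${FS}bin${FS}jar
JARSIGNER=$TESTJAVA${FS}bin${FS}jarsigner
JAVAC=$TESTJAVA${FS}bin${FS}javac

# Start from a fresh keystore; -f keeps a first run (no js.jks yet) quiet.
rm -f js.jks

for n in 1 2 3 4 5 6; do
  echo "class A$n {}" > "A$n.java"
done

"$JAVAC" A1.java A2.java A3.java A4.java A5.java A6.java || exit $LINENO
YEAR=$(date +%Y)

# ==========================================================
# First part: output format
# ==========================================================

$KT -genkeypair -alias a1 -dname CN=a1 -validity 365
$KT -genkeypair -alias a2 -dname CN=a2 -validity 365

# a.jar ends up with 12 entries: A1/A2 are signed by a1 and a2, A3/A4 are
# signed by a2 only, and A5/A6 are added after the last signing and stay
# unsigned. The remaining entries are the manifest and the other files that
# the group checks below call "MANIFEST" and "unrelated".
"$JAR" cvf a.jar A1.class A2.class
"$JARSIGNER" -keystore js.jks -storepass changeit a.jar a1
"$JAR" uvf a.jar A3.class A4.class
"$JARSIGNER" -keystore js.jks -storepass changeit a.jar a2
"$JAR" uvf a.jar A5.class A6.class

# Verify OK
# Without -strict the exit status is 0 although a.jar holds unsigned entries
# and no chain was validated; only -strict reports these through the status.
"$JARSIGNER" -verify a.jar
[ $? = 0 ] || exit $LINENO

# 4(chainNotValidated)+16(hasUnsignedEntry)+32(aliasNotInStore)
"$JARSIGNER" -verify a.jar -strict
[ $? = 52 ] || exit $LINENO

# 16(hasUnsignedEntry)
"$JARSIGNER" -verify a.jar -strict -keystore js.jks
[ $? = 16 ] || exit $LINENO

# 16(hasUnsignedEntry)+32(notSignedByAlias)
"$JARSIGNER" -verify a.jar a1 -strict -keystore js.jks
[ $? = 48 ] || exit $LINENO

# 16(hasUnsignedEntry)
"$JARSIGNER" -verify a.jar a1 a2 -strict -keystore js.jks
[ $? = 16 ] || exit $LINENO

# The counter is named "count" rather than LINES, because shells may maintain
# LINES themselves (terminal height). Entries are counted by matching the
# current year, presumably the timestamp printed for each entry.

# 12 entries all together
count=$("$JARSIGNER" -verify a.jar -verbose | grep -c "$YEAR")
[ "$count" = 12 ] || exit $LINENO

# 12 entries all listed
count=$("$JARSIGNER" -verify a.jar -verbose:grouped | grep -c "$YEAR")
[ "$count" = 12 ] || exit $LINENO

# 4 groups: MANIFEST, unrelated, signed, unsigned
count=$("$JARSIGNER" -verify a.jar -verbose:summary | grep -c "$YEAR")
[ "$count" = 4 ] || exit $LINENO

# still 4 groups, but MANIFEST group has no other file
count=$("$JARSIGNER" -verify a.jar -verbose:summary | grep -c "more)")
[ "$count" = 3 ] || exit $LINENO

# 5 groups: MANIFEST, unrelated, signed by a1/a2, signed by a2, unsigned
count=$("$JARSIGNER" -verify a.jar -verbose:summary -certs | grep -c "$YEAR")
[ "$count" = 5 ] || exit $LINENO

# 2 for MANIFEST, 2*2 for A1/A2, 2 for A3/A4
count=$("$JARSIGNER" -verify a.jar -verbose -certs | grep -c "\[certificate")
[ "$count" = 8 ] || exit $LINENO

# a1,a2 for MANIFEST, a1,a2 for A1/A2, a2 for A3/A4
count=$("$JARSIGNER" -verify a.jar -verbose:grouped -certs | grep -c "\[certificate")
[ "$count" = 5 ] || exit $LINENO

# a1,a2 for MANIFEST, a1,a2 for A1/A2, a2 for A3/A4
count=$("$JARSIGNER" -verify a.jar -verbose:summary -certs | grep -c "\[certificate")
[ "$count" = 5 ] || exit $LINENO

# still 5 groups, but MANIFEST group has no other file
count=$("$JARSIGNER" -verify a.jar -verbose:summary -certs | grep -c "more)")
[ "$count" = 4 ] || exit $LINENO

# ==========================================================
# Second part: exit code 2, 4, 8
# 16 and 32 already covered in the first part
# ==========================================================

# The first three keys get no -validity: the shifted start date together
# with keytool's default validity period is presumably what makes them
# expiring, expired and not yet valid.
$KT -genkeypair -alias expiring -dname CN=expiring -startdate -1m
$KT -genkeypair -alias expired -dname CN=expired -startdate -10m
$KT -genkeypair -alias notyetvalid -dname CN=notyetvalid -startdate +1m
$KT -genkeypair -alias badku -dname CN=badku -ext KU=cRLSign -validity 365
$KT -genkeypair -alias badeku -dname CN=badeku -ext EKU=sa -validity 365
$KT -genkeypair -alias goodku -dname CN=goodku -ext KU=dig -validity 365
$KT -genkeypair -alias goodeku -dname CN=goodeku -ext EKU=codesign -validity 365

# badchain signed by ca, but ca is removed later
$KT -genkeypair -alias badchain -dname CN=badchain -validity 365
$KT -genkeypair -alias ca -dname CN=ca -ext bc -validity 365
$KT -certreq -alias badchain | $KT -gencert -alias ca -validity 365 | \
        $KT -importcert -alias badchain
$KT -delete -alias ca

# Signing with -strict is expected to report: 2 for a certificate close to
# expiry, 4 for an expired or not-yet-valid certificate or a chain that cannot
# be validated, 8 for an unsuitable KeyUsage/ExtendedKeyUsage, 0 otherwise.
"$JARSIGNER" -strict -keystore js.jks -storepass changeit a.jar expiring
[ $? = 2 ] || exit $LINENO

"$JARSIGNER" -strict -keystore js.jks -storepass changeit a.jar expired
[ $? = 4 ] || exit $LINENO

"$JARSIGNER" -strict -keystore js.jks -storepass changeit a.jar notyetvalid
[ $? = 4 ] || exit $LINENO

"$JARSIGNER" -strict -keystore js.jks -storepass changeit a.jar badku
[ $? = 8 ] || exit $LINENO

"$JARSIGNER" -strict -keystore js.jks -storepass changeit a.jar badeku
[ $? = 8 ] || exit $LINENO

"$JARSIGNER" -strict -keystore js.jks -storepass changeit a.jar goodku
[ $? = 0 ] || exit $LINENO

"$JARSIGNER" -strict -keystore js.jks -storepass changeit a.jar goodeku
[ $? = 0 ] || exit $LINENO

"$JARSIGNER" -strict -keystore js.jks -storepass changeit a.jar badchain
[ $? = 4 ] || exit $LINENO

# Non-strict verification must still succeed after the signing runs above.
"$JARSIGNER" -verify a.jar
[ $? = 0 ] || exit $LINENO

# ==========================================================
# Third part: -certchain test
# ==========================================================

# altchain signed by ca2, but ca2 is removed later
# The certificate issued by ca2 is only written to the file "certchain"
# (followed by ca2's own certificate); it is never imported into js.jks.
$KT -genkeypair -alias altchain -dname CN=altchain -validity 365
$KT -genkeypair -alias ca2 -dname CN=ca2 -ext bc -validity 365
$KT -certreq -alias altchain | $KT -gencert -alias ca2 -validity 365 -rfc > certchain
$KT -exportcert -alias ca2 -rfc >> certchain
$KT -delete -alias ca2

# Now altchain is still self-signed
"$JARSIGNER" -strict -keystore js.jks -storepass changeit a.jar altchain
[ $? = 0 ] || exit $LINENO

# If -certchain is used, then it's bad
# (presumably because ca2 is no longer in the keystore to anchor the chain)
"$JARSIGNER" -strict -keystore js.jks -storepass changeit -certchain certchain a.jar altchain
[ $? = 4 ] || exit $LINENO

"$JARSIGNER" -verify a.jar
[ $? = 0 ] || exit $LINENO

echo OK
exit 0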