#
# Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
# published by the Free Software Foundation.
#
# This code is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# version 2 for more details (a copy is included in the LICENSE file that
# accompanied this code).
#
# You should have received a copy of the GNU General Public License version
# 2 along with this work; if not, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
# or visit www.oracle.com if you need additional information or have any
# questions.
#
# @test
# @bug 6802846
# @summary jarsigner needs enhanced cert validation(options)
#
# @run shell concise_jarsigner.sh
#
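# Locate the JDK under test. When TESTJAVA is empty or unset, derive it from
# the first javac found on PATH: <directory of javac>/..
# If no javac is found the tool paths below point nowhere and the first
# checked jarsigner call fails.
if [ -z "${TESTJAVA}" ]; then
  JAVAC_CMD=$(command -v javac)
  TESTJAVA=$(dirname "$JAVAC_CMD")/..
fi

# Platform-dependent file separator used to build the tool paths.
OS=$(uname -s)
case "$OS" in
  Windows_*) FS="\\" ;;
  *) FS="/" ;;
esac

# KT bundles keytool with its store options in one string, so every use
# expands it unquoted and depends on word splitting; TESTJAVA therefore must
# not contain whitespace. "changeit" protects only the scratch keystore
# js.jks. A password given as a command-line argument is visible in the
# process list, so this pattern is for throwaway test material only.
bin_dir="${TESTJAVA}${FS}bin${FS}"
KT="${bin_dir}keytool -storepass changeit -keypass changeit -keystore js.jks"
JAR="${bin_dir}jar"
JARSIGNER="${bin_dir}jarsigner"
JAVAC="${bin_dir}javac"

# Drop any keystore left by an earlier run so alias creation starts clean.
# -f keeps a first run (no js.jks yet) from printing an error.
rm -f js.jks

# Six empty classes: the jar entries that get signed or left unsigned later.
for n in 1 2 3 4 5 6; do
  echo "class A$n {}" > "A$n.java"
done

"$JAVAC" A1.java A2.java A3.java A4.java A5.java A6.java

# The first part greps verbose jarsigner listings for this year; presumably
# it matches the timestamp printed for each jar entry.
YEAR=$(date +%Y)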
  64 # ==========================================================
  65 # First part: output format
  66 # ==========================================================
  67 
  68 $KT -genkeypair -alias a1 -dname CN=a1 -validity 365
  69 $KT -genkeypair -alias a2 -dname CN=a2 -validity 365
  70 
  71 # a.jar includes 8 unsigned, 2 signed by a1 and a2, 2 signed by a3
  72 $JAR cvf a.jar A1.class A2.class
  73 $JARSIGNER -keystore js.jks -storepass changeit a.jar a1
  74 $JAR uvf a.jar A3.class A4.class
  75 $JARSIGNER -keystore js.jks -storepass changeit a.jar a2
  76 $JAR uvf a.jar A5.class A6.class
  77 
  78 # Verify OK
  79 $JARSIGNER -verify a.jar
  80 [ $? = 0 ] || exit $LINENO
  81 
  82 # 4(chainNotValidated)+16(hasUnsignedEntry)+32(aliasNotInStore)
  83 $JARSIGNER -verify a.jar -strict
  84 [ $? = 52 ] || exit $LINENO
  85 
  86 # 16(hasUnsignedEntry)
  87 $JARSIGNER -verify a.jar -strict -keystore js.jks
  88 [ $? = 16 ] || exit $LINENO
  89 
  90 # 16(hasUnsignedEntry)+32(notSignedByAlias)
  91 $JARSIGNER -verify a.jar a1 -strict -keystore js.jks
  92 [ $? = 48 ] || exit $LINENO
  93 
  94 # 16(hasUnsignedEntry)
  95 $JARSIGNER -verify a.jar a1 a2 -strict -keystore js.jks
  96 [ $? = 16 ] || exit $LINENO
  97 
  98 # 12 entries all together
  99 LINES=`$JARSIGNER -verify a.jar -verbose | grep $YEAR | wc -l`
 100 [ $LINES = 12 ] || exit $LINENO
 101 
 102 # 12 entries all listed
 103 LINES=`$JARSIGNER -verify a.jar -verbose:grouped | grep $YEAR | wc -l`
 104 [ $LINES = 12 ] || exit $LINENO
 105 
 106 # 4 groups: MANIFST, unrelated, signed, unsigned
 107 LINES=`$JARSIGNER -verify a.jar -verbose:summary | grep $YEAR | wc -l`
 108 [ $LINES = 4 ] || exit $LINENO
 109 
 110 # still 4 groups, but MANIFEST group has no other file
 111 LINES=`$JARSIGNER -verify a.jar -verbose:summary | grep "more)" | wc -l`
 112 [ $LINES = 3 ] || exit $LINENO
 113 
 114 # 5 groups: MANIFEST, unrelated, signed by a1/a2, signed by a2, unsigned
 115 LINES=`$JARSIGNER -verify a.jar -verbose:summary -certs | grep $YEAR | wc -l`
 116 [ $LINES = 5 ] || exit $LINENO
 117 
 118 # 2 for MANIFEST, 2*2 for A1/A2, 2 for A3/A4
 119 LINES=`$JARSIGNER -verify a.jar -verbose -certs | grep "\[certificate" | wc -l`
 120 [ $LINES = 8 ] || exit $LINENO
 121 
 122 # a1,a2 for MANIFEST, a1,a2 for A1/A2, a2 for A3/A4
 123 LINES=`$JARSIGNER -verify a.jar -verbose:grouped -certs | grep "\[certificate" | wc -l`
 124 [ $LINES = 5 ] || exit $LINENO
 125 
 126 # a1,a2 for MANIFEST, a1,a2 for A1/A2, a2 for A3/A4
 127 LINES=`$JARSIGNER -verify a.jar -verbose:summary -certs | grep "\[certificate" | wc -l`
 128 [ $LINES = 5 ] || exit $LINENO
 129 
 130 # still 5 groups, but MANIFEST group has no other file
 131 LINES=`$JARSIGNER -verify a.jar -verbose:summary -certs | grep "more)" | wc -l`
 132 [ $LINES = 4 ] || exit $LINENO
 134 # ==========================================================
 135 # Second part: exit code 2, 4, 8
 136 # 16 and 32 already covered in the first part
 137 # ==========================================================
 138 
 139 $KT -genkeypair -alias expiring -dname CN=expiring -startdate -1m
 140 $KT -genkeypair -alias expired -dname CN=expired -startdate -10m
 141 $KT -genkeypair -alias notyetvalid -dname CN=notyetvalid -startdate +1m
 142 $KT -genkeypair -alias badku -dname CN=badku -ext KU=cRLSign -validity 365
 143 $KT -genkeypair -alias badeku -dname CN=badeku -ext EKU=sa -validity 365
 144 $KT -genkeypair -alias goodku -dname CN=goodku -ext KU=dig -validity 365
 145 $KT -genkeypair -alias goodeku -dname CN=goodeku -ext EKU=codesign -validity 365
 146 
 147 # badchain signed by ca, but ca is removed later
 148 $KT -genkeypair -alias badchain -dname CN=badchain -validity 365
 149 $KT -genkeypair -alias ca -dname CN=ca -ext bc -validity 365
 150 $KT -certreq -alias badchain | $KT -gencert -alias ca -validity 365 | \
 151         $KT -importcert -alias badchain
 152 $KT -delete -alias ca
 153 
 154 $JARSIGNER -strict -keystore js.jks -storepass changeit a.jar expiring
 155 [ $? = 2 ] || exit $LINENO
 156 
 157 $JARSIGNER -strict -keystore js.jks -storepass changeit a.jar expired
 158 [ $? = 4 ] || exit $LINENO
 159 
 160 $JARSIGNER -strict -keystore js.jks -storepass changeit a.jar notyetvalid
 161 [ $? = 4 ] || exit $LINENO
 162 
 163 $JARSIGNER -strict -keystore js.jks -storepass changeit a.jar badku
 164 [ $? = 8 ] || exit $LINENO
 165 
 166 $JARSIGNER -strict -keystore js.jks -storepass changeit a.jar badeku
 167 [ $? = 8 ] || exit $LINENO
 168 
 169 $JARSIGNER -strict -keystore js.jks -storepass changeit a.jar goodku
 170 [ $? = 0 ] || exit $LINENO
 171 
 172 $JARSIGNER -strict -keystore js.jks -storepass changeit a.jar goodeku
 173 [ $? = 0 ] || exit $LINENO
 174 
 175 $JARSIGNER -strict -keystore js.jks -storepass changeit a.jar badchain
 176 [ $? = 4 ] || exit $LINENO
 177 
 178 $JARSIGNER -verify a.jar
 179 [ $? = 0 ] || exit $LINENO
 181 # ==========================================================
 182 # Third part: -certchain test
 183 # ==========================================================
 184 
 185 # altchain signed by ca2, but ca2 is removed later
 186 $KT -genkeypair -alias altchain -dname CN=altchain -validity 365
 187 $KT -genkeypair -alias ca2 -dname CN=ca2 -ext bc -validity 365
 188 $KT -certreq -alias altchain | $KT -gencert -alias ca2 -validity 365 -rfc > certchain
 189 $KT -exportcert -alias ca2 -rfc >> certchain
 190 $KT -delete -alias ca2
 191 
 192 # Now altchain is still self-signed
 193 $JARSIGNER -strict -keystore js.jks -storepass changeit a.jar altchain
 194 [ $? = 0 ] || exit $LINENO
 195 
 196 # If -certchain is used, then it's bad
 197 $JARSIGNER -strict -keystore js.jks -storepass changeit -certchain certchain a.jar altchain
 198 [ $? = 4 ] || exit $LINENO
 199 
 200 $JARSIGNER -verify a.jar
 201 [ $? = 0 ] || exit $LINENO
 202 
 203 echo OK
 204 exit 0