1 /* 2 * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. 8 * 9 * This code is distributed in the hope that it will be useful, but WITHOUT 10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 12 * version 2 for more details (a copy is included in the LICENSE file that 13 * accompanied this code). 14 * 15 * You should have received a copy of the GNU General Public License version 16 * 2 along with this work; if not, write to the Free Software Foundation, 17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 18 * 19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 20 * or visit www.oracle.com if you need additional information or have any 21 * questions. 22 */ 23 24 import com.sun.net.httpserver.*; 25 import java.io.ByteArrayOutputStream; 26 import java.io.File; 27 import java.io.IOException; 28 import java.io.InputStream; 29 import java.io.OutputStream; 30 import java.math.BigInteger; 31 import java.net.InetSocketAddress; 32 import java.nio.file.Files; 33 import java.nio.file.Paths; 34 import java.security.KeyStore; 35 import java.security.PrivateKey; 36 import java.security.Signature; 37 import java.security.cert.Certificate; 38 import java.security.cert.X509Certificate; 39 import java.util.ArrayList; 40 import java.util.Arrays; 41 import java.util.Calendar; 42 import java.util.List; 43 import java.util.jar.JarEntry; 44 import java.util.jar.JarFile; 45 46 import jdk.testlibrary.*; 47 import jdk.testlibrary.JarUtils; 48 import sun.security.pkcs.ContentInfo; 49 import sun.security.pkcs.PKCS7; 50 import sun.security.pkcs.PKCS9Attribute; 51 import sun.security.pkcs.SignerInfo; 52 import sun.security.timestamp.TimestampToken; 53 import sun.security.util.DerOutputStream; 54 import sun.security.util.DerValue; 55 import sun.security.util.ObjectIdentifier; 56 import sun.security.x509.AlgorithmId; 57 import sun.security.x509.X500Name; 58 59 /* 60 * @test 61 * @bug 6543842 6543440 6939248 8009636 8024302 8163304 8169911 62 * @summary checking response of timestamp 63 * @modules java.base/sun.security.pkcs 64 * java.base/sun.security.timestamp 65 * java.base/sun.security.x509 66 * java.base/sun.security.util 67 * java.base/sun.security.tools.keytool 68 * @library /lib/testlibrary 69 * @run main/timeout=600 TimestampCheck 70 */ 71 public class TimestampCheck { 72 73 static final String defaultPolicyId = "2.3.4"; 74 static String host = null; 75 76 static class Handler implements HttpHandler, AutoCloseable { 77 78 private final HttpServer httpServer; 79 private final String keystore; 80 81 @Override 82 public void handle(HttpExchange t) throws IOException { 83 int len = 0; 84 for (String h: t.getRequestHeaders().keySet()) { 85 if (h.equalsIgnoreCase("Content-length")) { 86 len = Integer.valueOf(t.getRequestHeaders().get(h).get(0)); 87 } 88 } 89 byte[] input = new byte[len]; 90 t.getRequestBody().read(input); 91 92 try { 93 String path = t.getRequestURI().getPath().substring(1); 94 byte[] output = sign(input, path); 95 Headers out = t.getResponseHeaders(); 96 out.set("Content-Type", "application/timestamp-reply"); 97 98 t.sendResponseHeaders(200, output.length); 99 OutputStream os = t.getResponseBody(); 100 os.write(output); 101 } catch (Exception e) { 102 e.printStackTrace(); 103 t.sendResponseHeaders(500, 0); 104 } 105 t.close(); 106 } 107 108 /** 109 * @param input The data to sign 110 * @param path different cases to simulate, impl on URL path 111 * @returns the signed 112 */ 113 byte[] sign(byte[] input, String path) throws Exception { 114 115 DerValue value = new DerValue(input); 116 System.err.println("\nIncoming Request\n==================="); 117 System.err.println("Version: " + value.data.getInteger()); 118 DerValue messageImprint = value.data.getDerValue(); 119 AlgorithmId aid = AlgorithmId.parse( 120 messageImprint.data.getDerValue()); 121 System.err.println("AlgorithmId: " + aid); 122 123 ObjectIdentifier policyId = new ObjectIdentifier(defaultPolicyId); 124 BigInteger nonce = null; 125 while (value.data.available() > 0) { 126 DerValue v = value.data.getDerValue(); 127 if (v.tag == DerValue.tag_Integer) { 128 nonce = v.getBigInteger(); 129 System.err.println("nonce: " + nonce); 130 } else if (v.tag == DerValue.tag_Boolean) { 131 System.err.println("certReq: " + v.getBoolean()); 132 } else if (v.tag == DerValue.tag_ObjectId) { 133 policyId = v.getOID(); 134 System.err.println("PolicyID: " + policyId); 135 } 136 } 137 138 System.err.println("\nResponse\n==================="); 139 KeyStore ks = KeyStore.getInstance( 140 new File(keystore), "changeit".toCharArray()); 141 142 String alias = "ts"; 143 if (path.startsWith("bad") || path.equals("weak")) { 144 alias = "ts" + path; 145 } 146 147 if (path.equals("diffpolicy")) { 148 policyId = new ObjectIdentifier(defaultPolicyId); 149 } 150 151 DerOutputStream statusInfo = new DerOutputStream(); 152 statusInfo.putInteger(0); 153 154 AlgorithmId[] algorithms = {aid}; 155 Certificate[] chain = ks.getCertificateChain(alias); 156 X509Certificate[] signerCertificateChain; 157 X509Certificate signer = (X509Certificate)chain[0]; 158 159 if (path.equals("fullchain")) { // Only case 5 uses full chain 160 signerCertificateChain = new X509Certificate[chain.length]; 161 for (int i=0; i<chain.length; i++) { 162 signerCertificateChain[i] = (X509Certificate)chain[i]; 163 } 164 } else if (path.equals("nocert")) { 165 signerCertificateChain = new X509Certificate[0]; 166 } else { 167 signerCertificateChain = new X509Certificate[1]; 168 signerCertificateChain[0] = (X509Certificate)chain[0]; 169 } 170 171 DerOutputStream tst = new DerOutputStream(); 172 173 tst.putInteger(1); 174 tst.putOID(policyId); 175 176 if (!path.equals("baddigest") && !path.equals("diffalg")) { 177 tst.putDerValue(messageImprint); 178 } else { 179 byte[] data = messageImprint.toByteArray(); 180 if (path.equals("diffalg")) { 181 data[6] = (byte)0x01; 182 } else { 183 data[data.length-1] = (byte)0x01; 184 data[data.length-2] = (byte)0x02; 185 data[data.length-3] = (byte)0x03; 186 } 187 tst.write(data); 188 } 189 190 tst.putInteger(1); 191 192 Calendar cal = Calendar.getInstance(); 193 tst.putGeneralizedTime(cal.getTime()); 194 195 if (path.equals("diffnonce")) { 196 tst.putInteger(1234); 197 } else if (path.equals("nononce")) { 198 // no noce 199 } else { 200 tst.putInteger(nonce); 201 } 202 203 DerOutputStream tstInfo = new DerOutputStream(); 204 tstInfo.write(DerValue.tag_Sequence, tst); 205 206 DerOutputStream tstInfo2 = new DerOutputStream(); 207 tstInfo2.putOctetString(tstInfo.toByteArray()); 208 209 // Always use the same algorithm at timestamp signing 210 // so it is different from the hash algorithm. 211 Signature sig = Signature.getInstance("SHA1withRSA"); 212 sig.initSign((PrivateKey)(ks.getKey( 213 alias, "changeit".toCharArray()))); 214 sig.update(tstInfo.toByteArray()); 215 216 ContentInfo contentInfo = new ContentInfo(new ObjectIdentifier( 217 "1.2.840.113549.1.9.16.1.4"), 218 new DerValue(tstInfo2.toByteArray())); 219 220 System.err.println("Signing..."); 221 System.err.println(new X500Name(signer 222 .getIssuerX500Principal().getName())); 223 System.err.println(signer.getSerialNumber()); 224 225 SignerInfo signerInfo = new SignerInfo( 226 new X500Name(signer.getIssuerX500Principal().getName()), 227 signer.getSerialNumber(), 228 AlgorithmId.get("SHA-1"), AlgorithmId.get("RSA"), sig.sign()); 229 230 SignerInfo[] signerInfos = {signerInfo}; 231 PKCS7 p7 = new PKCS7(algorithms, contentInfo, 232 signerCertificateChain, signerInfos); 233 ByteArrayOutputStream p7out = new ByteArrayOutputStream(); 234 p7.encodeSignedData(p7out); 235 236 DerOutputStream response = new DerOutputStream(); 237 response.write(DerValue.tag_Sequence, statusInfo); 238 response.putDerValue(new DerValue(p7out.toByteArray())); 239 240 DerOutputStream out = new DerOutputStream(); 241 out.write(DerValue.tag_Sequence, response); 242 243 return out.toByteArray(); 244 } 245 246 private Handler(HttpServer httpServer, String keystore) { 247 this.httpServer = httpServer; 248 this.keystore = keystore; 249 } 250 251 /** 252 * Initialize TSA instance. 253 * 254 * Extended Key Info extension of certificate that is used for 255 * signing TSA responses should contain timeStamping value. 256 */ 257 static Handler init(int port, String keystore) throws IOException { 258 HttpServer httpServer = HttpServer.create( 259 new InetSocketAddress(port), 0); 260 Handler tsa = new Handler(httpServer, keystore); 261 httpServer.createContext("/", tsa); 262 return tsa; 263 } 264 265 /** 266 * Start TSA service. 267 */ 268 void start() { 269 httpServer.start(); 270 } 271 272 /** 273 * Stop TSA service. 274 */ 275 void stop() { 276 httpServer.stop(0); 277 } 278 279 /** 280 * Return server port number. 281 */ 282 int getPort() { 283 return httpServer.getAddress().getPort(); 284 } 285 286 @Override 287 public void close() throws Exception { 288 stop(); 289 } 290 } 291 292 public static void main(String[] args) throws Throwable { 293 294 prepare(); 295 296 try (Handler tsa = Handler.init(0, "tsks");) { 297 tsa.start(); 298 int port = tsa.getPort(); 299 host = "http://localhost:" + port + "/"; 300 301 if (args.length == 0) { // Run this test 302 sign("none") 303 .shouldContain("is not timestamped") 304 .shouldHaveExitValue(0); 305 306 sign("badku") 307 .shouldHaveExitValue(0); 308 checkBadKU("badku.jar"); 309 310 sign("normal") 311 .shouldNotContain("is not timestamped") 312 .shouldHaveExitValue(0); 313 314 sign("nononce") 315 .shouldHaveExitValue(1); 316 sign("diffnonce") 317 .shouldHaveExitValue(1); 318 sign("baddigest") 319 .shouldHaveExitValue(1); 320 sign("diffalg") 321 .shouldHaveExitValue(1); 322 sign("fullchain") 323 .shouldHaveExitValue(0); // Success, 6543440 solved. 324 sign("bad1") 325 .shouldHaveExitValue(1); 326 sign("bad2") 327 .shouldHaveExitValue(1); 328 sign("bad3") 329 .shouldHaveExitValue(1); 330 sign("nocert") 331 .shouldHaveExitValue(1); 332 333 sign("policy", "-tsapolicyid", "1.2.3") 334 .shouldHaveExitValue(0); 335 checkTimestamp("policy.jar", "1.2.3", "SHA-256"); 336 337 sign("diffpolicy", "-tsapolicyid", "1.2.3") 338 .shouldHaveExitValue(1); 339 340 sign("tsaalg", "-tsadigestalg", "SHA") 341 .shouldHaveExitValue(0); 342 checkTimestamp("tsaalg.jar", defaultPolicyId, "SHA-1"); 343 344 sign("weak", "-digestalg", "MD5", 345 "-sigalg", "MD5withRSA", "-tsadigestalg", "MD5") 346 .shouldHaveExitValue(0) 347 .shouldMatch("MD5.*-digestalg.*risk") 348 .shouldMatch("MD5.*-tsadigestalg.*risk") 349 .shouldMatch("MD5withRSA.*-sigalg.*risk"); 350 checkWeak("weak.jar"); 351 352 signWithAliasAndTsa("halfWeak", "old.jar", "old", "-digestalg", "MD5") 353 .shouldHaveExitValue(0); 354 checkHalfWeak("halfWeak.jar"); 355 356 // sign with DSA key 357 signWithAliasAndTsa("sign1", "old.jar", "dsakey") 358 .shouldHaveExitValue(0); 359 // sign with RSAkeysize < 1024 360 signWithAliasAndTsa("sign2", "sign1.jar", "weakkeysize") 361 .shouldHaveExitValue(0); 362 checkMultiple("sign2.jar"); 363 364 // When .SF or .RSA is missing or invalid 365 checkMissingOrInvalidFiles("normal.jar"); 366 } else { // Run as a standalone server 367 System.err.println("Press Enter to quit server"); 368 System.in.read(); 369 } 370 } 371 } 372 373 private static void checkMissingOrInvalidFiles(String s) 374 throws Throwable { 375 JarUtils.updateJar(s, "1.jar", "-", "META-INF/OLD.SF"); 376 verify("1.jar", "-verbose") 377 .shouldHaveExitValue(0) 378 .shouldContain("treated as unsigned") 379 .shouldContain("Missing signature-related file META-INF/OLD.SF"); 380 JarUtils.updateJar(s, "2.jar", "-", "META-INF/OLD.RSA"); 381 verify("2.jar", "-verbose") 382 .shouldHaveExitValue(0) 383 .shouldContain("treated as unsigned") 384 .shouldContain("Missing block file for signature-related file META-INF/OLD.SF"); 385 JarUtils.updateJar(s, "3.jar", "META-INF/OLD.SF"); 386 verify("3.jar", "-verbose") 387 .shouldHaveExitValue(0) 388 .shouldContain("treated as unsigned") 389 .shouldContain("Unparsable signature-related file META-INF/OLD.SF"); 390 JarUtils.updateJar(s, "4.jar", "META-INF/OLD.RSA"); 391 verify("4.jar", "-verbose") 392 .shouldHaveExitValue(0) 393 .shouldContain("treated as unsigned") 394 .shouldContain("Unparsable signature-related file META-INF/OLD.RSA"); 395 } 396 397 static OutputAnalyzer jarsigner(List<String> extra) 398 throws Throwable { 399 JDKToolLauncher launcher = JDKToolLauncher.createUsingTestJDK("jarsigner") 400 .addVMArg("-Duser.language=en") 401 .addVMArg("-Duser.country=US") 402 .addToolArg("-keystore") 403 .addToolArg("tsks") 404 .addToolArg("-storepass") 405 .addToolArg("changeit"); 406 for (String s : extra) { 407 if (s.startsWith("-J")) { 408 launcher.addVMArg(s.substring(2)); 409 } else { 410 launcher.addToolArg(s); 411 } 412 } 413 return ProcessTools.executeCommand(launcher.getCommand()); 414 } 415 416 static OutputAnalyzer verify(String file, String... extra) 417 throws Throwable { 418 List<String> args = new ArrayList<>(); 419 args.add("-verify"); 420 args.add(file); 421 args.addAll(Arrays.asList(extra)); 422 return jarsigner(args); 423 } 424 425 static void checkBadKU(String file) throws Throwable { 426 verify(file) 427 .shouldHaveExitValue(0) 428 .shouldContain("treated as unsigned") 429 .shouldContain("re-run jarsigner with debug enabled"); 430 verify(file, "-verbose") 431 .shouldHaveExitValue(0) 432 .shouldContain("Signed by") 433 .shouldContain("treated as unsigned") 434 .shouldContain("re-run jarsigner with debug enabled"); 435 verify(file, "-J-Djava.security.debug=jar") 436 .shouldHaveExitValue(0) 437 .shouldContain("SignatureException: Key usage restricted") 438 .shouldContain("treated as unsigned") 439 .shouldContain("re-run jarsigner with debug enabled"); 440 } 441 442 static void checkWeak(String file) throws Throwable { 443 verify(file) 444 .shouldHaveExitValue(0) 445 .shouldContain("treated as unsigned") 446 .shouldMatch("weak algorithm that is now disabled.") 447 .shouldMatch("Re-run jarsigner with the -verbose option for more details"); 448 verify(file, "-verbose") 449 .shouldHaveExitValue(0) 450 .shouldContain("treated as unsigned") 451 .shouldMatch("weak algorithm that is now disabled by") 452 .shouldMatch("Digest algorithm: .*weak") 453 .shouldMatch("Signature algorithm: .*weak") 454 .shouldMatch("Timestamp digest algorithm: .*weak") 455 .shouldNotMatch("Timestamp signature algorithm: .*weak.*weak") 456 .shouldMatch("Timestamp signature algorithm: .*key.*weak"); 457 verify(file, "-J-Djava.security.debug=jar") 458 .shouldHaveExitValue(0) 459 .shouldMatch("SignatureException:.*Disabled"); 460 } 461 462 static void checkHalfWeak(String file) throws Throwable { 463 verify(file) 464 .shouldHaveExitValue(0) 465 .shouldContain("treated as unsigned") 466 .shouldMatch("weak algorithm that is now disabled.") 467 .shouldMatch("Re-run jarsigner with the -verbose option for more details"); 468 verify(file, "-verbose") 469 .shouldHaveExitValue(0) 470 .shouldContain("treated as unsigned") 471 .shouldMatch("weak algorithm that is now disabled by") 472 .shouldMatch("Digest algorithm: .*weak") 473 .shouldNotMatch("Signature algorithm: .*weak") 474 .shouldNotMatch("Timestamp digest algorithm: .*weak") 475 .shouldNotMatch("Timestamp signature algorithm: .*weak.*weak") 476 .shouldNotMatch("Timestamp signature algorithm: .*key.*weak"); 477 } 478 479 static void checkMultiple(String file) throws Throwable { 480 verify(file) 481 .shouldHaveExitValue(0) 482 .shouldContain("jar verified"); 483 verify(file, "-verbose", "-certs") 484 .shouldHaveExitValue(0) 485 .shouldContain("jar verified") 486 .shouldMatch("X.509.*CN=dsakey") 487 .shouldNotMatch("X.509.*CN=weakkeysize") 488 .shouldMatch("Signed by .*CN=dsakey") 489 .shouldMatch("Signed by .*CN=weakkeysize") 490 .shouldMatch("Signature algorithm: .*key.*weak"); 491 } 492 493 static void checkTimestamp(String file, String policyId, String digestAlg) 494 throws Exception { 495 try (JarFile jf = new JarFile(file)) { 496 JarEntry je = jf.getJarEntry("META-INF/OLD.RSA"); 497 try (InputStream is = jf.getInputStream(je)) { 498 byte[] content = is.readAllBytes(); 499 PKCS7 p7 = new PKCS7(content); 500 SignerInfo[] si = p7.getSignerInfos(); 501 if (si == null || si.length == 0) { 502 throw new Exception("Not signed"); 503 } 504 PKCS9Attribute p9 = si[0].getUnauthenticatedAttributes() 505 .getAttribute(PKCS9Attribute.SIGNATURE_TIMESTAMP_TOKEN_OID); 506 PKCS7 tsToken = new PKCS7((byte[]) p9.getValue()); 507 TimestampToken tt = 508 new TimestampToken(tsToken.getContentInfo().getData()); 509 if (!tt.getHashAlgorithm().toString().equals(digestAlg)) { 510 throw new Exception("Digest alg different"); 511 } 512 if (!tt.getPolicyID().equals(policyId)) { 513 throw new Exception("policyId different"); 514 } 515 } 516 } 517 } 518 519 static int which = 0; 520 521 /** 522 * @param extra more args given to jarsigner 523 */ 524 static OutputAnalyzer sign(String path, String... extra) 525 throws Throwable { 526 String alias = path.equals("badku") ? "badku" : "old"; 527 return signWithAliasAndTsa(path, "old.jar", alias, extra); 528 } 529 530 static OutputAnalyzer signWithAliasAndTsa (String path, String jar, 531 String alias, String...extra) throws Throwable { 532 which++; 533 System.err.println("\n>> Test #" + which + ": " + Arrays.toString(extra)); 534 List<String> args = List.of("-J-Djava.security.egd=file:/dev/./urandom", 535 "-debug", "-signedjar", path + ".jar", jar, alias); 536 args = new ArrayList<>(args); 537 if (!path.equals("none") && !path.equals("badku")) { 538 args.add("-tsa"); 539 args.add(host + path); 540 } 541 args.addAll(Arrays.asList(extra)); 542 return jarsigner(args); 543 } 544 545 static void prepare() throws Exception { 546 jdk.testlibrary.JarUtils.createJar("old.jar", "A"); 547 Files.deleteIfExists(Paths.get("tsks")); 548 keytool("-alias ca -genkeypair -ext bc -dname CN=CA"); 549 keytool("-alias old -genkeypair -dname CN=old"); 550 keytool("-alias dsakey -genkeypair -keyalg DSA -dname CN=dsakey"); 551 keytool("-alias weakkeysize -genkeypair -keysize 512 -dname CN=weakkeysize"); 552 keytool("-alias badku -genkeypair -dname CN=badku"); 553 keytool("-alias ts -genkeypair -dname CN=ts"); 554 keytool("-alias tsweak -genkeypair -keysize 512 -dname CN=tsbad1"); 555 keytool("-alias tsbad1 -genkeypair -dname CN=tsbad1"); 556 keytool("-alias tsbad2 -genkeypair -dname CN=tsbad2"); 557 keytool("-alias tsbad3 -genkeypair -dname CN=tsbad3"); 558 559 gencert("old"); 560 gencert("dsakey"); 561 gencert("weakkeysize"); 562 gencert("badku", "-ext ku:critical=keyAgreement"); 563 gencert("ts", "-ext eku:critical=ts"); 564 gencert("tsweak", "-ext eku:critical=ts"); 565 gencert("tsbad1"); 566 gencert("tsbad2", "-ext eku=ts"); 567 gencert("tsbad3", "-ext eku:critical=cs"); 568 } 569 570 static void gencert(String alias, String... extra) throws Exception { 571 keytool("-alias " + alias + " -certreq -file " + alias + ".req"); 572 String genCmd = "-gencert -alias ca -infile " + 573 alias + ".req -outfile " + alias + ".cert"; 574 for (String s : extra) { 575 genCmd += " " + s; 576 } 577 keytool(genCmd); 578 keytool("-alias " + alias + " -importcert -file " + alias + ".cert"); 579 } 580 581 static void keytool(String cmd) throws Exception { 582 cmd = "-keystore tsks -storepass changeit -keypass changeit " + 583 "-keyalg rsa -validity 200 " + cmd; 584 sun.security.tools.keytool.Main.main(cmd.split(" ")); 585 } 586 }