1 /*
2 * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.
8 *
9 * This code is distributed in the hope that it will be useful, but WITHOUT
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * version 2 for more details (a copy is included in the LICENSE file that
13 * accompanied this code).
14 *
15 * You should have received a copy of the GNU General Public License version
16 * 2 along with this work; if not, write to the Free Software Foundation,
17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18 *
19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20 * or visit www.oracle.com if you need additional information or have any
21 * questions.
22 */
23
24 import com.sun.net.httpserver.*;
25 import java.io.ByteArrayOutputStream;
26 import java.io.File;
27 import java.io.IOException;
28 import java.io.InputStream;
29 import java.io.OutputStream;
30 import java.math.BigInteger;
31 import java.net.InetSocketAddress;
32 import java.nio.file.Files;
33 import java.nio.file.Paths;
34 import java.security.KeyStore;
35 import java.security.PrivateKey;
36 import java.security.Signature;
37 import java.security.cert.Certificate;
38 import java.security.cert.X509Certificate;
39 import java.util.ArrayList;
40 import java.util.Arrays;
41 import java.util.Calendar;
42 import java.util.List;
43 import java.util.jar.JarEntry;
44 import java.util.jar.JarFile;
45
46 import jdk.testlibrary.*;
47 import jdk.testlibrary.JarUtils;
48 import sun.security.pkcs.ContentInfo;
49 import sun.security.pkcs.PKCS7;
50 import sun.security.pkcs.PKCS9Attribute;
51 import sun.security.pkcs.SignerInfo;
52 import sun.security.timestamp.TimestampToken;
53 import sun.security.util.DerOutputStream;
54 import sun.security.util.DerValue;
55 import sun.security.util.ObjectIdentifier;
56 import sun.security.x509.AlgorithmId;
57 import sun.security.x509.X500Name;
58
59 /*
60 * @test
61 * @bug 6543842 6543440 6939248 8009636 8024302 8163304 8169911
62 * @summary checking response of timestamp
63 * @modules java.base/sun.security.pkcs
64 * java.base/sun.security.timestamp
65 * java.base/sun.security.x509
66 * java.base/sun.security.util
67 * java.base/sun.security.tools.keytool
68 * @library /lib/testlibrary
69 * @run main/timeout=600 TimestampCheck
70 */
71 public class TimestampCheck {
72
73 static final String defaultPolicyId = "2.3.4";
74 static String host = null;
75
76 static class Handler implements HttpHandler, AutoCloseable {
77
78 private final HttpServer httpServer;
79 private final String keystore;
80
81 @Override
82 public void handle(HttpExchange t) throws IOException {
83 int len = 0;
84 for (String h: t.getRequestHeaders().keySet()) {
85 if (h.equalsIgnoreCase("Content-length")) {
86 len = Integer.valueOf(t.getRequestHeaders().get(h).get(0));
87 }
88 }
89 byte[] input = new byte[len];
90 t.getRequestBody().read(input);
91
92 try {
93 String path = t.getRequestURI().getPath().substring(1);
94 byte[] output = sign(input, path);
95 Headers out = t.getResponseHeaders();
96 out.set("Content-Type", "application/timestamp-reply");
97
98 t.sendResponseHeaders(200, output.length);
99 OutputStream os = t.getResponseBody();
100 os.write(output);
101 } catch (Exception e) {
102 e.printStackTrace();
103 t.sendResponseHeaders(500, 0);
104 }
105 t.close();
106 }
107
108 /**
109 * @param input The data to sign
110 * @param path different cases to simulate, impl on URL path
111 * @returns the signed
112 */
113 byte[] sign(byte[] input, String path) throws Exception {
114
115 DerValue value = new DerValue(input);
116 System.err.println("\nIncoming Request\n===================");
117 System.err.println("Version: " + value.data.getInteger());
118 DerValue messageImprint = value.data.getDerValue();
119 AlgorithmId aid = AlgorithmId.parse(
120 messageImprint.data.getDerValue());
121 System.err.println("AlgorithmId: " + aid);
122
123 ObjectIdentifier policyId = new ObjectIdentifier(defaultPolicyId);
124 BigInteger nonce = null;
125 while (value.data.available() > 0) {
126 DerValue v = value.data.getDerValue();
127 if (v.tag == DerValue.tag_Integer) {
128 nonce = v.getBigInteger();
129 System.err.println("nonce: " + nonce);
130 } else if (v.tag == DerValue.tag_Boolean) {
131 System.err.println("certReq: " + v.getBoolean());
132 } else if (v.tag == DerValue.tag_ObjectId) {
133 policyId = v.getOID();
134 System.err.println("PolicyID: " + policyId);
135 }
136 }
137
138 System.err.println("\nResponse\n===================");
139 KeyStore ks = KeyStore.getInstance(
140 new File(keystore), "changeit".toCharArray());
141
142 String alias = "ts";
143 if (path.startsWith("bad") || path.equals("weak")) {
144 alias = "ts" + path;
145 }
146
147 if (path.equals("diffpolicy")) {
148 policyId = new ObjectIdentifier(defaultPolicyId);
149 }
150
151 DerOutputStream statusInfo = new DerOutputStream();
152 statusInfo.putInteger(0);
153
154 AlgorithmId[] algorithms = {aid};
155 Certificate[] chain = ks.getCertificateChain(alias);
156 X509Certificate[] signerCertificateChain;
157 X509Certificate signer = (X509Certificate)chain[0];
158
159 if (path.equals("fullchain")) { // Only case 5 uses full chain
160 signerCertificateChain = new X509Certificate[chain.length];
161 for (int i=0; i<chain.length; i++) {
162 signerCertificateChain[i] = (X509Certificate)chain[i];
163 }
164 } else if (path.equals("nocert")) {
165 signerCertificateChain = new X509Certificate[0];
166 } else {
167 signerCertificateChain = new X509Certificate[1];
168 signerCertificateChain[0] = (X509Certificate)chain[0];
169 }
170
171 DerOutputStream tst = new DerOutputStream();
172
173 tst.putInteger(1);
174 tst.putOID(policyId);
175
176 if (!path.equals("baddigest") && !path.equals("diffalg")) {
177 tst.putDerValue(messageImprint);
178 } else {
179 byte[] data = messageImprint.toByteArray();
180 if (path.equals("diffalg")) {
181 data[6] = (byte)0x01;
182 } else {
183 data[data.length-1] = (byte)0x01;
184 data[data.length-2] = (byte)0x02;
185 data[data.length-3] = (byte)0x03;
186 }
187 tst.write(data);
188 }
189
190 tst.putInteger(1);
191
192 Calendar cal = Calendar.getInstance();
193 tst.putGeneralizedTime(cal.getTime());
194
195 if (path.equals("diffnonce")) {
196 tst.putInteger(1234);
197 } else if (path.equals("nononce")) {
198 // no noce
199 } else {
200 tst.putInteger(nonce);
201 }
202
203 DerOutputStream tstInfo = new DerOutputStream();
204 tstInfo.write(DerValue.tag_Sequence, tst);
205
206 DerOutputStream tstInfo2 = new DerOutputStream();
207 tstInfo2.putOctetString(tstInfo.toByteArray());
208
209 // Always use the same algorithm at timestamp signing
210 // so it is different from the hash algorithm.
211 Signature sig = Signature.getInstance("SHA1withRSA");
212 sig.initSign((PrivateKey)(ks.getKey(
213 alias, "changeit".toCharArray())));
214 sig.update(tstInfo.toByteArray());
215
216 ContentInfo contentInfo = new ContentInfo(new ObjectIdentifier(
217 "1.2.840.113549.1.9.16.1.4"),
218 new DerValue(tstInfo2.toByteArray()));
219
220 System.err.println("Signing...");
221 System.err.println(new X500Name(signer
222 .getIssuerX500Principal().getName()));
223 System.err.println(signer.getSerialNumber());
224
225 SignerInfo signerInfo = new SignerInfo(
226 new X500Name(signer.getIssuerX500Principal().getName()),
227 signer.getSerialNumber(),
228 AlgorithmId.get("SHA-1"), AlgorithmId.get("RSA"), sig.sign());
229
230 SignerInfo[] signerInfos = {signerInfo};
231 PKCS7 p7 = new PKCS7(algorithms, contentInfo,
232 signerCertificateChain, signerInfos);
233 ByteArrayOutputStream p7out = new ByteArrayOutputStream();
234 p7.encodeSignedData(p7out);
235
236 DerOutputStream response = new DerOutputStream();
237 response.write(DerValue.tag_Sequence, statusInfo);
238 response.putDerValue(new DerValue(p7out.toByteArray()));
239
240 DerOutputStream out = new DerOutputStream();
241 out.write(DerValue.tag_Sequence, response);
242
243 return out.toByteArray();
244 }
245
246 private Handler(HttpServer httpServer, String keystore) {
247 this.httpServer = httpServer;
248 this.keystore = keystore;
249 }
250
251 /**
252 * Initialize TSA instance.
253 *
254 * Extended Key Info extension of certificate that is used for
255 * signing TSA responses should contain timeStamping value.
256 */
257 static Handler init(int port, String keystore) throws IOException {
258 HttpServer httpServer = HttpServer.create(
259 new InetSocketAddress(port), 0);
260 Handler tsa = new Handler(httpServer, keystore);
261 httpServer.createContext("/", tsa);
262 return tsa;
263 }
264
265 /**
266 * Start TSA service.
267 */
268 void start() {
269 httpServer.start();
270 }
271
272 /**
273 * Stop TSA service.
274 */
275 void stop() {
276 httpServer.stop(0);
277 }
278
279 /**
280 * Return server port number.
281 */
282 int getPort() {
283 return httpServer.getAddress().getPort();
284 }
285
286 @Override
287 public void close() throws Exception {
288 stop();
289 }
290 }
291
292 public static void main(String[] args) throws Throwable {
293
294 prepare();
295
296 try (Handler tsa = Handler.init(0, "tsks");) {
297 tsa.start();
298 int port = tsa.getPort();
299 host = "http://localhost:" + port + "/";
300
301 if (args.length == 0) { // Run this test
302 sign("none")
303 .shouldContain("is not timestamped")
304 .shouldHaveExitValue(0);
305
306 sign("badku")
307 .shouldHaveExitValue(0);
308 checkBadKU("badku.jar");
309
310 sign("normal")
311 .shouldNotContain("is not timestamped")
312 .shouldHaveExitValue(0);
313
314 sign("nononce")
315 .shouldHaveExitValue(1);
316 sign("diffnonce")
317 .shouldHaveExitValue(1);
318 sign("baddigest")
319 .shouldHaveExitValue(1);
320 sign("diffalg")
321 .shouldHaveExitValue(1);
322 sign("fullchain")
323 .shouldHaveExitValue(0); // Success, 6543440 solved.
324 sign("bad1")
325 .shouldHaveExitValue(1);
326 sign("bad2")
327 .shouldHaveExitValue(1);
328 sign("bad3")
329 .shouldHaveExitValue(1);
330 sign("nocert")
331 .shouldHaveExitValue(1);
332
333 sign("policy", "-tsapolicyid", "1.2.3")
334 .shouldHaveExitValue(0);
335 checkTimestamp("policy.jar", "1.2.3", "SHA-256");
336
337 sign("diffpolicy", "-tsapolicyid", "1.2.3")
338 .shouldHaveExitValue(1);
339
340 sign("tsaalg", "-tsadigestalg", "SHA")
341 .shouldHaveExitValue(0);
342 checkTimestamp("tsaalg.jar", defaultPolicyId, "SHA-1");
343
344 sign("weak", "-digestalg", "MD5",
345 "-sigalg", "MD5withRSA", "-tsadigestalg", "MD5")
346 .shouldHaveExitValue(0)
347 .shouldMatch("MD5.*-digestalg.*risk")
348 .shouldMatch("MD5.*-tsadigestalg.*risk")
349 .shouldMatch("MD5withRSA.*-sigalg.*risk");
350 checkWeak("weak.jar");
351
352 signWithAliasAndTsa("halfWeak", "old.jar", "old", "-digestalg", "MD5")
353 .shouldHaveExitValue(0);
354 checkHalfWeak("halfWeak.jar");
355
356 // sign with DSA key
357 signWithAliasAndTsa("sign1", "old.jar", "dsakey")
358 .shouldHaveExitValue(0);
359 // sign with RSAkeysize < 1024
360 signWithAliasAndTsa("sign2", "sign1.jar", "weakkeysize")
361 .shouldHaveExitValue(0);
362 checkMultiple("sign2.jar");
363
364 // When .SF or .RSA is missing or invalid
365 checkMissingOrInvalidFiles("normal.jar");
366 } else { // Run as a standalone server
367 System.err.println("Press Enter to quit server");
368 System.in.read();
369 }
370 }
371 }
372
373 private static void checkMissingOrInvalidFiles(String s)
374 throws Throwable {
375 JarUtils.updateJar(s, "1.jar", "-", "META-INF/OLD.SF");
376 verify("1.jar", "-verbose")
377 .shouldHaveExitValue(0)
378 .shouldContain("treated as unsigned")
379 .shouldContain("Missing signature-related file META-INF/OLD.SF");
380 JarUtils.updateJar(s, "2.jar", "-", "META-INF/OLD.RSA");
381 verify("2.jar", "-verbose")
382 .shouldHaveExitValue(0)
383 .shouldContain("treated as unsigned")
384 .shouldContain("Missing block file for signature-related file META-INF/OLD.SF");
385 JarUtils.updateJar(s, "3.jar", "META-INF/OLD.SF");
386 verify("3.jar", "-verbose")
387 .shouldHaveExitValue(0)
388 .shouldContain("treated as unsigned")
389 .shouldContain("Unparsable signature-related file META-INF/OLD.SF");
390 JarUtils.updateJar(s, "4.jar", "META-INF/OLD.RSA");
391 verify("4.jar", "-verbose")
392 .shouldHaveExitValue(0)
393 .shouldContain("treated as unsigned")
394 .shouldContain("Unparsable signature-related file META-INF/OLD.RSA");
395 }
396
397 static OutputAnalyzer jarsigner(List<String> extra)
398 throws Throwable {
399 JDKToolLauncher launcher = JDKToolLauncher.createUsingTestJDK("jarsigner")
400 .addVMArg("-Duser.language=en")
401 .addVMArg("-Duser.country=US")
402 .addToolArg("-keystore")
403 .addToolArg("tsks")
404 .addToolArg("-storepass")
405 .addToolArg("changeit");
406 for (String s : extra) {
407 if (s.startsWith("-J")) {
408 launcher.addVMArg(s.substring(2));
409 } else {
410 launcher.addToolArg(s);
411 }
412 }
413 return ProcessTools.executeCommand(launcher.getCommand());
414 }
415
416 static OutputAnalyzer verify(String file, String... extra)
417 throws Throwable {
418 List<String> args = new ArrayList<>();
419 args.add("-verify");
420 args.add(file);
421 args.addAll(Arrays.asList(extra));
422 return jarsigner(args);
423 }
424
425 static void checkBadKU(String file) throws Throwable {
426 verify(file)
427 .shouldHaveExitValue(0)
428 .shouldContain("treated as unsigned")
429 .shouldContain("re-run jarsigner with debug enabled");
430 verify(file, "-verbose")
431 .shouldHaveExitValue(0)
432 .shouldContain("Signed by")
433 .shouldContain("treated as unsigned")
434 .shouldContain("re-run jarsigner with debug enabled");
435 verify(file, "-J-Djava.security.debug=jar")
436 .shouldHaveExitValue(0)
437 .shouldContain("SignatureException: Key usage restricted")
438 .shouldContain("treated as unsigned")
439 .shouldContain("re-run jarsigner with debug enabled");
440 }
441
442 static void checkWeak(String file) throws Throwable {
443 verify(file)
444 .shouldHaveExitValue(0)
445 .shouldContain("treated as unsigned")
446 .shouldMatch("weak algorithm that is now disabled.")
447 .shouldMatch("Re-run jarsigner with the -verbose option for more details");
448 verify(file, "-verbose")
449 .shouldHaveExitValue(0)
450 .shouldContain("treated as unsigned")
451 .shouldMatch("weak algorithm that is now disabled by")
452 .shouldMatch("Digest algorithm: .*weak")
453 .shouldMatch("Signature algorithm: .*weak")
454 .shouldMatch("Timestamp digest algorithm: .*weak")
455 .shouldNotMatch("Timestamp signature algorithm: .*weak.*weak")
456 .shouldMatch("Timestamp signature algorithm: .*key.*weak");
457 verify(file, "-J-Djava.security.debug=jar")
458 .shouldHaveExitValue(0)
459 .shouldMatch("SignatureException:.*Disabled");
460 }
461
462 static void checkHalfWeak(String file) throws Throwable {
463 verify(file)
464 .shouldHaveExitValue(0)
465 .shouldContain("treated as unsigned")
466 .shouldMatch("weak algorithm that is now disabled.")
467 .shouldMatch("Re-run jarsigner with the -verbose option for more details");
468 verify(file, "-verbose")
469 .shouldHaveExitValue(0)
470 .shouldContain("treated as unsigned")
471 .shouldMatch("weak algorithm that is now disabled by")
472 .shouldMatch("Digest algorithm: .*weak")
473 .shouldNotMatch("Signature algorithm: .*weak")
474 .shouldNotMatch("Timestamp digest algorithm: .*weak")
475 .shouldNotMatch("Timestamp signature algorithm: .*weak.*weak")
476 .shouldNotMatch("Timestamp signature algorithm: .*key.*weak");
477 }
478
479 static void checkMultiple(String file) throws Throwable {
480 verify(file)
481 .shouldHaveExitValue(0)
482 .shouldContain("jar verified");
483 verify(file, "-verbose", "-certs")
484 .shouldHaveExitValue(0)
485 .shouldContain("jar verified")
486 .shouldMatch("X.509.*CN=dsakey")
487 .shouldNotMatch("X.509.*CN=weakkeysize")
488 .shouldMatch("Signed by .*CN=dsakey")
489 .shouldMatch("Signed by .*CN=weakkeysize")
490 .shouldMatch("Signature algorithm: .*key.*weak");
491 }
492
493 static void checkTimestamp(String file, String policyId, String digestAlg)
494 throws Exception {
495 try (JarFile jf = new JarFile(file)) {
496 JarEntry je = jf.getJarEntry("META-INF/OLD.RSA");
497 try (InputStream is = jf.getInputStream(je)) {
498 byte[] content = is.readAllBytes();
499 PKCS7 p7 = new PKCS7(content);
500 SignerInfo[] si = p7.getSignerInfos();
501 if (si == null || si.length == 0) {
502 throw new Exception("Not signed");
503 }
504 PKCS9Attribute p9 = si[0].getUnauthenticatedAttributes()
505 .getAttribute(PKCS9Attribute.SIGNATURE_TIMESTAMP_TOKEN_OID);
506 PKCS7 tsToken = new PKCS7((byte[]) p9.getValue());
507 TimestampToken tt =
508 new TimestampToken(tsToken.getContentInfo().getData());
509 if (!tt.getHashAlgorithm().toString().equals(digestAlg)) {
510 throw new Exception("Digest alg different");
511 }
512 if (!tt.getPolicyID().equals(policyId)) {
513 throw new Exception("policyId different");
514 }
515 }
516 }
517 }
518
519 static int which = 0;
520
521 /**
522 * @param extra more args given to jarsigner
523 */
524 static OutputAnalyzer sign(String path, String... extra)
525 throws Throwable {
526 String alias = path.equals("badku") ? "badku" : "old";
527 return signWithAliasAndTsa(path, "old.jar", alias, extra);
528 }
529
530 static OutputAnalyzer signWithAliasAndTsa (String path, String jar,
531 String alias, String...extra) throws Throwable {
532 which++;
533 System.err.println("\n>> Test #" + which + ": " + Arrays.toString(extra));
534 List<String> args = List.of("-J-Djava.security.egd=file:/dev/./urandom",
535 "-debug", "-signedjar", path + ".jar", jar, alias);
536 args = new ArrayList<>(args);
537 if (!path.equals("none") && !path.equals("badku")) {
538 args.add("-tsa");
539 args.add(host + path);
540 }
541 args.addAll(Arrays.asList(extra));
542 return jarsigner(args);
543 }
544
545 static void prepare() throws Exception {
546 jdk.testlibrary.JarUtils.createJar("old.jar", "A");
547 Files.deleteIfExists(Paths.get("tsks"));
548 keytool("-alias ca -genkeypair -ext bc -dname CN=CA");
549 keytool("-alias old -genkeypair -dname CN=old");
550 keytool("-alias dsakey -genkeypair -keyalg DSA -dname CN=dsakey");
551 keytool("-alias weakkeysize -genkeypair -keysize 512 -dname CN=weakkeysize");
552 keytool("-alias badku -genkeypair -dname CN=badku");
553 keytool("-alias ts -genkeypair -dname CN=ts");
554 keytool("-alias tsweak -genkeypair -keysize 512 -dname CN=tsbad1");
555 keytool("-alias tsbad1 -genkeypair -dname CN=tsbad1");
556 keytool("-alias tsbad2 -genkeypair -dname CN=tsbad2");
557 keytool("-alias tsbad3 -genkeypair -dname CN=tsbad3");
558
559 gencert("old");
560 gencert("dsakey");
561 gencert("weakkeysize");
562 gencert("badku", "-ext ku:critical=keyAgreement");
563 gencert("ts", "-ext eku:critical=ts");
564 gencert("tsweak", "-ext eku:critical=ts");
565 gencert("tsbad1");
566 gencert("tsbad2", "-ext eku=ts");
567 gencert("tsbad3", "-ext eku:critical=cs");
568 }
569
570 static void gencert(String alias, String... extra) throws Exception {
571 keytool("-alias " + alias + " -certreq -file " + alias + ".req");
572 String genCmd = "-gencert -alias ca -infile " +
573 alias + ".req -outfile " + alias + ".cert";
574 for (String s : extra) {
575 genCmd += " " + s;
576 }
577 keytool(genCmd);
578 keytool("-alias " + alias + " -importcert -file "
579 + alias + ".cert -noprompt");
580 }
581
582 static void keytool(String cmd) throws Exception {
583 cmd = "-keystore tsks -storepass changeit -keypass changeit " +
584 "-keyalg rsa -validity 200 " + cmd;
585 sun.security.tools.keytool.Main.main(cmd.split(" "));
586 }
587 }