1 #
   2 # Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved.
   3 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4 #
   5 # This code is free software; you can redistribute it and/or modify it
   6 # under the terms of the GNU General Public License version 2 only, as
   7 # published by the Free Software Foundation.
   8 #
   9 # This code is distributed in the hope that it will be useful, but WITHOUT
  10 # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  11 # FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  12 # version 2 for more details (a copy is included in the LICENSE file that
  13 # accompanied this code).
  14 #
  15 # You should have received a copy of the GNU General Public License version
  16 # 2 along with this work; if not, write to the Free Software Foundation,
  17 # Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  18 #
  19 # Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  20 # or visit www.oracle.com if you need additional information or have any
  21 # questions.
  22 #
  23 
  24 # @test
  25 # @bug 6802846 8172529
  26 # @summary jarsigner needs enhanced cert validation(options)
  27 #
  28 # @run shell/timeout=240 concise_jarsigner.sh
  29 #
  30 
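  # Fall back to the JDK that owns the first javac on PATH when TESTJAVA has
  # not been supplied. All tools used by this test are taken from that JDK, so
  # a different javac earlier on PATH changes which JDK is under test.
  if [ -z "${TESTJAVA}" ] ; then
    JAVAC_CMD=$(command -v javac)
    if [ -z "${JAVAC_CMD}" ] ; then
      # Without a JDK nothing below can run; stop with a clear message instead
      # of failing later on a tool path built from an empty value.
      echo "TESTJAVA is not set and javac was not found on PATH" >&2
      exit 1
    fi
    # Quoted so dirname receives the path as a single argument.
    TESTJAVA=$(dirname "${JAVAC_CMD}")/..
  fi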
  35 
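  # Set platform-dependent variables: FS is the separator used to build the
  # tool paths (a backslash on Windows_* systems, a slash everywhere else).
  OS=$(uname -s)
  FS="/"
  case "$OS" in
    Windows_* ) FS="\\" ;;
  esac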
  46 
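  # Choose 1024-bit RSA to make sure it runs fine and fast on all platforms. In
  # fact, every keyalg/keysize combination is OK for this test.
  # The keys and the "changeit" password are throwaway fixtures: 1024-bit RSA
  # is below what is recommended for real signing keys, and a password passed
  # as a command-line option is visible in the process list.

  # Pin the tools' language to English; later checks grep the tool output for
  # literal strings such as "more)" and "[certificate".
  TESTTOOLVMOPTS="$TESTTOOLVMOPTS -J-Duser.language=en -J-Duser.country=US"

  KS=js.ks
  # Each variable below holds a whole command line (tool path plus fixed
  # options) and is expanded unquoted on purpose so the shell splits it into
  # words. As a consequence a TESTJAVA containing whitespace will not work.
  KT="$TESTJAVA${FS}bin${FS}keytool ${TESTTOOLVMOPTS} -storepass changeit -keypass changeit -keystore $KS -keyalg rsa -keysize 1024"
  JAR="$TESTJAVA${FS}bin${FS}jar ${TESTTOOLVMOPTS}"
  JARSIGNER="$TESTJAVA${FS}bin${FS}jarsigner ${TESTTOOLVMOPTS} -debug"
  JAVAC="$TESTJAVA${FS}bin${FS}javac ${TESTTOOLVMOPTS} ${TESTJAVACOPTS}"

  # Start from an empty keystore; -f keeps a first run (no leftover file) from
  # printing an error.
  rm -f "$KS"

  # Six empty classes provide the jar entries that get signed by different
  # aliases later on.
  for n in 1 2 3 4 5 6; do
    echo "class A$n {}" > "A$n.java"
  done

  # Stop here if compilation fails: every later step needs the class files.
  $JAVAC A1.java A2.java A3.java A4.java A5.java A6.java || {
    echo "javac failed" >&2
    exit 1
  }

  # The -verbose listings are filtered on the current year to count entry
  # lines (presumably each entry line carries its date); a run that straddles
  # New Year could therefore miscount.
  YEAR=$(date +%Y)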
  69 
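  # ----------------------------------------------------------
  # check EXPECTED ACTUAL LINE
  # Fails the test unless ACTUAL equals EXPECTED. The line number is printed
  # instead of being used as the exit status: exit statuses wrap modulo 256,
  # so "exit $LINENO" on line 256 would report success.
  # ----------------------------------------------------------
  check() {
    [ "$2" = "$1" ] && return 0
    echo "line $3: expected $1, got $2" >&2
    exit 1
  }

  # ==========================================================
  # First part: output format
  # ==========================================================

  $KT -genkeypair -alias a1 -dname CN=a1 -validity 366
  $KT -genkeypair -alias a2 -dname CN=a2 -validity 366

  # a.jar is built in three steps so that its entries differ in who signed
  # them:
  #   A1/A2 - present for both signings, so signed by a1 and a2
  #   A3/A4 - added after the a1 signing, so signed by a2 only
  #   A5/A6 - added after the last signing, so unsigned
  $JAR cvf a.jar A1.class A2.class
  $JARSIGNER -keystore $KS -storepass changeit a.jar a1
  $JAR uvf a.jar A3.class A4.class
  $JARSIGNER -keystore $KS -storepass changeit a.jar a2
  $JAR uvf a.jar A5.class A6.class

  # The expected exit statuses below are sums of the warning flags named in
  # the comments.

  # Verify OK: without -strict the exit status is 0
  $JARSIGNER -verify a.jar
  check 0 $? $LINENO

  # 4(chainNotValidated)+16(hasUnsignedEntry)
  # No keystore is given here; presumably that is why the signers' chains
  # cannot be validated.
  $JARSIGNER -verify a.jar -strict
  check 20 $? $LINENO

  # 16(hasUnsignedEntry): with the keystore supplied only this flag remains
  $JARSIGNER -verify a.jar -strict -keystore $KS -storepass changeit
  check 16 $? $LINENO

  # 16(hasUnsignedEntry)+32(notSignedByAlias): a1 did not sign A3/A4
  $JARSIGNER -verify a.jar a1 -strict -keystore $KS -storepass changeit
  check 48 $? $LINENO

  # 16(hasUnsignedEntry): a1 and a2 together cover every signed entry
  $JARSIGNER -verify a.jar a1 a2 -strict -keystore $KS -storepass changeit
  check 16 $? $LINENO

  # The counts below are kept in COUNT rather than LINES, a name the shell
  # itself may assign (terminal height).

  # 12 entries all together
  COUNT=$($JARSIGNER -verify a.jar -verbose | grep -c "$YEAR")
  check 12 "$COUNT" $LINENO

  # 12 entries all listed
  COUNT=$($JARSIGNER -verify a.jar -verbose:grouped | grep -c "$YEAR")
  check 12 "$COUNT" $LINENO

  # 4 groups: MANIFEST, unrelated, signed, unsigned
  COUNT=$($JARSIGNER -verify a.jar -verbose:summary | grep -c "$YEAR")
  check 4 "$COUNT" $LINENO

  # still 4 groups, but MANIFEST group has no other file
  COUNT=$($JARSIGNER -verify a.jar -verbose:summary | grep -c "more)")
  check 3 "$COUNT" $LINENO

  # 5 groups: MANIFEST, unrelated, signed by a1/a2, signed by a2, unsigned
  COUNT=$($JARSIGNER -verify a.jar -verbose:summary -certs | grep -c "$YEAR")
  check 5 "$COUNT" $LINENO

  # 2 for MANIFEST, 2*2 for A1/A2, 2 for A3/A4
  COUNT=$($JARSIGNER -verify a.jar -verbose -certs | grep -c "\[certificate")
  check 8 "$COUNT" $LINENO

  # a1,a2 for MANIFEST, a1,a2 for A1/A2, a2 for A3/A4
  COUNT=$($JARSIGNER -verify a.jar -verbose:grouped -certs | grep -c "\[certificate")
  check 5 "$COUNT" $LINENO

  # a1,a2 for MANIFEST, a1,a2 for A1/A2, a2 for A3/A4
  COUNT=$($JARSIGNER -verify a.jar -verbose:summary -certs | grep -c "\[certificate")
  check 5 "$COUNT" $LINENO

  # still 5 groups, but MANIFEST group has no other file
  COUNT=$($JARSIGNER -verify a.jar -verbose:summary -certs | grep -c "more)")
  check 4 "$COUNT" $LINENO

  # ==========================================================
  # Second part: exit code 2, 4, 8.
  # 16 and 32 already covered in the first part
  # ==========================================================
  # NOTE(review): no check in this part expects 2; the expired and the
  # not-yet-valid signer are both asserted as 4.

  # ca issues every certificate in this part. For each alias a key pair is
  # generated, its certificate request is signed by ca, and the reply is
  # imported back over the alias. The aliases differ only in the start date
  # or in the key-usage extensions requested from ca.
  $KT -genkeypair -alias ca -dname CN=ca -ext bc -validity 365
  # start date moved into the past
  $KT -genkeypair -alias expired -dname CN=expired
  $KT -certreq -alias expired | $KT -gencert -alias ca -startdate -10m | $KT -import -alias expired
  # start date moved into the future
  $KT -genkeypair -alias notyetvalid -dname CN=notyetvalid
  $KT -certreq -alias notyetvalid | $KT -gencert -alias ca -startdate +1m | $KT -import -alias notyetvalid
  # KeyUsage limited to cRLSign
  $KT -genkeypair -alias badku -dname CN=badku
  $KT -certreq -alias badku | $KT -gencert -alias ca -ext KU=cRLSign -validity 365 | $KT -import -alias badku
  # ExtendedKeyUsage "sa" (presumably serverAuth), not code signing
  $KT -genkeypair -alias badeku -dname CN=badeku
  $KT -certreq -alias badeku | $KT -gencert -alias ca -ext EKU=sa -validity 365 | $KT -import -alias badeku
  # KeyUsage "dig" (presumably digitalSignature)
  $KT -genkeypair -alias goodku -dname CN=goodku
  $KT -certreq -alias goodku | $KT -gencert -alias ca -ext KU=dig -validity 365 | $KT -import -alias goodku
  # ExtendedKeyUsage codesign
  $KT -genkeypair -alias goodeku -dname CN=goodeku
  $KT -certreq -alias goodeku | $KT -gencert -alias ca -ext EKU=codesign -validity 365 | $KT -import -alias goodeku

  # Signing with -strict must report each certificate problem through the
  # exit status: 4 for the two validity-period cases, 8 for the two unsuitable
  # usage extensions, 0 for the two suitable ones.
  $JARSIGNER -strict -keystore $KS -storepass changeit a.jar expired
  check 4 $? $LINENO

  $JARSIGNER -strict -keystore $KS -storepass changeit a.jar notyetvalid
  check 4 $? $LINENO

  $JARSIGNER -strict -keystore $KS -storepass changeit a.jar badku
  check 8 $? $LINENO

  $JARSIGNER -strict -keystore $KS -storepass changeit a.jar badeku
  check 8 $? $LINENO

  $JARSIGNER -strict -keystore $KS -storepass changeit a.jar goodku
  check 0 $? $LINENO

  $JARSIGNER -strict -keystore $KS -storepass changeit a.jar goodeku
  check 0 $? $LINENO

  # badchain signed by ca1, but ca1 is removed later
  $KT -genkeypair -alias badchain -dname CN=badchain -validity 365
  $KT -genkeypair -alias ca1 -dname CN=ca1 -ext bc -validity 365
  $KT -certreq -alias badchain | $KT -gencert -alias ca1 -validity 365 | \
          $KT -importcert -alias badchain
  # save ca1.cert for easy replay
  $KT -exportcert -file ca1.cert -alias ca1
  $KT -delete -alias ca1

  # With the issuer gone from the keystore, signing as badchain is expected
  # to report 4.
  $JARSIGNER -strict -keystore $KS -storepass changeit a.jar badchain
  check 4 $? $LINENO

  # Non-strict verification of the repeatedly signed jar still exits 0.
  $JARSIGNER -verify a.jar
  check 0 $? $LINENO

  # ==========================================================
  # Third part: -certchain test
  # ==========================================================

  # altchain signed by ca2
  # The keystore entry for altchain keeps its self-signed certificate; the
  # ca2-issued certificate and ca2's own certificate are only written to the
  # file "certchain".
  $KT -genkeypair -alias altchain -dname CN=altchain -validity 365
  $KT -genkeypair -alias ca2 -dname CN=ca2 -ext bc -validity 365
  $KT -certreq -alias altchain | $KT -gencert -alias ca2 -validity 365 -rfc > certchain
  $KT -exportcert -alias ca2 -rfc >> certchain

  # Self-signed cert does not work
  $JARSIGNER -strict -keystore $KS -storepass changeit a.jar altchain
  check 4 $? $LINENO

  # -certchain works
  $JARSIGNER -strict -keystore $KS -storepass changeit -certchain certchain a.jar altchain
  check 0 $? $LINENO

  # if ca2 is removed, -certchain still works because altchain is a
  # self-signed entry and it is trusted by jarsigner
  # save ca2.cert for easy replay
  $KT -exportcert -file ca2.cert -alias ca2
  $KT -delete -alias ca2
  $JARSIGNER -strict -keystore $KS -storepass changeit -certchain certchain a.jar altchain
  check 0 $? $LINENO

  # if cert is imported, -certchain won't work because this certificate entry
  # is not trusted
  $KT -importcert -file certchain -alias altchain -noprompt
  $JARSIGNER -strict -keystore $KS -storepass changeit -certchain certchain a.jar altchain
  check 4 $? $LINENO

  $JARSIGNER -verify a.jar
  check 0 $? $LINENO

  # ==========================================================
  # 8172529
  # ==========================================================

  $KT -genkeypair -alias ee -dname CN=ee
  $KT -genkeypair -alias caone -dname CN=caone
  $KT -genkeypair -alias catwo -dname CN=catwo

  # ee.cert: ee issued by catwo. catwo.cert: catwo's key certified by caone
  # using MD5withRSA, i.e. a cross-certificate with a weak signature
  # algorithm.
  $KT -certreq -alias ee | $KT -gencert -alias catwo -rfc > ee.cert
  $KT -certreq -alias catwo | $KT -gencert -alias caone -sigalg MD5withRSA -rfc > catwo.cert

  # This certchain contains a cross-signed weak catwo.cert
  cat ee.cert catwo.cert | $KT -importcert -alias ee -noprompt

  # Signing and verifying under -strict are both expected to exit 0 even
  # though the chain includes the MD5-signed cross-certificate.
  # NOTE(review): presumably because catwo is itself a key entry in the
  # keystore, so the chain validates without relying on the weak signature;
  # confirm against bug 8172529.
  $JAR cvf a.jar A1.class
  $JARSIGNER -strict -keystore $KS -storepass changeit a.jar ee
  check 0 $? $LINENO
  $JARSIGNER -strict -keystore $KS -storepass changeit -verify a.jar
  check 0 $? $LINENO

  echo OK
  exit 0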