1 /* 2 * Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. 8 * 9 * This code is distributed in the hope that it will be useful, but WITHOUT 10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 12 * version 2 for more details (a copy is included in the LICENSE file that 13 * accompanied this code). 14 * 15 * You should have received a copy of the GNU General Public License version 16 * 2 along with this work; if not, write to the Free Software Foundation, 17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 18 * 19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 20 * or visit www.oracle.com if you need additional information or have any 21 * questions. 22 */ 23 24 import jdk.testlibrary.OutputAnalyzer; 25 import jdk.test.lib.util.JarUtils; 26 27 /** 28 * @test 29 * @bug 8024302 8026037 8176320 30 * @summary The test signs and verifies a jar file with -tsacert option 31 * @library /lib/testlibrary warnings 32 * @library /test/lib 33 * @modules java.base/sun.security.pkcs 34 * java.base/sun.security.timestamp 35 * java.base/sun.security.tools.keytool 36 * java.base/sun.security.util 37 * java.base/sun.security.x509 38 * java.management 39 * @build jdk.test.lib.util.JarUtils 40 * jdk.test.lib.SecurityTools 41 * jdk.test.lib.Utils 42 * jdk.test.lib.Asserts 43 * jdk.test.lib.JDKToolFinder 44 * jdk.test.lib.JDKToolLauncher 45 * jdk.test.lib.Platform 46 * jdk.test.lib.process.* 47 * @run main TsacertOptionTest 48 */ 49 public class TsacertOptionTest extends Test { 50 51 private static final String FILENAME = TsacertOptionTest.class.getName() 52 + ".txt"; 53 private static final String SIGNING_KEY_ALIAS = "sign_alias"; 54 private static final String TSA_KEY_ALIAS = "ts"; 55 56 private static final String PASSWORD = "changeit"; 57 58 /** 59 * The test signs and verifies a jar file with -tsacert option, 60 * and checks that no warning was shown. 61 * A certificate that is addressed in -tsacert option contains URL to TSA 62 * in Subject Information Access extension. 63 */ 64 public static void main(String[] args) throws Throwable { 65 TsacertOptionTest test = new TsacertOptionTest(); 66 test.start(); 67 } 68 69 void start() throws Throwable { 70 // create a jar file that contains one file 71 Utils.createFiles(FILENAME); 72 JarUtils.createJar(UNSIGNED_JARFILE, FILENAME); 73 74 // create key pair for jar signing 75 keytool( 76 "-genkey", 77 "-alias", CA_KEY_ALIAS, 78 "-keyalg", KEY_ALG, 79 "-keysize", Integer.toString(KEY_SIZE), 80 "-keystore", KEYSTORE, 81 "-storepass", PASSWORD, 82 "-keypass", PASSWORD, 83 "-dname", "CN=CA", 84 "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0); 85 keytool( 86 "-genkey", 87 "-alias", SIGNING_KEY_ALIAS, 88 "-keyalg", KEY_ALG, 89 "-keysize", Integer.toString(KEY_SIZE), 90 "-keystore", KEYSTORE, 91 "-storepass", PASSWORD, 92 "-keypass", PASSWORD, 93 "-dname", "CN=Test").shouldHaveExitValue(0); 94 keytool( 95 "-certreq", 96 "-alias", SIGNING_KEY_ALIAS, 97 "-keystore", KEYSTORE, 98 "-storepass", PASSWORD, 99 "-keypass", PASSWORD, 100 "-file", "certreq").shouldHaveExitValue(0); 101 keytool( 102 "-gencert", 103 "-alias", CA_KEY_ALIAS, 104 "-keystore", KEYSTORE, 105 "-storepass", PASSWORD, 106 "-keypass", PASSWORD, 107 "-validity", Integer.toString(VALIDITY), 108 "-infile", "certreq", 109 "-outfile", "cert").shouldHaveExitValue(0); 110 keytool( 111 "-importcert", 112 "-alias", SIGNING_KEY_ALIAS, 113 "-keystore", KEYSTORE, 114 "-storepass", PASSWORD, 115 "-keypass", PASSWORD, 116 "-file", "cert").shouldHaveExitValue(0); 117 118 119 try (TimestampCheck.Handler tsa = TimestampCheck.Handler.init(0, 120 KEYSTORE)) { 121 122 // look for free network port for TSA service 123 int port = tsa.getPort(); 124 String host = "127.0.0.1"; 125 String tsaUrl = "http://" + host + ":" + port; 126 127 // create key pair for TSA service 128 // SubjectInfoAccess extension contains URL to TSA service 129 keytool( 130 "-genkey", 131 "-v", 132 "-alias", TSA_KEY_ALIAS, 133 "-keyalg", KEY_ALG, 134 "-keysize", Integer.toString(KEY_SIZE), 135 "-keystore", KEYSTORE, 136 "-storepass", PASSWORD, 137 "-keypass", PASSWORD, 138 "-dname", "CN=TSA", 139 "-ext", "ExtendedkeyUsage:critical=timeStamping", 140 "-ext", "SubjectInfoAccess=timeStamping:URI:" + tsaUrl, 141 "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0); 142 143 // start TSA 144 tsa.start(); 145 146 // sign jar file 147 // specify -tsadigestalg option because 148 // TSA server uses SHA-1 digest algorithm 149 OutputAnalyzer analyzer = jarsigner( 150 "-J-Dhttp.proxyHost=", 151 "-J-Dhttp.proxyPort=", 152 "-J-Djava.net.useSystemProxies=", 153 "-verbose", 154 "-keystore", KEYSTORE, 155 "-storepass", PASSWORD, 156 "-keypass", PASSWORD, 157 "-signedjar", SIGNED_JARFILE, 158 "-tsacert", TSA_KEY_ALIAS, 159 "-tsadigestalg", "SHA-1", 160 UNSIGNED_JARFILE, 161 SIGNING_KEY_ALIAS); 162 163 analyzer.shouldHaveExitValue(0); 164 analyzer.stdoutShouldNotContain(WARNING); 165 analyzer.shouldContain(JAR_SIGNED); 166 167 // verify signed jar 168 analyzer = jarsigner( 169 "-verbose", 170 "-verify", 171 "-keystore", KEYSTORE, 172 "-storepass", PASSWORD, 173 SIGNED_JARFILE); 174 175 analyzer.shouldHaveExitValue(0); 176 analyzer.stdoutShouldNotContain(WARNING); 177 analyzer.shouldContain(JAR_VERIFIED); 178 } 179 180 System.out.println("Test passed"); 181 } 182 183 }