1 /*
   2  * Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.
   8  *
   9  * This code is distributed in the hope that it will be useful, but WITHOUT
  10  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  11  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  12  * version 2 for more details (a copy is included in the LICENSE file that
  13  * accompanied this code).
  14  *
  15  * You should have received a copy of the GNU General Public License version
  16  * 2 along with this work; if not, write to the Free Software Foundation,
  17  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  18  *
  19  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  20  * or visit www.oracle.com if you need additional information or have any
  21  * questions.
  22  */
  23 
  24 import jdk.testlibrary.OutputAnalyzer;
  25 import jdk.test.lib.util.JarUtils;
  26 
  27 /**
  28  * @test
  29  * @bug 8024302 8026037 8176320
  30  * @summary The test signs and verifies a jar file with -tsacert option
  31  * @library /lib/testlibrary warnings
  32  * @library /test/lib
  33  * @modules java.base/sun.security.pkcs
  34  *          java.base/sun.security.timestamp
  35  *          java.base/sun.security.tools.keytool
  36  *          java.base/sun.security.util
  37  *          java.base/sun.security.x509
  38  *          java.management
  39  * @build jdk.test.lib.util.JarUtils
  40  *        jdk.test.lib.SecurityTools
  41  *        jdk.test.lib.Utils
  42  *        jdk.test.lib.Asserts
  43  *        jdk.test.lib.JDKToolFinder
  44  *        jdk.test.lib.JDKToolLauncher
  45  *        jdk.test.lib.Platform
  46  *        jdk.test.lib.process.*
  47  * @run main TsacertOptionTest
  48  */
  49 public class TsacertOptionTest extends Test {
  50 
  51     private static final String FILENAME = TsacertOptionTest.class.getName()
  52             + ".txt";
  53     private static final String SIGNING_KEY_ALIAS = "sign_alias";
  54     private static final String TSA_KEY_ALIAS = "ts";
  55 
  56     private static final String PASSWORD = "changeit";
  57 
  58     /**
  59      * The test signs and verifies a jar file with -tsacert option,
  60      * and checks that no warning was shown.
  61      * A certificate that is addressed in -tsacert option contains URL to TSA
  62      * in Subject Information Access extension.
  63      */
  64     public static void main(String[] args) throws Throwable {
  65         TsacertOptionTest test = new TsacertOptionTest();
  66         test.start();
  67     }
  68 
  69     void start() throws Throwable {
  70         // create a jar file that contains one file
  71         Utils.createFiles(FILENAME);
  72         JarUtils.createJar(UNSIGNED_JARFILE, FILENAME);
  73 
  74         // create key pair for jar signing
  75         keytool(
  76                 "-genkey",
  77                 "-alias", CA_KEY_ALIAS,
  78                 "-keyalg", KEY_ALG,
  79                 "-keysize", Integer.toString(KEY_SIZE),
  80                 "-keystore", KEYSTORE,
  81                 "-storepass", PASSWORD,
  82                 "-keypass", PASSWORD,
  83                 "-dname", "CN=CA",
  84                 "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
  85         keytool(
  86                 "-genkey",
  87                 "-alias", SIGNING_KEY_ALIAS,
  88                 "-keyalg", KEY_ALG,
  89                 "-keysize", Integer.toString(KEY_SIZE),
  90                 "-keystore", KEYSTORE,
  91                 "-storepass", PASSWORD,
  92                 "-keypass", PASSWORD,
  93                 "-dname", "CN=Test").shouldHaveExitValue(0);
  94         keytool(
  95                 "-certreq",
  96                 "-alias", SIGNING_KEY_ALIAS,
  97                 "-keystore", KEYSTORE,
  98                 "-storepass", PASSWORD,
  99                 "-keypass", PASSWORD,
 100                 "-file", "certreq").shouldHaveExitValue(0);
 101         keytool(
 102                 "-gencert",
 103                 "-alias", CA_KEY_ALIAS,
 104                 "-keystore", KEYSTORE,
 105                 "-storepass", PASSWORD,
 106                 "-keypass", PASSWORD,
 107                 "-validity", Integer.toString(VALIDITY),
 108                 "-infile", "certreq",
 109                 "-outfile", "cert").shouldHaveExitValue(0);
 110         keytool(
 111                 "-importcert",
 112                 "-alias", SIGNING_KEY_ALIAS,
 113                 "-keystore", KEYSTORE,
 114                 "-storepass", PASSWORD,
 115                 "-keypass", PASSWORD,
 116                 "-file", "cert").shouldHaveExitValue(0);
 117 
 118 
 119         try (TimestampCheck.Handler tsa = TimestampCheck.Handler.init(0,
 120                 KEYSTORE)) {
 121 
 122             // look for free network port for TSA service
 123             int port = tsa.getPort();
 124             String host = "127.0.0.1";
 125             String tsaUrl = "http://" + host + ":" + port;
 126 
 127             // create key pair for TSA service
 128             // SubjectInfoAccess extension contains URL to TSA service
 129             keytool(
 130                     "-genkey",
 131                     "-v",
 132                     "-alias", TSA_KEY_ALIAS,
 133                     "-keyalg", KEY_ALG,
 134                     "-keysize", Integer.toString(KEY_SIZE),
 135                     "-keystore", KEYSTORE,
 136                     "-storepass", PASSWORD,
 137                     "-keypass", PASSWORD,
 138                     "-dname", "CN=TSA",
 139                     "-ext", "ExtendedkeyUsage:critical=timeStamping",
 140                     "-ext", "SubjectInfoAccess=timeStamping:URI:" + tsaUrl,
 141                     "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
 142 
 143             // start TSA
 144             tsa.start();
 145 
 146             // sign jar file
 147             // specify -tsadigestalg option because
 148             // TSA server uses SHA-1 digest algorithm
 149              OutputAnalyzer analyzer = jarsigner(
 150                     "-J-Dhttp.proxyHost=",
 151                     "-J-Dhttp.proxyPort=",
 152                     "-J-Djava.net.useSystemProxies=",
 153                     "-verbose",
 154                     "-keystore", KEYSTORE,
 155                     "-storepass", PASSWORD,
 156                     "-keypass", PASSWORD,
 157                     "-signedjar", SIGNED_JARFILE,
 158                     "-tsacert", TSA_KEY_ALIAS,
 159                     "-tsadigestalg", "SHA-1",
 160                     UNSIGNED_JARFILE,
 161                     SIGNING_KEY_ALIAS);
 162 
 163             analyzer.shouldHaveExitValue(0);
 164             analyzer.stdoutShouldNotContain(WARNING);
 165             analyzer.shouldContain(JAR_SIGNED);
 166 
 167             // verify signed jar
 168             analyzer = jarsigner(
 169                     "-verbose",
 170                     "-verify",
 171                     "-keystore", KEYSTORE,
 172                     "-storepass", PASSWORD,
 173                     SIGNED_JARFILE);
 174 
 175             analyzer.shouldHaveExitValue(0);
 176             analyzer.stdoutShouldNotContain(WARNING);
 177             analyzer.shouldContain(JAR_VERIFIED);
 178         }
 179 
 180         System.out.println("Test passed");
 181     }
 182 
 183 }