/*
 * Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

import java.io.File;
import jdk.testlibrary.OutputAnalyzer;
import jdk.testlibrary.ProcessTools;
import jdk.test.lib.util.JarUtils;

/**
 * @test
 * @bug 8024302 8026037
 * @summary Test for chainNotValidated warning
 * @library /lib/testlibrary /test/lib ../
 * @run main ChainNotValidatedTest
 */
public class ChainNotValidatedTest extends Test {

    /** Name of the file that collects the PEM-encoded certificate chain. */
    private static final String CHAIN = "chain";

    /**
     * Signs and verifies a jar whose signer certificate chain cannot be
     * validated (the issuing certificate carries a critical BasicConstraints
     * extension with ca:false). jarsigner is expected to report the
     * chainNotValidated warning when signing, when verifying, and to fail
     * with the dedicated exit code when verifying in -strict mode.
     *
     * @param args ignored
     * @throws Throwable if any tool invocation or check fails
     */
    public static void main(String[] args) throws Throwable {
        new ChainNotValidatedTest().start();
    }

    /**
     * Runs the whole scenario: key material setup, export of the (invalid)
     * chain, signing, and the three verification checks.
     * Constants such as KEYSTORE, PASSWORD, KEY_ALIAS, CA_KEY_ALIAS and the
     * warning/exit-code names are inherited from {@code Test} (not shown here).
     */
    private void start() throws Throwable {
        // the signing target: a jar holding a single class file
        Utils.createFiles(FIRST_FILE);
        JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);

        // "CA" key pair whose certificate says ca:false — it is therefore not
        // allowed to act as an issuer, and any chain built on top of it must
        // fail certpath validation
        generateKeyPair(CA_KEY_ALIAS, "CN=CA");

        // end-entity key pair, to be certified by the non-CA above
        generateKeyPair(KEY_ALIAS, "CN=Test");

        keytool(
                "-certreq",
                "-alias", KEY_ALIAS,
                "-keystore", KEYSTORE,
                "-storepass", PASSWORD,
                "-keypass", PASSWORD,
                "-file", CERT_REQUEST_FILENAME).shouldHaveExitValue(0);

        keytool(
                "-gencert",
                "-alias", CA_KEY_ALIAS,
                "-keystore", KEYSTORE,
                "-storepass", PASSWORD,
                "-keypass", PASSWORD,
                "-infile", CERT_REQUEST_FILENAME,
                "-validity", Integer.toString(VALIDITY),
                "-outfile", CERT_FILENAME).shouldHaveExitValue(0);

        keytool(
                "-importcert",
                "-alias", KEY_ALIAS,
                "-keystore", KEYSTORE,
                "-storepass", PASSWORD,
                "-keypass", PASSWORD,
                "-file", CERT_FILENAME).shouldHaveExitValue(0);

        // build the chain file: signer certificate first, then the "CA"
        appendCertificateToChain(KEY_ALIAS);
        appendCertificateToChain(CA_KEY_ALIAS);

        // drop the CA entry so the chain used for signing comes only from
        // the -certchain file
        keytool(
                "-delete",
                "-alias", CA_KEY_ALIAS,
                "-keystore", KEYSTORE,
                "-storepass", PASSWORD,
                "-keypass", PASSWORD).shouldHaveExitValue(0);

        // signing must succeed but surface the chainNotValidated warning
        OutputAnalyzer analyzer = jarsigner(
                "-keystore", KEYSTORE,
                "-storepass", PASSWORD,
                "-keypass", PASSWORD,
                "-certchain", CHAIN,
                "-signedjar", SIGNED_JARFILE,
                UNSIGNED_JARFILE,
                KEY_ALIAS);
        checkSigning(analyzer, CHAIN_NOT_VALIDATED_SIGNING_WARNING);

        // plain verification: exit 0, warning still reported
        analyzer = jarsigner(
                "-verify",
                "-verbose",
                "-keystore", KEYSTORE,
                "-storepass", PASSWORD,
                "-keypass", PASSWORD,
                "-certchain", CHAIN,
                SIGNED_JARFILE);
        checkVerifying(analyzer, 0, CHAIN_NOT_VALIDATED_VERIFYING_WARNING);

        // strict verification: the broken chain turns into a non-zero exit
        analyzer = jarsigner(
                "-verify",
                "-verbose",
                "-strict",
                "-keystore", KEYSTORE,
                "-storepass", PASSWORD,
                "-keypass", PASSWORD,
                "-certchain", CHAIN,
                SIGNED_JARFILE);
        checkVerifying(analyzer, CHAIN_NOT_VALIDATED_EXIT_CODE,
                CHAIN_NOT_VALIDATED_VERIFYING_WARNING);

        System.out.println("Test passed");
    }

    /**
     * Generates a key pair under {@code alias} whose self-signed certificate
     * carries a critical BasicConstraints extension set to ca:false.
     *
     * @param alias keystore alias for the new entry
     * @param dname subject distinguished name of the certificate
     */
    private void generateKeyPair(String alias, String dname) throws Throwable {
        keytool(
                "-genkeypair",
                "-alias", alias,
                "-keyalg", KEY_ALG,
                "-keysize", Integer.toString(KEY_SIZE),
                "-keystore", KEYSTORE,
                "-storepass", PASSWORD,
                "-keypass", PASSWORD,
                "-dname", dname,
                "-ext", "BasicConstraints:critical=ca:false",
                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
    }

    /**
     * Exports the certificate stored under {@code alias} in PEM form and
     * appends it to the {@link #CHAIN} file.
     *
     * @param alias keystore alias whose certificate is exported
     */
    private void appendCertificateToChain(String alias) throws Throwable {
        ProcessBuilder exporter = new ProcessBuilder(KEYTOOL,
                "-export",
                "-rfc",
                "-alias", alias,
                "-keystore", KEYSTORE,
                "-storepass", PASSWORD,
                "-keypass", PASSWORD);
        // stdout of keytool goes straight into the chain file (appending)
        exporter.redirectOutput(
                ProcessBuilder.Redirect.appendTo(new File(CHAIN)));
        ProcessTools.executeCommand(exporter).shouldHaveExitValue(0);
    }

}