1 /*
2 * Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.
8 *
9 * This code is distributed in the hope that it will be useful, but WITHOUT
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * version 2 for more details (a copy is included in the LICENSE file that
13 * accompanied this code).
14 *
15 * You should have received a copy of the GNU General Public License version
16 * 2 along with this work; if not, write to the Free Software Foundation,
17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18 *
19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20 * or visit www.oracle.com if you need additional information or have any
21 * questions.
22 */
23
24 import java.io.File;
25 import jdk.testlibrary.OutputAnalyzer;
26 import jdk.testlibrary.ProcessTools;
27 import jdk.test.lib.util.JarUtils;
28
29 /**
30 * @test
31 * @bug 8024302 8026037
32 * @summary Test for chainNotValidated warning
33 * @library /lib/testlibrary /test/lib ../
34 * @run main ChainNotValidatedTest
35 */
36 public class ChainNotValidatedTest extends Test {
37
38 private static final String CHAIN = "chain";
39
40 /**
41 * The test signs and verifies a jar that contains entries
42 * whose cert chain can't be correctly validated (chainNotValidated).
43 * Warning message is expected.
44 */
45 public static void main(String[] args) throws Throwable {
46 ChainNotValidatedTest test = new ChainNotValidatedTest();
47 test.start();
48 }
49
50 private void start() throws Throwable {
51 // create a jar file that contains one class file
52 Utils.createFiles(FIRST_FILE);
53 JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
54
55 // create self-signed certificate whose BasicConstraints extension
56 // is set to false, so the certificate may not be used
57 // as a parent certificate (certpath validation should fail)
58 keytool(
59 "-genkeypair",
60 "-alias", CA_KEY_ALIAS,
61 "-keyalg", KEY_ALG,
62 "-keysize", Integer.toString(KEY_SIZE),
63 "-keystore", KEYSTORE,
64 "-storepass", PASSWORD,
65 "-keypass", PASSWORD,
66 "-dname", "CN=CA",
67 "-ext", "BasicConstraints:critical=ca:false",
68 "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
69
70 // create a certificate that is signed by self-signed certificate
71 // despite of it may not be used as a parent certificate
72 // (certpath validation should fail)
73 keytool(
74 "-genkeypair",
75 "-alias", KEY_ALIAS,
76 "-keyalg", KEY_ALG,
77 "-keysize", Integer.toString(KEY_SIZE),
78 "-keystore", KEYSTORE,
79 "-storepass", PASSWORD,
80 "-keypass", PASSWORD,
81 "-dname", "CN=Test",
82 "-ext", "BasicConstraints:critical=ca:false",
83 "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
84
85 keytool(
86 "-certreq",
87 "-alias", KEY_ALIAS,
88 "-keystore", KEYSTORE,
89 "-storepass", PASSWORD,
90 "-keypass", PASSWORD,
91 "-file", CERT_REQUEST_FILENAME).shouldHaveExitValue(0);
92
93 keytool(
94 "-gencert",
95 "-alias", CA_KEY_ALIAS,
96 "-keystore", KEYSTORE,
97 "-storepass", PASSWORD,
98 "-keypass", PASSWORD,
99 "-infile", CERT_REQUEST_FILENAME,
100 "-validity", Integer.toString(VALIDITY),
101 "-outfile", CERT_FILENAME).shouldHaveExitValue(0);
102
103 keytool(
104 "-importcert",
105 "-alias", KEY_ALIAS,
106 "-keystore", KEYSTORE,
107 "-storepass", PASSWORD,
108 "-keypass", PASSWORD,
109 "-file", CERT_FILENAME).shouldHaveExitValue(0);
110
111 ProcessBuilder pb = new ProcessBuilder(KEYTOOL,
112 "-export",
113 "-rfc",
114 "-alias", KEY_ALIAS,
115 "-keystore", KEYSTORE,
116 "-storepass", PASSWORD,
117 "-keypass", PASSWORD);
118 pb.redirectOutput(ProcessBuilder.Redirect.appendTo(new File(CHAIN)));
119 ProcessTools.executeCommand(pb).shouldHaveExitValue(0);
120
121 pb = new ProcessBuilder(KEYTOOL,
122 "-export",
123 "-rfc",
124 "-alias", CA_KEY_ALIAS,
125 "-keystore", KEYSTORE,
126 "-storepass", PASSWORD,
127 "-keypass", PASSWORD);
128 pb.redirectOutput(ProcessBuilder.Redirect.appendTo(new File(CHAIN)));
129 ProcessTools.executeCommand(pb).shouldHaveExitValue(0);
130
131 // remove CA certificate
132 keytool(
133 "-delete",
134 "-alias", CA_KEY_ALIAS,
135 "-keystore", KEYSTORE,
136 "-storepass", PASSWORD,
137 "-keypass", PASSWORD).shouldHaveExitValue(0);
138
139 // sign jar
140 OutputAnalyzer analyzer = jarsigner(
141 "-keystore", KEYSTORE,
142 "-storepass", PASSWORD,
143 "-keypass", PASSWORD,
144 "-certchain", CHAIN,
145 "-signedjar", SIGNED_JARFILE,
146 UNSIGNED_JARFILE,
147 KEY_ALIAS);
148
149 checkSigning(analyzer, CHAIN_NOT_VALIDATED_SIGNING_WARNING);
150
151 // verify signed jar
152 analyzer = jarsigner(
153 "-verify",
154 "-verbose",
155 "-keystore", KEYSTORE,
156 "-storepass", PASSWORD,
157 "-keypass", PASSWORD,
158 "-certchain", CHAIN,
159 SIGNED_JARFILE);
160
161 checkVerifying(analyzer, 0, CHAIN_NOT_VALIDATED_VERIFYING_WARNING);
162
163 // verify signed jar in strict mode
164 analyzer = jarsigner(
165 "-verify",
166 "-verbose",
167 "-strict",
168 "-keystore", KEYSTORE,
169 "-storepass", PASSWORD,
170 "-keypass", PASSWORD,
171 "-certchain", CHAIN,
172 SIGNED_JARFILE);
173
174 checkVerifying(analyzer, CHAIN_NOT_VALIDATED_EXIT_CODE,
175 CHAIN_NOT_VALIDATED_VERIFYING_WARNING);
176
177 System.out.println("Test passed");
178 }
179
180 }