1 /*
2 * Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.
8 *
9 * This code is distributed in the hope that it will be useful, but WITHOUT
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * version 2 for more details (a copy is included in the LICENSE file that
13 * accompanied this code).
14 *
15 * You should have received a copy of the GNU General Public License version
16 * 2 along with this work; if not, write to the Free Software Foundation,
17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18 *
19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20 * or visit www.oracle.com if you need additional information or have any
21 * questions.
22 */
23
24 import java.io.File;
25 import jdk.testlibrary.OutputAnalyzer;
26 import jdk.testlibrary.ProcessTools;
27 import jdk.test.lib.util.JarUtils;
28
29 /**
30 * @test
31 * @bug 8024302 8026037
32 * @summary Test for chainNotValidated warning
33 * @library /lib/testlibrary /test/lib ../
34 * @build jdk.test.lib.util.JarUtils
35 * @run main ChainNotValidatedTest
36 */
37 public class ChainNotValidatedTest extends Test {
38
39 private static final String CHAIN = "chain";
40
41 /**
42 * The test signs and verifies a jar that contains entries
43 * whose cert chain can't be correctly validated (chainNotValidated).
44 * Warning message is expected.
45 */
46 public static void main(String[] args) throws Throwable {
47 ChainNotValidatedTest test = new ChainNotValidatedTest();
48 test.start();
49 }
50
51 private void start() throws Throwable {
52 // create a jar file that contains one class file
53 Utils.createFiles(FIRST_FILE);
54 JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
55
56 // create self-signed certificate whose BasicConstraints extension
57 // is set to false, so the certificate may not be used
58 // as a parent certificate (certpath validation should fail)
59 keytool(
60 "-genkeypair",
61 "-alias", CA_KEY_ALIAS,
62 "-keyalg", KEY_ALG,
63 "-keysize", Integer.toString(KEY_SIZE),
64 "-keystore", KEYSTORE,
65 "-storepass", PASSWORD,
66 "-keypass", PASSWORD,
67 "-dname", "CN=CA",
68 "-ext", "BasicConstraints:critical=ca:false",
69 "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
70
71 // create a certificate that is signed by self-signed certificate
72 // despite of it may not be used as a parent certificate
73 // (certpath validation should fail)
74 keytool(
75 "-genkeypair",
76 "-alias", KEY_ALIAS,
77 "-keyalg", KEY_ALG,
78 "-keysize", Integer.toString(KEY_SIZE),
79 "-keystore", KEYSTORE,
80 "-storepass", PASSWORD,
81 "-keypass", PASSWORD,
82 "-dname", "CN=Test",
83 "-ext", "BasicConstraints:critical=ca:false",
84 "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
85
86 keytool(
87 "-certreq",
88 "-alias", KEY_ALIAS,
89 "-keystore", KEYSTORE,
90 "-storepass", PASSWORD,
91 "-keypass", PASSWORD,
92 "-file", CERT_REQUEST_FILENAME).shouldHaveExitValue(0);
93
94 keytool(
95 "-gencert",
96 "-alias", CA_KEY_ALIAS,
97 "-keystore", KEYSTORE,
98 "-storepass", PASSWORD,
99 "-keypass", PASSWORD,
100 "-infile", CERT_REQUEST_FILENAME,
101 "-validity", Integer.toString(VALIDITY),
102 "-outfile", CERT_FILENAME).shouldHaveExitValue(0);
103
104 keytool(
105 "-importcert",
106 "-alias", KEY_ALIAS,
107 "-keystore", KEYSTORE,
108 "-storepass", PASSWORD,
109 "-keypass", PASSWORD,
110 "-file", CERT_FILENAME).shouldHaveExitValue(0);
111
112 ProcessBuilder pb = new ProcessBuilder(KEYTOOL,
113 "-export",
114 "-rfc",
115 "-alias", KEY_ALIAS,
116 "-keystore", KEYSTORE,
117 "-storepass", PASSWORD,
118 "-keypass", PASSWORD);
119 pb.redirectOutput(ProcessBuilder.Redirect.appendTo(new File(CHAIN)));
120 ProcessTools.executeCommand(pb).shouldHaveExitValue(0);
121
122 pb = new ProcessBuilder(KEYTOOL,
123 "-export",
124 "-rfc",
125 "-alias", CA_KEY_ALIAS,
126 "-keystore", KEYSTORE,
127 "-storepass", PASSWORD,
128 "-keypass", PASSWORD);
129 pb.redirectOutput(ProcessBuilder.Redirect.appendTo(new File(CHAIN)));
130 ProcessTools.executeCommand(pb).shouldHaveExitValue(0);
131
132 // remove CA certificate
133 keytool(
134 "-delete",
135 "-alias", CA_KEY_ALIAS,
136 "-keystore", KEYSTORE,
137 "-storepass", PASSWORD,
138 "-keypass", PASSWORD).shouldHaveExitValue(0);
139
140 // sign jar
141 OutputAnalyzer analyzer = jarsigner(
142 "-keystore", KEYSTORE,
143 "-storepass", PASSWORD,
144 "-keypass", PASSWORD,
145 "-certchain", CHAIN,
146 "-signedjar", SIGNED_JARFILE,
147 UNSIGNED_JARFILE,
148 KEY_ALIAS);
149
150 checkSigning(analyzer, CHAIN_NOT_VALIDATED_SIGNING_WARNING);
151
152 // verify signed jar
153 analyzer = jarsigner(
154 "-verify",
155 "-verbose",
156 "-keystore", KEYSTORE,
157 "-storepass", PASSWORD,
158 "-keypass", PASSWORD,
159 "-certchain", CHAIN,
160 SIGNED_JARFILE);
161
162 checkVerifying(analyzer, 0, CHAIN_NOT_VALIDATED_VERIFYING_WARNING);
163
164 // verify signed jar in strict mode
165 analyzer = jarsigner(
166 "-verify",
167 "-verbose",
168 "-strict",
169 "-keystore", KEYSTORE,
170 "-storepass", PASSWORD,
171 "-keypass", PASSWORD,
172 "-certchain", CHAIN,
173 SIGNED_JARFILE);
174
175 checkVerifying(analyzer, CHAIN_NOT_VALIDATED_EXIT_CODE,
176 CHAIN_NOT_VALIDATED_VERIFYING_WARNING);
177
178 System.out.println("Test passed");
179 }
180
181 }