1 #
2 # Copyright (c) 2009, 2011, Oracle and/or its affiliates. All rights reserved.
3 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 #
5 # This code is free software; you can redistribute it and/or modify it
6 # under the terms of the GNU General Public License version 2 only, as
7 # published by the Free Software Foundation.
8 #
9 # This code is distributed in the hope that it will be useful, but WITHOUT
10 # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11 # FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 # version 2 for more details (a copy is included in the LICENSE file that
13 # accompanied this code).
14 #
15 # You should have received a copy of the GNU General Public License version
16 # 2 along with this work; if not, write to the Free Software Foundation,
17 # Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18 #
19 # Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20 # or visit www.oracle.com if you need additional information or have any
21 # questions.
22 #
23
24 # @test
25 # @bug 6802846
26 # @summary jarsigner needs enhanced cert validation(options)
27 #
28 # @run shell concise_jarsigner.sh
29 #
30
31 if [ "${TESTJAVA}" = "" ] ; then
32 JAVAC_CMD=`which javac`
33 TESTJAVA=`dirname $JAVAC_CMD`/..
34 fi
35
36 # set platform-dependent variables
37 OS=`uname -s`
38 case "$OS" in
39 Windows_* )
40 FS="\\"
41 ;;
42 * )
43 FS="/"
44 ;;
45 esac
46
47 # Choose 1024-bit RSA to make sure it runs fine and fast on all platforms. In
48 # fact, every keyalg/keysize combination is OK for this test.
49
50 KT="$TESTJAVA${FS}bin${FS}keytool -storepass changeit -keypass changeit -keystore js.jks -keyalg rsa -keysize 1024"
51 JAR=$TESTJAVA${FS}bin${FS}jar
52 JARSIGNER=$TESTJAVA${FS}bin${FS}jarsigner
53 JAVAC=$TESTJAVA${FS}bin${FS}javac
54
55 rm js.jks
56
57 echo class A1 {} > A1.java
58 echo class A2 {} > A2.java
59 echo class A3 {} > A3.java
60 echo class A4 {} > A4.java
61 echo class A5 {} > A5.java
62 echo class A6 {} > A6.java
63
64 $JAVAC A1.java A2.java A3.java A4.java A5.java A6.java
65 YEAR=`date +%Y`
66
67 # ==========================================================
68 # First part: output format
69 # ==========================================================
70
71 $KT -genkeypair -alias a1 -dname CN=a1 -validity 365
72 $KT -genkeypair -alias a2 -dname CN=a2 -validity 365
73
74 # a.jar includes 8 unsigned, 2 signed by a1 and a2, 2 signed by a3
75 $JAR cvf a.jar A1.class A2.class
76 $JARSIGNER -keystore js.jks -storepass changeit a.jar a1
77 $JAR uvf a.jar A3.class A4.class
78 $JARSIGNER -keystore js.jks -storepass changeit a.jar a2
79 $JAR uvf a.jar A5.class A6.class
80
81 # Verify OK
82 $JARSIGNER -verify a.jar
83 [ $? = 0 ] || exit $LINENO
84
85 # 4(chainNotValidated)+16(hasUnsignedEntry)
86 $JARSIGNER -verify a.jar -strict
87 [ $? = 20 ] || exit $LINENO
88
89 # 16(hasUnsignedEntry)
90 $JARSIGNER -verify a.jar -strict -keystore js.jks
91 [ $? = 16 ] || exit $LINENO
92
93 # 16(hasUnsignedEntry)+32(notSignedByAlias)
94 $JARSIGNER -verify a.jar a1 -strict -keystore js.jks
95 [ $? = 48 ] || exit $LINENO
96
97 # 16(hasUnsignedEntry)
98 $JARSIGNER -verify a.jar a1 a2 -strict -keystore js.jks
99 [ $? = 16 ] || exit $LINENO
100
101 # 12 entries all together
102 LINES=`$JARSIGNER -verify a.jar -verbose | grep $YEAR | wc -l`
103 [ $LINES = 12 ] || exit $LINENO
104
105 # 12 entries all listed
106 LINES=`$JARSIGNER -verify a.jar -verbose:grouped | grep $YEAR | wc -l`
107 [ $LINES = 12 ] || exit $LINENO
108
109 # 4 groups: MANIFST, unrelated, signed, unsigned
110 LINES=`$JARSIGNER -verify a.jar -verbose:summary | grep $YEAR | wc -l`
111 [ $LINES = 4 ] || exit $LINENO
112
113 # still 4 groups, but MANIFEST group has no other file
114 LINES=`$JARSIGNER -verify a.jar -verbose:summary | grep "more)" | wc -l`
115 [ $LINES = 3 ] || exit $LINENO
116
117 # 5 groups: MANIFEST, unrelated, signed by a1/a2, signed by a2, unsigned
118 LINES=`$JARSIGNER -verify a.jar -verbose:summary -certs | grep $YEAR | wc -l`
119 [ $LINES = 5 ] || exit $LINENO
120
121 # 2 for MANIFEST, 2*2 for A1/A2, 2 for A3/A4
122 LINES=`$JARSIGNER -verify a.jar -verbose -certs | grep "\[certificate" | wc -l`
123 [ $LINES = 8 ] || exit $LINENO
124
125 # a1,a2 for MANIFEST, a1,a2 for A1/A2, a2 for A3/A4
126 LINES=`$JARSIGNER -verify a.jar -verbose:grouped -certs | grep "\[certificate" | wc -l`
127 [ $LINES = 5 ] || exit $LINENO
128
129 # a1,a2 for MANIFEST, a1,a2 for A1/A2, a2 for A3/A4
130 LINES=`$JARSIGNER -verify a.jar -verbose:summary -certs | grep "\[certificate" | wc -l`
131 [ $LINES = 5 ] || exit $LINENO
132
133 # still 5 groups, but MANIFEST group has no other file
134 LINES=`$JARSIGNER -verify a.jar -verbose:summary -certs | grep "more)" | wc -l`
135 [ $LINES = 4 ] || exit $LINENO
136
137 # ==========================================================
138 # Second part: exit code 2, 4, 8
139 # 16 and 32 already covered in the first part
140 # ==========================================================
141
142 $KT -genkeypair -alias expired -dname CN=expired -startdate -10m
143 $KT -genkeypair -alias notyetvalid -dname CN=notyetvalid -startdate +1m
144 $KT -genkeypair -alias badku -dname CN=badku -ext KU=cRLSign -validity 365
145 $KT -genkeypair -alias badeku -dname CN=badeku -ext EKU=sa -validity 365
146 $KT -genkeypair -alias goodku -dname CN=goodku -ext KU=dig -validity 365
147 $KT -genkeypair -alias goodeku -dname CN=goodeku -ext EKU=codesign -validity 365
148
149 # badchain signed by ca, but ca is removed later
150 $KT -genkeypair -alias badchain -dname CN=badchain -validity 365
151 $KT -genkeypair -alias ca -dname CN=ca -ext bc -validity 365
152 $KT -certreq -alias badchain | $KT -gencert -alias ca -validity 365 | \
153 $KT -importcert -alias badchain
154 $KT -delete -alias ca
155
156 $JARSIGNER -strict -keystore js.jks -storepass changeit a.jar expired
157 [ $? = 4 ] || exit $LINENO
158
159 $JARSIGNER -strict -keystore js.jks -storepass changeit a.jar notyetvalid
160 [ $? = 4 ] || exit $LINENO
161
162 $JARSIGNER -strict -keystore js.jks -storepass changeit a.jar badku
163 [ $? = 8 ] || exit $LINENO
164
165 $JARSIGNER -strict -keystore js.jks -storepass changeit a.jar badeku
166 [ $? = 8 ] || exit $LINENO
167
168 $JARSIGNER -strict -keystore js.jks -storepass changeit a.jar goodku
169 [ $? = 0 ] || exit $LINENO
170
171 $JARSIGNER -strict -keystore js.jks -storepass changeit a.jar goodeku
172 [ $? = 0 ] || exit $LINENO
173
174 $JARSIGNER -strict -keystore js.jks -storepass changeit a.jar badchain
175 [ $? = 4 ] || exit $LINENO
176
177 $JARSIGNER -verify a.jar
178 [ $? = 0 ] || exit $LINENO
179
180 # ==========================================================
181 # Third part: -certchain test
182 # ==========================================================
183
184 # altchain signed by ca2, but ca2 is removed later
185 $KT -genkeypair -alias altchain -dname CN=altchain -validity 365
186 $KT -genkeypair -alias ca2 -dname CN=ca2 -ext bc -validity 365
187 $KT -certreq -alias altchain | $KT -gencert -alias ca2 -validity 365 -rfc > certchain
188 $KT -exportcert -alias ca2 -rfc >> certchain
189 $KT -delete -alias ca2
190
191 # Now altchain is still self-signed
192 $JARSIGNER -strict -keystore js.jks -storepass changeit a.jar altchain
193 [ $? = 0 ] || exit $LINENO
194
195 # If -certchain is used, then it's bad
196 $JARSIGNER -strict -keystore js.jks -storepass changeit -certchain certchain a.jar altchain
197 [ $? = 4 ] || exit $LINENO
198
199 $JARSIGNER -verify a.jar
200 [ $? = 0 ] || exit $LINENO
201
202 echo OK
203 exit 0