1 # 2 # Copyright (c) 2009, 2011, Oracle and/or its affiliates. All rights reserved. 3 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 # 5 # This code is free software; you can redistribute it and/or modify it 6 # under the terms of the GNU General Public License version 2 only, as 7 # published by the Free Software Foundation. 8 # 9 # This code is distributed in the hope that it will be useful, but WITHOUT 10 # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 11 # FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 12 # version 2 for more details (a copy is included in the LICENSE file that 13 # accompanied this code). 14 # 15 # You should have received a copy of the GNU General Public License version 16 # 2 along with this work; if not, write to the Free Software Foundation, 17 # Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 18 # 19 # Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 20 # or visit www.oracle.com if you need additional information or have any 21 # questions. 22 # 23 24 # @test 25 # @bug 6802846 26 # @summary jarsigner needs enhanced cert validation(options) 27 # 28 # @run shell concise_jarsigner.sh 29 # 30 31 if [ "${TESTJAVA}" = "" ] ; then 32 JAVAC_CMD=`which javac` 33 TESTJAVA=`dirname $JAVAC_CMD`/.. 34 fi 35 36 # set platform-dependent variables 37 OS=`uname -s` 38 case "$OS" in 39 Windows_* ) 40 FS="\\" 41 ;; 42 * ) 43 FS="/" 44 ;; 45 esac 46 47 # Choose 1024-bit RSA to make sure it runs fine and fast on all platforms. In 48 # fact, every keyalg/keysize combination is OK for this test. 49 50 KT="$TESTJAVA${FS}bin${FS}keytool -storepass changeit -keypass changeit -keystore js.jks -keyalg rsa -keysize 1024" 51 JAR=$TESTJAVA${FS}bin${FS}jar 52 JARSIGNER=$TESTJAVA${FS}bin${FS}jarsigner 53 JAVAC=$TESTJAVA${FS}bin${FS}javac 54 55 rm js.jks 56 57 echo class A1 {} > A1.java 58 echo class A2 {} > A2.java 59 echo class A3 {} > A3.java 60 echo class A4 {} > A4.java 61 echo class A5 {} > A5.java 62 echo class A6 {} > A6.java 63 64 $JAVAC ${TESTTOOLVMOPTS} ${TESTJAVACOPTS} A1.java A2.java A3.java A4.java A5.java A6.java 65 YEAR=`date +%Y` 66 67 # ========================================================== 68 # First part: output format 69 # ========================================================== 70 71 $KT -genkeypair -alias a1 -dname CN=a1 -validity 365 72 $KT -genkeypair -alias a2 -dname CN=a2 -validity 365 73 74 # a.jar includes 8 unsigned, 2 signed by a1 and a2, 2 signed by a3 75 $JAR cvf a.jar A1.class A2.class 76 $JARSIGNER -keystore js.jks -storepass changeit a.jar a1 77 $JAR uvf a.jar A3.class A4.class 78 $JARSIGNER -keystore js.jks -storepass changeit a.jar a2 79 $JAR uvf a.jar A5.class A6.class 80 81 # Verify OK 82 $JARSIGNER -verify a.jar 83 [ $? = 0 ] || exit $LINENO 84 85 # 4(chainNotValidated)+16(hasUnsignedEntry) 86 $JARSIGNER -verify a.jar -strict 87 [ $? = 20 ] || exit $LINENO 88 89 # 16(hasUnsignedEntry) 90 $JARSIGNER -verify a.jar -strict -keystore js.jks 91 [ $? = 16 ] || exit $LINENO 92 93 # 16(hasUnsignedEntry)+32(notSignedByAlias) 94 $JARSIGNER -verify a.jar a1 -strict -keystore js.jks 95 [ $? = 48 ] || exit $LINENO 96 97 # 16(hasUnsignedEntry) 98 $JARSIGNER -verify a.jar a1 a2 -strict -keystore js.jks 99 [ $? = 16 ] || exit $LINENO 100 101 # 12 entries all together 102 LINES=`$JARSIGNER -verify a.jar -verbose | grep $YEAR | wc -l` 103 [ $LINES = 12 ] || exit $LINENO 104 105 # 12 entries all listed 106 LINES=`$JARSIGNER -verify a.jar -verbose:grouped | grep $YEAR | wc -l` 107 [ $LINES = 12 ] || exit $LINENO 108 109 # 4 groups: MANIFST, unrelated, signed, unsigned 110 LINES=`$JARSIGNER -verify a.jar -verbose:summary | grep $YEAR | wc -l` 111 [ $LINES = 4 ] || exit $LINENO 112 113 # still 4 groups, but MANIFEST group has no other file 114 LINES=`$JARSIGNER -verify a.jar -verbose:summary | grep "more)" | wc -l` 115 [ $LINES = 3 ] || exit $LINENO 116 117 # 5 groups: MANIFEST, unrelated, signed by a1/a2, signed by a2, unsigned 118 LINES=`$JARSIGNER -verify a.jar -verbose:summary -certs | grep $YEAR | wc -l` 119 [ $LINES = 5 ] || exit $LINENO 120 121 # 2 for MANIFEST, 2*2 for A1/A2, 2 for A3/A4 122 LINES=`$JARSIGNER -verify a.jar -verbose -certs | grep "\[certificate" | wc -l` 123 [ $LINES = 8 ] || exit $LINENO 124 125 # a1,a2 for MANIFEST, a1,a2 for A1/A2, a2 for A3/A4 126 LINES=`$JARSIGNER -verify a.jar -verbose:grouped -certs | grep "\[certificate" | wc -l` 127 [ $LINES = 5 ] || exit $LINENO 128 129 # a1,a2 for MANIFEST, a1,a2 for A1/A2, a2 for A3/A4 130 LINES=`$JARSIGNER -verify a.jar -verbose:summary -certs | grep "\[certificate" | wc -l` 131 [ $LINES = 5 ] || exit $LINENO 132 133 # still 5 groups, but MANIFEST group has no other file 134 LINES=`$JARSIGNER -verify a.jar -verbose:summary -certs | grep "more)" | wc -l` 135 [ $LINES = 4 ] || exit $LINENO 136 137 # ========================================================== 138 # Second part: exit code 2, 4, 8 139 # 16 and 32 already covered in the first part 140 # ========================================================== 141 142 $KT -genkeypair -alias expired -dname CN=expired -startdate -10m 143 $KT -genkeypair -alias notyetvalid -dname CN=notyetvalid -startdate +1m 144 $KT -genkeypair -alias badku -dname CN=badku -ext KU=cRLSign -validity 365 145 $KT -genkeypair -alias badeku -dname CN=badeku -ext EKU=sa -validity 365 146 $KT -genkeypair -alias goodku -dname CN=goodku -ext KU=dig -validity 365 147 $KT -genkeypair -alias goodeku -dname CN=goodeku -ext EKU=codesign -validity 365 148 149 # badchain signed by ca, but ca is removed later 150 $KT -genkeypair -alias badchain -dname CN=badchain -validity 365 151 $KT -genkeypair -alias ca -dname CN=ca -ext bc -validity 365 152 $KT -certreq -alias badchain | $KT -gencert -alias ca -validity 365 | \ 153 $KT -importcert -alias badchain 154 $KT -delete -alias ca 155 156 $JARSIGNER -strict -keystore js.jks -storepass changeit a.jar expired 157 [ $? = 4 ] || exit $LINENO 158 159 $JARSIGNER -strict -keystore js.jks -storepass changeit a.jar notyetvalid 160 [ $? = 4 ] || exit $LINENO 161 162 $JARSIGNER -strict -keystore js.jks -storepass changeit a.jar badku 163 [ $? = 8 ] || exit $LINENO 164 165 $JARSIGNER -strict -keystore js.jks -storepass changeit a.jar badeku 166 [ $? = 8 ] || exit $LINENO 167 168 $JARSIGNER -strict -keystore js.jks -storepass changeit a.jar goodku 169 [ $? = 0 ] || exit $LINENO 170 171 $JARSIGNER -strict -keystore js.jks -storepass changeit a.jar goodeku 172 [ $? = 0 ] || exit $LINENO 173 174 $JARSIGNER -strict -keystore js.jks -storepass changeit a.jar badchain 175 [ $? = 4 ] || exit $LINENO 176 177 $JARSIGNER -verify a.jar 178 [ $? = 0 ] || exit $LINENO 179 180 # ========================================================== 181 # Third part: -certchain test 182 # ========================================================== 183 184 # altchain signed by ca2, but ca2 is removed later 185 $KT -genkeypair -alias altchain -dname CN=altchain -validity 365 186 $KT -genkeypair -alias ca2 -dname CN=ca2 -ext bc -validity 365 187 $KT -certreq -alias altchain | $KT -gencert -alias ca2 -validity 365 -rfc > certchain 188 $KT -exportcert -alias ca2 -rfc >> certchain 189 $KT -delete -alias ca2 190 191 # Now altchain is still self-signed 192 $JARSIGNER -strict -keystore js.jks -storepass changeit a.jar altchain 193 [ $? = 0 ] || exit $LINENO 194 195 # If -certchain is used, then it's bad 196 $JARSIGNER -strict -keystore js.jks -storepass changeit -certchain certchain a.jar altchain 197 [ $? = 4 ] || exit $LINENO 198 199 $JARSIGNER -verify a.jar 200 [ $? = 0 ] || exit $LINENO 201 202 echo OK 203 exit 0