1 /*
2 * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.
8 *
9 * This code is distributed in the hope that it will be useful, but WITHOUT
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * version 2 for more details (a copy is included in the LICENSE file that
13 * accompanied this code).
14 *
15 * You should have received a copy of the GNU General Public License version
16 * 2 along with this work; if not, write to the Free Software Foundation,
17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18 *
19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20 * or visit www.oracle.com if you need additional information or have any
21 * questions.
22 */
23
24 import com.sun.net.httpserver.*;
25 import java.io.ByteArrayOutputStream;
26 import java.io.File;
27 import java.io.IOException;
28 import java.io.InputStream;
29 import java.io.OutputStream;
30 import java.math.BigInteger;
31 import java.net.InetSocketAddress;
32 import java.nio.file.Files;
33 import java.nio.file.Paths;
34 import java.security.KeyStore;
35 import java.security.PrivateKey;
36 import java.security.Signature;
37 import java.security.cert.Certificate;
38 import java.security.cert.X509Certificate;
39 import java.util.ArrayList;
40 import java.util.Arrays;
41 import java.util.Calendar;
42 import java.util.List;
43 import java.util.jar.JarEntry;
44 import java.util.jar.JarFile;
45
46 import jdk.testlibrary.*;
47 import jdk.testlibrary.JarUtils;
48 import sun.security.pkcs.ContentInfo;
49 import sun.security.pkcs.PKCS7;
50 import sun.security.pkcs.PKCS9Attribute;
51 import sun.security.pkcs.SignerInfo;
52 import sun.security.timestamp.TimestampToken;
53 import sun.security.util.DerOutputStream;
54 import sun.security.util.DerValue;
55 import sun.security.util.ObjectIdentifier;
56 import sun.security.x509.AlgorithmId;
57 import sun.security.x509.X500Name;
58
59 /*
60 * @test
61 * @bug 6543842 6543440 6939248 8009636 8024302 8163304
62 * @summary checking response of timestamp
63 * @modules java.base/sun.security.pkcs
64 * java.base/sun.security.timestamp
65 * java.base/sun.security.x509
66 * java.base/sun.security.util
67 * java.base/sun.security.tools.keytool
68 * @library /lib/testlibrary
69 * @run main/timeout=600 TimestampCheck
70 */
71 public class TimestampCheck {
72
73 static final String defaultPolicyId = "2.3.4";
74 static String host = null;
75
76 static class Handler implements HttpHandler, AutoCloseable {
77
78 private final HttpServer httpServer;
79 private final String keystore;
80
81 @Override
82 public void handle(HttpExchange t) throws IOException {
83 int len = 0;
84 for (String h: t.getRequestHeaders().keySet()) {
85 if (h.equalsIgnoreCase("Content-length")) {
86 len = Integer.valueOf(t.getRequestHeaders().get(h).get(0));
87 }
88 }
89 byte[] input = new byte[len];
90 t.getRequestBody().read(input);
91
92 try {
93 String path = t.getRequestURI().getPath().substring(1);
94 byte[] output = sign(input, path);
95 Headers out = t.getResponseHeaders();
96 out.set("Content-Type", "application/timestamp-reply");
97
98 t.sendResponseHeaders(200, output.length);
99 OutputStream os = t.getResponseBody();
100 os.write(output);
101 } catch (Exception e) {
102 e.printStackTrace();
103 t.sendResponseHeaders(500, 0);
104 }
105 t.close();
106 }
107
108 /**
109 * @param input The data to sign
110 * @param path different cases to simulate, impl on URL path
111 * @returns the signed
112 */
113 byte[] sign(byte[] input, String path) throws Exception {
114
115 DerValue value = new DerValue(input);
116 System.err.println("\nIncoming Request\n===================");
117 System.err.println("Version: " + value.data.getInteger());
118 DerValue messageImprint = value.data.getDerValue();
119 AlgorithmId aid = AlgorithmId.parse(
120 messageImprint.data.getDerValue());
121 System.err.println("AlgorithmId: " + aid);
122
123 ObjectIdentifier policyId = new ObjectIdentifier(defaultPolicyId);
124 BigInteger nonce = null;
125 while (value.data.available() > 0) {
126 DerValue v = value.data.getDerValue();
127 if (v.tag == DerValue.tag_Integer) {
128 nonce = v.getBigInteger();
129 System.err.println("nonce: " + nonce);
130 } else if (v.tag == DerValue.tag_Boolean) {
131 System.err.println("certReq: " + v.getBoolean());
132 } else if (v.tag == DerValue.tag_ObjectId) {
133 policyId = v.getOID();
134 System.err.println("PolicyID: " + policyId);
135 }
136 }
137
138 System.err.println("\nResponse\n===================");
139 KeyStore ks = KeyStore.getInstance(
140 new File(keystore), "changeit".toCharArray());
141
142 String alias = "ts";
143 if (path.startsWith("bad") || path.equals("weak")) {
144 alias = "ts" + path;
145 }
146
147 if (path.equals("diffpolicy")) {
148 policyId = new ObjectIdentifier(defaultPolicyId);
149 }
150
151 DerOutputStream statusInfo = new DerOutputStream();
152 statusInfo.putInteger(0);
153
154 AlgorithmId[] algorithms = {aid};
155 Certificate[] chain = ks.getCertificateChain(alias);
156 X509Certificate[] signerCertificateChain;
157 X509Certificate signer = (X509Certificate)chain[0];
158
159 if (path.equals("fullchain")) { // Only case 5 uses full chain
160 signerCertificateChain = new X509Certificate[chain.length];
161 for (int i=0; i<chain.length; i++) {
162 signerCertificateChain[i] = (X509Certificate)chain[i];
163 }
164 } else if (path.equals("nocert")) {
165 signerCertificateChain = new X509Certificate[0];
166 } else {
167 signerCertificateChain = new X509Certificate[1];
168 signerCertificateChain[0] = (X509Certificate)chain[0];
169 }
170
171 DerOutputStream tst = new DerOutputStream();
172
173 tst.putInteger(1);
174 tst.putOID(policyId);
175
176 if (!path.equals("baddigest") && !path.equals("diffalg")) {
177 tst.putDerValue(messageImprint);
178 } else {
179 byte[] data = messageImprint.toByteArray();
180 if (path.equals("diffalg")) {
181 data[6] = (byte)0x01;
182 } else {
183 data[data.length-1] = (byte)0x01;
184 data[data.length-2] = (byte)0x02;
185 data[data.length-3] = (byte)0x03;
186 }
187 tst.write(data);
188 }
189
190 tst.putInteger(1);
191
192 Calendar cal = Calendar.getInstance();
193 tst.putGeneralizedTime(cal.getTime());
194
195 if (path.equals("diffnonce")) {
196 tst.putInteger(1234);
197 } else if (path.equals("nononce")) {
198 // no noce
199 } else {
200 tst.putInteger(nonce);
201 }
202
203 DerOutputStream tstInfo = new DerOutputStream();
204 tstInfo.write(DerValue.tag_Sequence, tst);
205
206 DerOutputStream tstInfo2 = new DerOutputStream();
207 tstInfo2.putOctetString(tstInfo.toByteArray());
208
209 // Always use the same algorithm at timestamp signing
210 // so it is different from the hash algorithm.
211 Signature sig = Signature.getInstance("SHA1withRSA");
212 sig.initSign((PrivateKey)(ks.getKey(
213 alias, "changeit".toCharArray())));
214 sig.update(tstInfo.toByteArray());
215
216 ContentInfo contentInfo = new ContentInfo(new ObjectIdentifier(
217 "1.2.840.113549.1.9.16.1.4"),
218 new DerValue(tstInfo2.toByteArray()));
219
220 System.err.println("Signing...");
221 System.err.println(new X500Name(signer
222 .getIssuerX500Principal().getName()));
223 System.err.println(signer.getSerialNumber());
224
225 SignerInfo signerInfo = new SignerInfo(
226 new X500Name(signer.getIssuerX500Principal().getName()),
227 signer.getSerialNumber(),
228 AlgorithmId.get("SHA-1"), AlgorithmId.get("RSA"), sig.sign());
229
230 SignerInfo[] signerInfos = {signerInfo};
231 PKCS7 p7 = new PKCS7(algorithms, contentInfo,
232 signerCertificateChain, signerInfos);
233 ByteArrayOutputStream p7out = new ByteArrayOutputStream();
234 p7.encodeSignedData(p7out);
235
236 DerOutputStream response = new DerOutputStream();
237 response.write(DerValue.tag_Sequence, statusInfo);
238 response.putDerValue(new DerValue(p7out.toByteArray()));
239
240 DerOutputStream out = new DerOutputStream();
241 out.write(DerValue.tag_Sequence, response);
242
243 return out.toByteArray();
244 }
245
246 private Handler(HttpServer httpServer, String keystore) {
247 this.httpServer = httpServer;
248 this.keystore = keystore;
249 }
250
251 /**
252 * Initialize TSA instance.
253 *
254 * Extended Key Info extension of certificate that is used for
255 * signing TSA responses should contain timeStamping value.
256 */
257 static Handler init(int port, String keystore) throws IOException {
258 HttpServer httpServer = HttpServer.create(
259 new InetSocketAddress(port), 0);
260 Handler tsa = new Handler(httpServer, keystore);
261 httpServer.createContext("/", tsa);
262 return tsa;
263 }
264
265 /**
266 * Start TSA service.
267 */
268 void start() {
269 httpServer.start();
270 }
271
272 /**
273 * Stop TSA service.
274 */
275 void stop() {
276 httpServer.stop(0);
277 }
278
279 /**
280 * Return server port number.
281 */
282 int getPort() {
283 return httpServer.getAddress().getPort();
284 }
285
286 @Override
287 public void close() throws Exception {
288 stop();
289 }
290 }
291
292 public static void main(String[] args) throws Throwable {
293
294 prepare();
295
296 try (Handler tsa = Handler.init(0, "tsks");) {
297 tsa.start();
298 int port = tsa.getPort();
299 host = "http://localhost:" + port + "/";
300
301 if (args.length == 0) { // Run this test
302 sign("none")
303 .shouldContain("is not timestamped")
304 .shouldHaveExitValue(0);
305
306 sign("badku")
307 .shouldHaveExitValue(0);
308 checkBadKU("badku.jar");
309
310 sign("normal")
311 .shouldNotContain("is not timestamped")
312 .shouldHaveExitValue(0);
313
314 sign("nononce")
315 .shouldHaveExitValue(1);
316 sign("diffnonce")
317 .shouldHaveExitValue(1);
318 sign("baddigest")
319 .shouldHaveExitValue(1);
320 sign("diffalg")
321 .shouldHaveExitValue(1);
322 sign("fullchain")
323 .shouldHaveExitValue(0); // Success, 6543440 solved.
324 sign("bad1")
325 .shouldHaveExitValue(1);
326 sign("bad2")
327 .shouldHaveExitValue(1);
328 sign("bad3")
329 .shouldHaveExitValue(1);
330 sign("nocert")
331 .shouldHaveExitValue(1);
332
333 sign("policy", "-tsapolicyid", "1.2.3")
334 .shouldHaveExitValue(0);
335 checkTimestamp("policy.jar", "1.2.3", "SHA-256");
336
337 sign("diffpolicy", "-tsapolicyid", "1.2.3")
338 .shouldHaveExitValue(1);
339
340 sign("tsaalg", "-tsadigestalg", "SHA")
341 .shouldHaveExitValue(0);
342 checkTimestamp("tsaalg.jar", defaultPolicyId, "SHA-1");
343
344 sign("weak", "-digestalg", "MD5",
345 "-sigalg", "MD5withRSA", "-tsadigestalg", "MD5")
346 .shouldHaveExitValue(0)
347 .shouldMatch("MD5.*-digestalg.*risk")
348 .shouldMatch("MD5.*-tsadigestalg.*risk")
349 .shouldMatch("MD5withRSA.*-sigalg.*risk");
350 checkWeak("weak.jar");
351
352 // When .SF or .RSA is missing or invalid
353 checkMissingOrInvalidFiles("normal.jar");
354 } else { // Run as a standalone server
355 System.err.println("Press Enter to quit server");
356 System.in.read();
357 }
358 }
359 }
360
361 private static void checkMissingOrInvalidFiles(String s)
362 throws Throwable {
363 JarUtils.updateJar(s, "1.jar", "-", "META-INF/OLD.SF");
364 verify("1.jar", "-verbose")
365 .shouldHaveExitValue(0)
366 .shouldContain("treated as unsigned")
367 .shouldContain("Missing signature-related file META-INF/OLD.SF");
368 JarUtils.updateJar(s, "2.jar", "-", "META-INF/OLD.RSA");
369 verify("2.jar", "-verbose")
370 .shouldHaveExitValue(0)
371 .shouldContain("treated as unsigned")
372 .shouldContain("Missing block file for signature-related file META-INF/OLD.SF");
373 JarUtils.updateJar(s, "3.jar", "META-INF/OLD.SF");
374 verify("3.jar", "-verbose")
375 .shouldHaveExitValue(0)
376 .shouldContain("treated as unsigned")
377 .shouldContain("Unparsable signature-related file META-INF/OLD.SF");
378 JarUtils.updateJar(s, "4.jar", "META-INF/OLD.RSA");
379 verify("4.jar", "-verbose")
380 .shouldHaveExitValue(0)
381 .shouldContain("treated as unsigned")
382 .shouldContain("Unparsable signature-related file META-INF/OLD.RSA");
383 }
384
385 static OutputAnalyzer jarsigner(List<String> extra)
386 throws Throwable {
387 JDKToolLauncher launcher = JDKToolLauncher.createUsingTestJDK("jarsigner")
388 .addVMArg("-Duser.language=en")
389 .addVMArg("-Duser.country=US")
390 .addToolArg("-keystore")
391 .addToolArg("tsks")
392 .addToolArg("-storepass")
393 .addToolArg("changeit");
394 for (String s : extra) {
395 if (s.startsWith("-J")) {
396 launcher.addVMArg(s.substring(2));
397 } else {
398 launcher.addToolArg(s);
399 }
400 }
401 return ProcessTools.executeCommand(launcher.getCommand());
402 }
403
404 static OutputAnalyzer verify(String file, String... extra)
405 throws Throwable {
406 List<String> args = new ArrayList<>();
407 args.add("-verify");
408 args.add(file);
409 args.addAll(Arrays.asList(extra));
410 return jarsigner(args);
411 }
412
413 static void checkBadKU(String file) throws Throwable {
414 verify(file)
415 .shouldHaveExitValue(0)
416 .shouldContain("treated as unsigned")
417 .shouldContain("re-run jarsigner with debug enabled");
418 verify(file, "-verbose")
419 .shouldHaveExitValue(0)
420 .shouldContain("Signed by")
421 .shouldContain("treated as unsigned")
422 .shouldContain("re-run jarsigner with debug enabled");
423 verify(file, "-J-Djava.security.debug=jar")
424 .shouldHaveExitValue(0)
425 .shouldContain("SignatureException: Key usage restricted")
426 .shouldContain("treated as unsigned")
427 .shouldContain("re-run jarsigner with debug enabled");
428 }
429
430 static void checkWeak(String file) throws Throwable {
431 verify(file)
432 .shouldHaveExitValue(0)
433 .shouldContain("treated as unsigned")
434 .shouldMatch("weak algorithm that is now disabled.")
435 .shouldMatch("Re-run jarsigner with the -verbose option for more details");
436 verify(file, "-verbose")
437 .shouldHaveExitValue(0)
438 .shouldContain("treated as unsigned")
439 .shouldMatch("weak algorithm that is now disabled by")
440 .shouldMatch("Digest algorithm: .*weak")
441 .shouldMatch("Signature algorithm: .*weak")
442 .shouldMatch("Timestamp digest algorithm: .*weak")
443 .shouldNotMatch("Timestamp signature algorithm: .*weak.*weak")
444 .shouldMatch("Timestamp signature algorithm: .*key.*weak");
445 verify(file, "-J-Djava.security.debug=jar")
446 .shouldHaveExitValue(0)
447 .shouldMatch("SignatureException:.*Disabled");
448 }
449
450 static void checkTimestamp(String file, String policyId, String digestAlg)
451 throws Exception {
452 try (JarFile jf = new JarFile(file)) {
453 JarEntry je = jf.getJarEntry("META-INF/OLD.RSA");
454 try (InputStream is = jf.getInputStream(je)) {
455 byte[] content = is.readAllBytes();
456 PKCS7 p7 = new PKCS7(content);
457 SignerInfo[] si = p7.getSignerInfos();
458 if (si == null || si.length == 0) {
459 throw new Exception("Not signed");
460 }
461 PKCS9Attribute p9 = si[0].getUnauthenticatedAttributes()
462 .getAttribute(PKCS9Attribute.SIGNATURE_TIMESTAMP_TOKEN_OID);
463 PKCS7 tsToken = new PKCS7((byte[]) p9.getValue());
464 TimestampToken tt =
465 new TimestampToken(tsToken.getContentInfo().getData());
466 if (!tt.getHashAlgorithm().toString().equals(digestAlg)) {
467 throw new Exception("Digest alg different");
468 }
469 if (!tt.getPolicyID().equals(policyId)) {
470 throw new Exception("policyId different");
471 }
472 }
473 }
474 }
475
476 static int which = 0;
477
478 /**
479 * @param extra more args given to jarsigner
480 */
481 static OutputAnalyzer sign(String path, String... extra)
482 throws Throwable {
483 which++;
484 System.err.println("\n>> Test #" + which + ": " + Arrays.toString(extra));
485 List<String> args = List.of("-J-Djava.security.egd=file:/dev/./urandom",
486 "-debug", "-signedjar", path + ".jar", "old.jar",
487 path.equals("badku") ? "badku" : "old");
488 args = new ArrayList<>(args);
489 if (!path.equals("none") && !path.equals("badku")) {
490 args.add("-tsa");
491 args.add(host + path);
492 }
493 args.addAll(Arrays.asList(extra));
494 return jarsigner(args);
495 }
496
497 static void prepare() throws Exception {
498 jdk.testlibrary.JarUtils.createJar("old.jar", "A");
499 Files.deleteIfExists(Paths.get("tsks"));
500 keytool("-alias ca -genkeypair -ext bc -dname CN=CA");
501 keytool("-alias old -genkeypair -dname CN=old");
502 keytool("-alias badku -genkeypair -dname CN=badku");
503 keytool("-alias ts -genkeypair -dname CN=ts");
504 keytool("-alias tsweak -genkeypair -keysize 512 -dname CN=tsbad1");
505 keytool("-alias tsbad1 -genkeypair -dname CN=tsbad1");
506 keytool("-alias tsbad2 -genkeypair -dname CN=tsbad2");
507 keytool("-alias tsbad3 -genkeypair -dname CN=tsbad3");
508
509 gencert("old");
510 gencert("badku", "-ext ku:critical=keyAgreement");
511 gencert("ts", "-ext eku:critical=ts");
512 gencert("tsweak", "-ext eku:critical=ts");
513 gencert("tsbad1");
514 gencert("tsbad2", "-ext eku=ts");
515 gencert("tsbad3", "-ext eku:critical=cs");
516 }
517
518 static void gencert(String alias, String... extra) throws Exception {
519 keytool("-alias " + alias + " -certreq -file " + alias + ".req");
520 String genCmd = "-gencert -alias ca -infile " +
521 alias + ".req -outfile " + alias + ".cert";
522 for (String s : extra) {
523 genCmd += " " + s;
524 }
525 keytool(genCmd);
526 keytool("-alias " + alias + " -importcert -file " + alias + ".cert");
527 }
528
529 static void keytool(String cmd) throws Exception {
530 cmd = "-keystore tsks -storepass changeit -keypass changeit " +
531 "-keyalg rsa -validity 200 " + cmd;
532 sun.security.tools.keytool.Main.main(cmd.split(" "));
533 }
534 }