stan/jdk-24
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

6802846: jarsigner needs enhanced cert validation(options)

Browse Source 
Reviewed-by: xuelei
This commit is contained in:
Weijun Wang 2009-03-27 11:05:45 +08:00
parent ec207ef682
commit 739414c177
4 changed files with 706 additions and 255 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

706
jdk/src/share/classes/sun/security/tools/JarSigner.java
View File

File diff suppressed because it is too large Load Diff

53
jdk/src/share/classes/sun/security/tools/JarSignerResources.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2000-2005 Sun Microsystems, Inc. All Rights Reserved.
* Copyright 2000-2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -54,8 +54,8 @@ public class JarSignerResources extends java.util.ListResourceBundle {
"If keystore is not password protected, then -storepass and -keypass must not be specified"},
{"Usage: jarsigner [options] jar-file alias",
"Usage: jarsigner [options] jar-file alias"},
{" jarsigner -verify [options] jar-file",
" jarsigner -verify [options] jar-file"},
{" jarsigner -verify [options] jar-file [alias...]",
" jarsigner -verify [options] jar-file [alias...]"},
{"[-keystore <url>] keystore location",
"[-keystore <url>] keystore location"},
{"[-storepass <password>] password for keystore integrity",
@ -64,6 +64,8 @@ public class JarSignerResources extends java.util.ListResourceBundle {
"[-storetype <type>] keystore type"},
{"[-keypass <password>] password for private key (if different)",
"[-keypass <password>] password for private key (if different)"},
{"[-certchain <file>] name of alternative certchain file",
"[-certchain <file>] name of alternative certchain file"},
{"[-sigfile <file>] name of .SF/.DSA file",
"[-sigfile <file>] name of .SF/.DSA file"},
{"[-signedjar <file>] name of signed JAR file",
@ -74,8 +76,10 @@ public class JarSignerResources extends java.util.ListResourceBundle {
"[-sigalg <algorithm>] name of signature algorithm"},
{"[-verify] verify a signed JAR file",
"[-verify] verify a signed JAR file"},
{"[-verbose] verbose output when signing/verifying",
"[-verbose] verbose output when signing/verifying"},
{"[-verbose[:suboptions]] verbose output when signing/verifying.",
"[-verbose[:suboptions]] verbose output when signing/verifying."},
{" suboptions can be all, grouped or summary",
" suboptions can be all, grouped or summary"},
{"[-certs] display certificates when verbose and verifying",
"[-certs] display certificates when verbose and verifying"},
{"[-tsa <url>] location of the Timestamping Authority",
@ -98,10 +102,22 @@ public class JarSignerResources extends java.util.ListResourceBundle {
"[-providerClass <class> name of cryptographic service provider's"},
{" [-providerArg <arg>]] ... master class file and constructor argument",
" [-providerArg <arg>]] ... master class file and constructor argument"},
{"[-strict] treat warnings as errors",
"[-strict] treat warnings as errors"},
{"Option lacks argument", "Option lacks argument"},
{"Please type jarsigner -help for usage", "Please type jarsigner -help for usage"},
{"Please specify jarfile name", "Please specify jarfile name"},
{"Please specify alias name", "Please specify alias name"},
{"Only one alias can be specified", "Only one alias can be specified"},
{"This jar contains signed entries which is not signed by the specified alias(es).",
"This jar contains signed entries which is not signed by the specified alias(es)."},
{"This jar contains signed entries that's not signed by alias in this keystore.",
"This jar contains signed entries that's not signed by alias in this keystore."},
{"s", "s"},
{"m", "m"},
{"k", "k"},
{"i", "i"},
{"(and %d more)", "(and %d more)"},
{" s = signature was verified ",
" s = signature was verified "},
{" m = entry is listed in manifest",
@ -110,7 +126,11 @@ public class JarSignerResources extends java.util.ListResourceBundle {
" k = at least one certificate was found in keystore"},
{" i = at least one certificate was found in identity scope",
" i = at least one certificate was found in identity scope"},
{" X = not signed by specified alias(es)",
" X = not signed by specified alias(es)"},
{"no manifest.", "no manifest."},
{"(Signature related entries)","(Signature related entries)"},
{"(Unsigned entries)", "(Unsigned entries)"},
{"jar is unsigned. (signatures missing or not parsable)",
"jar is unsigned. (signatures missing or not parsable)"},
{"jar verified.", "jar verified."},
@ -134,6 +154,12 @@ public class JarSignerResources extends java.util.ListResourceBundle {
"unable to instantiate keystore class: "},
{"Certificate chain not found for: alias. alias must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.",
"Certificate chain not found for: {0}. {1} must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain."},
{"File specified by -certchain does not exist",
"File specified by -certchain does not exist"},
{"Cannot restore certchain from file specified",
"Cannot restore certchain from file specified"},
{"Certificate chain not found in the file specified.",
"Certificate chain not found in the file specified."},
{"found non-X.509 certificate in signer's chain",
"found non-X.509 certificate in signer's chain"},
{"incomplete certificate chain", "incomplete certificate chain"},
@ -149,6 +175,7 @@ public class JarSignerResources extends java.util.ListResourceBundle {
{"certificate is not valid until",
"certificate is not valid until {0}"},
{"certificate will expire on", "certificate will expire on {0}"},
{"[CertPath not validated: ", "[CertPath not validated: "},
{"requesting a signature timestamp",
"requesting a signature timestamp"},
{"TSA location: ", "TSA location: "},
@ -189,14 +216,18 @@ public class JarSignerResources extends java.util.ListResourceBundle {
"The signer certificate's ExtendedKeyUsage extension doesn't allow code signing."},
{"The signer certificate's NetscapeCertType extension doesn't allow code signing.",
"The signer certificate's NetscapeCertType extension doesn't allow code signing."},
{"This jar contains entries whose signer certificate's KeyUsage extension doesn't allow code signing.",
"This jar contains entries whose signer certificate's KeyUsage extension doesn't allow code signing."},
{"This jar contains entries whose signer certificate's ExtendedKeyUsage extension doesn't allow code signing.",
"This jar contains entries whose signer certificate's ExtendedKeyUsage extension doesn't allow code signing."},
{"This jar contains entries whose signer certificate's NetscapeCertType extension doesn't allow code signing.",
"This jar contains entries whose signer certificate's NetscapeCertType extension doesn't allow code signing."},
{"This jar contains entries whose signer certificate's KeyUsage extension doesn't allow code signing.",
"This jar contains entries whose signer certificate's KeyUsage extension doesn't allow code signing."},
{"This jar contains entries whose signer certificate's ExtendedKeyUsage extension doesn't allow code signing.",
"This jar contains entries whose signer certificate's ExtendedKeyUsage extension doesn't allow code signing."},
{"This jar contains entries whose signer certificate's NetscapeCertType extension doesn't allow code signing.",
"This jar contains entries whose signer certificate's NetscapeCertType extension doesn't allow code signing."},
{"[{0} extension does not support code signing]",
"[{0} extension does not support code signing]"},
{"The signer's certificate chain is not validated.",
"The signer's certificate chain is not validated."},
{"This jar contains entries whose certificate chain is not validated.",
"This jar contains entries whose certificate chain is not validated."},
};
/**

2
jdk/src/share/classes/sun/security/tools/KeyTool.java
View File

@ -3108,7 +3108,7 @@ public final class KeyTool {
/**
* Returns the keystore with the configured CA certificates.
*/
private KeyStore getCacertsKeyStore()
public static KeyStore getCacertsKeyStore()
throws Exception
{
String sep = File.separator;

200
jdk/test/sun/security/tools/jarsigner/concise_jarsigner.sh Normal file
View File

@ -0,0 +1,200 @@
#
# Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
# published by the Free Software Foundation.
#
# This code is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# version 2 for more details (a copy is included in the LICENSE file that
# accompanied this code).
#
# You should have received a copy of the GNU General Public License version
# 2 along with this work; if not, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
# CA 95054 USA or visit www.sun.com if you need additional information or
# have any questions.
#
# @test
# @bug 6802846
# @summary jarsigner needs enhanced cert validation(options)
#
# @run shell concise_jarsigner.sh
#
if [ "${TESTJAVA}" = "" ] ; then
JAVAC_CMD=`which javac`
TESTJAVA=`dirname $JAVAC_CMD`/..
fi
# set platform-dependent variables
OS=`uname -s`
case "$OS" in
Windows_* )
FS="\\"
;;
* )
FS="/"
;;
esac
KT="$TESTJAVA${FS}bin${FS}keytool -storepass changeit -keypass changeit -keystore js.jks"
JAR=$TESTJAVA${FS}bin${FS}jar
JARSIGNER=$TESTJAVA${FS}bin${FS}jarsigner
JAVAC=$TESTJAVA${FS}bin${FS}javac
rm js.jks
echo class A1 {} > A1.java
echo class A2 {} > A2.java
echo class A3 {} > A3.java
echo class A4 {} > A4.java
echo class A5 {} > A5.java
echo class A6 {} > A6.java
$JAVAC A1.java A2.java A3.java A4.java A5.java A6.java
YEAR=`date +%Y`
# ==========================================================
# First part: output format
# ==========================================================
$KT -genkeypair -alias a1 -dname CN=a1 -validity 365
$KT -genkeypair -alias a2 -dname CN=a2 -validity 365
# a.jar includes 8 unsigned, 2 signed by a1 and a2, 2 signed by a3
$JAR cvf a.jar A1.class A2.class
$JARSIGNER -keystore js.jks -storepass changeit a.jar a1
$JAR uvf a.jar A3.class A4.class
$JARSIGNER -keystore js.jks -storepass changeit a.jar a2
$JAR uvf a.jar A5.class A6.class
# Verify OK
$JARSIGNER -verify a.jar
[ $? = 0 ] || exit $LINENO
# 4(chainNotValidated)+16(hasUnsignedEntry)+32(aliasNotInStore)
$JARSIGNER -verify a.jar -strict
[ $? = 52 ] || exit $LINENO
# 16(hasUnsignedEntry)
$JARSIGNER -verify a.jar -strict -keystore js.jks
[ $? = 16 ] || exit $LINENO
# 16(hasUnsignedEntry)+32(notSignedByAlias)
$JARSIGNER -verify a.jar a1 -strict -keystore js.jks
[ $? = 48 ] || exit $LINENO
# 16(hasUnsignedEntry)
$JARSIGNER -verify a.jar a1 a2 -strict -keystore js.jks
[ $? = 16 ] || exit $LINENO
# 12 entries all together
LINES=`$JARSIGNER -verify a.jar -verbose | grep $YEAR | wc -l`
[ $LINES = 12 ] || exit $LINENO
# 12 entries all listed
LINES=`$JARSIGNER -verify a.jar -verbose:grouped | grep $YEAR | wc -l`
[ $LINES = 12 ] || exit $LINENO
# 3 groups: unrelated, signed, unsigned
LINES=`$JARSIGNER -verify a.jar -verbose:summary | grep $YEAR | wc -l`
[ $LINES = 3 ] || exit $LINENO
# 4 groups: unrelated, signed by a1/a2, signed by a2, unsigned
LINES=`$JARSIGNER -verify a.jar -verbose:summary -certs | grep $YEAR | wc -l`
[ $LINES = 4 ] || exit $LINENO
# 2*2 for A1/A2, 2 for A3/A4
LINES=`$JARSIGNER -verify a.jar -verbose -certs | grep "\[certificate" | wc -l`
[ $LINES = 6 ] || exit $LINENO
# a1,a2 for A1/A2, a2 for A3/A4
LINES=`$JARSIGNER -verify a.jar -verbose:grouped -certs | grep "\[certificate" | wc -l`
[ $LINES = 3 ] || exit $LINENO
# a1,a2 for A1/A2, a2 for A3/A4
LINES=`$JARSIGNER -verify a.jar -verbose:summary -certs | grep "\[certificate" | wc -l`
[ $LINES = 3 ] || exit $LINENO
# 4 groups
LINES=`$JARSIGNER -verify a.jar -verbose:summary -certs | grep "more)" | wc -l`
[ $LINES = 4 ] || exit $LINENO
# ==========================================================
# Second part: exit code 2, 4, 8
# 16 and 32 already covered in the first part
# ==========================================================
$KT -genkeypair -alias expiring -dname CN=expiring -startdate -1m
$KT -genkeypair -alias expired -dname CN=expired -startdate -10m
$KT -genkeypair -alias notyetvalid -dname CN=notyetvalid -startdate +1m
$KT -genkeypair -alias badku -dname CN=badku -ext KU=cRLSign -validity 365
$KT -genkeypair -alias badeku -dname CN=badeku -ext EKU=sa -validity 365
$KT -genkeypair -alias goodku -dname CN=goodku -ext KU=dig -validity 365
$KT -genkeypair -alias goodeku -dname CN=goodeku -ext EKU=codesign -validity 365
# badchain signed by ca, but ca is removed later
$KT -genkeypair -alias badchain -dname CN=badchain -validity 365
$KT -genkeypair -alias ca -dname CN=ca -ext bc -validity 365
$KT -certreq -alias badchain | $KT -gencert -alias ca -validity 365 | \
$KT -importcert -alias badchain
$KT -delete -alias ca
$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar expiring
[ $? = 2 ] || exit $LINENO
$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar expired
[ $? = 4 ] || exit $LINENO
$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar notyetvalid
[ $? = 4 ] || exit $LINENO
$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar badku
[ $? = 8 ] || exit $LINENO
$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar badeku
[ $? = 8 ] || exit $LINENO
$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar goodku
[ $? = 0 ] || exit $LINENO
$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar goodeku
[ $? = 0 ] || exit $LINENO
$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar badchain
[ $? = 4 ] || exit $LINENO
$JARSIGNER -verify a.jar
[ $? = 0 ] || exit $LINENO
# ==========================================================
# Third part: -certchain test
# ==========================================================
# altchain signed by ca2, but ca2 is removed later
$KT -genkeypair -alias altchain -dname CN=altchain -validity 365
$KT -genkeypair -alias ca2 -dname CN=ca2 -ext bc -validity 365
$KT -certreq -alias altchain | $KT -gencert -alias ca2 -validity 365 -rfc > certchain
$KT -exportcert -alias ca2 -rfc >> certchain
$KT -delete -alias ca2
# Now altchain is still self-signed
$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar altchain
[ $? = 0 ] || exit $LINENO
# If -certchain is used, then it's bad
$JARSIGNER -strict -keystore js.jks -storepass changeit -certchain certchain a.jar altchain
[ $? = 4 ] || exit $LINENO
$JARSIGNER -verify a.jar
[ $? = 0 ] || exit $LINENO
echo OK
exit 0