/* * Copyright (c) 2010, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ /* * @test * @bug 7004168 * @summary jarsigner -verify checks for KeyUsage codesigning ext on all certs * instead of just signing cert * @library /test/lib */ import jdk.test.lib.SecurityTools; import jdk.test.lib.process.OutputAnalyzer; import jdk.test.lib.util.JarUtils; import java.nio.file.Files; import java.nio.file.Path; import java.util.List; public class CheckUsage { static OutputAnalyzer keytool(String cmd) throws Exception { return SecurityTools.keytool("-keypass changeit -storepass changeit " + "-keyalg rsa " + cmd); } public static void main(String[] args) throws Exception { Files.write(Path.of("x"), List.of("x")); JarUtils.createJarFile(Path.of("a.jar"), Path.of("."), Path.of("x")); // ################### 3 Keystores ####################### // Keystore js.jks: including CA and Publisher // CA contains a non-empty KeyUsage keytool("-keystore js.jks -genkeypair -alias ca -dname CN=CA " + "-ext KU=kCS -ext bc -validity 365"); keytool("-keystore js.jks -genkeypair -alias pub -dname CN=Publisher"); // Publisher contains the correct KeyUsage keytool("-keystore js.jks -certreq -alias pub -file pub.req"); keytool("-keystore js.jks -gencert -alias ca -ext KU=dig -validity 365 " + "-infile pub.req -outfile pub.cert"); keytool("-keystore js.jks -importcert -alias pub -file pub.cert"); // Keystore trust.jks: including CA only keytool("-keystore js.jks -exportcert -alias ca -file ca.cert"); keytool("-keystore trust.jks -importcert -alias ca -noprompt -file ca.cert"); // Keystore unrelated.jks: unrelated keytool("-keystore unrelated.jks -genkeypair -alias nothing " + "-dname CN=Nothing -validity 365"); // ################### 4 Tests ####################### // Test 1: Sign should be OK SecurityTools.jarsigner("-keystore js.jks -storepass changeit a.jar pub") .shouldHaveExitValue(0); // Test 2: Verify should be OK SecurityTools.jarsigner("-keystore trust.jks -storepass changeit " + "-strict -verify a.jar") .shouldHaveExitValue(0); // Test 3: When no keystore is specified, the error is only // "chain invalid" SecurityTools.jarsigner("-strict -verify a.jar") .shouldHaveExitValue(4); // Test 4: When unrelated keystore is specified, the error is // "chain invalid" and "not alias in keystore" SecurityTools.jarsigner("-keystore unrelated.jks -storepass changeit " + "-strict -verify a.jar") .shouldHaveExitValue(36); } }