dc6d76f518
Reviewed-by: alanb, mullan, xuelei
167 lines
6.7 KiB
Java
167 lines
6.7 KiB
Java
/*
|
|
* Copyright (c) 2015, 2020, Oracle and/or its affiliates. All rights reserved.
|
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
*
|
|
* This code is free software; you can redistribute it and/or modify it
|
|
* under the terms of the GNU General Public License version 2 only, as
|
|
* published by the Free Software Foundation.
|
|
*
|
|
* This code is distributed in the hope that it will be useful, but WITHOUT
|
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
* version 2 for more details (a copy is included in the LICENSE file that
|
|
* accompanied this code).
|
|
*
|
|
* You should have received a copy of the GNU General Public License version
|
|
* 2 along with this work; if not, write to the Free Software Foundation,
|
|
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
*
|
|
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
|
* or visit www.oracle.com if you need additional information or have any
|
|
* questions.
|
|
*/
|
|
|
|
/**
|
|
* @test
|
|
* @bug 8056174 8242260
|
|
* @summary Make sure the jarsigner tool still works after it's modified to
|
|
* be based on JarSigner API
|
|
* @library /test/lib
|
|
* @modules java.base/sun.security.pkcs
|
|
* java.base/sun.security.x509
|
|
*/
|
|
|
|
import com.sun.jarsigner.ContentSigner;
|
|
import com.sun.jarsigner.ContentSignerParameters;
|
|
import jdk.test.lib.Asserts;
|
|
import jdk.test.lib.SecurityTools;
|
|
import jdk.test.lib.util.JarUtils;
|
|
import sun.security.pkcs.PKCS7;
|
|
|
|
import java.io.ByteArrayInputStream;
|
|
import java.io.InputStream;
|
|
import java.nio.file.Files;
|
|
import java.nio.file.Path;
|
|
import java.util.*;
|
|
import java.util.jar.Attributes;
|
|
import java.util.jar.JarEntry;
|
|
import java.util.jar.JarFile;
|
|
import java.util.jar.Manifest;
|
|
|
|
public class Options {
|
|
|
|
public static void main(String[] args) throws Exception {
|
|
|
|
// Help
|
|
boolean lastLineHasAltSigner = false;
|
|
for (String line : SecurityTools.jarsigner("--help").asLines()) {
|
|
if (line.contains("-altsigner")) {
|
|
lastLineHasAltSigner = true;
|
|
} else {
|
|
if (lastLineHasAltSigner) {
|
|
Asserts.assertTrue(line.contains("deprecated and will be removed"));
|
|
}
|
|
lastLineHasAltSigner = false;
|
|
}
|
|
}
|
|
|
|
// Prepares raw file
|
|
Files.write(Path.of("a"), List.of("a"));
|
|
|
|
// Pack
|
|
JarUtils.createJarFile(Path.of("a.jar"), Path.of("."), Path.of("a"));
|
|
|
|
// Prepare a keystore
|
|
SecurityTools.keytool(
|
|
"-keystore jks -storepass changeit -keypass changeit -dname" +
|
|
" CN=A -alias a -genkeypair -keyalg rsa")
|
|
.shouldHaveExitValue(0);
|
|
|
|
// -altsign
|
|
SecurityTools.jarsigner(
|
|
"-debug -signedjar altsign.jar -keystore jks -storepass changeit" +
|
|
" -altsigner Options$X" +
|
|
" -altsignerpath " + System.getProperty("test.classes") +
|
|
" a.jar a")
|
|
.shouldContain("removed in a future release: -altsigner")
|
|
.shouldContain("removed in a future release: -altsignerpath")
|
|
.shouldContain("PKCS7.parse"); // signature not parseable
|
|
// but signing succeeds
|
|
|
|
try (JarFile jf = new JarFile("altsign.jar")) {
|
|
JarEntry je = jf.getJarEntry("META-INF/A.RSA");
|
|
try (InputStream is = jf.getInputStream(je)) {
|
|
if (!Arrays.equals(is.readAllBytes(), "1234".getBytes())) {
|
|
throw new Exception("altsign go wrong");
|
|
}
|
|
}
|
|
}
|
|
|
|
// -altsign with no -altsignerpath
|
|
Files.copy(Path.of(System.getProperty("test.classes"), "Options$X.class"),
|
|
Path.of("Options$X.class"));
|
|
SecurityTools.jarsigner(
|
|
"-debug -signedjar altsign.jar -keystore jks -storepass changeit" +
|
|
" -altsigner Options$X" +
|
|
" a.jar a")
|
|
.shouldContain("removed in a future release: -altsigner")
|
|
.shouldNotContain("removed in a future release: -altsignerpath")
|
|
.shouldContain("PKCS7.parse"); // signature not parseable
|
|
// but signing succeeds
|
|
|
|
// -sigfile, -digestalg, -sigalg, -internalsf, -sectionsonly
|
|
SecurityTools.jarsigner(
|
|
"-debug -signedjar new.jar -keystore jks -storepass changeit" +
|
|
" -sigfile olala -digestalg SHA1 -sigalg SHA224withRSA" +
|
|
" -internalsf -sectionsonly a.jar a")
|
|
.shouldHaveExitValue(0)
|
|
.shouldNotContain("Exception"); // a real success
|
|
|
|
try (JarFile jf = new JarFile("new.jar")) {
|
|
JarEntry je = jf.getJarEntry("META-INF/OLALA.SF");
|
|
Objects.requireNonNull(je); // check -sigfile
|
|
byte[] sf = null; // content of .SF
|
|
try (InputStream is = jf.getInputStream(je)) {
|
|
sf = is.readAllBytes(); // save for later comparison
|
|
Attributes attrs = new Manifest(new ByteArrayInputStream(sf))
|
|
.getMainAttributes();
|
|
// check -digestalg
|
|
if (!attrs.containsKey(new Attributes.Name(
|
|
"SHA1-Digest-Manifest-Main-Attributes"))) {
|
|
throw new Exception("digestalg incorrect");
|
|
}
|
|
// check -sectionsonly
|
|
if (attrs.containsKey(new Attributes.Name(
|
|
"SHA1-Digest-Manifest"))) {
|
|
throw new Exception("SF should not have file digest");
|
|
}
|
|
}
|
|
|
|
je = jf.getJarEntry("META-INF/OLALA.RSA");
|
|
try (InputStream is = jf.getInputStream(je)) {
|
|
PKCS7 p7 = new PKCS7(is.readAllBytes());
|
|
String alg = p7.getSignerInfos()[0]
|
|
.getDigestAlgorithmId().getName();
|
|
if (!alg.equals("SHA-224")) { // check -sigalg
|
|
throw new Exception("PKCS7 signing is using " + alg);
|
|
}
|
|
// check -internalsf
|
|
if (!Arrays.equals(sf, p7.getContentInfo().getData())) {
|
|
throw new Exception("SF not in RSA");
|
|
}
|
|
}
|
|
|
|
}
|
|
|
|
// TSA-related ones are checked in ts.sh
|
|
}
|
|
|
|
public static class X extends ContentSigner {
|
|
@Override
|
|
public byte[] generateSignedData(ContentSignerParameters parameters,
|
|
boolean omitContent, boolean applyTimestamp) {
|
|
return "1234".getBytes();
|
|
}
|
|
}
|
|
}
|