100 lines
3.7 KiB
Java
100 lines
3.7 KiB
Java
/*
|
|
* Copyright (c) 2010, 2019, Oracle and/or its affiliates. All rights reserved.
|
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
*
|
|
* This code is free software; you can redistribute it and/or modify it
|
|
* under the terms of the GNU General Public License version 2 only, as
|
|
* published by the Free Software Foundation.
|
|
*
|
|
* This code is distributed in the hope that it will be useful, but WITHOUT
|
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
* version 2 for more details (a copy is included in the LICENSE file that
|
|
* accompanied this code).
|
|
*
|
|
* You should have received a copy of the GNU General Public License version
|
|
* 2 along with this work; if not, write to the Free Software Foundation,
|
|
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
*
|
|
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
|
* or visit www.oracle.com if you need additional information or have any
|
|
* questions.
|
|
*/
|
|
|
|
/*
|
|
* @test
|
|
* @bug 7004168
|
|
* @summary jarsigner -verify checks for KeyUsage codesigning ext on all certs
|
|
* instead of just signing cert
|
|
* @library /test/lib
|
|
*/
|
|
|
|
import jdk.test.lib.SecurityTools;
|
|
import jdk.test.lib.process.OutputAnalyzer;
|
|
import jdk.test.lib.util.JarUtils;
|
|
|
|
import java.nio.file.Files;
|
|
import java.nio.file.Path;
|
|
import java.util.List;
|
|
|
|
public class CheckUsage {
|
|
|
|
static OutputAnalyzer keytool(String cmd) throws Exception {
|
|
return SecurityTools.keytool("-keypass changeit -storepass changeit "
|
|
+ "-keyalg rsa " + cmd);
|
|
}
|
|
|
|
public static void main(String[] args) throws Exception {
|
|
Files.write(Path.of("x"), List.of("x"));
|
|
JarUtils.createJarFile(Path.of("a.jar"), Path.of("."), Path.of("x"));
|
|
|
|
// ################### 3 Keystores #######################
|
|
|
|
// Keystore js.jks: including CA and Publisher
|
|
// CA contains a non-empty KeyUsage
|
|
keytool("-keystore js.jks -genkeypair -alias ca -dname CN=CA "
|
|
+ "-ext KU=kCS -ext bc -validity 365");
|
|
keytool("-keystore js.jks -genkeypair -alias pub -dname CN=Publisher");
|
|
|
|
// Publisher contains the correct KeyUsage
|
|
keytool("-keystore js.jks -certreq -alias pub -file pub.req");
|
|
keytool("-keystore js.jks -gencert -alias ca -ext KU=dig -validity 365 "
|
|
+ "-infile pub.req -outfile pub.cert");
|
|
keytool("-keystore js.jks -importcert -alias pub -file pub.cert");
|
|
|
|
// Keystore trust.jks: including CA only
|
|
keytool("-keystore js.jks -exportcert -alias ca -file ca.cert");
|
|
keytool("-keystore trust.jks -importcert -alias ca -noprompt -file ca.cert");
|
|
|
|
// Keystore unrelated.jks: unrelated
|
|
keytool("-keystore unrelated.jks -genkeypair -alias nothing "
|
|
+ "-dname CN=Nothing -validity 365");
|
|
|
|
// ################### 4 Tests #######################
|
|
|
|
// Test 1: Sign should be OK
|
|
|
|
SecurityTools.jarsigner("-keystore js.jks -storepass changeit a.jar pub")
|
|
.shouldHaveExitValue(0);
|
|
|
|
// Test 2: Verify should be OK
|
|
|
|
SecurityTools.jarsigner("-keystore trust.jks -storepass changeit "
|
|
+ "-strict -verify a.jar")
|
|
.shouldHaveExitValue(0);
|
|
|
|
// Test 3: When no keystore is specified, the error is only
|
|
// "chain invalid"
|
|
|
|
SecurityTools.jarsigner("-strict -verify a.jar")
|
|
.shouldHaveExitValue(4);
|
|
|
|
// Test 4: When unrelated keystore is specified, the error is
|
|
// "chain invalid" and "not alias in keystore"
|
|
|
|
SecurityTools.jarsigner("-keystore unrelated.jks -storepass changeit "
|
|
+ "-strict -verify a.jar")
|
|
.shouldHaveExitValue(36);
|
|
}
|
|
}
|