/*

 * Copyright (c) 2010, 2019, Oracle and/or its affiliates. All rights reserved.

 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

 *

 * This code is free software; you can redistribute it and/or modify it

 * under the terms of the GNU General Public License version 2 only, as

 * published by the Free Software Foundation.

 *

 * This code is distributed in the hope that it will be useful, but WITHOUT

 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

 * version 2 for more details (a copy is included in the LICENSE file that

 * accompanied this code).

 *

 * You should have received a copy of the GNU General Public License version

 * 2 along with this work; if not, write to the Free Software Foundation,

 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

 *

 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

 * or visit www.oracle.com if you need additional information or have any

 * questions.

 */

/*

 * @test

 * @bug 7004168

 * @summary jarsigner -verify checks for KeyUsage codesigning ext on all certs

 *  instead of just signing cert

 * @library /test/lib

 */

import jdk.test.lib.SecurityTools;

import jdk.test.lib.process.OutputAnalyzer;

import jdk.test.lib.util.JarUtils;

import java.nio.file.Files;

import java.nio.file.Path;

import java.util.List;

public class CheckUsage {

    static OutputAnalyzer keytool(String cmd) throws Exception {

        return SecurityTools.keytool("-keypass changeit -storepass changeit "

                + "-keyalg rsa " + cmd);

    }

    public static void main(String[] args) throws Exception {

        Files.write(Path.of("x"), List.of("x"));

        JarUtils.createJarFile(Path.of("a.jar"), Path.of("."), Path.of("x"));

        // ################### 3 Keystores #######################

        // Keystore js.jks: including CA and Publisher

        // CA contains a non-empty KeyUsage

        keytool("-keystore js.jks -genkeypair -alias ca -dname CN=CA "

                + "-ext KU=kCS -ext bc -validity 365");

        keytool("-keystore js.jks -genkeypair -alias pub -dname CN=Publisher");

        // Publisher contains the correct KeyUsage

        keytool("-keystore js.jks -certreq -alias pub -file pub.req");

        keytool("-keystore js.jks -gencert -alias ca -ext KU=dig -validity 365 "

                + "-infile pub.req -outfile pub.cert");

        keytool("-keystore js.jks -importcert -alias pub -file pub.cert");

        // Keystore trust.jks: including CA only

        keytool("-keystore js.jks -exportcert -alias ca -file ca.cert");

        keytool("-keystore trust.jks -importcert -alias ca -noprompt -file ca.cert");

        // Keystore unrelated.jks: unrelated

        keytool("-keystore unrelated.jks -genkeypair -alias nothing "

                + "-dname CN=Nothing -validity 365");

        // ################### 4 Tests #######################

        // Test 1: Sign should be OK

        SecurityTools.jarsigner("-keystore js.jks -storepass changeit a.jar pub")

                .shouldHaveExitValue(0);

        // Test 2: Verify should be OK

        SecurityTools.jarsigner("-keystore trust.jks -storepass changeit "

                + "-strict -verify a.jar")

                .shouldHaveExitValue(0);

        // Test 3: When no keystore is specified, the error is only

        // "chain invalid"

        SecurityTools.jarsigner("-strict -verify a.jar")

                .shouldHaveExitValue(4);

        // Test 4: When unrelated keystore is specified, the error is

        // "chain invalid" and "not alias in keystore"

        SecurityTools.jarsigner("-keystore unrelated.jks -storepass changeit "

                + "-strict -verify a.jar")

                .shouldHaveExitValue(36);

    }

}