1 /*

     2  * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.

     3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

     4  *

     5  * This code is free software; you can redistribute it and/or modify it

     6  * under the terms of the GNU General Public License version 2 only, as

     7  * published by the Free Software Foundation.

     8  *

     9  * This code is distributed in the hope that it will be useful, but WITHOUT

    10  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

    11  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

    12  * version 2 for more details (a copy is included in the LICENSE file that

    13  * accompanied this code).

    14  *

    15  * You should have received a copy of the GNU General Public License version

    16  * 2 along with this work; if not, write to the Free Software Foundation,

    17  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

    18  *

    19  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

    20  * or visit www.oracle.com if you need additional information or have any

    21  * questions.

    22  */

    23 

    24 import jdk.testlibrary.OutputAnalyzer;

    25 import jdk.testlibrary.ProcessTools;

    26 import jdk.testlibrary.JarUtils;

    27 

    28 /**

    29  * @test

    30  * @bug 8024302 8026037

    31  * @summary Checks if jarsigner prints appropriate warnings

    32  * @library /lib/testlibrary ../

    33  * @run main MultipleWarningsTest

    34  */

    35 public class MultipleWarningsTest extends Test {

    36 

    37     /**

    38      * The test signs and verifies a jar that:

    39      *   - contains entries whose signer certificate has expired

    40      *   - contains entries whose signer certificate's ExtendedKeyUsage

    41      *     extension doesn't allow code signing

    42      *   - contains unsigned entries which have not been integrity-checked

    43      *   - contains signed entries which are not signed by the specified alias

    44      * Warning messages are expected.

    45      */

    46     public static void main(String[] args) throws Throwable {

    47         MultipleWarningsTest test = new MultipleWarningsTest();

    48         test.start();

    49     }

    50 

    51     private void start() throws Throwable {

    52         Utils.createFiles(FIRST_FILE, SECOND_FILE);

    53 

    54         // create a jar file that contains one class file

    55         JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);

    56 

    57         // create first expired certificate

    58         // whose ExtendedKeyUsage extension does not allow code signing

    59         ProcessTools.executeCommand(KEYTOOL,

    60                 "-genkey",

    61                 "-alias", FIRST_KEY_ALIAS,

    62                 "-keyalg", KEY_ALG,

    63                 "-keysize", Integer.toString(KEY_SIZE),

    64                 "-keystore", KEYSTORE,

    65                 "-storepass", PASSWORD,

    66                 "-keypass", PASSWORD,

    67                 "-dname", "CN=First",

    68                 "-ext", "ExtendedkeyUsage=serverAuth",

    69                 "-startdate", "-" + VALIDITY * 2 + "d",

    70                 "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);

    71 

    72         // create second expired certificate

    73         // whose KeyUsage extension does not allow code signing

    74         ProcessTools.executeCommand(KEYTOOL,

    75                 "-genkey",

    76                 "-alias", SECOND_KEY_ALIAS,

    77                 "-keyalg", KEY_ALG,

    78                 "-keysize", Integer.toString(KEY_SIZE),

    79                 "-keystore", KEYSTORE,

    80                 "-storepass", PASSWORD,

    81                 "-keypass", PASSWORD,

    82                 "-dname", "CN=Second",

    83                 "-ext", "ExtendedkeyUsage=serverAuth",

    84                 "-startdate", "-" + VALIDITY * 2 + "d",

    85                 "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);

    86 

    87         // sign jar with first key

    88         OutputAnalyzer analyzer = ProcessTools.executeCommand(JARSIGNER,

    89                 "-keystore", KEYSTORE,

    90                 "-storepass", PASSWORD,

    91                 "-keypass", PASSWORD,

    92                 "-signedjar", SIGNED_JARFILE,

    93                 UNSIGNED_JARFILE,

    94                 FIRST_KEY_ALIAS);

    95 

    96         checkSigning(analyzer, HAS_EXPIRED_CERT_SIGNING_WARNING,

    97                 BAD_EXTENDED_KEY_USAGE_SIGNING_WARNING);

    98 

    99         // add a second class to created jar, so it contains unsigned entry

   100         JarUtils.updateJar(SIGNED_JARFILE, UPDATED_SIGNED_JARFILE, SECOND_FILE);

   101 

   102         // verify jar with second key

   103         analyzer = ProcessTools.executeCommand(JARSIGNER,

   104                 "-verify",

   105                 "-keystore", KEYSTORE,

   106                 "-storepass", PASSWORD,

   107                 "-keypass", PASSWORD,

   108                 UPDATED_SIGNED_JARFILE,

   109                 SECOND_KEY_ALIAS);

   110 

   111         checkVerifying(analyzer, 0, BAD_EXTENDED_KEY_USAGE_VERIFYING_WARNING,

   112                 HAS_EXPIRED_CERT_VERIFYING_WARNING,

   113                 HAS_UNSIGNED_ENTRY_VERIFYING_WARNING,

   114                 NOT_SIGNED_BY_ALIAS_VERIFYING_WARNING);

   115 

   116         // verify jar with second key in strict mode

   117         analyzer = ProcessTools.executeCommand(JARSIGNER,

   118                 "-verify",

   119                 "-strict",

   120                 "-keystore", KEYSTORE,

   121                 "-storepass", PASSWORD,

   122                 "-keypass", PASSWORD,

   123                 UPDATED_SIGNED_JARFILE,

   124                 SECOND_KEY_ALIAS);

   125 

   126         int expectedExitCode = HAS_EXPIRED_CERT_EXIT_CODE

   127                 + BAD_EXTENDED_KEY_USAGE_EXIT_CODE

   128                 + HAS_UNSIGNED_ENTRY_EXIT_CODE

   129                 + NOT_SIGNED_BY_ALIAS_EXIT_CODE;

   130         checkVerifying(analyzer, expectedExitCode,

   131                 BAD_EXTENDED_KEY_USAGE_VERIFYING_WARNING,

   132                 HAS_EXPIRED_CERT_VERIFYING_WARNING,

   133                 HAS_UNSIGNED_ENTRY_VERIFYING_WARNING,

   134                 NOT_SIGNED_BY_ALIAS_VERIFYING_WARNING);

   135 

   136         // verify jar with non-exisiting alias

   137         analyzer = ProcessTools.executeCommand(JARSIGNER,

   138                 "-verify",

   139                 "-keystore", KEYSTORE,

   140                 "-storepass", PASSWORD,

   141                 "-keypass", PASSWORD,

   142                 UPDATED_SIGNED_JARFILE,

   143                 "bogus");

   144 

   145         checkVerifying(analyzer, 0, BAD_EXTENDED_KEY_USAGE_VERIFYING_WARNING,

   146                 HAS_EXPIRED_CERT_VERIFYING_WARNING,

   147                 HAS_UNSIGNED_ENTRY_VERIFYING_WARNING,

   148                 NOT_SIGNED_BY_ALIAS_VERIFYING_WARNING);

   149 

   150         // verify jar with non-exisiting alias in strict mode

   151         analyzer = ProcessTools.executeCommand(JARSIGNER,

   152                 "-verify",

   153                 "-strict",

   154                 "-keystore", KEYSTORE,

   155                 "-storepass", PASSWORD,

   156                 "-keypass", PASSWORD,

   157                 UPDATED_SIGNED_JARFILE,

   158                 "bogus");

   159 

   160         checkVerifying(analyzer, expectedExitCode,

   161                 BAD_EXTENDED_KEY_USAGE_VERIFYING_WARNING,

   162                 HAS_EXPIRED_CERT_VERIFYING_WARNING,

   163                 HAS_UNSIGNED_ENTRY_VERIFYING_WARNING,

   164                 NOT_SIGNED_BY_ALIAS_VERIFYING_WARNING);

   165 

   166         System.out.println("Test passed");

   167     }

   168 

   169 }