# HG changeset patch
# User weijun
# Date 1291603586 -28800
# Node ID 16d2b5e6517a3f94caae8a0284b6889cf4310f49
# Parent ec12e1e6fa20373f5bedec43a9bb8c9f0d833c65
7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert
Reviewed-by: mullan
diff -r ec12e1e6fa20 -r 16d2b5e6517a jdk/src/share/classes/sun/security/tools/JarSigner.java
--- a/jdk/src/share/classes/sun/security/tools/JarSigner.java Mon Dec 06 10:46:18 2010 +0800
+++ b/jdk/src/share/classes/sun/security/tools/JarSigner.java Mon Dec 06 10:46:26 2010 +0800
@@ -658,7 +658,9 @@
boolean inScope = (inStoreOrScope & IN_SCOPE) != 0;
notSignedByAlias |= (inStoreOrScope & NOT_ALIAS) != 0;
- aliasNotInStore |= isSigned && (!inStore && !inScope);
+ if (keystore != null) {
+ aliasNotInStore |= isSigned && (!inStore && !inScope);
+ }
// Only used when -verbose provided
StringBuffer sb = null;
@@ -889,7 +891,7 @@
* Note: no newline character at the end
*/
String printCert(String tab, Certificate c, boolean checkValidityPeriod,
- long now) {
+ long now, boolean checkUsage) {
StringBuilder certStr = new StringBuilder();
String space = rb.getString("SPACE");
@@ -959,24 +961,26 @@
}
certStr.append("]");
- boolean[] bad = new boolean[3];
- checkCertUsage(x509Cert, bad);
- if (bad[0] || bad[1] || bad[2]) {
- String x = "";
- if (bad[0]) {
- x ="KeyUsage";
- }
- if (bad[1]) {
- if (x.length() > 0) x = x + ", ";
- x = x + "ExtendedKeyUsage";
- }
- if (bad[2]) {
- if (x.length() > 0) x = x + ", ";
- x = x + "NetscapeCertType";
- }
- certStr.append("\n").append(tab)
+ if (checkUsage) {
+ boolean[] bad = new boolean[3];
+ checkCertUsage(x509Cert, bad);
+ if (bad[0] || bad[1] || bad[2]) {
+ String x = "";
+ if (bad[0]) {
+ x ="KeyUsage";
+ }
+ if (bad[1]) {
+ if (x.length() > 0) x = x + ", ";
+ x = x + "ExtendedKeyUsage";
+ }
+ if (bad[2]) {
+ if (x.length() > 0) x = x + ", ";
+ x = x + "NetscapeCertType";
+ }
+ certStr.append("\n").append(tab)
.append(MessageFormat.format(rb.getString(
".{0}.extension.does.not.support.code.signing."), x));
+ }
}
}
return certStr.toString();
@@ -1335,7 +1339,7 @@
certUrl);
}
System.out.println(rb.getString("TSA.certificate.") +
- printCert("", tsaCert, false, 0));
+ printCert("", tsaCert, false, 0, false));
}
if (signingMechanism != null) {
System.out.println(
@@ -1544,10 +1548,13 @@
s.append(printTimestamp(tab, timestamp));
s.append('\n');
}
- // display the certificate(s)
+ // display the certificate(s). The first one is end-enity cert and
+ // its KeyUsage should be checked.
+ boolean first = true;
for (Certificate c : certs) {
- s.append(printCert(tab, c, true, now));
+ s.append(printCert(tab, c, true, now, first));
s.append('\n');
+ first = false;
}
try {
CertPath cp = certificateFactory.generateCertPath(certs);
@@ -1847,7 +1854,7 @@
// We don't meant to print anything, the next call
// checks validity and keyUsage etc
- printCert("", certChain[0], true, 0);
+ printCert("", certChain[0], true, 0, true);
try {
CertPath cp = certificateFactory.generateCertPath(Arrays.asList(certChain));
diff -r ec12e1e6fa20 -r 16d2b5e6517a jdk/test/sun/security/tools/jarsigner/checkusage.sh
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/tools/jarsigner/checkusage.sh Mon Dec 06 10:46:26 2010 +0800
@@ -0,0 +1,109 @@
+#
+# Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+
+# @test
+# @bug 7004168
+# @summary jarsigner -verify checks for KeyUsage codesigning ext on all certs
+# instead of just signing cert
+#
+# @run shell checkusage.sh
+#
+
+if [ "${TESTJAVA}" = "" ] ; then
+ JAVAC_CMD=`which javac`
+ TESTJAVA=`dirname $JAVAC_CMD`/..
+fi
+
+# set platform-dependent variables
+OS=`uname -s`
+case "$OS" in
+ Windows_* )
+ FS="\\"
+ ;;
+ * )
+ FS="/"
+ ;;
+esac
+
+KT="$TESTJAVA${FS}bin${FS}keytool -storepass changeit -keypass changeit"
+JAR=$TESTJAVA${FS}bin${FS}jar
+JARSIGNER="$TESTJAVA${FS}bin${FS}jarsigner"
+
+rm js.jks trust.jks unrelated.jks 2> /dev/null
+
+echo x > x
+$JAR cvf a.jar x
+
+################### 3 Keystores #######################
+
+# Keystore js.jks: including CA and Publisher
+# CA contains a non-empty KeyUsage
+$KT -keystore js.jks -genkeypair -alias ca -dname CN=CA -ext KU=kCS -ext bc -validity 365
+$KT -keystore js.jks -genkeypair -alias pub -dname CN=Publisher
+
+# Publisher contains the correct KeyUsage
+$KT -keystore js.jks -certreq -alias pub | \
+ $KT -keystore js.jks -gencert -alias ca -ext KU=dig -validity 365 | \
+ $KT -keystore js.jks -importcert -alias pub
+
+# Keystore trust.jks: including CA only
+$KT -keystore js.jks -exportcert -alias ca | \
+ $KT -keystore trust.jks -importcert -alias ca -noprompt
+
+# Keystore unrelated.jks: unrelated
+$KT -keystore unrelated.jks -genkeypair -alias nothing -dname CN=Nothing -validity 365
+
+
+################### 4 Tests #######################
+
+# Test 1: Sign should be OK
+
+$JARSIGNER -keystore js.jks -storepass changeit a.jar pub
+RESULT=$?
+echo $RESULT
+#[ $RESULT = 0 ] || exit 1
+
+# Test 2: Verify should be OK
+
+$JARSIGNER -keystore trust.jks -strict -verify a.jar
+RESULT=$?
+echo $RESULT
+#[ $RESULT = 0 ] || exit 2
+
+# Test 3: When no keystore is specified, the error is only
+# "chain not validated"
+
+$JARSIGNER -strict -verify a.jar
+RESULT=$?
+echo $RESULT
+#[ $RESULT = 4 ] || exit 3
+
+# Test 4: When unrelated keystore is specified, the error is
+# "chain not validated" and "not alias in keystore"
+
+$JARSIGNER -keystore unrelated.jks -strict -verify a.jar
+RESULT=$?
+echo $RESULT
+#[ $RESULT = 36 ] || exit 4
+
+exit 0
diff -r ec12e1e6fa20 -r 16d2b5e6517a jdk/test/sun/security/tools/jarsigner/concise_jarsigner.sh
--- a/jdk/test/sun/security/tools/jarsigner/concise_jarsigner.sh Mon Dec 06 10:46:18 2010 +0800
+++ b/jdk/test/sun/security/tools/jarsigner/concise_jarsigner.sh Mon Dec 06 10:46:26 2010 +0800
@@ -79,9 +79,9 @@
$JARSIGNER -verify a.jar
[ $? = 0 ] || exit $LINENO
-# 4(chainNotValidated)+16(hasUnsignedEntry)+32(aliasNotInStore)
+# 4(chainNotValidated)+16(hasUnsignedEntry)
$JARSIGNER -verify a.jar -strict
-[ $? = 52 ] || exit $LINENO
+[ $? = 20 ] || exit $LINENO
# 16(hasUnsignedEntry)
$JARSIGNER -verify a.jar -strict -keystore js.jks