8169911: Enhanced tests for jarsigner -verbose -verify after JDK-8163304
Reviewed-by: weijun
--- a/jdk/test/sun/security/tools/jarsigner/TimestampCheck.java Mon Nov 21 17:17:21 2016 -0800
+++ b/jdk/test/sun/security/tools/jarsigner/TimestampCheck.java Mon Nov 21 22:50:22 2016 -0800
@@ -58,7 +58,7 @@
/*
* @test
- * @bug 6543842 6543440 6939248 8009636 8024302 8163304
+ * @bug 6543842 6543440 6939248 8009636 8024302 8163304 8169911
* @summary checking response of timestamp
* @modules java.base/sun.security.pkcs
* java.base/sun.security.timestamp
@@ -349,6 +349,18 @@
.shouldMatch("MD5withRSA.*-sigalg.*risk");
checkWeak("weak.jar");
+ signWithAliasAndTsa("halfWeak", "old.jar", "old", "-digestalg", "MD5")
+ .shouldHaveExitValue(0);
+ checkHalfWeak("halfWeak.jar");
+
+ // sign with DSA key
+ signWithAliasAndTsa("sign1", "old.jar", "dsakey")
+ .shouldHaveExitValue(0);
+ // sign with RSAkeysize < 1024
+ signWithAliasAndTsa("sign2", "sign1.jar", "weakkeysize")
+ .shouldHaveExitValue(0);
+ checkMultiple("sign2.jar");
+
// When .SF or .RSA is missing or invalid
checkMissingOrInvalidFiles("normal.jar");
} else { // Run as a standalone server
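Review bot: The `halfWeak` signing step has no comment saying which half is weak, while the two steps after it are commented. Going by `checkHalfWeak`, only the digest algorithm is expected to be flagged, so a line such as `// weak digest only (-digestalg MD5); signature and timestamp algorithms stay at their defaults` would make the intent readable at the call site. The `sign2` step signs `sign1.jar` rather than `old.jar`, which is what gives the jar two signers for `checkMultiple`; a short comment like `// re-sign sign1.jar so the jar carries both the DSA and the weak-key signer` would make that visible. The enclosing method starts and ends outside this hunk.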
@@ -447,6 +459,37 @@
.shouldMatch("SignatureException:.*Disabled");
}
+ static void checkHalfWeak(String file) throws Throwable {
+ verify(file)
+ .shouldHaveExitValue(0)
+ .shouldContain("treated as unsigned")
+ .shouldMatch("weak algorithm that is now disabled.")
+ .shouldMatch("Re-run jarsigner with the -verbose option for more details");
+ verify(file, "-verbose")
+ .shouldHaveExitValue(0)
+ .shouldContain("treated as unsigned")
+ .shouldMatch("weak algorithm that is now disabled by")
+ .shouldMatch("Digest algorithm: .*weak")
+ .shouldNotMatch("Signature algorithm: .*weak")
+ .shouldNotMatch("Timestamp digest algorithm: .*weak")
+ .shouldNotMatch("Timestamp signature algorithm: .*weak.*weak")
+ .shouldNotMatch("Timestamp signature algorithm: .*key.*weak");
+ }
+
+ static void checkMultiple(String file) throws Throwable {
+ verify(file)
+ .shouldHaveExitValue(0)
+ .shouldContain("jar verified");
+ verify(file, "-verbose", "-certs")
+ .shouldHaveExitValue(0)
+ .shouldContain("jar verified")
+ .shouldMatch("X.509.*CN=dsakey")
+ .shouldNotMatch("X.509.*CN=weakkeysize")
+ .shouldMatch("Signed by .*CN=dsakey")
+ .shouldMatch("Signed by .*CN=weakkeysize")
+ .shouldMatch("Signature algorithm: .*key.*weak");
+ }
+
static void checkTimestamp(String file, String policyId, String digestAlg)
throws Exception {
try (JarFile jf = new JarFile(file)) {
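Review bot: The four `shouldNotMatch` calls in the `-verbose` half of `checkHalfWeak` pass vacuously if jarsigner stops printing those lines or changes their labels, because nothing asserts that the lines are present. For a test whose purpose is to show that only the digest is reported as weak, I would anchor each negative with a positive, e.g. `.shouldMatch("Signature algorithm: ")`, `.shouldMatch("Timestamp digest algorithm: ")` and `.shouldMatch("Timestamp signature algorithm: ")`. The same applies to `.shouldNotMatch("X.509.*CN=weakkeysize")` in `checkMultiple`, and there `.shouldMatch("Signature algorithm: .*key.*weak")` is satisfied by any signer's line, so it does not show that the weak marker belongs to `weakkeysize` rather than `dsakey`. Minor: `"weak algorithm that is now disabled."` is a regex, so the trailing `.` matches any character; `shouldContain` would express the literal.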
@@ -480,11 +523,16 @@
*/
static OutputAnalyzer sign(String path, String... extra)
throws Throwable {
+ String alias = path.equals("badku") ? "badku" : "old";
+ return signWithAliasAndTsa(path, "old.jar", alias, extra);
+ }
+
+ static OutputAnalyzer signWithAliasAndTsa (String path, String jar,
+ String alias, String...extra) throws Throwable {
which++;
System.err.println("\n>> Test #" + which + ": " + Arrays.toString(extra));
List<String> args = List.of("-J-Djava.security.egd=file:/dev/./urandom",
- "-debug", "-signedjar", path + ".jar", "old.jar",
- path.equals("badku") ? "badku" : "old");
+ "-debug", "-signedjar", path + ".jar", jar, alias);
args = new ArrayList<>(args);
if (!path.equals("none") && !path.equals("badku")) {
args.add("-tsa");
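Review bot: `signWithAliasAndTsa` still decides whether to pass `-tsa` from the magic `path` values `none` and `badku`, so despite its name a caller choosing its own alias cannot tell from the signature whether a timestamp will be requested. The Javadoc that ends just above `sign` now describes only the thin wrapper, and the new method has none; it should get a doc comment stating that `path` is the output jar name without `.jar`, that `jar` is the input jar, that `alias` selects the signing key, and that `-tsa` is omitted for the two special `path` values. As a style point, `signWithAliasAndTsa (` and `String...extra` differ from the spacing used in `sign(String path, String... extra)` directly above. The method body continues outside this hunk.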
@@ -499,6 +547,8 @@
Files.deleteIfExists(Paths.get("tsks"));
keytool("-alias ca -genkeypair -ext bc -dname CN=CA");
keytool("-alias old -genkeypair -dname CN=old");
+ keytool("-alias dsakey -genkeypair -keyalg DSA -dname CN=dsakey");
+ keytool("-alias weakkeysize -genkeypair -keysize 512 -dname CN=weakkeysize");
keytool("-alias badku -genkeypair -dname CN=badku");
keytool("-alias ts -genkeypair -dname CN=ts");
keytool("-alias tsweak -genkeypair -keysize 512 -dname CN=tsbad1");
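Review bot: The `weakkeysize` key is generated with `-keysize 512` but no `-keyalg`, while the call site describes it as "RSAkeysize < 1024", so the algorithm under test depends on whatever default the `keytool()` helper supplies outside this hunk. Presumably that default is RSA and `-keyalg DSA` on the `dsakey` line overrides it, but that should be confirmed, since with a different default the weak-key case would be exercising another algorithm's size limit. A comment would record the dependency, e.g. `// weakkeysize: 512-bit key, algorithm comes from the keytool() helper default (expected RSA); deliberately below the 1024-bit limit`. The existing `tsweak` line follows the same pattern and could share the comment.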
@@ -507,6 +557,8 @@
keytool("-alias tsbad3 -genkeypair -dname CN=tsbad3");
gencert("old");
+ gencert("dsakey");
+ gencert("weakkeysize");
gencert("badku", "-ext ku:critical=keyAgreement");
gencert("ts", "-ext eku:critical=ts");
gencert("tsweak", "-ext eku:critical=ts");