Path: blob/master/test/jdk/sun/security/tools/jarsigner/CheckUsage.java
41152 views
/*1* Copyright (c) 2010, 2019, Oracle and/or its affiliates. All rights reserved.2* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.3*4* This code is free software; you can redistribute it and/or modify it5* under the terms of the GNU General Public License version 2 only, as6* published by the Free Software Foundation.7*8* This code is distributed in the hope that it will be useful, but WITHOUT9* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or10* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License11* version 2 for more details (a copy is included in the LICENSE file that12* accompanied this code).13*14* You should have received a copy of the GNU General Public License version15* 2 along with this work; if not, write to the Free Software Foundation,16* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.17*18* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA19* or visit www.oracle.com if you need additional information or have any20* questions.21*/2223/*24* @test25* @bug 700416826* @summary jarsigner -verify checks for KeyUsage codesigning ext on all certs27* instead of just signing cert28* @library /test/lib29*/3031import jdk.test.lib.SecurityTools;32import jdk.test.lib.process.OutputAnalyzer;33import jdk.test.lib.util.JarUtils;3435import java.nio.file.Files;36import java.nio.file.Path;37import java.util.List;3839public class CheckUsage {4041static OutputAnalyzer keytool(String cmd) throws Exception {42return SecurityTools.keytool("-keypass changeit -storepass changeit "43+ "-keyalg rsa " + cmd);44}4546public static void main(String[] args) throws Exception {47Files.write(Path.of("x"), List.of("x"));48JarUtils.createJarFile(Path.of("a.jar"), Path.of("."), Path.of("x"));4950// ################### 3 Keystores #######################5152// Keystore js.jks: including CA and Publisher53// CA contains a non-empty KeyUsage54keytool("-keystore js.jks -genkeypair -alias ca -dname CN=CA "55+ "-ext KU=kCS -ext bc -validity 365");56keytool("-keystore js.jks -genkeypair -alias pub -dname CN=Publisher");5758// Publisher contains the correct KeyUsage59keytool("-keystore js.jks -certreq -alias pub -file pub.req");60keytool("-keystore js.jks -gencert -alias ca -ext KU=dig -validity 365 "61+ "-infile pub.req -outfile pub.cert");62keytool("-keystore js.jks -importcert -alias pub -file pub.cert");6364// Keystore trust.jks: including CA only65keytool("-keystore js.jks -exportcert -alias ca -file ca.cert");66keytool("-keystore trust.jks -importcert -alias ca -noprompt -file ca.cert");6768// Keystore unrelated.jks: unrelated69keytool("-keystore unrelated.jks -genkeypair -alias nothing "70+ "-dname CN=Nothing -validity 365");7172// ################### 4 Tests #######################7374// Test 1: Sign should be OK7576SecurityTools.jarsigner("-keystore js.jks -storepass changeit a.jar pub")77.shouldHaveExitValue(0);7879// Test 2: Verify should be OK8081SecurityTools.jarsigner("-keystore trust.jks -storepass changeit "82+ "-strict -verify a.jar")83.shouldHaveExitValue(0);8485// Test 3: When no keystore is specified, the error is only86// "chain invalid"8788SecurityTools.jarsigner("-strict -verify a.jar")89.shouldHaveExitValue(4);9091// Test 4: When unrelated keystore is specified, the error is92// "chain invalid" and "not alias in keystore"9394SecurityTools.jarsigner("-keystore unrelated.jks -storepass changeit "95+ "-strict -verify a.jar")96.shouldHaveExitValue(36);97}98}99100101