GitHub Repository: PojavLauncherTeam/mobile
Path: blob/master/test/jdk/sun/security/tools/jarsigner/ConciseJarsigner.java
/*
* Copyright (c) 2009, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 6802846 8172529 8227758
* @summary jarsigner needs enhanced cert validation(options)
* @library /test/lib
* @run main/timeout=240 ConciseJarsigner
*/
import jdk.test.lib.Asserts;
import jdk.test.lib.SecurityTools;
import jdk.test.lib.process.OutputAnalyzer;

import java.nio.file.Files;
import java.nio.file.Path;
import java.time.Year;
import java.util.Calendar;
import java.util.List;
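/**
 * Exercises jarsigner's output format and the exit codes it reports with
 * {@code -strict}, using a throwaway keystore {@code ks} that the test
 * builds with keytool in the working directory.
 *
 * <p>Every step shells out to keytool, jar or jarsigner through
 * {@link SecurityTools}; the steps depend on the keystore and jar state left
 * by the previous ones, so their order must not be changed.
 */
public class ConciseJarsigner {

    /**
     * Runs keytool against the test keystore.
     *
     * <p>The fixed options ({@code -storepass changeit -keypass changeit
     * -keystore ks -keyalg rsa -keysize 2048}) are prepended to {@code cmd}.
     * The password is a fixture value for a keystore created by this test,
     * not a real secret.
     *
     * @param cmd the keytool sub-command and its own options
     * @return the analyzer wrapping the keytool process output
     * @throws Exception if the tool cannot be launched
     */
    static OutputAnalyzer kt(String cmd) throws Exception {
        // Choose 2048-bit RSA to make sure it runs fine and fast. In
        // fact, every keyalg/keysize combination is OK for this test.
        return SecurityTools.keytool("-storepass changeit -keypass changeit "
                + "-keystore ks -keyalg rsa -keysize 2048 " + cmd);
    }

    /**
     * Replaces the certificate of {@code owner} with one issued by another
     * keystore entry: certificate request, {@code -gencert}, then import of
     * the reply under the same alias.
     *
     * @param owner alias whose certificate is re-issued
     * @param cmd   options for {@code -gencert}; the callers in this file pass
     *              the issuer alias plus validity or extension options
     * @throws Exception if a keytool invocation cannot be launched
     */
    static void gencert(String owner, String cmd) throws Exception {
        kt("-certreq -alias " + owner + " -file tmp.req");
        kt("-gencert -infile tmp.req -outfile tmp.cert " + cmd);
        kt("-import -alias " + owner + " -file tmp.cert");
    }

    /**
     * Runs jarsigner with {@code -debug} prepended to {@code cmd}.
     *
     * @param cmd the jarsigner options and operands
     * @return the analyzer wrapping the jarsigner process output
     * @throws Exception if the tool cannot be launched
     */
    static OutputAnalyzer js(String cmd) throws Exception {
        return SecurityTools.jarsigner("-debug " + cmd);
    }

    /**
     * Runs jarsigner with {@code verifyArgs} and checks how many output lines
     * contain {@code marker}.
     *
     * @param verifyArgs jarsigner arguments (passed through {@link #js})
     * @param marker     substring that identifies the lines to count
     * @param expected   required number of matching lines
     * @throws Exception if jarsigner cannot be launched or the count differs
     */
    private static void assertLineCount(String verifyArgs, String marker,
            long expected) throws Exception {
        long actual = js(verifyArgs).asLines().stream()
                .filter(line -> line.contains(marker))
                .count();
        // Report the observed count so a failure can be diagnosed from the log.
        Asserts.assertTrue(actual == expected,
                "jarsigner " + verifyArgs + ": expected " + expected
                        + " lines containing \"" + marker + "\", found "
                        + actual);
    }

    public static void main(String[] args) throws Exception {

        // Six one-line payload files, A1..A6, to be packed into a.jar.
        for (int i = 1; i <= 6; i++) {
            Files.write(Path.of("A" + i), List.of("a" + i));
        }

        // The counting checks below recognise per-entry output lines by the
        // current year. Year.now() is always the ISO (Gregorian) year;
        // Calendar.getInstance() follows the default locale and may yield a
        // non-Gregorian calendar with a different year number.
        // NOTE(review): assumes jarsigner prints entry timestamps with a
        // four-digit Gregorian year, which is not visible in this file. The
        // counts would also be off if the year rolled over during the run.
        String year = String.valueOf(Year.now().getValue());

        // ==========================================================
        // First part: output format
        // ==========================================================

        kt("-genkeypair -alias a1 -dname CN=a1 -validity 366");
        kt("-genkeypair -alias a2 -dname CN=a2 -validity 366");

        // a.jar includes 8 unsigned, 2 signed by a1 and a2, 2 signed by a2
        SecurityTools.jar("cvf a.jar A1 A2");
        js("-keystore ks -storepass changeit a.jar a1");
        SecurityTools.jar("uvf a.jar A3 A4");
        js("-keystore ks -storepass changeit a.jar a2");
        SecurityTools.jar("uvf a.jar A5 A6");

        // Verify OK. Without -strict the exit value stays 0 although the jar
        // has unsigned entries and no chain was validated; the next check
        // shows the same jar yields 20 under -strict.
        js("-verify a.jar").shouldHaveExitValue(0);

        // 4(chainNotValidated)+16(hasUnsignedEntry)
        js("-verify a.jar -strict").shouldHaveExitValue(20);

        // 16(hasUnsignedEntry)
        js("-verify a.jar -strict -keystore ks -storepass changeit")
                .shouldHaveExitValue(16);

        // 16(hasUnsignedEntry)+32(notSignedByAlias)
        js("-verify a.jar a1 -strict -keystore ks -storepass changeit")
                .shouldHaveExitValue(48);

        // 16(hasUnsignedEntry)
        js("-verify a.jar a1 a2 -strict -keystore ks -storepass changeit")
                .shouldHaveExitValue(16);

        // 12 entries all together
        assertLineCount("-verify a.jar -verbose", year, 12);

        // 12 entries all listed
        assertLineCount("-verify a.jar -verbose:grouped", year, 12);

        // 4 groups: MANIFEST, unrelated, signed, unsigned
        assertLineCount("-verify a.jar -verbose:summary", year, 4);

        // still 4 groups, but MANIFEST group has no other file
        assertLineCount("-verify a.jar -verbose:summary", "more)", 3);

        // 5 groups: MANIFEST, unrelated, signed by a1/a2, signed by a2, unsigned
        assertLineCount("-verify a.jar -verbose:summary -certs", year, 5);

        // 2 for MANIFEST, 2*2 for A1/A2, 2 for A3/A4
        assertLineCount("-verify a.jar -verbose -certs", "[certificate", 8);

        // a1,a2 for MANIFEST, a1,a2 for A1/A2, a2 for A3/A4
        assertLineCount("-verify a.jar -verbose:grouped -certs",
                "[certificate", 5);

        // a1,a2 for MANIFEST, a1,a2 for A1/A2, a2 for A3/A4
        assertLineCount("-verify a.jar -verbose:summary -certs",
                "[certificate", 5);

        // still 5 groups, but MANIFEST group has no other file
        assertLineCount("-verify a.jar -verbose:summary -certs", "more)", 4);

        // ==========================================================
        // Second part: exit code 2, 4, 8.
        // 16 and 32 already covered in the first part
        // (the assertions visible below expect 4, 8 and 0)
        // ==========================================================

        kt("-genkeypair -alias ca -dname CN=ca -ext bc -validity 365");
        kt("-genkeypair -alias expired -dname CN=expired");
        gencert("expired", "-alias ca -startdate -10m");
        kt("-genkeypair -alias notyetvalid -dname CN=notyetvalid");
        gencert("notyetvalid", "-alias ca -startdate +1m");
        kt("-genkeypair -alias badku -dname CN=badku");
        gencert("badku", "-alias ca -ext KU=cRLSign -validity 365");
        kt("-genkeypair -alias badeku -dname CN=badeku");
        gencert("badeku", "-alias ca -ext EKU=sa -validity 365");
        kt("-genkeypair -alias goodku -dname CN=goodku");
        gencert("goodku", "-alias ca -ext KU=dig -validity 365");
        kt("-genkeypair -alias goodeku -dname CN=goodeku");
        gencert("goodeku", "-alias ca -ext EKU=codesign -validity 365");

        // Signing with a certificate outside its validity period: 4
        js("-strict -keystore ks -storepass changeit a.jar expired")
                .shouldHaveExitValue(4);

        js("-strict -keystore ks -storepass changeit a.jar notyetvalid")
                .shouldHaveExitValue(4);

        // Key usage / extended key usage unsuitable for signing code: 8
        js("-strict -keystore ks -storepass changeit a.jar badku")
                .shouldHaveExitValue(8);

        js("-strict -keystore ks -storepass changeit a.jar badeku")
                .shouldHaveExitValue(8);

        // Suitable key usage / extended key usage: no warning
        js("-strict -keystore ks -storepass changeit a.jar goodku")
                .shouldHaveExitValue(0);

        js("-strict -keystore ks -storepass changeit a.jar goodeku")
                .shouldHaveExitValue(0);

        // badchain signed by ca1, but ca1 is removed later
        kt("-genkeypair -alias badchain -dname CN=badchain -validity 365");
        kt("-genkeypair -alias ca1 -dname CN=ca1 -ext bc -validity 365");
        gencert("badchain", "-alias ca1 -validity 365");

        // save ca1.cert for easy replay
        kt("-exportcert -file ca1.cert -alias ca1");
        kt("-delete -alias ca1");

        // The issuer is no longer in the keystore, so the chain cannot be
        // validated: 4
        js("-strict -keystore ks -storepass changeit a.jar badchain")
                .shouldHaveExitValue(4);

        js("-verify a.jar").shouldHaveExitValue(0);

        // ==========================================================
        // Third part: -certchain test
        // ==========================================================

        // altchain signed by ca2
        kt("-genkeypair -alias altchain -dname CN=altchain -validity 365");
        kt("-genkeypair -alias ca2 -dname CN=ca2 -ext bc -validity 365");
        kt("-certreq -alias altchain -file altchain.req");
        // certchain = altchain's certificate issued by ca2, followed by
        // ca2's own certificate, both in RFC (PEM) form.
        Files.write(Path.of("certchain"), List.of(
                kt("-gencert -alias ca2 -validity 365 -rfc -infile altchain.req")
                        .getOutput(),
                kt("-exportcert -alias ca2 -rfc").getOutput()));

        // Self-signed cert does not work
        js("-strict -keystore ks -storepass changeit a.jar altchain")
                .shouldHaveExitValue(4);

        // -certchain works
        js("-strict -keystore ks -storepass changeit -certchain certchain "
                + "a.jar altchain")
                .shouldHaveExitValue(0);

        // if ca2 is removed and cert is imported, -certchain won't work
        // because this certificate entry is not trusted
        // save ca2.cert for easy replay
        kt("-exportcert -file ca2.cert -alias ca2");
        kt("-delete -alias ca2");
        kt("-importcert -file certchain -alias altchain -noprompt");
        js("-strict -keystore ks -storepass changeit "
                + "-certchain certchain a.jar altchain")
                .shouldHaveExitValue(4);

        js("-verify a.jar").shouldHaveExitValue(0);

        // ==========================================================
        // 8172529
        // ==========================================================

        kt("-genkeypair -alias ee -dname CN=ee");
        kt("-genkeypair -alias caone -dname CN=caone -ext bc:c");
        kt("-genkeypair -alias catwo -dname CN=catwo -ext bc:c");

        kt("-certreq -alias ee -file ee.req");
        kt("-certreq -alias catwo -file catwo.req");

        // This certchain contains a cross-signed weak catwo.cert
        // (catwo's certificate issued by caone with MD5withRSA).
        Files.write(Path.of("ee2"), List.of(
                kt("-gencert -alias catwo -rfc -infile ee.req").getOutput(),
                kt("-gencert -alias caone -sigalg MD5withRSA -rfc "
                        + "-infile catwo.req").getOutput()));

        kt("-importcert -alias ee -file ee2");

        // Both strict signing and strict verification are expected to
        // report no warning for this chain.
        // NOTE(review): why the MD5withRSA cross-certificate is tolerated is
        // not stated in this file; see bug 8172529.
        SecurityTools.jar("cvf a.jar A1");
        js("-strict -keystore ks -storepass changeit a.jar ee")
                .shouldHaveExitValue(0);
        js("-strict -keystore ks -storepass changeit -verify a.jar")
                .shouldHaveExitValue(0);
    }
}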