GitHub Repository: PojavLauncherTeam/mobile
Path: blob/master/test/jdk/sun/security/tools/keytool/GenerateAll.java
/*
* Copyright (c) 2020, 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 8242184 8242068
* @summary keytool and jarsigner for all algorithms
* @library /test/lib
* @modules java.base/sun.security.util
* @run testng/timeout=300 GenerateAll
*/
import jdk.test.lib.SecurityTools;
import jdk.test.lib.process.OutputAnalyzer;
import jdk.test.lib.security.DerUtils;
import jdk.test.lib.util.JarUtils;
import org.testng.annotations.AfterTest;
import org.testng.annotations.BeforeTest;
import org.testng.annotations.DataProvider;
import org.testng.annotations.Test;
import static org.testng.Assert.*;

import static sun.security.util.KnownOIDs.*;

import sun.security.util.KnownOIDs;
import sun.security.util.ObjectIdentifier;
import sun.security.util.SignatureUtil;

import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.Base64;
import java.util.Locale;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.stream.Collectors;
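/**
 * Runs keytool and jarsigner over a set of key and signature algorithms and
 * checks that the algorithm identifiers written into the resulting
 * certificates, certificate requests, CRLs and PKCS7 signature blocks are the
 * expected ones.
 *
 * <p>All artifacts (keystores {@code ks} and {@code ca}, {@code a.jar} and the
 * per-alias {@code .self}/{@code .req}/{@code .crt}/{@code .crl} files) are
 * created by relative path, i.e. in the working directory of the test.
 */
public class GenerateAll {

    // Password of the throwaway keystores created by this test. It is passed
    // on the tool command line and is only a fixture for these scratch stores.
    private static final String STORE_PASS = "changeit";

    // Options prepended to every keytool/jarsigner invocation made through
    // kt0() and js().
    private static final String COMMON_OPTS =
            "-keystore ks -storepass " + STORE_PASS + " ";

    /**
     * Creates the CA keystore, trusts the CA certificate in the user keystore
     * and builds the JAR that the signing tests operate on.
     */
    @BeforeTest
    public void beforeTest() throws Exception {
        // Create a CA in a separate keystore.
        // NOTE(review): kt() already prepends "-keystore ks"; the explicit
        // "-keystore ca" later in the argument string presumably takes
        // precedence -- confirm against keytool's option parsing.
        kt("-genkeypair -alias ca -dname CN=CA -keyalg ec -ext bc -keystore ca");
        kt("-export -alias ca -file ca.crt -rfc -keystore ca");

        // Import CA cert to user keystore so we can import reply later
        kt("-import -alias root -file ca.crt -noprompt");

        JarUtils.createJarFile(Path.of("a.jar"), Path.of("."), Path.of("ks"));
    }

    /**
     * Supplies {keyAlg, sigAlg, expected} rows for {@link #eddsaTest}.
     * A {@code null} sigAlg means no -sigalg option is passed; a {@code null}
     * expected value means key pair generation must fail (the rows that pair
     * an Ed25519 key with ed448, or an Ed448 key with ed25519, and "eddsa"
     * with ed448).
     */
    @DataProvider(name = "eddsa")
    public Object[][] eddsaData() {
        return new Object[][]{
                {"eddsa", null, Ed25519},
                {"eddsa", "eddsa", Ed25519},
                {"eddsa", "ed25519", Ed25519},
                {"eddsa", "ed448", null},
                {"ed25519", null, Ed25519},
                {"ed25519", "eddsa", Ed25519},
                {"ed25519", "ed25519", Ed25519},
                {"ed25519", "ed448", null},
                {"ed448", null, Ed448},
                {"ed448", "eddsa", Ed448},
                {"ed448", "ed25519", null},
                {"ed448", "ed448", Ed448},
        };
    }

    /**
     * Test various names of EdDSA
     * @param keyAlg keytool -keyalg
     * @param sigAlg (optional) keytool -sigalg
     * @param expected expected algorithm of generated signature, or
     *                 {@code null} if keytool is expected to fail
     */
    @Test(dataProvider = "eddsa")
    public void eddsaTest(String keyAlg, String sigAlg, KnownOIDs expected)
            throws Exception {
        // With a null sigAlg the alias ends in the literal text "null";
        // it only has to be unique per data row.
        String alias = keyAlg + "-" + sigAlg;
        String sigOpt = sigAlg == null ? "" : (" -sigalg " + sigAlg);

        // kt0() does not assert the exit value, so both outcomes can be checked.
        OutputAnalyzer oa = kt0("-genkeypair -alias " + alias
                + " -dname CN=" + alias + " -keyalg " + keyAlg + sigOpt);

        if (expected == null) {
            oa.shouldNotHaveExitValue(0);
            return;
        }

        oa.shouldHaveExitValue(0);
        // Exported without -rfc, so the file is read as raw bytes rather than
        // through read(), which expects Base64 text.
        kt("-alias " + alias + " -export -file " + alias + ".crt");
        byte[] crt = Files.readAllBytes(Path.of(alias + ".crt"));
        DerUtils.checkAlg(crt, "020", expected);  // tbsCertificate.signature
        DerUtils.checkAlg(crt, "0600", expected); // tbsCertificate.subjectPublicKeyInfo.algorithm
        DerUtils.checkAlg(crt, "10", expected);   // signatureAlgorithm
    }

    /**
     * Supplies {alias, keyAlg, sigAlg, ext, expDigAlg, expEncAlg} rows for
     * {@link #test}. Note that the EdDSA rows expect the signature block
     * under the "EC" extension.
     */
    @DataProvider(name = "all")
    public Object[][] dataProvider() {
        return new Object[][]{
                {"rsa", "rsa", null, "RSA", SHA_256, SHA256withRSA},
                {"dsa", "dsa", null, "DSA", SHA_256, SHA256withDSA},
                {"r", "rsa", "rsassa-pss", "RSA", SHA_256, RSASSA_PSS},
                {"pss", "rsassa-pss", null, "RSA", SHA_256, RSASSA_PSS},
                {"ec", "ec", null, "EC", SHA_256, SHA256withECDSA},
                {"ed25519", "ed25519", null, "EC", SHA_512, Ed25519},
                {"ed448", "ed448", null, "EC", SHAKE256_LEN, Ed448},
        };
    }

    /**
     * Testing all algorithms.
     *
     * <p>For one alias this generates a key pair, a certificate request, a
     * CA-issued certificate and a CRL, signs {@code a.jar}, and then checks
     * the algorithm identifiers in each produced structure.
     *
     * @param alias alias
     * @param keyAlg keytool -keyalg
     * @param sigAlg (optional) keytool -sigalg
     * @param ext block extension inside signed JAR
     * @param expDigAlg expected digAlg in PKCS7 SignerInfo
     * @param expEncAlg expected encAlg in PKCS7 SignerInfo
     */
    @Test(dataProvider = "all")
    public void test(String alias, String keyAlg, String sigAlg, String ext,
            KnownOIDs expDigAlg, KnownOIDs expEncAlg) throws Throwable {

        char[] pass = STORE_PASS.toCharArray();

        // If no sigAlg, derive automatically
        String extra = sigAlg == null ? "" : (" -sigalg " + sigAlg);

        // gen
        kt("-genkeypair -alias " + alias + " -dname CN=" + alias
                + " -keyalg " + keyAlg + extra);
        kt("-export -alias " + alias + " -rfc -file " + alias + ".self");

        // req
        kt("-certreq -alias " + alias + " -file " + alias + ".req" + extra);
        kt("-printcertreq -file " + alias + ".req");

        // gencert
        kt("-gencert -alias ca -infile " + alias
                + ".req -outfile " + alias + ".crt -rfc -keystore ca");
        kt("-printcert -file " + alias + ".crt");
        kt("-importcert -alias " + alias + " -file " + alias + ".crt");

        // crl
        kt("-gencrl -alias " + alias + " -id 0 -rfc -file "
                + alias + ".crl" + extra);
        kt("-printcrl -file " + alias + ".crl")
                .shouldContain("Verified by " + alias);

        // sign
        js("a.jar " + alias + extra);

        // check data
        KeyStore ks = KeyStore.getInstance(new File("ks"), pass);
        PrivateKey pk = (PrivateKey) ks.getKey(alias, pass);

        // When no -sigalg was given, compare against the default the JDK
        // picks for this private key.
        String effectiveSigAlg = sigAlg != null
                ? sigAlg
                : SignatureUtil.getDefaultSigAlgForKey(pk);

        KnownOIDs sigOID = KnownOIDs.findMatch(effectiveSigAlg);
        KnownOIDs keyOID = KnownOIDs.findMatch(keyAlg);

        byte[] crt = read(alias + ".self");
        DerUtils.checkAlg(crt, "020", sigOID);  // tbsCertificate.signature
        DerUtils.checkAlg(crt, "0600", keyOID); // tbsCertificate.subjectPublicKeyInfo.algorithm
        // The signed (inner) and outer algorithm identifiers must be identical.
        assertEquals(
                DerUtils.innerDerValue(crt, "02"),  // tbsCertificate.signature
                DerUtils.innerDerValue(crt, "1"));  // signatureAlgorithm

        byte[] req = read(alias + ".req");
        DerUtils.checkAlg(req, "10", sigOID);   // signatureAlgorithm
        DerUtils.checkAlg(req, "0200", keyOID); // certificationRequestInfo.subjectPKInfo.algorithm

        byte[] crl = read(alias + ".crl");
        DerUtils.checkAlg(crl, "000", sigOID);  // tbsCertList.signature
        assertEquals(
                DerUtils.innerDerValue(crl, "00"),  // tbsCertList.signature
                DerUtils.innerDerValue(crl, "1"));  // signatureAlgorithm

        try (JarFile jf = new JarFile("a.jar")) {
            // Upper-case with a fixed locale so the expected entry name does
            // not depend on the default locale of the machine running the test.
            String blockName = "META-INF/" + alias.toUpperCase(Locale.ROOT)
                    + "." + ext;
            JarEntry je = jf.getJarEntry(blockName);
            if (je == null) {
                // Fail with the missing name instead of a bare
                // NullPointerException from getInputStream().
                throw new AssertionError(
                        "Signature block not found in a.jar: " + blockName);
            }

            byte[] p7;
            try (var in = jf.getInputStream(je)) {
                p7 = in.readAllBytes();
            }

            // SignerInfo.digestAlgorithm
            DerUtils.checkAlg(p7, "104020", expDigAlg);
            // SignerInfo.signatureAlgorithm
            if (DerUtils.innerDerValue(p7, "10403").isContextSpecific()) {
                // SignerInfo has signedAttributes at 104030
                DerUtils.checkAlg(p7, "104040", expEncAlg);
            } else {
                DerUtils.checkAlg(p7, "104030", expEncAlg);
            }
        }
    }

    /**
     * Verifies {@code a.jar} with jarsigner after the tests have run.
     */
    @AfterTest
    public void afterTest() throws Exception {
        // NOTE(review): only the exit value is asserted here. jarsigner can
        // print verification warnings and still exit 0 unless -strict is
        // given, so such warnings would not fail this step -- confirm that
        // is intended.
        js("-verify a.jar -verbose -certs");
    }

    /**
     * Reads a PEM-style file and returns the decoded bytes.
     *
     * @param f path of the file to read
     * @return the Base64-decoded content of all lines that do not start with
     *         {@code -----}
     * @throws IOException if the file cannot be read
     */
    static byte[] read(String f) throws IOException {
        try (var v = Files.lines(Path.of(f))) {
            // Drop the BEGIN/END marker lines and join the rest, so the basic
            // decoder sees one continuous Base64 string.
            String body = v.filter(s -> !s.startsWith("-----"))
                    .collect(Collectors.joining(""));
            return Base64.getDecoder().decode(body);
        }
    }

    /**
     * Runs keytool against the test keystore and requires exit value 0.
     *
     * @param arg keytool arguments appended after the common options
     * @return the analyzer for the finished process
     */
    static OutputAnalyzer kt(String arg) throws Exception {
        return kt0(arg).shouldHaveExitValue(0);
    }

    /**
     * Runs keytool against the test keystore without checking the exit
     * value, so callers can assert on failures as well.
     *
     * @param arg keytool arguments appended after the common options
     * @return the analyzer for the finished process
     */
    static OutputAnalyzer kt0(String arg) throws Exception {
        return SecurityTools.keytool(COMMON_OPTS + arg);
    }

    /**
     * Runs jarsigner against the test keystore and requires exit value 0.
     *
     * @param arg jarsigner arguments appended after the common options
     * @return the analyzer for the finished process
     */
    static OutputAnalyzer js(String arg) throws Exception {
        return SecurityTools.jarsigner(COMMON_OPTS + arg)
                .shouldHaveExitValue(0);
    }
}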