jdk.testlibrary.JarUtils Java Examples

The following examples show how to use jdk.testlibrary.JarUtils. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
Source File: JavaAgentBuilder.java    From openjdk-jdk8u with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Build a java agent jar file with a given agent class.
 * The agent class will be added as both premain class and agent class.
 *
 * @param agentClass fully qualified name of an agent class
 * @param agentJar   file name of the agent jar to be created
 *                   the file will be placed in a current work directory
 * @throws IOException
 */
public static void build(String agentClass, String agentJar) throws IOException {
    Manifest mf = new Manifest();
    Attributes attrs = mf.getMainAttributes();
    attrs.put(Attributes.Name.MANIFEST_VERSION, "1.0");
    attrs.putValue("Premain-Class", agentClass);
    attrs.putValue("Agent-Class", agentClass);

    Path jarFile = Paths.get(".", agentJar);
    String testClasses = Utils.TEST_CLASSES;
    String agentPath = agentClass.replace(".", File.separator) + ".class";
    Path agentFile = Paths.get(testClasses, agentPath);
    Path dir = Paths.get(testClasses);
    JarUtils.createJarFile(jarFile, mf, dir, agentFile);
    System.out.println("Agent built:" + jarFile.toAbsolutePath());
}
 
Example #2
Source File: TimestampCheck.java    From jdk8u_jdk with GNU General Public License v2.0 6 votes vote down vote up
private static void checkMissingOrInvalidFiles(String s)
        throws Throwable {

    JarUtils.updateJar(s, "1.jar", mapOf("META-INF/SIGNER.SF", Boolean.FALSE));
    verify("1.jar", "-verbose")
            .shouldHaveExitValue(16)
            .shouldContain("treated as unsigned")
            .shouldContain("Missing signature-related file META-INF/SIGNER.SF");
    JarUtils.updateJar(s, "2.jar", mapOf("META-INF/SIGNER.RSA", Boolean.FALSE));
    verify("2.jar", "-verbose")
            .shouldHaveExitValue(16)
            .shouldContain("treated as unsigned")
            .shouldContain("Missing block file for signature-related file META-INF/SIGNER.SF");
    JarUtils.updateJar(s, "3.jar", mapOf("META-INF/SIGNER.SF", "dummy"));
    verify("3.jar", "-verbose")
            .shouldHaveExitValue(16)
            .shouldContain("treated as unsigned")
            .shouldContain("Unparsable signature-related file META-INF/SIGNER.SF");
    JarUtils.updateJar(s, "4.jar", mapOf("META-INF/SIGNER.RSA", "dummy"));
    verify("4.jar", "-verbose")
            .shouldHaveExitValue(16)
            .shouldContain("treated as unsigned")
            .shouldContain("Unparsable signature-related file META-INF/SIGNER.RSA");
}
 
Example #3
Source File: TimestampCheck.java    From openjdk-jdk8u-backup with GNU General Public License v2.0 6 votes vote down vote up
private static void checkMissingOrInvalidFiles(String s)
        throws Throwable {
    JarUtils.updateJar(s, "1.jar", "-", "META-INF/OLD.SF");
    verify("1.jar", "-verbose")
            .shouldHaveExitValue(0)
            .shouldContain("treated as unsigned")
            .shouldContain("Missing signature-related file META-INF/OLD.SF");
    JarUtils.updateJar(s, "2.jar", "-", "META-INF/OLD.RSA");
    verify("2.jar", "-verbose")
            .shouldHaveExitValue(0)
            .shouldContain("treated as unsigned")
            .shouldContain("Missing block file for signature-related file META-INF/OLD.SF");
    JarUtils.updateJar(s, "3.jar", "META-INF/OLD.SF");
    verify("3.jar", "-verbose")
            .shouldHaveExitValue(0)
            .shouldContain("treated as unsigned")
            .shouldContain("Unparsable signature-related file META-INF/OLD.SF");
    JarUtils.updateJar(s, "4.jar", "META-INF/OLD.RSA");
    verify("4.jar", "-verbose")
            .shouldHaveExitValue(0)
            .shouldContain("treated as unsigned")
            .shouldContain("Unparsable signature-related file META-INF/OLD.RSA");
}
 
Example #4
Source File: TimestampCheck.java    From jdk8u-jdk with GNU General Public License v2.0 6 votes vote down vote up
static void prepare() throws Exception {
    jdk.testlibrary.JarUtils.createJar("old.jar", "A");
    Files.deleteIfExists(Paths.get("tsks"));
    keytool("-alias ca -genkeypair -ext bc -dname CN=CA");
    keytool("-alias old -genkeypair -dname CN=old");
    keytool("-alias dsakey -genkeypair -keyalg DSA -dname CN=dsakey");
    keytool("-alias weakkeysize -genkeypair -keysize 512 -dname CN=weakkeysize");
    keytool("-alias badku -genkeypair -dname CN=badku");
    keytool("-alias ts -genkeypair -dname CN=ts");
    keytool("-alias tsweak -genkeypair -keysize 512 -dname CN=tsbad1");
    keytool("-alias tsbad1 -genkeypair -dname CN=tsbad1");
    keytool("-alias tsbad2 -genkeypair -dname CN=tsbad2");
    keytool("-alias tsbad3 -genkeypair -dname CN=tsbad3");

    gencert("old");
    gencert("dsakey");
    gencert("weakkeysize");
    gencert("badku", "-ext ku:critical=keyAgreement");
    gencert("ts", "-ext eku:critical=ts");
    gencert("tsweak", "-ext eku:critical=ts");
    gencert("tsbad1");
    gencert("tsbad2", "-ext eku=ts");
    gencert("tsbad3", "-ext eku:critical=cs");
}
 
Example #5
Source File: TimestampCheck.java    From openjdk-jdk8u with GNU General Public License v2.0 6 votes vote down vote up
private static void checkMissingOrInvalidFiles(String s)
        throws Throwable {

    JarUtils.updateJar(s, "1.jar", mapOf("META-INF/SIGNER.SF", Boolean.FALSE));
    verify("1.jar", "-verbose")
            .shouldHaveExitValue(16)
            .shouldContain("treated as unsigned")
            .shouldContain("Missing signature-related file META-INF/SIGNER.SF");
    JarUtils.updateJar(s, "2.jar", mapOf("META-INF/SIGNER.RSA", Boolean.FALSE));
    verify("2.jar", "-verbose")
            .shouldHaveExitValue(16)
            .shouldContain("treated as unsigned")
            .shouldContain("Missing block file for signature-related file META-INF/SIGNER.SF");
    JarUtils.updateJar(s, "3.jar", mapOf("META-INF/SIGNER.SF", "dummy"));
    verify("3.jar", "-verbose")
            .shouldHaveExitValue(16)
            .shouldContain("treated as unsigned")
            .shouldContain("Unparsable signature-related file META-INF/SIGNER.SF");
    JarUtils.updateJar(s, "4.jar", mapOf("META-INF/SIGNER.RSA", "dummy"));
    verify("4.jar", "-verbose")
            .shouldHaveExitValue(16)
            .shouldContain("treated as unsigned")
            .shouldContain("Unparsable signature-related file META-INF/SIGNER.RSA");
}
 
Example #6
Source File: TimestampCheck.java    From jdk8u-jdk with GNU General Public License v2.0 6 votes vote down vote up
private static void checkMissingOrInvalidFiles(String s)
        throws Throwable {
    JarUtils.updateJar(s, "1.jar", "-", "META-INF/OLD.SF");
    verify("1.jar", "-verbose")
            .shouldHaveExitValue(0)
            .shouldContain("treated as unsigned")
            .shouldContain("Missing signature-related file META-INF/OLD.SF");
    JarUtils.updateJar(s, "2.jar", "-", "META-INF/OLD.RSA");
    verify("2.jar", "-verbose")
            .shouldHaveExitValue(0)
            .shouldContain("treated as unsigned")
            .shouldContain("Missing block file for signature-related file META-INF/OLD.SF");
    JarUtils.updateJar(s, "3.jar", "META-INF/OLD.SF");
    verify("3.jar", "-verbose")
            .shouldHaveExitValue(0)
            .shouldContain("treated as unsigned")
            .shouldContain("Unparsable signature-related file META-INF/OLD.SF");
    JarUtils.updateJar(s, "4.jar", "META-INF/OLD.RSA");
    verify("4.jar", "-verbose")
            .shouldHaveExitValue(0)
            .shouldContain("treated as unsigned")
            .shouldContain("Unparsable signature-related file META-INF/OLD.RSA");
}
 
Example #7
Source File: TimestampCheck.java    From openjdk-jdk9 with GNU General Public License v2.0 6 votes vote down vote up
static void prepare() throws Exception {
    jdk.testlibrary.JarUtils.createJar("old.jar", "A");
    Files.deleteIfExists(Paths.get("tsks"));
    keytool("-alias ca -genkeypair -ext bc -dname CN=CA");
    keytool("-alias old -genkeypair -dname CN=old");
    keytool("-alias dsakey -genkeypair -keyalg DSA -dname CN=dsakey");
    keytool("-alias weakkeysize -genkeypair -keysize 512 -dname CN=weakkeysize");
    keytool("-alias badku -genkeypair -dname CN=badku");
    keytool("-alias ts -genkeypair -dname CN=ts");
    keytool("-alias tsweak -genkeypair -keysize 512 -dname CN=tsbad1");
    keytool("-alias tsbad1 -genkeypair -dname CN=tsbad1");
    keytool("-alias tsbad2 -genkeypair -dname CN=tsbad2");
    keytool("-alias tsbad3 -genkeypair -dname CN=tsbad3");

    gencert("old");
    gencert("dsakey");
    gencert("weakkeysize");
    gencert("badku", "-ext ku:critical=keyAgreement");
    gencert("ts", "-ext eku:critical=ts");
    gencert("tsweak", "-ext eku:critical=ts");
    gencert("tsbad1");
    gencert("tsbad2", "-ext eku=ts");
    gencert("tsbad3", "-ext eku:critical=cs");
}
 
Example #8
Source File: ReadJar.java    From openjdk-jdk9 with GNU General Public License v2.0 5 votes vote down vote up
private static void testWithMD5() throws Throwable {
    // create jar files
    JarUtils.createJar("test_md5.jar", "test");
    JarUtils.createJar("test_rsa.jar", "test");

    // create a keystore and generate keys for jar signing
    Files.deleteIfExists(Paths.get("keystore"));

    OutputAnalyzer out = SecurityTools.keytool("-genkeypair "
            + "-keystore keystore -storepass password "
            + "-keypass password -keyalg rsa -alias rsa_alias -dname CN=A");
    System.out.println(out.getOutput());
    out.shouldHaveExitValue(0);

    out = SecurityTools.jarsigner("-keystore keystore -storepass password "
            + "test_rsa.jar rsa_alias");
    System.out.println(out.getOutput());
    out.shouldHaveExitValue(0);

    printCert("test_rsa.jar");

    out = SecurityTools.jarsigner("-keystore keystore -storepass password "
            + "-sigalg MD5withRSA -digestalg MD5 test_md5.jar rsa_alias");
    System.out.println(out.getOutput());
    out.shouldHaveExitValue(0);

    printCert("test_md5.jar");
}
 
Example #9
Source File: JarClassPathFileEntry.java    From jdk8u_jdk with GNU General Public License v2.0 5 votes vote down vote up
public static void main(String[] args) throws Throwable {
    // Create Other.class in OTHER_DIR, off the default classpath
    byte klassbuf[] = InMemoryJavaCompiler.compile("Other",
                                                   "public class Other {}");
    ClassFileInstaller.writeClassToDisk("Other", klassbuf, OTHER_DIR);

    // Create Other.jar in OTHER_DIR
    JarUtils.createJarFile(OTHER_JAR_PATH,
                           Paths.get(OTHER_DIR),
                           Paths.get(OTHER_DIR, "Other.class"));

    // Create Context.class
    klassbuf = InMemoryJavaCompiler.compile("Context",
                                            "public class Context {}");
    ClassFileInstaller.writeClassToDisk("Context", klassbuf, TEST_CLASSES);

    // Create Context.jar w/ "file:" entry for Other.jar
    Manifest mf = new Manifest();
    Attributes attrs = mf.getMainAttributes();
    attrs.put(Attributes.Name.MANIFEST_VERSION, "1.0");

    String classPathEntry = "file:" + (IS_WINDOWS ? toUnixPath(OTHER_JAR_PATH.toString())
                                                  :            OTHER_JAR_PATH.toString());
    attrs.put(Attributes.Name.CLASS_PATH, classPathEntry);

    System.out.println("Creating Context.jar with Class-Path: " + classPathEntry);
    JarUtils.createJarFile(CONTEXT_JAR_PATH, mf,
                           Paths.get(TEST_CLASSES),
                           Paths.get(TEST_CLASSES, "Context.class"));

    // Use URLClassLoader w/ Context.jar to load Other.class, which will
    // load via the Class-Path entry
    URL url = CONTEXT_JAR_PATH.toUri().toURL();
    URLClassLoader ucl = new URLClassLoader(new URL[]{ url },
                                            null); // don't delegate to App CL
    Class<?> otherClass = Class.forName("Other", true, ucl); // ClassNotFoundException -> fail
    System.out.println("Loaded: " + otherClass);
}
 
Example #10
Source File: TimestampCheck.java    From TencentKona-8 with GNU General Public License v2.0 5 votes vote down vote up
private static void checkInvalidTsaCertKeyUsage() throws Exception {

        // Hack: Rewrite the TSA cert inside normal.jar into ts2.jar.

        // Both the cert and the serial number must be rewritten.
        byte[] tsCert = Files.readAllBytes(Paths.get("ts.cert"));
        byte[] ts2Cert = Files.readAllBytes(Paths.get("ts2.cert"));
        byte[] tsSerial = getCert(tsCert)
                .getSerialNumber().toByteArray();
        byte[] ts2Serial = getCert(ts2Cert)
                .getSerialNumber().toByteArray();

        byte[] oldBlock;
        try (JarFile normal = new JarFile("normal.jar")) {
            oldBlock = Utils.readAllBytes(normal.getInputStream(
                    normal.getJarEntry("META-INF/SIGNER.RSA")));
        }

        JarUtils.updateJar("normal.jar", "ts2.jar",
                mapOf("META-INF/SIGNER.RSA",
                        updateBytes(updateBytes(oldBlock, tsCert, ts2Cert),
                                tsSerial, ts2Serial)));

        verify("ts2.jar", "-verbose", "-certs")
                .shouldHaveExitValue(64)
                .shouldContain("jar verified")
                .shouldContain("Invalid TSA certificate chain: Extended key usage does not permit use for TSA server");
    }
 
Example #11
Source File: TimestampCheck.java    From openjdk-jdk8u with GNU General Public License v2.0 5 votes vote down vote up
private static void checkInvalidTsaCertKeyUsage() throws Exception {

        // Hack: Rewrite the TSA cert inside normal.jar into ts2.jar.

        // Both the cert and the serial number must be rewritten.
        byte[] tsCert = Files.readAllBytes(Paths.get("ts.cert"));
        byte[] ts2Cert = Files.readAllBytes(Paths.get("ts2.cert"));
        byte[] tsSerial = getCert(tsCert)
                .getSerialNumber().toByteArray();
        byte[] ts2Serial = getCert(ts2Cert)
                .getSerialNumber().toByteArray();

        byte[] oldBlock;
        try (JarFile normal = new JarFile("normal.jar")) {
            oldBlock = Utils.readAllBytes(normal.getInputStream(
                    normal.getJarEntry("META-INF/SIGNER.RSA")));
        }

        JarUtils.updateJar("normal.jar", "ts2.jar",
                mapOf("META-INF/SIGNER.RSA",
                        updateBytes(updateBytes(oldBlock, tsCert, ts2Cert),
                                tsSerial, ts2Serial)));

        verify("ts2.jar", "-verbose", "-certs")
                .shouldHaveExitValue(64)
                .shouldContain("jar verified")
                .shouldContain("Invalid TSA certificate chain: Extended key usage does not permit use for TSA server");
    }
 
Example #12
Source File: JarClassPathFileEntry.java    From TencentKona-8 with GNU General Public License v2.0 5 votes vote down vote up
public static void main(String[] args) throws Throwable {
    // Create Other.class in OTHER_DIR, off the default classpath
    byte klassbuf[] = InMemoryJavaCompiler.compile("Other",
                                                   "public class Other {}");
    ClassFileInstaller.writeClassToDisk("Other", klassbuf, OTHER_DIR);

    // Create Other.jar in OTHER_DIR
    JarUtils.createJarFile(OTHER_JAR_PATH,
                           Paths.get(OTHER_DIR),
                           Paths.get(OTHER_DIR, "Other.class"));

    // Create Context.class
    klassbuf = InMemoryJavaCompiler.compile("Context",
                                            "public class Context {}");
    ClassFileInstaller.writeClassToDisk("Context", klassbuf, TEST_CLASSES);

    // Create Context.jar w/ "file:" entry for Other.jar
    Manifest mf = new Manifest();
    Attributes attrs = mf.getMainAttributes();
    attrs.put(Attributes.Name.MANIFEST_VERSION, "1.0");

    String classPathEntry = "file:" + (IS_WINDOWS ? toUnixPath(OTHER_JAR_PATH.toString())
                                                  :            OTHER_JAR_PATH.toString());
    attrs.put(Attributes.Name.CLASS_PATH, classPathEntry);

    System.out.println("Creating Context.jar with Class-Path: " + classPathEntry);
    JarUtils.createJarFile(CONTEXT_JAR_PATH, mf,
                           Paths.get(TEST_CLASSES),
                           Paths.get(TEST_CLASSES, "Context.class"));

    // Use URLClassLoader w/ Context.jar to load Other.class, which will
    // load via the Class-Path entry
    URL url = CONTEXT_JAR_PATH.toUri().toURL();
    URLClassLoader ucl = new URLClassLoader(new URL[]{ url },
                                            null); // don't delegate to App CL
    Class<?> otherClass = Class.forName("Other", true, ucl); // ClassNotFoundException -> fail
    System.out.println("Loaded: " + otherClass);
}
 
Example #13
Source File: NestedActions.java    From openjdk-jdk8u-backup with GNU General Public License v2.0 5 votes vote down vote up
public static void main(String[] args) throws IOException {
    if (args.length > 0) {
        if ("jar".equals(args[0]) && args.length > 2) {
            JarUtils.createJar(args[1], Paths.get(TEST_CLASSES + FS),
                Arrays.copyOfRange(args, 2, args.length));
        } else {
            runJava(args);
        }
    } else {
        throw new RuntimeException("Wrong parameters");
    }
}
 
Example #14
Source File: TimestampCheck.java    From dragonwell8_jdk with GNU General Public License v2.0 5 votes vote down vote up
private static void checkInvalidTsaCertKeyUsage() throws Exception {

        // Hack: Rewrite the TSA cert inside normal.jar into ts2.jar.

        // Both the cert and the serial number must be rewritten.
        byte[] tsCert = Files.readAllBytes(Paths.get("ts.cert"));
        byte[] ts2Cert = Files.readAllBytes(Paths.get("ts2.cert"));
        byte[] tsSerial = getCert(tsCert)
                .getSerialNumber().toByteArray();
        byte[] ts2Serial = getCert(ts2Cert)
                .getSerialNumber().toByteArray();

        byte[] oldBlock;
        try (JarFile normal = new JarFile("normal.jar")) {
            oldBlock = Utils.readAllBytes(normal.getInputStream(
                    normal.getJarEntry("META-INF/SIGNER.RSA")));
        }

        JarUtils.updateJar("normal.jar", "ts2.jar",
                mapOf("META-INF/SIGNER.RSA",
                        updateBytes(updateBytes(oldBlock, tsCert, ts2Cert),
                                tsSerial, ts2Serial)));

        verify("ts2.jar", "-verbose", "-certs")
                .shouldHaveExitValue(64)
                .shouldContain("jar verified")
                .shouldContain("Invalid TSA certificate chain: Extended key usage does not permit use for TSA server");
    }
 
Example #15
Source File: JarClassPathFileEntry.java    From openjdk-jdk8u with GNU General Public License v2.0 5 votes vote down vote up
public static void main(String[] args) throws Throwable {
    // Create Other.class in OTHER_DIR, off the default classpath
    byte klassbuf[] = InMemoryJavaCompiler.compile("Other",
                                                   "public class Other {}");
    ClassFileInstaller.writeClassToDisk("Other", klassbuf, OTHER_DIR);

    // Create Other.jar in OTHER_DIR
    JarUtils.createJarFile(OTHER_JAR_PATH,
                           Paths.get(OTHER_DIR),
                           Paths.get(OTHER_DIR, "Other.class"));

    // Create Context.class
    klassbuf = InMemoryJavaCompiler.compile("Context",
                                            "public class Context {}");
    ClassFileInstaller.writeClassToDisk("Context", klassbuf, TEST_CLASSES);

    // Create Context.jar w/ "file:" entry for Other.jar
    Manifest mf = new Manifest();
    Attributes attrs = mf.getMainAttributes();
    attrs.put(Attributes.Name.MANIFEST_VERSION, "1.0");

    String classPathEntry = "file:" + (IS_WINDOWS ? toUnixPath(OTHER_JAR_PATH.toString())
                                                  :            OTHER_JAR_PATH.toString());
    attrs.put(Attributes.Name.CLASS_PATH, classPathEntry);

    System.out.println("Creating Context.jar with Class-Path: " + classPathEntry);
    JarUtils.createJarFile(CONTEXT_JAR_PATH, mf,
                           Paths.get(TEST_CLASSES),
                           Paths.get(TEST_CLASSES, "Context.class"));

    // Use URLClassLoader w/ Context.jar to load Other.class, which will
    // load via the Class-Path entry
    URL url = CONTEXT_JAR_PATH.toUri().toURL();
    URLClassLoader ucl = new URLClassLoader(new URL[]{ url },
                                            null); // don't delegate to App CL
    Class<?> otherClass = Class.forName("Other", true, ucl); // ClassNotFoundException -> fail
    System.out.println("Loaded: " + otherClass);
}
 
Example #16
Source File: NotYetValidCertTest.java    From openjdk-jdk8u-backup with GNU General Public License v2.0 4 votes vote down vote up
protected void start() throws Throwable {
    // create a jar file that contains one class file
    Utils.createFiles(FIRST_FILE);
    JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);

    // create certificate that will be valid only tomorrow
    ProcessTools.executeCommand(KEYTOOL,
            "-genkey",
            "-alias", KEY_ALIAS,
            "-keyalg", KEY_ALG,
            "-keysize", Integer.toString(KEY_SIZE),
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            "-dname", "CN=Test",
            "-startdate", "+1d",
            "-validity", Integer.toString(VALIDITY));

    // sign jar
    OutputAnalyzer analyzer = ProcessTools.executeCommand(JARSIGNER,
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            "-signedjar", SIGNED_JARFILE,
            UNSIGNED_JARFILE,
            KEY_ALIAS);

    checkSigning(analyzer, NOT_YET_VALID_CERT_SIGNING_WARNING);

    // verify signed jar
    analyzer = ProcessTools.executeCommand(JARSIGNER,
            "-verify",
            "-verbose",
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            SIGNED_JARFILE,
            KEY_ALIAS);

    checkVerifying(analyzer, 0, NOT_YET_VALID_CERT_VERIFYING_WARNING);

    // verify jar in strict mode
    analyzer = ProcessTools.executeCommand(JARSIGNER,
            "-verify",
            "-verbose",
            "-strict",
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            SIGNED_JARFILE,
            KEY_ALIAS);

    checkVerifying(analyzer, HAS_EXPIRED_CERT_EXIT_CODE,
            NOT_YET_VALID_CERT_VERIFYING_WARNING);

    System.out.println("Test passed");
}
 
Example #17
Source File: TsacertOptionTest.java    From openjdk-jdk8u-backup with GNU General Public License v2.0 4 votes vote down vote up
void start() throws Throwable {
    // create a jar file that contains one file
    Utils.createFiles(FILENAME);
    JarUtils.createJar(UNSIGNED_JARFILE, FILENAME);

    // look for free network port for TSA service
    int port = jdk.testlibrary.Utils.getFreePort();
    String host = jdk.testlibrary.Utils.getHostname();
    String tsaUrl = "http://" + host + ":" + port;

    // create key pair for jar signing
    ProcessTools.executeCommand(KEYTOOL,
            "-genkey",
            "-alias", SIGNING_KEY_ALIAS,
            "-keyalg", KEY_ALG,
            "-keysize", Integer.toString(KEY_SIZE),
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            "-dname", "CN=Test",
            "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);

    // create key pair for TSA service
    // SubjectInfoAccess extension contains URL to TSA service
    ProcessTools.executeCommand(KEYTOOL,
            "-genkey",
            "-v",
            "-alias", TSA_KEY_ALIAS,
            "-keyalg", KEY_ALG,
            "-keysize", Integer.toString(KEY_SIZE),
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            "-dname", "CN=TSA",
            "-ext", "ExtendedkeyUsage:critical=timeStamping",
            "-ext", "SubjectInfoAccess=timeStamping:URI:" + tsaUrl,
            "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);

    try (TimestampCheck.Handler tsa = TimestampCheck.Handler.init(port,
            KEYSTORE);) {

        // start TSA
        tsa.start();

        // sign jar file
        // specify -tsadigestalg option because
        // TSA server uses SHA-1 digest algorithm
         OutputAnalyzer analyzer = ProcessTools.executeCommand(JARSIGNER,
                "-J-Dhttp.proxyHost=",
                "-J-Dhttp.proxyPort=",
                "-J-Djava.net.useSystemProxies=",
                "-verbose",
                "-keystore", KEYSTORE,
                "-storepass", PASSWORD,
                "-keypass", PASSWORD,
                "-signedjar", SIGNED_JARFILE,
                "-tsacert", TSA_KEY_ALIAS,
                "-tsadigestalg", "SHA-1",
                UNSIGNED_JARFILE,
                SIGNING_KEY_ALIAS);

        analyzer.shouldHaveExitValue(0);
        analyzer.stdoutShouldNotContain(WARNING);
        analyzer.shouldContain(JAR_SIGNED);

        // verify signed jar
        analyzer = ProcessTools.executeCommand(JARSIGNER,
                "-verbose",
                "-verify",
                "-keystore", KEYSTORE,
                "-storepass", PASSWORD,
                SIGNED_JARFILE);

        analyzer.shouldHaveExitValue(0);
        analyzer.stdoutShouldNotContain(WARNING);
        analyzer.shouldContain(JAR_VERIFIED);
    }

    System.out.println("Test passed");
}
 
Example #18
Source File: Warning.java    From openjdk-jdk9 with GNU General Public License v2.0 4 votes vote down vote up
static void recreateJar() throws Exception {
    JarUtils.createJar("a.jar", "ks");
}
 
Example #19
Source File: NotYetValidCertTest.java    From openjdk-jdk9 with GNU General Public License v2.0 4 votes vote down vote up
protected void start() throws Throwable {
    // create a jar file that contains one class file
    Utils.createFiles(FIRST_FILE);
    JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);

    // create certificate that will be valid only tomorrow
    keytool(
            "-genkey",
            "-alias", KEY_ALIAS,
            "-keyalg", KEY_ALG,
            "-keysize", Integer.toString(KEY_SIZE),
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            "-dname", "CN=Test",
            "-startdate", "+1d",
            "-validity", Integer.toString(VALIDITY));

    // sign jar
    OutputAnalyzer analyzer = jarsigner(
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            "-signedjar", SIGNED_JARFILE,
            UNSIGNED_JARFILE,
            KEY_ALIAS);

    checkSigning(analyzer, NOT_YET_VALID_CERT_SIGNING_WARNING);

    // verify signed jar
    analyzer = jarsigner(
            "-verify",
            "-verbose",
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            SIGNED_JARFILE,
            KEY_ALIAS);

    checkVerifying(analyzer, 0, NOT_YET_VALID_CERT_VERIFYING_WARNING);

    // verify jar in strict mode
    analyzer = jarsigner(
            "-verify",
            "-verbose",
            "-strict",
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            SIGNED_JARFILE,
            KEY_ALIAS);

    checkVerifying(analyzer, HAS_EXPIRED_CERT_EXIT_CODE,
            NOT_YET_VALID_CERT_VERIFYING_WARNING);

    System.out.println("Test passed");
}
 
Example #20
Source File: HasExpiringCertTest.java    From openjdk-jdk9 with GNU General Public License v2.0 4 votes vote down vote up
private void start() throws Throwable {
    // create a jar file that contains one class file
    Utils.createFiles(FIRST_FILE);
    JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);

    // create key pair for jar signing
    keytool(
            "-genkey",
            "-alias", KEY_ALIAS,
            "-keyalg", KEY_ALG,
            "-keysize", Integer.toString(KEY_SIZE),
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            "-dname", "CN=Test",
            "-validity", Integer.toString(SHORT_VALIDITY))
            .shouldHaveExitValue(0);

    // sign jar
    OutputAnalyzer analyzer = jarsigner(
            "-keystore", KEYSTORE,
            "-verbose",
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            "-signedjar", SIGNED_JARFILE,
            UNSIGNED_JARFILE,
            KEY_ALIAS);

    checkSigning(analyzer, HAS_EXPIRING_CERT_SIGNING_WARNING);

    // verify signed jar
    analyzer = jarsigner(
            "-verify",
            "-verbose",
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            SIGNED_JARFILE,
            KEY_ALIAS);

    checkVerifying(analyzer, 0, HAS_EXPIRING_CERT_VERIFYING_WARNING);

    // verify signed jar in strict mode
    analyzer = jarsigner(
            "-verify",
            "-verbose",
            "-strict",
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            SIGNED_JARFILE,
            KEY_ALIAS);

    checkVerifying(analyzer, 0, HAS_EXPIRING_CERT_VERIFYING_WARNING);

    System.out.println("Test passed");
}
 
Example #21
Source File: BadExtendedKeyUsageTest.java    From openjdk-jdk9 with GNU General Public License v2.0 4 votes vote down vote up
private void start() throws Throwable {
    // create a jar file that contains one class file
    Utils.createFiles(FIRST_FILE);
    JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);

    // create a certificate whose signer certificate's
    // ExtendedKeyUsage extension doesn't allow code signing
    keytool(
            "-genkey",
            "-alias", KEY_ALIAS,
            "-keyalg", KEY_ALG,
            "-keysize", Integer.toString(KEY_SIZE),
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            "-dname", "CN=Test",
            "-ext", "ExtendedkeyUsage=serverAuth",
            "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);

    // sign jar
    OutputAnalyzer analyzer = jarsigner(
            "-verbose",
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            "-signedjar", SIGNED_JARFILE,
            UNSIGNED_JARFILE,
            KEY_ALIAS);

    checkSigning(analyzer, BAD_EXTENDED_KEY_USAGE_SIGNING_WARNING);

    // verify signed jar
    analyzer = jarsigner(
            "-verify",
            "-verbose",
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            SIGNED_JARFILE);

    checkVerifying(analyzer, 0, BAD_EXTENDED_KEY_USAGE_VERIFYING_WARNING);

    // verity signed jar in strict mode
    analyzer = jarsigner(
            "-verify",
            "-verbose",
            "-strict",
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            SIGNED_JARFILE);

    checkVerifying(analyzer, BAD_EXTENDED_KEY_USAGE_EXIT_CODE,
            BAD_EXTENDED_KEY_USAGE_VERIFYING_WARNING);

    System.out.println("Test passed");
}
 
Example #22
Source File: NotSignedByAliasTest.java    From openjdk-jdk9 with GNU General Public License v2.0 4 votes vote down vote up
protected void start() throws Throwable {
    // create a jar file that contains one class file
    Utils.createFiles(FIRST_FILE);
    JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);

    // create first key pair for signing
    keytool(
            "-genkey",
            "-alias", FIRST_KEY_ALIAS,
            "-keyalg", KEY_ALG,
            "-keysize", Integer.toString(KEY_SIZE),
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            "-dname", "CN=First",
            "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);

    // create first key pair for signing
    keytool(
            "-genkey",
            "-alias", SECOND_KEY_ALIAS,
            "-keyalg", KEY_ALG,
            "-keysize", Integer.toString(KEY_SIZE),
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            "-dname", "CN=Second",
            "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);

    // sign jar with first key
    OutputAnalyzer analyzer = jarsigner(
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            "-signedjar", SIGNED_JARFILE,
            UNSIGNED_JARFILE,
            FIRST_KEY_ALIAS);

    checkSigning(analyzer);

    // verify jar with second key
    analyzer = jarsigner(
            "-verify",
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            SIGNED_JARFILE,
            SECOND_KEY_ALIAS);

    checkVerifying(analyzer, 0, NOT_SIGNED_BY_ALIAS_VERIFYING_WARNING);

    // verify jar with second key in strict mode
    analyzer = jarsigner(
            "-verify",
            "-strict",
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            SIGNED_JARFILE,
            SECOND_KEY_ALIAS);

    checkVerifying(analyzer, NOT_SIGNED_BY_ALIAS_EXIT_CODE,
            NOT_SIGNED_BY_ALIAS_VERIFYING_WARNING);

    // verify jar with non-existing alias
    analyzer = jarsigner(
            "-verify",
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            SIGNED_JARFILE,
            "bogus");

    checkVerifying(analyzer, 0, NOT_SIGNED_BY_ALIAS_VERIFYING_WARNING);

    // verify jar with non-existing alias in strict mode
    analyzer = jarsigner(
            "-verify",
            "-strict",
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            SIGNED_JARFILE,
            "bogus");

    checkVerifying(analyzer, NOT_SIGNED_BY_ALIAS_EXIT_CODE,
            NOT_SIGNED_BY_ALIAS_VERIFYING_WARNING);

    System.out.println("Test passed");
}
 
Example #23
Source File: HasUnsignedEntryTest.java    From openjdk-jdk8u-backup with GNU General Public License v2.0 4 votes vote down vote up
private void start() throws Throwable {
    System.out.println(String.format("Create a %s that contains %s",
            UNSIGNED_JARFILE, FIRST_FILE));
    Utils.createFiles(FIRST_FILE, SECOND_FILE);
    JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);

    // create key pair for signing
    ProcessTools.executeCommand(KEYTOOL,
            "-genkey",
            "-alias", KEY_ALIAS,
            "-keyalg", KEY_ALG,
            "-keysize", Integer.toString(KEY_SIZE),
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            "-dname", "CN=Test",
            "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);

    // sign jar
    OutputAnalyzer analyzer = ProcessTools.executeCommand(JARSIGNER,
            "-verbose",
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            "-signedjar", SIGNED_JARFILE,
            UNSIGNED_JARFILE,
            KEY_ALIAS);

    checkSigning(analyzer);

    System.out.println(String.format("Copy %s to %s, and add %s.class, "
            + "so it contains unsigned entry",
            new Object[]{SIGNED_JARFILE, UPDATED_SIGNED_JARFILE,
                SECOND_FILE}));

    JarUtils.updateJar(SIGNED_JARFILE, UPDATED_SIGNED_JARFILE, SECOND_FILE);

    // verify jar
    analyzer = ProcessTools.executeCommand(JARSIGNER,
            "-verify",
            "-verbose",
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            UPDATED_SIGNED_JARFILE);

    checkVerifying(analyzer, 0, HAS_UNSIGNED_ENTRY_VERIFYING_WARNING);

    // verify jar in strict mode
    analyzer = ProcessTools.executeCommand(JARSIGNER,
            "-verify",
            "-verbose",
            "-strict",
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            UPDATED_SIGNED_JARFILE);

    checkVerifying(analyzer, HAS_UNSIGNED_ENTRY_EXIT_CODE,
            HAS_UNSIGNED_ENTRY_VERIFYING_WARNING);

    System.out.println("Test passed");
}
 
Example #24
Source File: ExtensiblePolicyWithJarTest.java    From openjdk-jdk8u-backup with GNU General Public License v2.0 4 votes vote down vote up
public static void main(String args[]) throws Throwable {
    final String FS = File.separator;
    final String PS = File.pathSeparator;
    final String POL = "ExtensiblePolicyTest3.policy";
    final String JAVA_HOME = System.getProperty("test.jdk");
    final String KEYTOOL = JAVA_HOME + FS + "bin" + FS + "keytool";
    final String JARSIGNER = JAVA_HOME + FS + "bin" + FS + "jarsigner";
    final String KEYSTORE = "epkeystore";
    final String PASSWORD = "password";
    final String ALIAS = "duke2";
    final String CLASSPATH = System.getProperty("test.class.path", "");
    final String TESTCLASSES = System.getProperty("test.classes", "");
    final String TVPERMJAR = "tvPerm.jar";
    final String PATHTOJAR = System.getProperty("user.dir", "")
                            + FS + TVPERMJAR;

    // create jar file for TVpermission
    new File("TVJar").mkdir();
    Files.copy(Paths.get(TESTCLASSES + FS + "TVJar", "TVPermission.class"),
            Paths.get("TVJar", "TVPermission.class"));
    Files.copy(Paths.get(TESTCLASSES + FS + "TVJar",
            "TVPermissionCollection.class"),
            Paths.get("TVJar", "TVPermissionCollection.class"));
    JarUtils.createJar(TVPERMJAR, "TVJar/TVPermission.class",
            "TVJar/TVPermissionCollection.class");

    // create key pair for jar signing
    ProcessTools.executeCommand(KEYTOOL,
            "-genkey",
            "-alias", ALIAS,
            "-keystore", KEYSTORE,
            "-storetype", "JKS",
            "-keypass", PASSWORD,
            "-dname", "cn=Blah",
            "-storepass", PASSWORD
    ).shouldHaveExitValue(0);
    // sign jar
    ProcessTools.executeCommand(JARSIGNER,
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            TVPERMJAR,
            ALIAS).shouldHaveExitValue(0);
    // add jar file to classpath
    String cp = PATHTOJAR + PS + CLASSPATH;

    // policy file grants permission signed by duke2 to watch TVChanel 5
    try {
        String[] cmd = {
        "-classpath", cp,
        "-Djava.security.manager",
        "-Djava.security.policy=" + POL,
        "ExtensiblePolicyTest_orig$TestMain"};
        ProcessTools.executeTestJvm(cmd).shouldHaveExitValue(0);
    } catch (Exception ex) {
        System.out.println("ExtensiblePolicyWithJarTest Failed");
    }

}
 
Example #25
Source File: TimestampCheck.java    From openjdk-jdk8u with GNU General Public License v2.0 4 votes vote down vote up
static void prepare() throws Exception {
    JarUtils.createJar("unsigned.jar", "A");
    Files.deleteIfExists(Paths.get("ks"));
    keytool("-alias signer -genkeypair -ext bc -dname CN=signer");
    keytool("-alias oldsigner -genkeypair -dname CN=oldsigner");
    keytool("-alias dsakey -genkeypair -keyalg DSA -dname CN=dsakey");
    keytool("-alias weakkeysize -genkeypair -keysize 512 -dname CN=weakkeysize");
    keytool("-alias badku -genkeypair -dname CN=badku");
    keytool("-alias ts -genkeypair -dname CN=ts");
    keytool("-alias tsold -genkeypair -dname CN=tsold");
    keytool("-alias tsweak -genkeypair -keysize 512 -dname CN=tsweak");
    keytool("-alias tsbad1 -genkeypair -dname CN=tsbad1");
    keytool("-alias tsbad2 -genkeypair -dname CN=tsbad2");
    keytool("-alias tsbad3 -genkeypair -dname CN=tsbad3");
    keytool("-alias tsnoca -genkeypair -dname CN=tsnoca");

    keytool("-alias expired -genkeypair -dname CN=expired");
    keytool("-alias expiring -genkeypair -dname CN=expiring");
    keytool("-alias long -genkeypair -dname CN=long");
    keytool("-alias tsexpired -genkeypair -dname CN=tsexpired");
    keytool("-alias tsexpiring -genkeypair -dname CN=tsexpiring");
    keytool("-alias tsexpiringsoon -genkeypair -dname CN=tsexpiringsoon");
    keytool("-alias tslong -genkeypair -dname CN=tslong");

    // tsnoca's issuer will be removed from keystore later
    keytool("-alias ca -genkeypair -ext bc -dname CN=CA");
    gencert("tsnoca", "-ext eku:critical=ts");
    keytool("-delete -alias ca");
    keytool("-alias ca -genkeypair -ext bc -dname CN=CA -startdate -40d");

    gencert("signer");
    gencert("oldsigner", "-startdate -30d -validity 20");
    gencert("dsakey");
    gencert("weakkeysize");
    gencert("badku", "-ext ku:critical=keyAgreement");
    gencert("ts", "-ext eku:critical=ts -validity 500");

    gencert("expired", "-validity 10 -startdate -12d");
    gencert("expiring", "-validity 178");
    gencert("long", "-validity 182");
    gencert("tsexpired", "-ext eku:critical=ts -validity 10 -startdate -12d");
    gencert("tsexpiring", "-ext eku:critical=ts -validity 364");
    gencert("tsexpiringsoon", "-ext eku:critical=ts -validity 170"); // earlier than expiring
    gencert("tslong", "-ext eku:critical=ts -validity 367");


    for (int i = 0; i < 5; i++) {
        // Issue another cert for "ts" with a different EKU.
        // Length might be different because serial number is
        // random. Try several times until a cert with the same
        // length is generated so we can substitute ts.cert
        // embedded in the PKCS7 block with ts2.cert.
        // If cannot create one, related test will be ignored.
        keytool("-gencert -alias ca -infile ts.req -outfile ts2.cert " +
                "-ext eku:critical=1.3.6.1.5.5.7.3.9");
        if (Files.size(Paths.get("ts.cert")) != Files.size(Paths.get("ts2.cert"))) {
            Files.delete(Paths.get("ts2.cert"));
            System.out.println("Warning: cannot create same length");
        } else {
            break;
        }
    }

    gencert("tsold", "-ext eku:critical=ts -startdate -40d -validity 500");

    gencert("tsweak", "-ext eku:critical=ts");
    gencert("tsbad1");
    gencert("tsbad2", "-ext eku=ts");
    gencert("tsbad3", "-ext eku:critical=cs");
}
 
Example #26
Source File: ChainNotValidatedTest.java    From openjdk-jdk8u with GNU General Public License v2.0 4 votes vote down vote up
private void start(boolean ca2yes) throws Throwable {
    // create a jar file that contains one class file
    Utils.createFiles(FIRST_FILE);
    JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);

    // We have 2 @run. Need cleanup.
    Files.deleteIfExists(Paths.get(KEYSTORE));

    // Root CA is not checked at all. If the intermediate CA has
    // BasicConstraints extension set to true, it will be valid.
    // Otherwise, chain validation will fail.
    createAlias(CA_KEY_ALIAS, "-ext", "bc:c");
    createAlias(CA2_KEY_ALIAS);
    issueCert(CA2_KEY_ALIAS,
            "-ext",
            "bc=ca:" + ca2yes);

    createAlias(KEY_ALIAS);
    issueCert(KEY_ALIAS, "-alias", CA2_KEY_ALIAS);

    // remove CA2 certificate so it's not trusted
    ProcessTools.executeCommand(KEYTOOL,
            "-delete",
            "-alias", CA2_KEY_ALIAS,
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD).shouldHaveExitValue(0);

    // sign jar
    OutputAnalyzer analyzer = ProcessTools.executeCommand(JARSIGNER,
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            "-signedjar", SIGNED_JARFILE,
            UNSIGNED_JARFILE,
            KEY_ALIAS);

    if (ca2yes) {
        checkSigning(analyzer, "!" + CHAIN_NOT_VALIDATED_SIGNING_WARNING);
    } else {
        checkSigning(analyzer, CHAIN_NOT_VALIDATED_SIGNING_WARNING);
    }

    // verify signed jar
    analyzer = ProcessTools.executeCommand(JARSIGNER,
            "-verify",
            "-verbose",
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            SIGNED_JARFILE);

    if (ca2yes) {
        checkVerifying(analyzer, 0, "!" + CHAIN_NOT_VALIDATED_VERIFYING_WARNING);
    } else {
        checkVerifying(analyzer, 0, CHAIN_NOT_VALIDATED_VERIFYING_WARNING);
    }

    // verify signed jar in strict mode
    analyzer = ProcessTools.executeCommand(JARSIGNER,
            "-verify",
            "-verbose",
            "-strict",
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            SIGNED_JARFILE);

    if (ca2yes) {
        checkVerifying(analyzer, 0,
                "!" + CHAIN_NOT_VALIDATED_VERIFYING_WARNING);
    } else {
        checkVerifying(analyzer, CHAIN_NOT_VALIDATED_EXIT_CODE,
                CHAIN_NOT_VALIDATED_VERIFYING_WARNING);
    }

    System.out.println("Test passed");
}
 
Example #27
Source File: BadNetscapeCertTypeTest.java    From openjdk-jdk8u with GNU General Public License v2.0 4 votes vote down vote up
private void start() throws Throwable {
    // create a jar file that contains one class file
    Utils.createFiles(FIRST_FILE);
    JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);

    // create a certificate whose signer certificate's
    // NetscapeCertType extension doesn't allow code signing
    // create key pair for jar signing
    createAlias(CA_KEY_ALIAS, "-ext", "bc:c");
    createAlias(KEY_ALIAS);

    issueCert(
            KEY_ALIAS,
            // NetscapeCertType [ SSL client ]
            "-ext", "2.16.840.1.113730.1.1=03020780",
            "-validity", Integer.toString(VALIDITY));

    // sign jar
    OutputAnalyzer analyzer = ProcessTools.executeCommand(JARSIGNER,
            "-verbose",
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            "-signedjar", SIGNED_JARFILE,
            UNSIGNED_JARFILE,
            KEY_ALIAS);

    checkSigning(analyzer, BAD_NETSCAPE_CERT_TYPE_SIGNING_WARNING);

    // verify signed jar
    analyzer = ProcessTools.executeCommand(JARSIGNER,
            "-verify",
            "-verbose",
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            SIGNED_JARFILE);

    checkVerifying(analyzer, 0, BAD_NETSCAPE_CERT_TYPE_VERIFYING_WARNING);

    // verify signed jar in strict mode
    analyzer = ProcessTools.executeCommand(JARSIGNER,
            "-verify",
            "-verbose",
            "-strict",
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            SIGNED_JARFILE);

    checkVerifying(analyzer, BAD_NETSCAPE_CERT_TYPE_EXIT_CODE,
            BAD_NETSCAPE_CERT_TYPE_VERIFYING_WARNING);

    System.out.println("Test passed");
}
 
Example #28
Source File: AliasNotInStoreTest.java    From openjdk-jdk8u with GNU General Public License v2.0 4 votes vote down vote up
private void start() throws Throwable {
    Utils.createFiles(FIRST_FILE, SECOND_FILE);
    System.out.println(String.format("Create a %s that contains %s",
            new Object[]{UNSIGNED_JARFILE, FIRST_FILE}));
    JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);

    // create first key pair for signing
    createAlias(FIRST_KEY_ALIAS);
    createAlias(SECOND_KEY_ALIAS);

    // sign jar with first key
    OutputAnalyzer analyzer = ProcessTools.executeCommand(JARSIGNER,
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            "-signedjar", SIGNED_JARFILE,
            UNSIGNED_JARFILE,
            FIRST_KEY_ALIAS);

    checkSigning(analyzer);

    System.out.println(String.format("Copy %s to %s, and add %s",
            new Object[] {SIGNED_JARFILE, UPDATED_SIGNED_JARFILE,
                SECOND_FILE}));

    JarUtils.updateJar(SIGNED_JARFILE, UPDATED_SIGNED_JARFILE, SECOND_FILE);

    // sign jar with second key
    analyzer = ProcessTools.executeCommand(JARSIGNER,
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            UPDATED_SIGNED_JARFILE,
            SECOND_KEY_ALIAS);

    checkSigning(analyzer);

    // create keystore that contains only first key
    ProcessTools.executeCommand(KEYTOOL,
            "-importkeystore",
            "-srckeystore", KEYSTORE,
            "-srcalias", FIRST_KEY_ALIAS,
            "-srcstorepass", PASSWORD,
            "-srckeypass", PASSWORD,
            "-destkeystore", FIRST_KEY_KEYSTORE,
            "-destalias", FIRST_KEY_ALIAS,
            "-deststorepass", PASSWORD,
            "-destkeypass", PASSWORD).shouldHaveExitValue(0);

    // verify jar with keystore that contains only first key,
    // so there is signed entry (FirstClass.class) that is not signed
    // by any alias in the keystore
    analyzer = ProcessTools.executeCommand(JARSIGNER,
            "-verify",
            "-verbose",
            "-keystore", FIRST_KEY_KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            UPDATED_SIGNED_JARFILE);

    checkVerifying(analyzer, 0, CHAIN_NOT_VALIDATED_VERIFYING_WARNING,
            ALIAS_NOT_IN_STORE_VERIFYING_WARNING);

    // verify jar with keystore that contains only first key in strict mode
    analyzer = ProcessTools.executeCommand(JARSIGNER,
            "-verify",
            "-verbose",
            "-strict",
            "-keystore", FIRST_KEY_KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            UPDATED_SIGNED_JARFILE);

    int expectedExitCode = ALIAS_NOT_IN_STORE_EXIT_CODE
            + CHAIN_NOT_VALIDATED_EXIT_CODE;
    checkVerifying(analyzer, expectedExitCode,
            CHAIN_NOT_VALIDATED_VERIFYING_WARNING,
            ALIAS_NOT_IN_STORE_VERIFYING_WARNING);

    System.out.println("Test passed");
}
 
Example #29
Source File: NoTimestampTest.java    From openjdk-jdk8u with GNU General Public License v2.0 4 votes vote down vote up
private void start() throws Throwable {
    String timezone = System.getProperty("user.timezone");
    System.out.println(String.format("Timezone = %s", timezone));

    // create a jar file that contains one class file
    Utils.createFiles(FIRST_FILE);
    JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);

    // calculate certificate expiration date
    Date expirationDate = new Date(System.currentTimeMillis() + VALIDITY
            * 24 * 60 * 60 * 1000L);

    // create key pair
    createAlias(CA_KEY_ALIAS, "-ext", "bc:c");
    createAlias(KEY_ALIAS);
    issueCert(KEY_ALIAS,
            "-validity", Integer.toString(VALIDITY));

    // sign jar file
    OutputAnalyzer analyzer = ProcessTools.executeCommand(JARSIGNER,
            "-J-Duser.timezone=" + timezone,
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            "-signedjar", SIGNED_JARFILE,
            UNSIGNED_JARFILE,
            KEY_ALIAS);

    String warning = String.format(NO_TIMESTAMP_SIGNING_WARN_TEMPLATE,
            expirationDate);
    checkSigning(analyzer, warning);

    // verify signed jar
    analyzer = ProcessTools.executeCommand(JARSIGNER,
            "-J-Duser.timezone=" + timezone,
            "-verify",
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            SIGNED_JARFILE,
            KEY_ALIAS);

    warning = String.format(NO_TIMESTAMP_VERIFYING_WARN_TEMPLATE, expirationDate);
    checkVerifying(analyzer, 0, warning);

    // verify signed jar in strict mode
    analyzer = ProcessTools.executeCommand(JARSIGNER,
            "-J-Duser.timezone=" + timezone,
            "-verify",
            "-strict",
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            SIGNED_JARFILE,
            KEY_ALIAS);

    checkVerifying(analyzer, 0, warning);

    System.out.println("Test passed");
}
 
Example #30
Source File: HasExpiredCertTest.java    From openjdk-jdk8u with GNU General Public License v2.0 4 votes vote down vote up
private void start() throws Throwable {
    // create a jar file that contains one class file
    Utils.createFiles(FIRST_FILE);
    JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);

    // create key pair for jar signing
    createAlias(CA_KEY_ALIAS, "-ext", "bc:c");
    createAlias(KEY_ALIAS);

    issueCert(
            KEY_ALIAS,
            "-startdate", "-" + SHORT_VALIDITY * 2 + "d",
            "-validity", Integer.toString(SHORT_VALIDITY));

    // sign jar
    OutputAnalyzer analyzer = ProcessTools.executeCommand(JARSIGNER,
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            "-signedjar", SIGNED_JARFILE,
            UNSIGNED_JARFILE,
            KEY_ALIAS);

    checkSigning(analyzer, HAS_EXPIRED_CERT_SIGNING_WARNING);

    // verify signed jar
    analyzer = ProcessTools.executeCommand(JARSIGNER,
            "-verify",
            "-verbose",
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            SIGNED_JARFILE);

    checkVerifying(analyzer, 0, HAS_EXPIRED_CERT_VERIFYING_WARNING);

    analyzer = ProcessTools.executeCommand(JARSIGNER,
            "-verify",
            "-strict",
            "-keystore", KEYSTORE,
            "-storepass", PASSWORD,
            "-keypass", PASSWORD,
            SIGNED_JARFILE);

    checkVerifying(analyzer, HAS_EXPIRED_CERT_EXIT_CODE,
            HAS_EXPIRED_CERT_VERIFYING_WARNING);

    System.out.println("Test passed");
}