Path: blob/master/test/jdk/tools/jpackage/macosx/base/SigningCheck.java
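/*
 * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

import jdk.jpackage.test.TKit;
import jdk.jpackage.test.Executor;

import jdk.jpackage.internal.MacCertificate;

/**
 * Pre-flight checks for the macOS signing tests: confirms that the
 * application and installer signing certificates can be located in the test
 * keychain, pass {@link MacCertificate#isValid()} and, for the default
 * developer name, show up in the current user's trust settings.
 *
 * <p>Every failed check is reported through
 * {@code TKit.throwSkippedException}, so a machine without usable signing
 * material skips the signing tests rather than failing them.
 */
public class SigningCheck {

    /**
     * Matches one {@code "alis"<blob>="..."} entry in the output of
     * {@code security find-certificate} and captures the quoted value.
     * Presumably this is the certificate's alias/label - confirm against the
     * tool's output format.
     */
    private static final Pattern ALIAS_PATTERN =
            Pattern.compile("\"alis\"<blob>=\"([^\"]+)\"");

    /**
     * Runs the full certificate check for both signing identities
     * ({@code SigningBase.APP_CERT} and {@code SigningBase.INSTALLER_CERT})
     * against {@code SigningBase.KEYCHAIN}.
     *
     * <p>For each identity the certificate is looked up, reduced to a single
     * key, validated, and then checked for user trust. The first check that
     * fails ends the run via {@code TKit.throwSkippedException}.
     */
    public static void checkCertificates() {
        List<String> result = findCertificate(SigningBase.APP_CERT, SigningBase.KEYCHAIN);
        String key = findKey(SigningBase.APP_CERT, result);
        validateCertificate(key);
        validateCertificateTrust(SigningBase.APP_CERT);

        result = findCertificate(SigningBase.INSTALLER_CERT, SigningBase.KEYCHAIN);
        key = findKey(SigningBase.INSTALLER_CERT, result);
        validateCertificate(key);
        validateCertificateTrust(SigningBase.INSTALLER_CERT);
    }

    /**
     * Lists the certificates in {@code keyChain} that match {@code name} by
     * running {@code /usr/bin/security find-certificate -c name -a keyChain}.
     *
     * @param name certificate name handed to the {@code -c} option
     * @param keyChain keychain to search
     * @return the command output, one element per line
     */
    private static List<String> findCertificate(String name, String keyChain) {
        // The tool is addressed by absolute path and every value is passed as
        // its own argument, so neither PATH nor the content of name/keyChain
        // can change which program runs (assuming Executor starts the process
        // without an intermediate shell - confirm).
        return new Executor()
                .setExecutable("/usr/bin/security")
                .addArguments("find-certificate", "-c", name, "-a", keyChain)
                .executeAndGetOutput();
    }

    /**
     * Extracts the single certificate key from {@code find-certificate}
     * output.
     *
     * @param name certificate name, used only in trace messages
     * @param result output lines of {@link #findCertificate}
     * @return the captured key, or {@code null} when the output holds no
     *         match or more than one match
     */
    private static String findKey(String name, List<String> result) {
        // Lines are joined without a separator; the pattern is delimited by
        // double quotes, so a match cannot silently span two entries.
        Matcher m = ALIAS_PATTERN.matcher(
                result.stream().collect(Collectors.joining()));
        if (!m.find()) {
            TKit.trace("Did not find a key for '" + name + "'");
            return null;
        }
        String matchedKey = m.group(1);
        // An ambiguous lookup is treated as "not found": signing with
        // whichever certificate happened to be listed first would make the
        // test depend on keychain ordering.
        if (m.find()) {
            TKit.trace("Found more than one key for '" + name + "'");
            return null;
        }
        TKit.trace("Using key '" + matchedKey + "'");
        return matchedKey;
    }

    /**
     * Skips the test unless {@code key} names a certificate that
     * {@link MacCertificate#isValid()} accepts.
     *
     * @param key certificate key from {@link #findKey}, or {@code null} when
     *        the lookup failed
     */
    private static void validateCertificate(String key) {
        if (key != null) {
            if (new MacCertificate(key).isValid()) {
                return;
            }
            // isValid() == false is reported as expiry; what else it may
            // cover is not visible here.
            TKit.throwSkippedException("Certificate expired: " + key);
        }

        // key is null when the lookup failed, so this message ends in "null";
        // the certificate name is in the trace line written by findKey.
        TKit.throwSkippedException("Cannot find required certificates: " + key);
    }

    /**
     * Skips the test when a certificate issued under the default developer
     * name is not listed in the current user's trust settings.
     *
     * @param name certificate name expected in the
     *        {@code security dump-trust-settings} output
     */
    private static void validateCertificateTrust(String name) {
        // Certificates using the default user name must be trusted by user.
        // User supplied certs whose trust is set to "Use System Defaults"
        // will not be listed as trusted by dump-trust-settings
        if ("jpackage.openjdk.java.net".equals(SigningBase.DEV_NAME)) {
            // The exit code is deliberately not checked (see the Executor
            // method name); the decision is made on the output lines alone.
            List<String> result = new Executor()
                    .setExecutable("/usr/bin/security")
                    .addArguments("dump-trust-settings")
                    .executeWithoutExitCodeCheckAndGetOutput();
            result.forEach(TKit::trace);
            // NOTE(review): this is a suffix match on trimmed lines, so any
            // trust entry whose line ends with `name` satisfies it. That is
            // adequate for a test pre-check, but it is not proof that this
            // exact certificate is the trusted one.
            TKit.assertTextStream(name)
                    .predicate((line, what) -> line.trim().endsWith(what))
                    .orElseThrow(() -> TKit.throwSkippedException(
                            "Certificate not trusted by current user: " + name))
                    .apply(result.stream());
        }
    }

}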