CoCalc -- concise_jarsigner.sh

GitHub Repository: PojavLauncherTeam/openjdk-multiarch-jdk8u
Path: blob/aarch64-shenandoah-jdk8u272-b10/jdk/test/sun/security/tools/jarsigner/concise_jarsigner.sh
³⁸⁸⁵⁴ views
1
#
2
# Copyright (c) 2009, 2020, Oracle and/or its affiliates. All rights reserved.
3
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4
#
5
# This code is free software; you can redistribute it and/or modify it
6
# under the terms of the GNU General Public License version 2 only, as
7
# published by the Free Software Foundation.
8
#
9
# This code is distributed in the hope that it will be useful, but WITHOUT
10
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11
# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
12
# version 2 for more details (a copy is included in the LICENSE file that
13
# accompanied this code).
14
#
15
# You should have received a copy of the GNU General Public License version
16
# 2 along with this work; if not, write to the Free Software Foundation,
17
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18
#
19
# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20
# or visit www.oracle.com if you need additional information or have any
21
# questions.
22
#
23

24
# @test
25
# @bug 6802846 8172529 8227758
26
# @summary jarsigner needs enhanced cert validation(options)
27
#
28
# @run shell/timeout=240 concise_jarsigner.sh
29
#
30

31
if [ "${TESTJAVA}" = "" ] ; then
32
  JAVAC_CMD=`which javac`
33
  TESTJAVA=`dirname $JAVAC_CMD`/..
34
fi
35

36
# set platform-dependent variables
37
OS=`uname -s`
38
case "$OS" in
39
  Windows_* )
40
    FS="\\"
41
    ;;
42
  * )
43
    FS="/"
44
    ;;
45
esac
46

47
# Choose 2048-bit RSA to make sure it runs fine and fast on all platforms. In
48
# fact, every keyalg/keysize combination is OK for this test.
49

50
TESTTOOLVMOPTS="$TESTTOOLVMOPTS -J-Duser.language=en -J-Duser.country=US"
51

52
KS=js.ks
53
KT="$TESTJAVA${FS}bin${FS}keytool ${TESTTOOLVMOPTS} -storepass changeit -keypass changeit -keystore $KS -keyalg rsa -keysize 2048"
54
JAR="$TESTJAVA${FS}bin${FS}jar ${TESTTOOLVMOPTS}"
55
JARSIGNER="$TESTJAVA${FS}bin${FS}jarsigner ${TESTTOOLVMOPTS} -debug"
56
JAVAC="$TESTJAVA${FS}bin${FS}javac ${TESTTOOLVMOPTS} ${TESTJAVACOPTS}"
57

58
rm $KS
59

60
echo class A1 {} > A1.java
61
echo class A2 {} > A2.java
62
echo class A3 {} > A3.java
63
echo class A4 {} > A4.java
64
echo class A5 {} > A5.java
65
echo class A6 {} > A6.java
66

67
$JAVAC A1.java A2.java A3.java A4.java A5.java A6.java
68
YEAR=`date +%Y`
69

70
# ==========================================================
71
# First part: output format
72
# ==========================================================
73

74
$KT -genkeypair -alias a1 -dname CN=a1 -validity 366
75
$KT -genkeypair -alias a2 -dname CN=a2 -validity 366
76

77
# a.jar includes 8 unsigned, 2 signed by a1 and a2, 2 signed by a3
78
$JAR cvf a.jar A1.class A2.class
79
$JARSIGNER -keystore $KS -storepass changeit a.jar a1
80
$JAR uvf a.jar A3.class A4.class
81
$JARSIGNER -keystore $KS -storepass changeit a.jar a2
82
$JAR uvf a.jar A5.class A6.class
83

84
# Verify OK
85
$JARSIGNER -verify a.jar
86
[ $? = 0 ] || exit $LINENO
87

88
# 4(chainNotValidated)+16(hasUnsignedEntry)
89
$JARSIGNER -verify a.jar -strict
90
[ $? = 20 ] || exit $LINENO
91

92
# 16(hasUnsignedEntry)
93
$JARSIGNER -verify a.jar -strict -keystore $KS -storepass changeit
94
[ $? = 16 ] || exit $LINENO
95

96
# 16(hasUnsignedEntry)+32(notSignedByAlias)
97
$JARSIGNER -verify a.jar a1 -strict -keystore $KS -storepass changeit
98
[ $? = 48 ] || exit $LINENO
99

100
# 16(hasUnsignedEntry)
101
$JARSIGNER -verify a.jar a1 a2 -strict -keystore $KS -storepass changeit
102
[ $? = 16 ] || exit $LINENO
103

104
# 12 entries all together
105
LINES=`$JARSIGNER -verify a.jar -verbose | grep $YEAR | wc -l`
106
[ $LINES = 12 ] || exit $LINENO
107

108
# 12 entries all listed
109
LINES=`$JARSIGNER -verify a.jar -verbose:grouped | grep $YEAR | wc -l`
110
[ $LINES = 12 ] || exit $LINENO
111

112
# 4 groups: MANIFST, unrelated, signed, unsigned
113
LINES=`$JARSIGNER -verify a.jar -verbose:summary | grep $YEAR | wc -l`
114
[ $LINES = 4 ] || exit $LINENO
115

116
# still 4 groups, but MANIFEST group has no other file
117
LINES=`$JARSIGNER -verify a.jar -verbose:summary | grep "more)" | wc -l`
118
[ $LINES = 3 ] || exit $LINENO
119

120
# 5 groups: MANIFEST, unrelated, signed by a1/a2, signed by a2, unsigned
121
LINES=`$JARSIGNER -verify a.jar -verbose:summary -certs | grep $YEAR | wc -l`
122
[ $LINES = 5 ] || exit $LINENO
123

124
# 2 for MANIFEST, 2*2 for A1/A2, 2 for A3/A4
125
LINES=`$JARSIGNER -verify a.jar -verbose -certs | grep "\[certificate" | wc -l`
126
[ $LINES = 8 ] || exit $LINENO
127

128
# a1,a2 for MANIFEST, a1,a2 for A1/A2, a2 for A3/A4
129
LINES=`$JARSIGNER -verify a.jar -verbose:grouped -certs | grep "\[certificate" | wc -l`
130
[ $LINES = 5 ] || exit $LINENO
131

132
# a1,a2 for MANIFEST, a1,a2 for A1/A2, a2 for A3/A4
133
LINES=`$JARSIGNER -verify a.jar -verbose:summary -certs | grep "\[certificate" | wc -l`
134
[ $LINES = 5 ] || exit $LINENO
135

136
# still 5 groups, but MANIFEST group has no other file
137
LINES=`$JARSIGNER -verify a.jar -verbose:summary -certs | grep "more)" | wc -l`
138
[ $LINES = 4 ] || exit $LINENO
139

140
# ==========================================================
141
# Second part: exit code 2, 4, 8.
142
# 16 and 32 already covered in the first part
143
# ==========================================================
144

145
$KT -genkeypair -alias ca -dname CN=ca -ext bc -validity 365
146
$KT -genkeypair -alias expired -dname CN=expired
147
$KT -certreq -alias expired | $KT -gencert -alias ca -startdate -10m | $KT -import -alias expired
148
$KT -genkeypair -alias notyetvalid -dname CN=notyetvalid
149
$KT -certreq -alias notyetvalid | $KT -gencert -alias ca -startdate +1m | $KT -import -alias notyetvalid
150
$KT -genkeypair -alias badku -dname CN=badku
151
$KT -certreq -alias badku | $KT -gencert -alias ca -ext KU=cRLSign -validity 365 | $KT -import -alias badku
152
$KT -genkeypair -alias badeku -dname CN=badeku
153
$KT -certreq -alias badeku | $KT -gencert -alias ca -ext EKU=sa -validity 365 | $KT -import -alias badeku
154
$KT -genkeypair -alias goodku -dname CN=goodku
155
$KT -certreq -alias goodku | $KT -gencert -alias ca -ext KU=dig -validity 365 | $KT -import -alias goodku
156
$KT -genkeypair -alias goodeku -dname CN=goodeku
157
$KT -certreq -alias goodeku | $KT -gencert -alias ca -ext EKU=codesign -validity 365 | $KT -import -alias goodeku
158

159
$JARSIGNER -strict -keystore $KS -storepass changeit a.jar expired
160
[ $? = 4 ] || exit $LINENO
161

162
$JARSIGNER -strict -keystore $KS -storepass changeit a.jar notyetvalid
163
[ $? = 4 ] || exit $LINENO
164

165
$JARSIGNER -strict -keystore $KS -storepass changeit a.jar badku
166
[ $? = 8 ] || exit $LINENO
167

168
$JARSIGNER -strict -keystore $KS -storepass changeit a.jar badeku
169
[ $? = 8 ] || exit $LINENO
170

171
$JARSIGNER -strict -keystore $KS -storepass changeit a.jar goodku
172
[ $? = 0 ] || exit $LINENO
173

174
$JARSIGNER -strict -keystore $KS -storepass changeit a.jar goodeku
175
[ $? = 0 ] || exit $LINENO
176

177
# badchain signed by ca1, but ca1 is removed later
178
$KT -genkeypair -alias badchain -dname CN=badchain -validity 365
179
$KT -genkeypair -alias ca1 -dname CN=ca1 -ext bc -validity 365
180
$KT -certreq -alias badchain | $KT -gencert -alias ca1 -validity 365 | \
181
        $KT -importcert -alias badchain
182
# save ca1.cert for easy replay
183
$KT -exportcert -file ca1.cert -alias ca1
184
$KT -delete -alias ca1
185

186
$JARSIGNER -strict -keystore $KS -storepass changeit a.jar badchain
187
[ $? = 4 ] || exit $LINENO
188

189
$JARSIGNER -verify a.jar
190
[ $? = 0 ] || exit $LINENO
191

192
# ==========================================================
193
# Third part: -certchain test
194
# ==========================================================
195

196
# altchain signed by ca2
197
$KT -genkeypair -alias altchain -dname CN=altchain -validity 365
198
$KT -genkeypair -alias ca2 -dname CN=ca2 -ext bc -validity 365
199
$KT -certreq -alias altchain | $KT -gencert -alias ca2 -validity 365 -rfc > certchain
200
$KT -exportcert -alias ca2 -rfc >> certchain
201

202
# Self-signed cert does not work
203
$JARSIGNER -strict -keystore $KS -storepass changeit a.jar altchain
204
[ $? = 4 ] || exit $LINENO
205

206
# -certchain works
207
$JARSIGNER -strict -keystore $KS -storepass changeit -certchain certchain a.jar altchain
208
[ $? = 0 ] || exit $LINENO
209

210
# if ca2 is removed and cert is imported, -certchain won't work because this certificate
211
# entry is not trusted
212
# save ca2.cert for easy replay
213
$KT -exportcert -file ca2.cert -alias ca2
214
$KT -delete -alias ca2
215
$KT -importcert -file certchain -alias altchain -noprompt
216
$JARSIGNER -strict -keystore $KS -storepass changeit -certchain certchain a.jar altchain
217
[ $? = 4 ] || exit $LINENO
218

219
$JARSIGNER -verify a.jar
220
[ $? = 0 ] || exit $LINENO
221

222
# ==========================================================
223
# 8172529
224
# ==========================================================
225

226
$KT -genkeypair -alias ee -dname CN=ee
227
$KT -genkeypair -alias caone -dname CN=caone -ext bc:c
228
$KT -genkeypair -alias catwo -dname CN=catwo -ext bc:c
229

230
$KT -certreq -alias ee | $KT -gencert -alias catwo -rfc > ee.cert
231
$KT -certreq -alias catwo | $KT -gencert -alias caone -sigalg MD5withRSA -rfc > catwo.cert
232

233
# This certchain contains a cross-signed weak catwo.cert
234
cat ee.cert catwo.cert | $KT -importcert -alias ee
235

236
$JAR cvf a.jar A1.class
237
$JARSIGNER -strict -keystore $KS -storepass changeit a.jar ee
238
[ $? = 0 ] || exit $LINENO
239
$JARSIGNER -strict -keystore $KS -storepass changeit -verify a.jar
240
[ $? = 0 ] || exit $LINENO
241

242
echo OK
243
exit 0
244

245
Product

Resources

Company
