Mercurial > hg > icedtea7-forest-aarch64 > jdk
changeset 8149:a50dd6580490
8036709: Java 7 jarsigner displays warning about cert policy tree
Reviewed-by: weijun, coffeys
author | mbankal |
---|---|
date | Wed, 30 Jul 2014 05:09:27 -0700 |
parents | d6c2529b5a24 |
children | 584b227e8efe |
files | src/share/classes/sun/security/tools/JarSigner.java test/sun/security/tools/jarsigner/certpolicy.sh |
diffstat | 2 files changed, 98 insertions(+), 5 deletions(-) [+] |
line wrap: on
line diff
--- a/src/share/classes/sun/security/tools/JarSigner.java Mon Aug 04 16:29:38 2014 +0100 +++ b/src/share/classes/sun/security/tools/JarSigner.java Wed Jul 30 05:09:27 2014 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -1547,8 +1547,7 @@ first = false; } try { - CertPath cp = certificateFactory.generateCertPath(certs); - validator.validate(cp, pkixParameters); + validateCertChain(certs); } catch (Exception e) { if (debug) { e.printStackTrace(); @@ -1859,8 +1858,7 @@ printCert("", certChain[0], true, null, true); try { - CertPath cp = certificateFactory.generateCertPath(Arrays.asList(certChain)); - validator.validate(cp, pkixParameters); + validateCertChain(Arrays.asList(certChain)); } catch (Exception e) { if (debug) { e.printStackTrace(); @@ -1925,6 +1923,22 @@ System.exit(1); } + void validateCertChain(List<? extends Certificate> certs) throws Exception { + int cpLen = 0; + out: for (; cpLen<certs.size(); cpLen++) { + for (TrustAnchor ta: pkixParameters.getTrustAnchors()) { + if (ta.getTrustedCert().equals(certs.get(cpLen))) { + break out; + } + } + } + if (cpLen > 0) { + CertPath cp = certificateFactory.generateCertPath( + (cpLen == certs.size())? certs: certs.subList(0, cpLen)); + validator.validate(cp, pkixParameters); + } + } + char[] getPass(String prompt) { System.err.print(prompt);
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/test/sun/security/tools/jarsigner/certpolicy.sh Wed Jul 30 05:09:27 2014 -0700 @@ -0,0 +1,79 @@ +# +# Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved. +# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. +# +# This code is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License version 2 only, as +# published by the Free Software Foundation. +# +# This code is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# version 2 for more details (a copy is included in the LICENSE file that +# accompanied this code). +# +# You should have received a copy of the GNU General Public License version +# 2 along with this work; if not, write to the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA +# or visit www.oracle.com if you need additional information or have any +# questions. +# + +# @test +# @bug 8036709 +# @summary Java 7 jarsigner displays warning about cert policy tree +# +# @run shell certpolicy.sh +# + +if [ "${TESTJAVA}" = "" ] ; then + JAVAC_CMD=`which javac` + TESTJAVA=`dirname $JAVAC_CMD`/.. +fi + +KT="$TESTJAVA/bin/keytool $TESTTOOLVMOPTS \ + -keypass changeit -storepass changeit -keystore ks -keyalg rsa" +JS="$TESTJAVA/bin/jarsigner $TESTTOOLVMOPTS -storepass changeit -keystore ks" +JAR="$TESTJAVA/bin/jar $TESTTOOLVMOPTS" + +rm ks 2> /dev/null +$KT -genkeypair -alias ca -dname CN=CA -ext bc +$KT -genkeypair -alias int -dname CN=Int +$KT -genkeypair -alias ee -dname CN=EE + +# CertificatePolicies [[PolicyId: [1.2.3]], [PolicyId: [1.2.4]]] +# PolicyConstraints: [Require: 0; Inhibit: unspecified] +$KT -certreq -alias int | \ + $KT -gencert -rfc -alias ca \ + -ext 2.5.29.32="30 0C 30 04 06 02 2A 03 30 04 06 02 2A 04" \ + -ext "2.5.29.36=30 03 80 01 00" -ext bc | \ + $KT -import -alias int + +# CertificatePolicies [[PolicyId: [1.2.3]]] +$KT -certreq -alias ee | \ + $KT -gencert -rfc -alias int \ + -ext 2.5.29.32="30 06 30 04 06 02 2A 03" | \ + $KT -import -alias ee + +$KT -export -alias ee -rfc > cc +$KT -export -alias int -rfc >> cc +$KT -export -alias ca -rfc >> cc + +$KT -delete -alias int + +ERR='' +$JAR cvf a.jar cc + +# Make sure the certchain in the signed jar contains all 3 certs +$JS -strict -certchain cc a.jar ee -debug || ERR="sign" +$JS -strict -verify a.jar -debug || ERR="$ERR verify" + +if [ "$ERR" = "" ]; then + echo "Success" + exit 0 +else + echo "Failed: $ERR" + exit 1 +fi