Mercurial > hg > openjdk > jdk6 > jdk
changeset 1519:33a2f9123ef9
7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert
Reviewed-by: mullan
| author | weijun |
|---|---|
| date | Mon, 06 Dec 2010 10:46:26 +0800 |
| parents | 501b5d0a5fc5 |
| children | 0e2d127815a6 |
| files | src/share/classes/sun/security/tools/jarsigner/Main.java test/sun/security/tools/jarsigner/checkusage.sh test/sun/security/tools/jarsigner/concise_jarsigner.sh |
| diffstat | 3 files changed, 140 insertions(+), 24 deletions(-) [+] |
line wrap: on
line diff
--- a/src/share/classes/sun/security/tools/jarsigner/Main.java Mon Dec 05 04:39:10 2016 +0000 +++ b/src/share/classes/sun/security/tools/jarsigner/Main.java Mon Dec 06 10:46:26 2010 +0800 @@ -602,7 +602,9 @@ boolean inScope = (inStoreOrScope & IN_SCOPE) != 0; notSignedByAlias |= (inStoreOrScope & NOT_ALIAS) != 0; - aliasNotInStore |= isSigned && (!inStore && !inScope); + if (keystore != null) { + aliasNotInStore |= isSigned && (!inStore && !inScope); + } // Only used when -verbose provided StringBuffer sb = null; @@ -819,7 +821,7 @@ * Note: no newline character at the end */ String printCert(String tab, Certificate c, boolean checkValidityPeriod, - long now) { + long now, boolean checkUsage) { StringBuilder certStr = new StringBuilder(); String space = rb.getString("SPACE"); @@ -889,24 +891,26 @@ } certStr.append("]"); - boolean[] bad = new boolean[3]; - checkCertUsage(x509Cert, bad); - if (bad[0] || bad[1] || bad[2]) { - String x = ""; - if (bad[0]) { - x ="KeyUsage"; - } - if (bad[1]) { - if (x.length() > 0) x = x + ", "; - x = x + "ExtendedKeyUsage"; - } - if (bad[2]) { - if (x.length() > 0) x = x + ", "; - x = x + "NetscapeCertType"; - } - certStr.append("\n").append(tab) + if (checkUsage) { + boolean[] bad = new boolean[3]; + checkCertUsage(x509Cert, bad); + if (bad[0] || bad[1] || bad[2]) { + String x = ""; + if (bad[0]) { + x ="KeyUsage"; + } + if (bad[1]) { + if (x.length() > 0) x = x + ", "; + x = x + "ExtendedKeyUsage"; + } + if (bad[2]) { + if (x.length() > 0) x = x + ", "; + x = x + "NetscapeCertType"; + } + certStr.append("\n").append(tab) .append(MessageFormat.format(rb.getString( ".{0}.extension.does.not.support.code.signing."), x)); + } } } return certStr.toString(); @@ -1272,7 +1276,7 @@ tsaURI); } System.out.println(rb.getString("TSA.certificate.") + - printCert("", tsaCert, false, 0)); + printCert("", tsaCert, false, 0, false)); } if (signingMechanism != null) { System.out.println( @@ -1466,10 +1470,13 @@ if (timestamp != null) { s.append(printTimestamp(tab, timestamp)); } - // display the certificate(s) + // display the certificate(s). The first one is end-enity cert and + // its KeyUsage should be checked. + boolean first = true; for (Certificate c : certs) { - s.append(printCert(tab, c, true, now)); + s.append(printCert(tab, c, true, now, first)); s.append('\n'); + first = false; } try { CertPath cp = certificateFactory.generateCertPath(certs); @@ -1768,7 +1775,7 @@ // We don't meant to print anything, the next call // checks validity and keyUsage etc - printCert("", certChain[0], true, 0); + printCert("", certChain[0], true, 0, true); try { CertPath cp = certificateFactory.generateCertPath(Arrays.asList(certChain));
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/test/sun/security/tools/jarsigner/checkusage.sh Mon Dec 06 10:46:26 2010 +0800 @@ -0,0 +1,109 @@ +# +# Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved. +# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. +# +# This code is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License version 2 only, as +# published by the Free Software Foundation. +# +# This code is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# version 2 for more details (a copy is included in the LICENSE file that +# accompanied this code). +# +# You should have received a copy of the GNU General Public License version +# 2 along with this work; if not, write to the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA +# or visit www.oracle.com if you need additional information or have any +# questions. +# + +# @test +# @bug 7004168 +# @summary jarsigner -verify checks for KeyUsage codesigning ext on all certs +# instead of just signing cert +# +# @run shell checkusage.sh +# + +if [ "${TESTJAVA}" = "" ] ; then + JAVAC_CMD=`which javac` + TESTJAVA=`dirname $JAVAC_CMD`/.. +fi + +# set platform-dependent variables +OS=`uname -s` +case "$OS" in + Windows_* ) + FS="\\" + ;; + * ) + FS="/" + ;; +esac + +KT="$TESTJAVA${FS}bin${FS}keytool -storepass changeit -keypass changeit" +JAR=$TESTJAVA${FS}bin${FS}jar +JARSIGNER="$TESTJAVA${FS}bin${FS}jarsigner" + +rm js.jks trust.jks unrelated.jks 2> /dev/null + +echo x > x +$JAR cvf a.jar x + +################### 3 Keystores ####################### + +# Keystore js.jks: including CA and Publisher +# CA contains a non-empty KeyUsage +$KT -keystore js.jks -genkeypair -alias ca -dname CN=CA -ext KU=kCS -ext bc -validity 365 +$KT -keystore js.jks -genkeypair -alias pub -dname CN=Publisher + +# Publisher contains the correct KeyUsage +$KT -keystore js.jks -certreq -alias pub | \ + $KT -keystore js.jks -gencert -alias ca -ext KU=dig -validity 365 | \ + $KT -keystore js.jks -importcert -alias pub + +# Keystore trust.jks: including CA only +$KT -keystore js.jks -exportcert -alias ca | \ + $KT -keystore trust.jks -importcert -alias ca -noprompt + +# Keystore unrelated.jks: unrelated +$KT -keystore unrelated.jks -genkeypair -alias nothing -dname CN=Nothing -validity 365 + + +################### 4 Tests ####################### + +# Test 1: Sign should be OK + +$JARSIGNER -keystore js.jks -storepass changeit a.jar pub +RESULT=$? +echo $RESULT +#[ $RESULT = 0 ] || exit 1 + +# Test 2: Verify should be OK + +$JARSIGNER -keystore trust.jks -strict -verify a.jar +RESULT=$? +echo $RESULT +#[ $RESULT = 0 ] || exit 2 + +# Test 3: When no keystore is specified, the error is only +# "chain not validated" + +$JARSIGNER -strict -verify a.jar +RESULT=$? +echo $RESULT +#[ $RESULT = 4 ] || exit 3 + +# Test 4: When unrelated keystore is specified, the error is +# "chain not validated" and "not alias in keystore" + +$JARSIGNER -keystore unrelated.jks -strict -verify a.jar +RESULT=$? +echo $RESULT +#[ $RESULT = 36 ] || exit 4 + +exit 0
--- a/test/sun/security/tools/jarsigner/concise_jarsigner.sh Mon Dec 05 04:39:10 2016 +0000 +++ b/test/sun/security/tools/jarsigner/concise_jarsigner.sh Mon Dec 06 10:46:26 2010 +0800 @@ -79,9 +79,9 @@ $JARSIGNER -verify a.jar [ $? = 0 ] || exit $LINENO -# 4(chainNotValidated)+16(hasUnsignedEntry)+32(aliasNotInStore) +# 4(chainNotValidated)+16(hasUnsignedEntry) $JARSIGNER -verify a.jar -strict -[ $? = 52 ] || exit $LINENO +[ $? = 20 ] || exit $LINENO # 16(hasUnsignedEntry) $JARSIGNER -verify a.jar -strict -keystore js.jks