# HG changeset patch # User weijun # Date 1394034242 0 # Node ID 3125559a0cdea7ce0ac2555c0168b5772d253248 # Parent 694eb83ef6136b26f5fe5b27b7f7b4d63f97195f 8024302: Clarify jar verifications 8023338: Update jarsigner to encourage timestamping Reviewed-by: mullan, ahgross diff -r 694eb83ef613 -r 3125559a0cde test/sun/security/tools/jarsigner/TimestampCheck.java --- a/test/sun/security/tools/jarsigner/TimestampCheck.java Wed Oct 16 15:16:21 2013 -0700 +++ b/test/sun/security/tools/jarsigner/TimestampCheck.java Wed Mar 05 15:44:02 2014 +0000 @@ -239,13 +239,13 @@ " -J-Djava.security.egd=file:/dev/./urandom" + " -debug -keystore " + TSKS + " -storepass changeit" + " -tsa http://localhost:" + port + "/%d" + - " -signedjar new.jar " + JAR + " old"; + " -signedjar new_%d.jar " + JAR + " old"; } else { cmd = System.getProperty("java.home") + "/bin/jarsigner" + " -J-Djava.security.egd=file:/dev/./urandom" + " -debug -keystore " + TSKS + " -storepass changeit" + " -tsa http://localhost:" + port + "/%d" + - " -signedjar new.jar " + JAR + " old"; + " -signedjar new_%d.jar " + JAR + " old"; } try { @@ -278,7 +278,7 @@ static void jarsigner(String cmd, int path, boolean expected) throws Exception { System.err.println("Test " + path); - Process p = Runtime.getRuntime().exec(String.format(cmd, path)); + Process p = Runtime.getRuntime().exec(String.format(cmd, path, path)); BufferedReader reader = new BufferedReader( new InputStreamReader(p.getErrorStream())); while (true) { @@ -286,9 +286,25 @@ if (s == null) break; System.err.println(s); } + + // Will not see noTimestamp warning + boolean seeWarning = false; + reader = new BufferedReader( + new InputStreamReader(p.getInputStream())); + while (true) { + String s = reader.readLine(); + if (s == null) break; + System.err.println(s); + if (s.indexOf("Warning:") >= 0) { + seeWarning = true; + } + } int result = p.waitFor(); if (expected && result != 0 || !expected && result == 0) { throw new Exception("Failed"); } + if (seeWarning) { + throw new Exception("See warning"); + } } } diff -r 694eb83ef613 -r 3125559a0cde test/sun/security/tools/jarsigner/concise_jarsigner.sh --- a/test/sun/security/tools/jarsigner/concise_jarsigner.sh Wed Oct 16 15:16:21 2013 -0700 +++ b/test/sun/security/tools/jarsigner/concise_jarsigner.sh Wed Mar 05 15:44:02 2014 +0000 @@ -136,7 +136,6 @@ # 16 and 32 already covered in the first part # ========================================================== -$KT -genkeypair -alias expiring -dname CN=expiring -startdate -1m $KT -genkeypair -alias expired -dname CN=expired -startdate -10m $KT -genkeypair -alias notyetvalid -dname CN=notyetvalid -startdate +1m $KT -genkeypair -alias badku -dname CN=badku -ext KU=cRLSign -validity 365 @@ -151,9 +150,6 @@ $KT -importcert -alias badchain $KT -delete -alias ca -$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar expiring -[ $? = 2 ] || exit $LINENO - $JARSIGNER -strict -keystore js.jks -storepass changeit a.jar expired [ $? = 4 ] || exit $LINENO diff -r 694eb83ef613 -r 3125559a0cde test/sun/security/tools/jarsigner/ts.sh --- a/test/sun/security/tools/jarsigner/ts.sh Wed Oct 16 15:16:21 2013 -0700 +++ b/test/sun/security/tools/jarsigner/ts.sh Wed Mar 05 15:44:02 2014 +0000 @@ -22,7 +22,7 @@ # # @test -# @bug 6543842 6543440 6939248 +# @bug 6543842 6543440 6939248 8024302 # @summary checking response of timestamp # # @run shell/timeout=600 ts.sh @@ -53,7 +53,7 @@ JAR="${TESTJAVA}${FS}bin${FS}jar" JAVA="${TESTJAVA}${FS}bin${FS}java" JAVAC="${TESTJAVA}${FS}bin${FS}javac" -KT="${TESTJAVA}${FS}bin${FS}keytool -keystore tsks -storepass changeit -keypass changeit" +KT="${TESTJAVA}${FS}bin${FS}keytool -keystore tsks -storepass changeit -keypass changeit -validity 200" rm tsks echo Nothing > A diff -r 694eb83ef613 -r 3125559a0cde test/sun/security/tools/jarsigner/warnings.sh --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/test/sun/security/tools/jarsigner/warnings.sh Wed Mar 05 15:44:02 2014 +0000 @@ -0,0 +1,117 @@ +# +# Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved. +# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. +# +# This code is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License version 2 only, as +# published by the Free Software Foundation. +# +# This code is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# version 2 for more details (a copy is included in the LICENSE file that +# accompanied this code). +# +# You should have received a copy of the GNU General Public License version +# 2 along with this work; if not, write to the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA +# or visit www.oracle.com if you need additional information or have any +# questions. +# + +# @test +# @bug 8024302 +# @summary Clarify jar verifications +# + +if [ "${TESTJAVA}" = "" ] ; then + JAVAC_CMD=`which javac` + TESTJAVA=`dirname $JAVAC_CMD`/.. +fi + +# set platform-dependent variables +OS=`uname -s` +case "$OS" in + Windows_* ) + FS="\\" + ;; + * ) + FS="/" + ;; +esac + +KS=warnings.jks +JFILE=warnings.jar + +KT="$TESTJAVA${FS}bin${FS}keytool -storepass changeit -keypass changeit \ + -keystore $KS" +JAR=$TESTJAVA${FS}bin${FS}jar +JARSIGNER="$TESTJAVA${FS}bin${FS}jarsigner -keystore $KS -storepass changeit" + +rm $KS 2> /dev/null + +export LANG=C + +echo 12345 > file + +ERR="" + +# Normal signer expiring on 2100-01-01 +$KT -alias s1 -dname CN=s1 -genkey -startdate 2000/01/01 -validity 36525 || ERR="$ERR keytool s1," +# Cert expiring soon, informational warning +$KT -alias s2 -dname CN=s2 -genkey -validity 100 || ERR="$ERR keytool s2," +# Cert expired, severe warning +$KT -alias s3 -dname CN=s3 -genkey -startdate -200d -validity 100 || ERR="$ERR keytool s3," + +# noTimestamp is informatiional warning and includes a date +$JAR cvf $JFILE file +$JARSIGNER $JFILE s1 > output1 || ERR="$ERR jarsigner s1," +$JARSIGNER -strict $JFILE s1 >> output1 || ERR="$ERR jarsigner s1 strict," +$JARSIGNER -verify $JFILE s1 >> output1 || ERR="$ERR jarsigner s1," +$JARSIGNER -verify -strict $JFILE s1 >> output1 || ERR="$ERR jarsigner s1 strict," + +cat output1 | grep Warning || ERR="$ERR s1 warning," +cat output1 | grep Error && ERR="$ERR s1 error," +cat output1 | grep timestamp | grep 2100-01-01 || ERR="$ERR s1 timestamp," +cat output1 | grep "with signer errors" && ERR="$ERR s1 err," + +# hasExpiringCert is informatiional warning +$JAR cvf $JFILE file +$JARSIGNER $JFILE s2 > output2 || ERR="$ERR jarsigner s2," +$JARSIGNER -strict $JFILE s2 >> output2 || ERR="$ERR jarsigner s2 strict," +$JARSIGNER -verify $JFILE s2 >> output2 || ERR="$ERR jarsigner s2," +$JARSIGNER -verify -strict $JFILE s2 >> output2 || ERR="$ERR jarsigner s2 strict," + +cat output2 | grep Warning || ERR="$ERR s2 warning," +cat output2 | grep Error && ERR="$ERR s2 error," +cat output2 | grep timestamp || ERR="$ERR s2 timestamp," +cat output2 | grep "will expire" || ERR="$ERR s2 expiring," +cat output2 | grep "with signer errors" && ERR="$ERR s2 err," + +# hasExpiredCert is severe warning +$JAR cvf $JFILE file +$JARSIGNER $JFILE s3 > output3 || ERR="$ERR jarsigner s3," +$JARSIGNER -strict $JFILE s3 > output3s && ERR="$ERR jarsigner s3 strict," +$JARSIGNER -verify $JFILE s3 >> output3 || ERR="$ERR jarsigner s3," +$JARSIGNER -verify -strict $JFILE s3 >> output3s && ERR="$ERR jarsigner s3 strict," + +# warning without -strict +cat output3 | grep Warning || ERR="$ERR s3 warning," +cat output3 | grep Error && ERR="$ERR s3 error," +cat output3 | grep "with signer errors" && ERR="$ERR s3 err," + +# error with -strict +cat output3s | grep Warning || ERR="$ERR s3s warning," +cat output3s | grep Error || ERR="$ERR s3s error," +cat output3s | grep "with signer errors" || ERR="$ERR s3 err," + +if [ "$ERR" = "" ]; then + exit 0 +else + echo "ERR is $ERR" + exit 1 +fi + +