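#
# Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
# published by the Free Software Foundation.
#
# This code is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# version 2 for more details (a copy is included in the LICENSE file that
# accompanied this code).
#
# You should have received a copy of the GNU General Public License version
# 2 along with this work; if not, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
# or visit www.oracle.com if you need additional information or have any
# questions.
#

# @test
# @bug 7004168
# @summary jarsigner -verify checks for KeyUsage codesigning ext on all certs
#  instead of just signing cert
#
# @run shell checkusage.sh
#

# Scenario: a CA whose certificate carries a KeyUsage that is valid for a CA
# (keyCertSign) but not for signing content issues a Publisher certificate
# with digitalSignature. A jar signed by the Publisher should verify cleanly
# under -strict, because only the signing certificate's KeyUsage is relevant;
# per the @summary above, the bug was that every certificate was checked.
#
# All keystores use the fixed password "changeit" on the command line. That is
# acceptable only because they are throwaway fixtures created in the working
# directory by this script.

# Locate the JDK under test. The harness normally exports TESTJAVA; for a
# manual run fall back to the javac found on PATH. Backticks and `which` are
# kept so the script stays runnable under older /bin/sh implementations.
if [ "${TESTJAVA}" = "" ] ; then
  JAVAC_CMD=`which javac`
  # Some `which` implementations print a message instead of an empty string
  # when nothing is found, so test for an executable rather than for "".
  if [ ! -x "$JAVAC_CMD" ] ; then
    echo "TESTJAVA is not set and javac was not found on PATH" >&2
    exit 1
  fi
  # Quoted so that a JDK installed under a path containing spaces resolves.
  TESTJAVA=`dirname "$JAVAC_CMD"`/..
fi

# set platform-dependent variables
OS=`uname -s`
case "$OS" in
  Windows_* )
    FS="\\"
    ;;
  * )
    FS="/"
    ;;
esac

# Tool wrappers. The executable path is quoted as one word so TESTJAVA may
# contain spaces; TESTTOOLVMOPTS is deliberately left unquoted because it is
# a list of options that must be split into separate arguments.

# keytool with the fixed test passwords and RSA keys; extra arguments follow.
kt() {
  # shellcheck disable=SC2086
  "$TESTJAVA${FS}bin${FS}keytool" ${TESTTOOLVMOPTS} \
    -storepass changeit -keypass changeit -keyalg rsa "$@"
}

# jar tool from the JDK under test.
jar_tool() {
  # shellcheck disable=SC2086
  "$TESTJAVA${FS}bin${FS}jar" ${TESTTOOLVMOPTS} "$@"
}

# jarsigner from the JDK under test; its exit status is the function's status.
jarsigner_tool() {
  # shellcheck disable=SC2086
  "$TESTJAVA${FS}bin${FS}jarsigner" ${TESTTOOLVMOPTS} "$@"
}

# Remove keystores left by a previous run; -genkeypair would otherwise fail
# on the already existing aliases. Missing files are not an error.
rm js.jks trust.jks unrelated.jks 2> /dev/null

# Minimal jar with a single one-byte entry to sign.
echo x > x
jar_tool cvf a.jar x

################### 3 Keystores #######################

# Keystore js.jks: including CA and Publisher
# CA contains a non-empty KeyUsage (kCS = keyCertSign) plus BasicConstraints
kt -keystore js.jks -genkeypair -alias ca -dname CN=CA -ext KU=kCS -ext bc -validity 365
kt -keystore js.jks -genkeypair -alias pub -dname CN=Publisher

# Publisher contains the correct KeyUsage (dig = digitalSignature).
# Request -> certificate issued by "ca" -> imported back as the "pub" chain.
kt -keystore js.jks -certreq -alias pub | \
  kt -keystore js.jks -gencert -alias ca -ext KU=dig -validity 365 | \
  kt -keystore js.jks -importcert -alias pub

# Keystore trust.jks: including CA only (the verifier's trust anchor)
kt -keystore js.jks -exportcert -alias ca | \
  kt -keystore trust.jks -importcert -alias ca -noprompt

# Keystore unrelated.jks: unrelated
kt -keystore unrelated.jks -genkeypair -alias nothing -dname CN=Nothing -validity 365


################### 4 Tests #######################

# NOTE(review): every exit-code assertion below is commented out and the
# script ends with an unconditional "exit 0", so this test cannot fail. The
# jarsigner exit codes are only echoed; a regression in KeyUsage or chain
# validation has to be spotted by reading the log. The assertions are left
# disabled here because the reason for disabling them is not visible in this
# file - confirm the expected codes before re-enabling.

# Test 1: Sign should be OK

jarsigner_tool -keystore js.jks -storepass changeit a.jar pub
RESULT=$?
echo "$RESULT"
#[ $RESULT = 0 ] || exit 1

# Test 2: Verify should be OK

jarsigner_tool -keystore trust.jks -strict -verify a.jar
RESULT=$?
echo "$RESULT"
#[ $RESULT = 0 ] || exit 2

# Test 3: When no keystore is specified, the error is only
# "chain not validated"

jarsigner_tool -strict -verify a.jar
RESULT=$?
echo "$RESULT"
#[ $RESULT = 4 ] || exit 3

# Test 4: When unrelated keystore is specified, the error is
# "chain not validated" and "not alias in keystore"
# (36 is presumably the sum of the two warning codes - confirm)

jarsigner_tool -keystore unrelated.jks -strict -verify a.jar
RESULT=$?
echo "$RESULT"
#[ $RESULT = 36 ] || exit 4

exit 0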