#
# Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
# published by the Free Software Foundation.
#
# This code is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# version 2 for more details (a copy is included in the LICENSE file that
# accompanied this code).
#
# You should have received a copy of the GNU General Public License version
# 2 along with this work; if not, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
# or visit www.oracle.com if you need additional information or have any
# questions.
#

# @test
# @bug 7004168
# @summary jarsigner -verify checks for KeyUsage codesigning ext on all certs
#  instead of just signing cert
#
# @run shell checkusage.sh
#

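# Locate the JDK under test. TESTJAVA is normally provided by the test
# harness; when it is empty, fall back to the JDK that owns the first javac
# found on PATH. In that case the keytool/jar/jarsigner binaries exercised
# below are whichever JDK PATH resolves to, so the result only describes
# that JDK.
if [ -z "${TESTJAVA}" ] ; then
  JAVAC_CMD=$(command -v javac)
  TESTJAVA=$(dirname "$JAVAC_CMD")/..
fi

# Platform-dependent path separator.
OS=$(uname -s)
case "$OS" in
  Windows_* )
    FS="\\"
    ;;
  * )
    FS="/"
    ;;
esac

# Tool command lines. They are kept as plain strings and are expanded
# unquoted at the call sites on purpose, so that the embedded options and
# TESTTOOLVMOPTS split into separate arguments.
# "changeit" is a fixture password for the throwaway keystores this test
# creates in its working directory; it is passed on the command line and is
# therefore visible in the process list, which is acceptable only because the
# keys have no value outside this test.
KT="$TESTJAVA${FS}bin${FS}keytool ${TESTTOOLVMOPTS} -storepass changeit -keypass changeit -keyalg rsa"
JAR="$TESTJAVA${FS}bin${FS}jar ${TESTTOOLVMOPTS}"
JARSIGNER="$TESTJAVA${FS}bin${FS}jarsigner ${TESTTOOLVMOPTS}"
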
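# Start from a clean slate: keystores left over from an earlier run would
# make keytool refuse to create aliases that already exist, and the test
# would then verify against stale certificates. -f keeps rm quiet when the
# files are absent.
rm -f -- js.jks trust.jks unrelated.jks

# Build the JAR that the tests below sign and verify; "x" is a small payload
# file whose content does not matter.
echo x > x
$JAR cvf a.jar x
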
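################### 3 Keystores #######################

# Keystore js.jks: holds both the CA and the Publisher key pairs.
# The CA certificate carries a non-empty KeyUsage that does not include
# code signing: KU=kCS is keyCertSign, and "-ext bc" adds a BasicConstraints
# extension. This is the certificate that a verifier checking KeyUsage on
# every certificate in the chain would wrongly flag.
$KT -keystore js.jks -genkeypair -alias ca -dname CN=CA -ext KU=kCS -ext bc -validity 365
$KT -keystore js.jks -genkeypair -alias pub -dname CN=Publisher

# Publisher gets a CA-issued certificate with the correct KeyUsage
# (KU=dig, digitalSignature). Request, issuance and import run as one
# pipeline, so the shell only sees the exit status of the final -importcert
# stage; a failure in an earlier stage shows up as a failed import.
$KT -keystore js.jks -certreq -alias pub | \
        $KT -keystore js.jks -gencert -alias ca -ext KU=dig -validity 365 | \
        $KT -keystore js.jks -importcert -alias pub

# Keystore trust.jks: the verifier's trust store, containing the CA
# certificate only (no private keys, no Publisher entry).
$KT -keystore js.jks -exportcert -alias ca | \
        $KT -keystore trust.jks -importcert -alias ca -noprompt

# Keystore unrelated.jks: a self-signed entry with no relation to the
# signer's chain, used to check how an unrelated trust store is reported.
$KT -keystore unrelated.jks -genkeypair -alias nothing -dname CN=Nothing -validity 365

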
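################### 4 Tests #######################
#
# Regression checks for bug 7004168: jarsigner -verify must apply the
# KeyUsage code-signing check to the signing certificate only, not to the CA
# certificate above it. Every step compares the jarsigner exit status with
# the expected value and fails the test with the step number (1-4) on a
# mismatch. Without these comparisons the script exits 0 whatever jarsigner
# reports, and a regression in certificate checking would go unnoticed.

# Test 1: Sign should be OK

$JARSIGNER -keystore js.jks -storepass changeit a.jar pub
RESULT=$?
echo "$RESULT"
[ "$RESULT" = 0 ] || exit 1

# Test 2: Verify should be OK
# With -strict, warnings are reflected in the exit status, so a KeyUsage
# complaint about the CA certificate (keyCertSign only) would make this
# non-zero.

$JARSIGNER -keystore trust.jks -strict -verify a.jar
RESULT=$?
echo "$RESULT"
[ "$RESULT" = 0 ] || exit 2

# Test 3: When no keystore is specified, the error is only
# "chain not validated" (exit status 4)

$JARSIGNER -strict -verify a.jar
RESULT=$?
echo "$RESULT"
[ "$RESULT" = 4 ] || exit 3

# Test 4: When an unrelated keystore is specified, the errors are
# "chain not validated" and "alias not in keystore"; the two conditions are
# reported together as exit status 36 (4 + 32)

$JARSIGNER -keystore unrelated.jks -strict -verify a.jar
RESULT=$?
echo "$RESULT"
[ "$RESULT" = 36 ] || exit 4

exit 0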