8191438: jarsigner should print when a timestamp will expire

Reviewed-by: mullan

8191438: jarsigner should print when a timestamp will expire
Reviewed-by: mullan
2fa97175 · weijun · 28e4c64d · 2fa97175 · 2fa97175 · 2fa97175
18 changed file
--- a/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java
+++ b/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java
--- a/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Resources.java
+++ b/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Resources.java
@@ -229,6 +229,7 @@ public class Resources extends java.util.ListResourceBundle {
        {"Error.", "Error: "},
        {"...Signer", ">>> Signer"},
        {"...TSA", ">>> TSA"},
+        {"trusted.certificate", "trusted certificate"},
        {"This.jar.contains.unsigned.entries.which.have.not.been.integrity.checked.",
                "This jar contains unsigned entries which have not been integrity-checked. "},
        {"This.jar.contains.entries.whose.signer.certificate.has.expired.",
@@ -245,8 +246,16 @@ public class Resources extends java.util.ListResourceBundle {
                "Re-run with the -verbose and -certs options for more details."},
        {"The.signer.certificate.has.expired.",
                "The signer certificate has expired."},
+        {"The.timestamp.expired.1.but.usable.2",
+                "The timestamp expired on %1$tY-%1$tm-%1$td. However, the JAR will be valid until the signer certificate expires on %2$tY-%2$tm-%2$td."},
+        {"The.timestamp.has.expired.",
+                "The timestamp has expired."},
        {"The.signer.certificate.will.expire.within.six.months.",
                "The signer certificate will expire within six months."},
+        {"The.timestamp.will.expire.within.one.year.on.1",
+                "The timestamp will expire within one year on %1$tY-%1$tm-%1$td."},
+        {"The.timestamp.will.expire.within.one.year.on.1.but.2",
+                "The timestamp will expire within one year on %1$tY-%1$tm-%1$td. However, the JAR will be valid until the signer certificate expires on %2$tY-%2$tm-%2$td."},
        {"The.signer.certificate.is.not.yet.valid.",
                "The signer certificate is not yet valid."},
        {"The.signer.certificate.s.KeyUsage.extension.doesn.t.allow.code.signing.",
@@ -279,10 +288,18 @@ public class Resources extends java.util.ListResourceBundle {
                "This jar contains entries whose TSA certificate chain is invalid. Reason: %s"},
        {"no.timestamp.signing",
                "No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (%1$tY-%1$tm-%1$td)."},
+        {"invalid.timestamp.signing",
+                "The timestamp is invalid. Without a valid timestamp, users may not be able to validate this jar after the signer certificate's expiration date (%1$tY-%1$tm-%1$td)."},
        {"no.timestamp.verifying",
                "This jar contains signatures that do not include a timestamp. Without a timestamp, users may not be able to validate this jar after any of the signer certificates expire (as early as %1$tY-%1$tm-%1$td)."},
        {"bad.timestamp.verifying",
                "This jar contains signatures that include an invalid timestamp. Without a valid timestamp, users may not be able to validate this jar after any of the signer certificates expire (as early as %1$tY-%1$tm-%1$td).\nRerun jarsigner with -J-Djava.security.debug=jar for more information."},
+        {"The.signer.certificate.will.expire.on.1.",
+                "The signer certificate will expire on %1$tY-%1$tm-%1$td."},
+        {"The.timestamp.will.expire.on.1.",
+                "The timestamp will expire on %1$tY-%1$tm-%1$td."},
+        {"signer.cert.expired.1.but.timestamp.good.2.",
+                "The signer certificate expired on %1$tY-%1$tm-%1$td. However, the JAR will be valid until the timestamp expires on %2$tY-%2$tm-%2$td."},
        {"Unknown.password.type.", "Unknown password type: "},
        {"Cannot.find.environment.variable.",
                "Cannot find environment variable: "},

--- a/test/jdk/sun/security/tools/jarsigner/TimestampCheck.java
+++ b/test/jdk/sun/security/tools/jarsigner/TimestampCheck.java
 /*
- * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -79,6 +79,7 @@ import sun.security.x509.X500Name;
 *        jdk.test.lib.JDKToolLauncher
 *        jdk.test.lib.Platform
 *        jdk.test.lib.process.*
+ * @compile -XDignore.symbol.file TimestampCheck.java
 * @run main/timeout=600 TimestampCheck
 */
 public class TimestampCheck {
@@ -126,12 +127,12 @@ public class TimestampCheck {
        byte[] sign(byte[] input, String path) throws Exception {
            DerValue value = new DerValue(input);
-            System.out.println("\nIncoming Request\n===================");
+            System.out.println("#\n# Incoming Request\n===================");
-            System.out.println("Version: " + value.data.getInteger());
+            System.out.println("# Version: " + value.data.getInteger());
            DerValue messageImprint = value.data.getDerValue();
            AlgorithmId aid = AlgorithmId.parse(
                    messageImprint.data.getDerValue());
-            System.out.println("AlgorithmId: " + aid);
+            System.out.println("# AlgorithmId: " + aid);
            ObjectIdentifier policyId = new ObjectIdentifier(defaultPolicyId);
            BigInteger nonce = null;
@@ -139,16 +140,16 @@ public class TimestampCheck {
                DerValue v = value.data.getDerValue();
                if (v.tag == DerValue.tag_Integer) {
                    nonce = v.getBigInteger();
-                    System.out.println("nonce: " + nonce);
+                    System.out.println("# nonce: " + nonce);
                } else if (v.tag == DerValue.tag_Boolean) {
-                    System.out.println("certReq: " + v.getBoolean());
+                    System.out.println("# certReq: " + v.getBoolean());
                } else if (v.tag == DerValue.tag_ObjectId) {
                    policyId = v.getOID();
-                    System.out.println("PolicyID: " + policyId);
+                    System.out.println("# PolicyID: " + policyId);
                }
            }
-            System.out.println("\nResponse\n===================");
+            System.out.println("#\n# Response\n===================");
            KeyStore ks = KeyStore.getInstance(
                    new File(keystore), "changeit".toCharArray());
@@ -232,10 +233,10 @@ public class TimestampCheck {
                    "1.2.840.113549.1.9.16.1.4"),
                    new DerValue(tstInfo2.toByteArray()));
-            System.out.println("Signing...");
+            System.out.println("# Signing...");
-            System.out.println(new X500Name(signer
+            System.out.println("# " + new X500Name(signer
                    .getIssuerX500Principal().getName()));
-            System.out.println(signer.getSerialNumber());
+            System.out.println("# " + signer.getSerialNumber());
            SignerInfo signerInfo = new SignerInfo(
                    new X500Name(signer.getIssuerX500Principal().getName()),
@@ -306,8 +307,6 @@ public class TimestampCheck {
    public static void main(String[] args) throws Throwable {
-        prepare();
        try (Handler tsa = Handler.init(0, "ks");) {
            tsa.start();
            int port = tsa.getPort();
@@ -315,62 +314,99 @@ public class TimestampCheck {
            if (args.length == 0) {         // Run this test
+                prepare();
                sign("normal")
                        .shouldNotContain("Warning")
+                        .shouldContain("The signer certificate will expire on")
+                        .shouldContain("The timestamp will expire on")
                        .shouldHaveExitValue(0);
                verify("normal.jar")
                        .shouldNotContain("Warning")
                        .shouldHaveExitValue(0);
+                verify("normal.jar", "-verbose")
+                        .shouldNotContain("Warning")
+                        .shouldContain("The signer certificate will expire on")
+                        .shouldContain("The timestamp will expire on")
+                        .shouldHaveExitValue(0);
                // Simulate signing at a previous date:
                // 1. tsold will create a timestamp of 20 days ago.
                // 2. oldsigner expired 10 days ago.
-                // jarsigner will show a warning at signing.
                signVerbose("tsold", "unsigned.jar", "tsold.jar", "oldsigner")
-                        .shouldHaveExitValue(4);
+                        .shouldNotContain("Warning")
+                        .shouldMatch("signer certificate expired on .*. "
+                                + "However, the JAR will be valid")
+                        .shouldHaveExitValue(0);
                // It verifies perfectly.
                verify("tsold.jar", "-verbose", "-certs")
                        .shouldNotContain("Warning")
+                        .shouldMatch("signer certificate expired on .*. "
+                                + "However, the JAR will be valid")
                        .shouldHaveExitValue(0);
+                // No timestamp
                signVerbose(null, "unsigned.jar", "none.jar", "signer")
                        .shouldContain("is not timestamped")
+                        .shouldContain("The signer certificate will expire on")
+                        .shouldHaveExitValue(0);
+                verify("none.jar", "-verbose")
+                        .shouldContain("do not include a timestamp")
+                        .shouldContain("The signer certificate will expire on")
                        .shouldHaveExitValue(0);
+                // Error cases
                signVerbose(null, "unsigned.jar", "badku.jar", "badku")
+                        .shouldContain("KeyUsage extension doesn't allow code signing")
                        .shouldHaveExitValue(8);
                checkBadKU("badku.jar");
                // 8180289: unvalidated TSA cert chain
                sign("tsnoca")
-                        .shouldContain("TSA certificate chain is invalid")
+                        .shouldContain("The TSA certificate chain is invalid. "
+                                + "Reason: Path does not chain with any of the trust anchors")
                        .shouldHaveExitValue(64);
                verify("tsnoca.jar", "-verbose", "-certs")
                        .shouldHaveExitValue(64)
                        .shouldContain("jar verified")
-                        .shouldContain("Invalid TSA certificate chain")
+                        .shouldContain("Invalid TSA certificate chain: "
-                        .shouldContain("TSA certificate chain is invalid");
+                                + "Path does not chain with any of the trust anchors")
+                        .shouldContain("TSA certificate chain is invalid."
+                                + " Reason: Path does not chain with any of the trust anchors");
                sign("nononce")
+                        .shouldContain("Nonce missing in timestamp token")
                        .shouldHaveExitValue(1);
                sign("diffnonce")
+                        .shouldContain("Nonce changed in timestamp token")
                        .shouldHaveExitValue(1);
                sign("baddigest")
+                        .shouldContain("Digest octets changed in timestamp token")
                        .shouldHaveExitValue(1);
                sign("diffalg")
+                        .shouldContain("Digest algorithm not")
                        .shouldHaveExitValue(1);
                sign("fullchain")
                        .shouldHaveExitValue(0);   // Success, 6543440 solved.
                sign("tsbad1")
+                        .shouldContain("Certificate is not valid for timestamping")
                        .shouldHaveExitValue(1);
                sign("tsbad2")
+                        .shouldContain("Certificate is not valid for timestamping")
                        .shouldHaveExitValue(1);
                sign("tsbad3")
+                        .shouldContain("Certificate is not valid for timestamping")
                        .shouldHaveExitValue(1);
                sign("nocert")
+                        .shouldContain("Certificate not included in timestamp token")
                        .shouldHaveExitValue(1);
                sign("policy", "-tsapolicyid",  "1.2.3")
@@ -378,6 +414,7 @@ public class TimestampCheck {
                checkTimestamp("policy.jar", "1.2.3", "SHA-256");
                sign("diffpolicy", "-tsapolicyid", "1.2.3")
+                        .shouldContain("TSAPolicyID changed in timestamp token")
                        .shouldHaveExitValue(1);
                sign("sha1alg", "-tsadigestalg", "SHA")
@@ -387,6 +424,7 @@ public class TimestampCheck {
                sign("tsweak", "-digestalg", "MD5",
                                "-sigalg", "MD5withRSA", "-tsadigestalg", "MD5")
                        .shouldHaveExitValue(68)
+                        .shouldContain("The timestamp is invalid. Without a valid timestamp")
                        .shouldMatch("MD5.*-digestalg.*risk")
                        .shouldMatch("MD5.*-tsadigestalg.*risk")
                        .shouldMatch("MD5withRSA.*-sigalg.*risk");
@@ -394,6 +432,7 @@ public class TimestampCheck {
                signVerbose("tsweak", "unsigned.jar", "tsweak2.jar", "signer")
                        .shouldHaveExitValue(64)
+                        .shouldContain("The timestamp is invalid. Without a valid timestamp")
                        .shouldContain("TSA certificate chain is invalid");
                // Weak timestamp is an error and jar treated unsigned
@@ -402,19 +441,26 @@ public class TimestampCheck {
                        .shouldContain("treated as unsigned")
                        .shouldMatch("Timestamp.*512.*weak");
+                // Algorithm used in signing is weak
                signVerbose("normal", "unsigned.jar", "halfWeak.jar", "signer",
                        "-digestalg", "MD5")
+                        .shouldContain("-digestalg option is considered a security risk")
                        .shouldHaveExitValue(4);
                checkHalfWeak("halfWeak.jar");
                // sign with DSA key
                signVerbose("normal", "unsigned.jar", "sign1.jar", "dsakey")
                        .shouldHaveExitValue(0);
                // sign with RSAkeysize < 1024
                signVerbose("normal", "sign1.jar", "sign2.jar", "weakkeysize")
+                        .shouldContain("Algorithm constraints check failed on keysize")
                        .shouldHaveExitValue(4);
                checkMultiple("sign2.jar");
+                // 8191438: jarsigner should print when a timestamp will expire
+                checkExpiration();
                // When .SF or .RSA is missing or invalid
                checkMissingOrInvalidFiles("normal.jar");
@@ -422,12 +468,118 @@ public class TimestampCheck {
                    checkInvalidTsaCertKeyUsage();
                }
            } else {                        // Run as a standalone server
-                System.out.println("Press Enter to quit server");
+                System.out.println("TSA started at " + host
+                        + ". Press Enter to quit server");
                System.in.read();
            }
        }
    }
+    private static void checkExpiration() throws Exception {
+        // Warning when expired or expiring
+        signVerbose(null, "unsigned.jar", "expired.jar", "expired")
+                .shouldContain("signer certificate has expired")
+                .shouldHaveExitValue(4);
+        verify("expired.jar")
+                .shouldContain("signer certificate has expired")
+                .shouldHaveExitValue(4);
+        signVerbose(null, "unsigned.jar", "expiring.jar", "expiring")
+                .shouldContain("signer certificate will expire within")
+                .shouldHaveExitValue(0);
+        verify("expiring.jar")
+                .shouldContain("signer certificate will expire within")
+                .shouldHaveExitValue(0);
+        // Info for long
+        signVerbose(null, "unsigned.jar", "long.jar", "long")
+                .shouldNotContain("signer certificate has expired")
+                .shouldNotContain("signer certificate will expire within")
+                .shouldContain("signer certificate will expire on")
+                .shouldHaveExitValue(0);
+        verify("long.jar")
+                .shouldNotContain("signer certificate has expired")
+                .shouldNotContain("signer certificate will expire within")
+                .shouldNotContain("The signer certificate will expire")
+                .shouldHaveExitValue(0);
+        verify("long.jar", "-verbose")
+                .shouldContain("The signer certificate will expire")
+                .shouldHaveExitValue(0);
+        // Both expired
+        signVerbose("tsexpired", "unsigned.jar",
+                "tsexpired-expired.jar", "expired")
+                .shouldContain("The signer certificate has expired.")
+                .shouldContain("The timestamp has expired.")
+                .shouldHaveExitValue(4);
+        verify("tsexpired-expired.jar")
+                .shouldContain("signer certificate has expired")
+                .shouldContain("timestamp has expired.")
+                .shouldHaveExitValue(4);
+        // TS expired but signer still good
+        signVerbose("tsexpired", "unsigned.jar",
+                "tsexpired-long.jar", "long")
+                .shouldContain("The timestamp expired on")
+                .shouldHaveExitValue(0);
+        verify("tsexpired-long.jar")
+                .shouldMatch("timestamp expired on.*However, the JAR will be valid")
+                .shouldNotContain("Error")
+                .shouldHaveExitValue(0);
+        signVerbose("tsexpired", "unsigned.jar",
+                "tsexpired-ca.jar", "ca")
+                .shouldContain("The timestamp has expired.")
+                .shouldHaveExitValue(4);
+        verify("tsexpired-ca.jar")
+                .shouldNotContain("timestamp has expired")
+                .shouldNotContain("Error")
+                .shouldHaveExitValue(0);
+        // Warning when expiring
+        sign("tsexpiring")
+                .shouldContain("timestamp will expire within")
+                .shouldHaveExitValue(0);
+        verify("tsexpiring.jar")
+                .shouldContain("timestamp will expire within")
+                .shouldNotContain("still valid")
+                .shouldHaveExitValue(0);
+        signVerbose("tsexpiring", "unsigned.jar",
+                "tsexpiring-ca.jar", "ca")
+                .shouldContain("self-signed")
+                .stderrShouldNotMatch("The.*expir")
+                .shouldHaveExitValue(4); // self-signed
+        verify("tsexpiring-ca.jar")
+                .stderrShouldNotMatch("The.*expir")
+                .shouldHaveExitValue(0);
+        signVerbose("tsexpiringsoon", "unsigned.jar",
+                "tsexpiringsoon-long.jar", "long")
+                .shouldContain("The timestamp will expire")
+                .shouldHaveExitValue(0);
+        verify("tsexpiringsoon-long.jar")
+                .shouldMatch("timestamp will expire.*However, the JAR will be valid until")
+                .shouldHaveExitValue(0);
+        // Info for long
+        sign("tslong")
+                .shouldNotContain("timestamp has expired")
+                .shouldNotContain("timestamp will expire within")
+                .shouldContain("timestamp will expire on")
+                .shouldContain("signer certificate will expire on")
+                .shouldHaveExitValue(0);
+        verify("tslong.jar")
+                .shouldNotContain("timestamp has expired")
+                .shouldNotContain("timestamp will expire within")
+                .shouldNotContain("timestamp will expire on")
+                .shouldNotContain("signer certificate will expire on")
+                .shouldHaveExitValue(0);
+        verify("tslong.jar", "-verbose")
+                .shouldContain("timestamp will expire on")
+                .shouldContain("signer certificate will expire on")
+                .shouldHaveExitValue(0);
+    }
    private static void checkInvalidTsaCertKeyUsage() throws Exception {
        // Hack: Rewrite the TSA cert inside normal.jar into ts2.jar.
@@ -680,6 +832,14 @@ public class TimestampCheck {
        keytool("-alias tsbad3 -genkeypair -dname CN=tsbad3");
        keytool("-alias tsnoca -genkeypair -dname CN=tsnoca");
+        keytool("-alias expired -genkeypair -dname CN=expired");
+        keytool("-alias expiring -genkeypair -dname CN=expiring");
+        keytool("-alias long -genkeypair -dname CN=long");
+        keytool("-alias tsexpired -genkeypair -dname CN=tsexpired");
+        keytool("-alias tsexpiring -genkeypair -dname CN=tsexpiring");
+        keytool("-alias tsexpiringsoon -genkeypair -dname CN=tsexpiringsoon");
+        keytool("-alias tslong -genkeypair -dname CN=tslong");
        // tsnoca's issuer will be removed from keystore later
        keytool("-alias ca -genkeypair -ext bc -dname CN=CA");
        gencert("tsnoca", "-ext eku:critical=ts");
@@ -691,7 +851,15 @@ public class TimestampCheck {
        gencert("dsakey");
        gencert("weakkeysize");
        gencert("badku", "-ext ku:critical=keyAgreement");
-        gencert("ts", "-ext eku:critical=ts");
+        gencert("ts", "-ext eku:critical=ts -validity 500");
+        gencert("expired", "-validity 10 -startdate -12d");
+        gencert("expiring", "-validity 178");
+        gencert("long", "-validity 182");
+        gencert("tsexpired", "-ext eku:critical=ts -validity 10 -startdate -12d");
+        gencert("tsexpiring", "-ext eku:critical=ts -validity 364");
+        gencert("tsexpiringsoon", "-ext eku:critical=ts -validity 170"); // earlier than expiring
+        gencert("tslong", "-ext eku:critical=ts -validity 367");
        for (int i = 0; i < 5; i++) {
@@ -711,7 +879,7 @@ public class TimestampCheck {
            }
        }
-        gencert("tsold", "-ext eku:critical=ts -startdate -40d -validity 45");
+        gencert("tsold", "-ext eku:critical=ts -startdate -40d -validity 500");
        gencert("tsweak", "-ext eku:critical=ts");
        gencert("tsbad1");

--- a/test/jdk/sun/security/tools/jarsigner/warnings/AliasNotInStoreTest.java
+++ b/test/jdk/sun/security/tools/jarsigner/warnings/AliasNotInStoreTest.java
 /*
- * Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -51,32 +51,12 @@ public class AliasNotInStoreTest extends Test {
        JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
        // create first key pair for signing
-        keytool(
+        createAlias(FIRST_KEY_ALIAS);
-                "-genkey",
+        createAlias(SECOND_KEY_ALIAS);
-                "-alias", FIRST_KEY_ALIAS,
-                "-keyalg", KEY_ALG,
-                "-keysize", Integer.toString(KEY_SIZE),
-                "-keystore", BOTH_KEYS_KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-dname", "CN=First",
-                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
-        // create second key pair for signing
-        keytool(
-                "-genkey",
-                "-alias", SECOND_KEY_ALIAS,
-                "-keyalg", KEY_ALG,
-                "-keysize", Integer.toString(KEY_SIZE),
-                "-keystore", BOTH_KEYS_KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-dname", "CN=Second",
-                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
        // sign jar with first key
        OutputAnalyzer analyzer = jarsigner(
-                "-keystore", BOTH_KEYS_KEYSTORE,
+                "-keystore", KEYSTORE,
                "-storepass", PASSWORD,
                "-keypass", PASSWORD,
                "-signedjar", SIGNED_JARFILE,
@@ -93,7 +73,7 @@ public class AliasNotInStoreTest extends Test {
        // sign jar with second key
        analyzer = jarsigner(
-                "-keystore", BOTH_KEYS_KEYSTORE,
+                "-keystore", KEYSTORE,
                "-storepass", PASSWORD,
                "-keypass", PASSWORD,
                UPDATED_SIGNED_JARFILE,
@@ -104,7 +84,7 @@ public class AliasNotInStoreTest extends Test {
        // create keystore that contains only first key
        keytool(
                "-importkeystore",
-                "-srckeystore", BOTH_KEYS_KEYSTORE,
+                "-srckeystore", KEYSTORE,
                "-srcalias", FIRST_KEY_ALIAS,
                "-srcstorepass", PASSWORD,
                "-srckeypass", PASSWORD,
@@ -113,7 +93,7 @@ public class AliasNotInStoreTest extends Test {
                "-deststorepass", PASSWORD,
                "-destkeypass", PASSWORD).shouldHaveExitValue(0);
-        // verify jar with keystore that contains only first key in strict mode,
+        // verify jar with keystore that contains only first key,
        // so there is signed entry (FirstClass.class) that is not signed
        // by any alias in the keystore
        analyzer = jarsigner(

--- a/test/jdk/sun/security/tools/jarsigner/warnings/BadExtendedKeyUsageTest.java
+++ b/test/jdk/sun/security/tools/jarsigner/warnings/BadExtendedKeyUsageTest.java
 /*
- * Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -52,17 +52,14 @@ public class BadExtendedKeyUsageTest extends Test {
        // create a certificate whose signer certificate's
        // ExtendedKeyUsage extension doesn't allow code signing
-        keytool(
+        // create key pair for jar signing
-                "-genkey",
+        createAlias(CA_KEY_ALIAS);
-                "-alias", KEY_ALIAS,
+        createAlias(KEY_ALIAS);
-                "-keyalg", KEY_ALG,
-                "-keysize", Integer.toString(KEY_SIZE),
+        issueCert(
-                "-keystore", KEYSTORE,
+                KEY_ALIAS,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-dname", "CN=Test",
                "-ext", "ExtendedkeyUsage=serverAuth",
-                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
+                "-validity", Integer.toString(VALIDITY));
        // sign jar
        OutputAnalyzer analyzer = jarsigner(

--- a/test/jdk/sun/security/tools/jarsigner/warnings/BadKeyUsageTest.java
+++ b/test/jdk/sun/security/tools/jarsigner/warnings/BadKeyUsageTest.java
@@ -53,17 +53,13 @@ public class BadKeyUsageTest extends Test {
        // create a certificate whose signer certificate's KeyUsage extension
        // doesn't allow code signing
-        keytool(
+        createAlias(CA_KEY_ALIAS);
-                "-genkey",
+        createAlias(KEY_ALIAS);
-                "-alias", KEY_ALIAS,
-                "-keyalg", KEY_ALG,
+        issueCert(
-                "-keysize", Integer.toString(KEY_SIZE),
+                KEY_ALIAS,
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-dname", "CN=Test",
                "-ext", "KeyUsage=keyAgreement",
-                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
+                "-validity", Integer.toString(VALIDITY));
        // sign jar
        OutputAnalyzer analyzer = jarsigner(

--- a/test/jdk/sun/security/tools/jarsigner/warnings/BadNetscapeCertTypeTest.java
+++ b/test/jdk/sun/security/tools/jarsigner/warnings/BadNetscapeCertTypeTest.java
 /*
- * Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -24,10 +24,6 @@
 import jdk.testlibrary.OutputAnalyzer;
 import jdk.test.lib.util.JarUtils;
-import java.nio.file.Files;
-import java.nio.file.Paths;
-import java.util.Base64;
 /**
 * @test
 * @bug 8024302 8026037
@@ -38,25 +34,14 @@ import java.util.Base64;
 */
 public class BadNetscapeCertTypeTest extends Test {
-    private static final String NETSCAPE_KEYSTORE_BASE64 = TEST_SOURCES + FS
-            + "bad_netscape_cert_type.jks.base64";
-    private static final String NETSCAPE_KEYSTORE
-            = "bad_netscape_cert_type.jks";
    /**
     * The test signs and verifies a jar that contains entries
     * whose signer certificate's NetscapeCertType extension
     * doesn't allow code signing (badNetscapeCertType).
     * Warning message is expected.
-     * Run bad_netscape_cert_type.sh script to create bad_netscape_cert_type.jks
     */
    public static void main(String[] args) throws Throwable {
-        Files.write(Paths.get(NETSCAPE_KEYSTORE),
-                Base64.getMimeDecoder().decode(
-                    Files.readAllBytes(Paths.get(NETSCAPE_KEYSTORE_BASE64))));
        BadNetscapeCertTypeTest test = new BadNetscapeCertTypeTest();
        test.start();
    }
@@ -66,10 +51,22 @@ public class BadNetscapeCertTypeTest extends Test {
        Utils.createFiles(FIRST_FILE);
        JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
+        // create a certificate whose signer certificate's
+        // NetscapeCertType extension doesn't allow code signing
+        // create key pair for jar signing
+        createAlias(CA_KEY_ALIAS);
+        createAlias(KEY_ALIAS);
+        issueCert(
+                KEY_ALIAS,
+                // NetscapeCertType [ SSL client ]
+                "-ext", "2.16.840.1.113730.1.1=03020780",
+                "-validity", Integer.toString(VALIDITY));
        // sign jar
        OutputAnalyzer analyzer = jarsigner(
                "-verbose",
-                "-keystore", NETSCAPE_KEYSTORE,
+                "-keystore", KEYSTORE,
                "-storepass", PASSWORD,
                "-keypass", PASSWORD,
                "-signedjar", SIGNED_JARFILE,
@@ -82,7 +79,7 @@ public class BadNetscapeCertTypeTest extends Test {
        analyzer = jarsigner(
                "-verify",
                "-verbose",
-                "-keystore", NETSCAPE_KEYSTORE,
+                "-keystore", KEYSTORE,
                "-storepass", PASSWORD,
                "-keypass", PASSWORD,
                SIGNED_JARFILE);
@@ -94,7 +91,7 @@ public class BadNetscapeCertTypeTest extends Test {
                "-verify",
                "-verbose",
                "-strict",
-                "-keystore", NETSCAPE_KEYSTORE,
+                "-keystore", KEYSTORE,
                "-storepass", PASSWORD,
                "-keypass", PASSWORD,
                SIGNED_JARFILE);

--- a/test/jdk/sun/security/tools/jarsigner/warnings/ChainNotValidatedTest.java
+++ b/test/jdk/sun/security/tools/jarsigner/warnings/ChainNotValidatedTest.java
 /*
- * Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -21,118 +21,52 @@
 * questions.
 */
-import java.io.File;
 import jdk.testlibrary.OutputAnalyzer;
-import jdk.testlibrary.ProcessTools;
 import jdk.test.lib.util.JarUtils;
+import java.nio.file.Files;
+import java.nio.file.Paths;
 /**
 * @test
 * @bug 8024302 8026037
 * @summary Test for chainNotValidated warning
 * @library /lib/testlibrary /test/lib ../
 * @build jdk.test.lib.util.JarUtils
- * @run main ChainNotValidatedTest
+ * @run main ChainNotValidatedTest ca2yes
+ * @run main ChainNotValidatedTest ca2no
 */
 public class ChainNotValidatedTest extends Test {
-    private static final String CHAIN = "chain";
-    /**
-     * The test signs and verifies a jar that contains entries
-     * whose cert chain can't be correctly validated (chainNotValidated).
-     * Warning message is expected.
-     */
    public static void main(String[] args) throws Throwable {
        ChainNotValidatedTest test = new ChainNotValidatedTest();
-        test.start();
+        test.start(args[0].equals("ca2yes"));
    }
-    private void start() throws Throwable {
+    private void start(boolean ca2yes) throws Throwable {
        // create a jar file that contains one class file
        Utils.createFiles(FIRST_FILE);
        JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
-        // create self-signed certificate whose BasicConstraints extension
+        // We have 2 @run. Need cleanup.
-        // is set to false, so the certificate may not be used
+        Files.deleteIfExists(Paths.get(KEYSTORE));
-        // as a parent certificate (certpath validation should fail)
-        keytool(
-                "-genkeypair",
-                "-alias", CA_KEY_ALIAS,
-                "-keyalg", KEY_ALG,
-                "-keysize", Integer.toString(KEY_SIZE),
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-dname", "CN=CA",
-                "-ext", "BasicConstraints:critical=ca:false",
-                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
-        // create a certificate that is signed by self-signed certificate
+        // Root CA is not checked at all. If the intermediate CA has
-        // despite of it may not be used as a parent certificate
+        // BasicConstraints extension set to true, it will be valid.
-        // (certpath validation should fail)
+        // Otherwise, chain validation will fail.
-        keytool(
+        createAlias(CA_KEY_ALIAS);
-                "-genkeypair",
+        createAlias(CA2_KEY_ALIAS);
-                "-alias", KEY_ALIAS,
+        issueCert(CA2_KEY_ALIAS,
-                "-keyalg", KEY_ALG,
+                "-ext",
-                "-keysize", Integer.toString(KEY_SIZE),
+                "bc=ca:" + ca2yes);
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-dname", "CN=Test",
-                "-ext", "BasicConstraints:critical=ca:false",
-                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
-        keytool(
-                "-certreq",
-                "-alias", KEY_ALIAS,
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-file", CERT_REQUEST_FILENAME).shouldHaveExitValue(0);
-        keytool(
+        createAlias(KEY_ALIAS);
-                "-gencert",
+        issueCert(KEY_ALIAS, "-alias", CA2_KEY_ALIAS);
-                "-alias", CA_KEY_ALIAS,
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-infile", CERT_REQUEST_FILENAME,
-                "-validity", Integer.toString(VALIDITY),
-                "-outfile", CERT_FILENAME).shouldHaveExitValue(0);
-        keytool(
-                "-importcert",
-                "-alias", KEY_ALIAS,
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-file", CERT_FILENAME).shouldHaveExitValue(0);
-        ProcessBuilder pb = new ProcessBuilder(KEYTOOL,
-                "-export",
-                "-rfc",
-                "-alias", KEY_ALIAS,
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD);
-        pb.redirectOutput(ProcessBuilder.Redirect.appendTo(new File(CHAIN)));
-        ProcessTools.executeCommand(pb).shouldHaveExitValue(0);
-        pb = new ProcessBuilder(KEYTOOL,
-                "-export",
-                "-rfc",
-                "-alias", CA_KEY_ALIAS,
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD);
-        pb.redirectOutput(ProcessBuilder.Redirect.appendTo(new File(CHAIN)));
-        ProcessTools.executeCommand(pb).shouldHaveExitValue(0);
-        // remove CA certificate
+        // remove CA2 certificate so it's not trusted
        keytool(
                "-delete",
-                "-alias", CA_KEY_ALIAS,
+                "-alias", CA2_KEY_ALIAS,
                "-keystore", KEYSTORE,
                "-storepass", PASSWORD,
                "-keypass", PASSWORD).shouldHaveExitValue(0);
@@ -142,12 +76,15 @@ public class ChainNotValidatedTest extends Test {
                "-keystore", KEYSTORE,
                "-storepass", PASSWORD,
                "-keypass", PASSWORD,
-                "-certchain", CHAIN,
                "-signedjar", SIGNED_JARFILE,
                UNSIGNED_JARFILE,
                KEY_ALIAS);
-        checkSigning(analyzer, CHAIN_NOT_VALIDATED_SIGNING_WARNING);
+        if (ca2yes) {
+            checkSigning(analyzer, "!" + CHAIN_NOT_VALIDATED_SIGNING_WARNING);
+        } else {
+            checkSigning(analyzer, CHAIN_NOT_VALIDATED_SIGNING_WARNING);
+        }
        // verify signed jar
        analyzer = jarsigner(
@@ -156,10 +93,13 @@ public class ChainNotValidatedTest extends Test {
                "-keystore", KEYSTORE,
                "-storepass", PASSWORD,
                "-keypass", PASSWORD,
-                "-certchain", CHAIN,
                SIGNED_JARFILE);
-        checkVerifying(analyzer, 0, CHAIN_NOT_VALIDATED_VERIFYING_WARNING);
+        if (ca2yes) {
+            checkVerifying(analyzer, 0, "!" + CHAIN_NOT_VALIDATED_VERIFYING_WARNING);
+        } else {
+            checkVerifying(analyzer, 0, CHAIN_NOT_VALIDATED_VERIFYING_WARNING);
+        }
        // verify signed jar in strict mode
        analyzer = jarsigner(
@@ -169,11 +109,15 @@ public class ChainNotValidatedTest extends Test {
                "-keystore", KEYSTORE,
                "-storepass", PASSWORD,
                "-keypass", PASSWORD,
-                "-certchain", CHAIN,
                SIGNED_JARFILE);
-        checkVerifying(analyzer, CHAIN_NOT_VALIDATED_EXIT_CODE,
+        if (ca2yes) {
-                CHAIN_NOT_VALIDATED_VERIFYING_WARNING);
+            checkVerifying(analyzer, 0,
+                    "!" + CHAIN_NOT_VALIDATED_VERIFYING_WARNING);
+        } else {
+            checkVerifying(analyzer, CHAIN_NOT_VALIDATED_EXIT_CODE,
+                    CHAIN_NOT_VALIDATED_VERIFYING_WARNING);
+        }
        System.out.println("Test passed");
    }

--- a/test/jdk/sun/security/tools/jarsigner/warnings/HasExpiredCertTest.java
+++ b/test/jdk/sun/security/tools/jarsigner/warnings/HasExpiredCertTest.java
 /*
- * Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -52,18 +52,13 @@ public class HasExpiredCertTest extends Test {
        JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
        // create key pair for jar signing
-        keytool(
+        createAlias(CA_KEY_ALIAS);
-                "-genkey",
+        createAlias(KEY_ALIAS);
-                "-alias", KEY_ALIAS,
-                "-keyalg", KEY_ALG,
+        issueCert(
-                "-keysize", Integer.toString(KEY_SIZE),
+                KEY_ALIAS,
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-dname", "CN=Test",
                "-startdate", "-" + SHORT_VALIDITY * 2 + "d",
-                "-validity", Integer.toString(SHORT_VALIDITY))
+                "-validity", Integer.toString(SHORT_VALIDITY));
-                .shouldHaveExitValue(0);
        // sign jar
        OutputAnalyzer analyzer = jarsigner(

--- a/test/jdk/sun/security/tools/jarsigner/warnings/HasExpiringCertTest.java
+++ b/test/jdk/sun/security/tools/jarsigner/warnings/HasExpiringCertTest.java
 /*
- * Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -52,17 +52,12 @@ public class HasExpiringCertTest extends Test {
        JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
        // create key pair for jar signing
-        keytool(
+        createAlias(CA_KEY_ALIAS);
-                "-genkey",
+        createAlias(KEY_ALIAS);
-                "-alias", KEY_ALIAS,
-                "-keyalg", KEY_ALG,
+        issueCert(
-                "-keysize", Integer.toString(KEY_SIZE),
+                KEY_ALIAS,
-                "-keystore", KEYSTORE,
+                "-validity", Integer.toString(SHORT_VALIDITY));
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-dname", "CN=Test",
-                "-validity", Integer.toString(SHORT_VALIDITY))
-                .shouldHaveExitValue(0);
        // sign jar
        OutputAnalyzer analyzer = jarsigner(

--- a/test/jdk/sun/security/tools/jarsigner/warnings/HasUnsignedEntryTest.java
+++ b/test/jdk/sun/security/tools/jarsigner/warnings/HasUnsignedEntryTest.java
 /*
- * Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -51,16 +51,11 @@ public class HasUnsignedEntryTest extends Test {
        JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
        // create key pair for signing
-        keytool(
+        createAlias(CA_KEY_ALIAS);
-                "-genkey",
+        createAlias(KEY_ALIAS);
-                "-alias", KEY_ALIAS,
+        issueCert(
-                "-keyalg", KEY_ALG,
+                KEY_ALIAS,
-                "-keysize", Integer.toString(KEY_SIZE),
+                "-validity", Integer.toString(VALIDITY));
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-dname", "CN=Test",
-                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
        // sign jar
        OutputAnalyzer analyzer = jarsigner(

--- a/test/jdk/sun/security/tools/jarsigner/warnings/MultipleWarningsTest.java
+++ b/test/jdk/sun/security/tools/jarsigner/warnings/MultipleWarningsTest.java
 /*
- * Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -54,35 +54,25 @@ public class MultipleWarningsTest extends Test {
        // create a jar file that contains one class file
        JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
+        createAlias(CA_KEY_ALIAS);
        // create first expired certificate
        // whose ExtendedKeyUsage extension does not allow code signing
-        keytool(
+        createAlias(FIRST_KEY_ALIAS);
-                "-genkey",
+        issueCert(
-                "-alias", FIRST_KEY_ALIAS,
+                FIRST_KEY_ALIAS,
-                "-keyalg", KEY_ALG,
-                "-keysize", Integer.toString(KEY_SIZE),
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-dname", "CN=First",
                "-ext", "ExtendedkeyUsage=serverAuth",
                "-startdate", "-" + VALIDITY * 2 + "d",
-                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
+                "-validity", Integer.toString(VALIDITY));
        // create second expired certificate
        // whose KeyUsage extension does not allow code signing
-        keytool(
+        createAlias(SECOND_KEY_ALIAS);
-                "-genkey",
+        issueCert(
-                "-alias", SECOND_KEY_ALIAS,
+                SECOND_KEY_ALIAS,
-                "-keyalg", KEY_ALG,
-                "-keysize", Integer.toString(KEY_SIZE),
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-dname", "CN=Second",
                "-ext", "ExtendedkeyUsage=serverAuth",
                "-startdate", "-" + VALIDITY * 2 + "d",
-                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
+                "-validity", Integer.toString(VALIDITY));
        // sign jar with first key
        OutputAnalyzer analyzer = jarsigner(

--- a/test/jdk/sun/security/tools/jarsigner/warnings/NoTimestampTest.java
+++ b/test/jdk/sun/security/tools/jarsigner/warnings/NoTimestampTest.java
 /*
- * Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -57,15 +57,9 @@ public class NoTimestampTest extends Test {
                * 24 * 60 * 60 * 1000L);
        // create key pair
-        keytool(
+        createAlias(CA_KEY_ALIAS);
-                "-genkey",
+        createAlias(KEY_ALIAS);
-                "-alias", KEY_ALIAS,
+        issueCert(KEY_ALIAS,
-                "-keyalg", KEY_ALG,
-                "-keysize", Integer.toString(KEY_SIZE),
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-dname", "CN=Test",
                "-validity", Integer.toString(VALIDITY));
        // sign jar file

--- a/test/jdk/sun/security/tools/jarsigner/warnings/NotSignedByAliasTest.java
+++ b/test/jdk/sun/security/tools/jarsigner/warnings/NotSignedByAliasTest.java
 /*
- * Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -49,29 +49,19 @@ public class NotSignedByAliasTest extends Test {
        Utils.createFiles(FIRST_FILE);
        JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
+        createAlias(CA_KEY_ALIAS);
        // create first key pair for signing
-        keytool(
+        createAlias(FIRST_KEY_ALIAS);
-                "-genkey",
+        issueCert(
-                "-alias", FIRST_KEY_ALIAS,
+                FIRST_KEY_ALIAS,
-                "-keyalg", KEY_ALG,
+                "-validity", Integer.toString(VALIDITY));
-                "-keysize", Integer.toString(KEY_SIZE),
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-dname", "CN=First",
-                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
        // create first key pair for signing
-        keytool(
+        createAlias(SECOND_KEY_ALIAS);
-                "-genkey",
+        issueCert(
-                "-alias", SECOND_KEY_ALIAS,
+                SECOND_KEY_ALIAS,
-                "-keyalg", KEY_ALG,
+                "-validity", Integer.toString(VALIDITY));
-                "-keysize", Integer.toString(KEY_SIZE),
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-dname", "CN=Second",
-                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
        // sign jar with first key
        OutputAnalyzer analyzer = jarsigner(

--- a/test/jdk/sun/security/tools/jarsigner/warnings/NotYetValidCertTest.java
+++ b/test/jdk/sun/security/tools/jarsigner/warnings/NotYetValidCertTest.java
 /*
- * Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -50,15 +50,11 @@ public class NotYetValidCertTest extends Test {
        JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
        // create certificate that will be valid only tomorrow
-        keytool(
+        createAlias(CA_KEY_ALIAS);
-                "-genkey",
+        createAlias(KEY_ALIAS);
-                "-alias", KEY_ALIAS,
-                "-keyalg", KEY_ALG,
+        issueCert(
-                "-keysize", Integer.toString(KEY_SIZE),
+                KEY_ALIAS,
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-dname", "CN=Test",
                "-startdate", "+1d",
                "-validity", Integer.toString(VALIDITY));

--- a/test/jdk/sun/security/tools/jarsigner/warnings/Test.java
+++ b/test/jdk/sun/security/tools/jarsigner/warnings/Test.java
 /*
- * Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -45,7 +45,6 @@ public abstract class Test {
    static final String FIRST_FILE = "first.txt";
    static final String SECOND_FILE = "second.txt";
    static final String PASSWORD = "password";
-    static final String BOTH_KEYS_KEYSTORE = "both_keys.jks";
    static final String FIRST_KEY_KEYSTORE = "first_key.jks";
    static final String KEYSTORE = "keystore.jks";
    static final String FIRST_KEY_ALIAS = "first";
@@ -55,11 +54,13 @@ public abstract class Test {
    static final String CERT_REQUEST_FILENAME = "test.req";
    static final String CERT_FILENAME = "test.crt";
    static final String CA_KEY_ALIAS = "ca";
+    static final String CA2_KEY_ALIAS = "ca2";
    static final int KEY_SIZE = 2048;
    static final int TIMEOUT = 6 * 60 * 1000;   // in millis
    static final int VALIDITY = 365;
    static final String WARNING = "Warning:";
+    static final String WARNING_OR_ERROR = "(Warning|Error):";
    static final String CHAIN_NOT_VALIDATED_VERIFYING_WARNING
            = "This jar contains entries "
@@ -154,14 +155,72 @@ public abstract class Test {
    static final int ALIAS_NOT_IN_STORE_EXIT_CODE = 32;
    static final int NOT_SIGNED_BY_ALIAS_EXIT_CODE = 32;
+    protected void createAlias(String alias, String ... options)
+            throws Throwable {
+        List<String> cmd = new ArrayList<>();
+        cmd.addAll(List.of(
+                "-genkeypair",
+                "-alias", alias,
+                "-keyalg", KEY_ALG,
+                "-keysize", Integer.toString(KEY_SIZE),
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-dname", "CN=" + alias));
+        cmd.addAll(Arrays.asList(options));
+        keytool(cmd.toArray(new String[cmd.size()]))
+                .shouldHaveExitValue(0);
+    }
+    protected void issueCert(String alias, String ... options)
+            throws Throwable {
+        keytool("-certreq",
+                "-alias", alias,
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-file", alias + ".req")
+                    .shouldHaveExitValue(0);
+        List<String> cmd = new ArrayList<>();
+        cmd.addAll(List.of(
+                "-gencert",
+                "-alias", CA_KEY_ALIAS,
+                "-infile", alias + ".req",
+                "-outfile", alias + ".cert",
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-file", alias + ".req"));
+        cmd.addAll(Arrays.asList(options));
+        keytool(cmd.toArray(new String[cmd.size()]))
+                .shouldHaveExitValue(0);
+        keytool("-importcert",
+                "-alias", alias,
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-file", alias + ".cert")
+                    .shouldHaveExitValue(0);
+    }
    protected void checkVerifying(OutputAnalyzer analyzer, int expectedExitCode,
            String... warnings) {
        analyzer.shouldHaveExitValue(expectedExitCode);
+        int count = 0;
        for (String warning : warnings) {
-            analyzer.shouldContain(warning);
+            if (warning.startsWith("!")) {
+                analyzer.shouldNotContain(warning.substring(1));
+            } else {
+                count++;
+                analyzer.shouldContain(warning);
+            }
        }
-        if (warnings.length > 0) {
+        if (count > 0) {
-            analyzer.shouldContain(WARNING);
+            analyzer.shouldMatch(WARNING_OR_ERROR);
        }
        if (expectedExitCode == 0) {
            analyzer.shouldContain(JAR_VERIFIED);
@@ -172,11 +231,17 @@ public abstract class Test {
    protected void checkSigning(OutputAnalyzer analyzer, String... warnings) {
        analyzer.shouldHaveExitValue(0);
+        int count = 0;
        for (String warning : warnings) {
-            analyzer.shouldContain(warning);
+            if (warning.startsWith("!")) {
+                analyzer.shouldNotContain(warning.substring(1));
+            } else {
+                count++;
+                analyzer.shouldContain(warning);
+            }
        }
-        if (warnings.length > 0) {
+        if (count > 0) {
-            analyzer.shouldContain(WARNING);
+            analyzer.shouldMatch(WARNING_OR_ERROR);
        }
        analyzer.shouldContain(JAR_SIGNED);
    }

--- a/test/jdk/sun/security/tools/jarsigner/warnings/bad_netscape_cert_type.jks.base64
+++ b/test/jdk/sun/security/tools/jarsigner/warnings/bad_netscape_cert_type.jks.base64
-/u3+7QAAAAIAAAABAAAAAQAFYWxpYXMAAAFBpkwW0gAAAr0wggK5MA4GCisGAQQB
-KgIRAQEFAASCAqWkGJ3PPjYmWNKrV23Y1u413RMAkrRZ+1OLWYRcQt4jtxtIyEH5
-Ho5b9dy9XN9FBKlTOD4c2Pc1T43BLKXeuLu3uLLeIxgXFt0z9CLyGwdYZZ751kXr
-DQ99qY6aNQUO6SeE4Wdty0KPAqid6ZJ8bF7T6wsTZSvNhaBRzyFydEfG7bbUYjOl
-mWC44nlsu6VEU3o9RQpcm1gIMwradOaIVT/HoB2bKmAv8gHqI6kreiEZwTdZkSAI
-IRi2vt1RPllXt5hgjDxUfZe8XOYYweR4Vt2/jVuKLJ80DNTu/9SeUD88zQAz53k4
-r3nRhv6TRcPm6tV/Fh92XLHiskL+TAzTfm+bUAudPCCVxN+yRtxvAgA+UhdV/SuM
-Zn5F6nrmP+YJG1hmprgCJIJJaCEXa9RXYC+vIVpO0WVNRuGlGm+/1afnOuQC8Wss
-ShXwjkaqTwAhqBFq7eYmmP8BK3gflYrt2zDLXvhl4ndVvMhMthFJ3ZvLh2LWpqLI
-/n8EMCf8US3lIEFk9DTHBZjffiHkqK2e7+FXEpG3xrgE6ZYLMdbd5Pb3YjZfhQx+
-ZTtiEFzYSaEGhacek/m7dRq1qmwgFsytng2OdWZe2ln8LJY0odr1dGUfJHfgafvi
-tlfbkg/rgjONtwliChDggbkUwnerrj/D/zrdEufUvfyltSshhHXRNDD3fH6spmEk
-hHKgxEc4yvxqJxzdMGtuib355aSfNegyl+GsnsKzXQCVEK2h3BLTQObzaD+8NZ12
-LQHvbrCiaS34vxJ3rEC+a+SW7itZp0aCdXMWdMJNkRKqyLBD3vG3zN05sN3XrhEM
-8BRT020TWY00tbVFbbBFheYLQRgTjrQtr0Yt6UHWBZc4N20crDLcSH5gqcCOVpla
-1Y2uqFEn8yqrGRwn/kgfNgAAAAEABVguNTA5AAABtTCCAbEwggEaoAMCAQICCQDH
-cEuVvzCuqzANBgkqhkiG9w0BAQUFADAPMQ0wCwYDVQQDDARUZXN0MB4XDTEzMTAx
-MTA2NTUwNloXDTIzMTAwOTA2NTUwNlowDzENMAsGA1UEAwwEVGVzdDCBnzANBgkq
-hkiG9w0BAQEFAAOBjQAwgYkCgYEA8hOfp2Dcnvt//ZZQAja9TRiwKqXVS+TiYE3S
-gngCBjIi+YYdo0DsUeO5MBfE6uvCWOr5lwAR/u1iaJOhIoGJDiGoPasZlt+yIgtR
-LzA7j2q+1q6kcwiVxfikI3aUgHV/QsybTriT4Bf7TQNKtJG23MQa4sD7+PjtCWD7
-p3cHTfkCAwEAAaMVMBMwEQYJYIZIAYb4QgEBBAQDAgeAMA0GCSqGSIb3DQEBBQUA
-A4GBAKoDlTJ8wLRA7G8XdGm4gv733n1cSQzlkcsjfOO6/mA5Jvu8tyFNq9HTf9AT
-VXbrbGcUYJjhzSSY3w5apXK1kXyqTB1LUNEJ45WnmciqSSecVTpJz9TuegyoX0Zf
-HScSgqfDmjqoiiFiNCgn3ZEJ85ykGvoFYGH+php+BVi3S0bj5E/jRpyV3vNnii/S
-wJDSAXF6bYU=
--- a/test/jdk/sun/security/tools/jarsigner/warnings/bad_netscape_cert_type.sh
+++ b/test/jdk/sun/security/tools/jarsigner/warnings/bad_netscape_cert_type.sh
-#
-# Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
-# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-#
-# This code is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License version 2 only, as
-# published by the Free Software Foundation.
-#
-# This code is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# version 2 for more details (a copy is included in the LICENSE file that
-# accompanied this code).
-#
-# You should have received a copy of the GNU General Public License version
-# 2 along with this work; if not, write to the Free Software Foundation,
-# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-# or visit www.oracle.com if you need additional information or have any
-# questions.
-#
-#!/bin/sh
-# This script creates JKS keystore with a certificate
-# that contains Netscape Certificate Type extension
-# that does not allow code signing
-# The keystore is used by BadNetscapeCertTypeTest.java test
-rm -rf keystore.jks
-echo "nsCertType = client" > ext.cfg
-openssl req -new -out cert.req -keyout key.pem -days 3650 \
-    -passin pass:password -passout pass:password -subj "/CN=Test"
-openssl x509 -in cert.req -out cert.pem -req -signkey key.pem -days 3650 \
-    -passin pass:password -extfile ext.cfg
-openssl pkcs12 -export -in cert.pem -inkey key.pem -out keystore.p12 \
-    -passin pass:password -passout pass:password -name alias
-${JAVA_HOME}/bin/keytool -importkeystore \
-    -srckeystore keystore.p12 -srcstoretype pkcs12 \
-    -srcstorepass password -alias alias \
-    -destkeystore bad_netscape_cert_type.jks -deststoretype jks \
-    -deststorepass password -destalias alias \
-openssl base64 < bad_netscape_cert_type.jks > bad_netscape_cert_type.jks.base64
-rm -rf cert.req key.pem cert.pem keystore.p12 ext.cfg bad_netscape_cert_type.jks