8048360: Test signed jar files

Reviewed-by: weijun Contributed-by: N Amanda Jiang <amanda.jiang@oracle.com>

8048360: Test signed jar files
Reviewed-by: weijun Contributed-by: N Amanda Jiang <amanda.jiang@oracle.com>
1f031b2b · weijun · c3cbdf63 · 1f031b2b · 1f031b2b · 1f031b2b
4 changed file
--- a/test/java/security/Policy/SignedJar/SignedJarTest.java
+++ b/test/java/security/Policy/SignedJar/SignedJarTest.java
+/*
+ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.io.File;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.security.AccessControlException;
+import java.security.AccessController;
+import java.security.Permission;
+import java.security.PrivilegedAction;
+import jdk.testlibrary.ProcessTools;
+
+/**
+ * @test
+ * @bug 8048360
+ * @summary test policy entry with signedBy alias
+ * @library /lib/testlibrary
+ * @run main/othervm SignedJarTest
+ */
+public class SignedJarTest {
+
+    private static final String FS = File.separator;
+    private static final String JAVA_HOME = System.getProperty("test.jdk");
+    private static final String TESTCLASSES = System.getProperty("test.classes", "");
+    private static final String TESTSRC = System.getProperty("test.src", "");
+    private static final String KEYTOOL = JAVA_HOME + FS + "bin" + FS + "keytool";
+    private static final String JAR = JAVA_HOME + FS + "bin" + FS + "jar";
+    private static final String JARSIGNER = JAVA_HOME + FS + "bin" + FS + "jarsigner";
+    private static final String PASSWORD = "password";
+    private static final String PWDFILE = "keypass";
+    private static final String POLICY1 = "SignedJarTest_1.policy";
+    private static final String POLICY2 = "SignedJarTest_2.policy";
+    private static final String KEYSTORE1 = "both.jks";
+    private static final String KEYSTORE2 = "first.jks";
+
+    public static void main(String args[]) throws Throwable {
+        //copy PrivilegeTest.class, policy files and keystore password file into current direcotry
+        Files.copy(Paths.get(TESTCLASSES, "PrivilegeTest.class"), Paths.get("PrivilegeTest.class"));
+        Files.copy(Paths.get(TESTSRC, POLICY1), Paths.get(POLICY1));
+        Files.copy(Paths.get(TESTSRC, POLICY2), Paths.get(POLICY2));
+        Files.copy(Paths.get(TESTSRC, PWDFILE), Paths.get(PWDFILE));
+
+        //create Jar file
+        ProcessTools.executeCommand(JAR, "-cvf", "test.jar", "PrivilegeTest.class");
+
+        //Creating first key , keystore both.jks
+        ProcessTools.executeCommand(KEYTOOL,
+                "-genkey",
+                "-alias", "first",
+                "-keystore", KEYSTORE1,
+                "-keypass", PASSWORD,
+                "-dname", "cn=First",
+                "-storepass", PASSWORD
+        ).shouldHaveExitValue(0);
+
+        //Creating Second key, keystore both.jks
+        ProcessTools.executeCommand(KEYTOOL,
+                "-genkey",
+                // "-storetype","JKS",
+                "-alias", "second",
+                "-keystore", KEYSTORE1,
+                "-keypass", PASSWORD,
+                "-dname", "cn=Second",
+                "-storepass", PASSWORD
+        ).shouldHaveExitValue(0);
+
+        //copy both.jks to first.jks, remove second Keypair from first.jks
+        Files.copy(Paths.get(KEYSTORE1), Paths.get(KEYSTORE2));
+        ProcessTools.executeCommand(KEYTOOL,
+                "-delete",
+                "-keystore", KEYSTORE2,
+                "-alias", "second",
+                "-storepass", PASSWORD
+        ).shouldHaveExitValue(0);
+
+        //sign jar with first key, first.jar is only signed by first signer
+        ProcessTools.executeCommand(JARSIGNER,
+                "-keystore", KEYSTORE1,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-signedjar", "first.jar", "test.jar",
+                "first").shouldHaveExitValue(0);
+
+        //sign jar with second key, both.jar is signed by first and second signer
+        ProcessTools.executeCommand(JARSIGNER,
+                "-keystore", KEYSTORE1,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-signedjar", "both.jar", "first.jar",
+                "second").shouldHaveExitValue(0);
+
+        //test case 1
+        //setIO permission granted to code that was signed by first signer
+        //setFactory permission granted to code that was signed by second signer
+        //Keystore that contains both first and second  keypairs
+        //code was singed by first signer
+        //Expect AccessControlException for setFactory permission
+        System.out.println("Test Case 1");
+        //copy policy file into current directory
+        String[] cmd = constructCMD("first.jar", POLICY1, "false", "true");
+        ProcessTools.executeTestJvm(cmd).shouldHaveExitValue(0);
+
+        //test case 2, test with both.jar
+        //setIO permission granted to code that was signed by first signer
+        //setFactory permission granted to code that was signed by second signer
+        //Keystore that contains both first and second  keypairs
+        //code was singed by first signer and second signer
+        //Expect no AccessControlException
+        System.out.println("Test Case 2");
+        cmd = constructCMD("both.jar", POLICY1, "false", "false");
+        ProcessTools.executeTestJvm(cmd).shouldHaveExitValue(0);
+
+        //test case 3
+        //setIO permission granted to code that was signed by first signer
+        //setFactory permission granted to code that was signed by second signer
+        //Keystore that contains only first keypairs
+        //code was singed by first signer and second signer
+        //Expect AccessControlException for setFactory permission
+        System.out.println("Test Case 3");
+        cmd = constructCMD("both.jar", POLICY2, "false", "true");
+        ProcessTools.executeTestJvm(cmd).shouldHaveExitValue(0);
+
+    }
+
+    private static String[] constructCMD(String classpath, String policy, String arg1, String arg2) {
+        String[] cmd = {
+            "-classpath", classpath,
+            "-Djava.security.manager",
+            "-Djava.security.policy=" + policy,
+            "PrivilegeTest",
+            arg1, arg2};
+        return cmd;
+    }
+}
+
+class PrivilegeTest {
+
+    private static final Permission PERM1 = new RuntimePermission("setIO");
+    private static final Permission PERM2 = new RuntimePermission("setFactory");
+
+    public static void main(String args[]) {
+        boolean expectException1 = Boolean.parseBoolean(args[0]);
+        boolean expectException2 = Boolean.parseBoolean(args[1]);
+        test(PERM1, expectException1);
+        test(PERM2, expectException2);
+    }
+
+    public static void test(Permission perm, boolean expectException) {
+        boolean getException = (Boolean) AccessController.doPrivileged((PrivilegedAction) () -> {
+            try {
+                AccessController.checkPermission(perm);
+                return (Boolean) false;
+            } catch (AccessControlException ex) {
+                return (Boolean) true;
+            }
+        });
+
+        if (expectException ^ getException) {
+            String message = "Check Permission :" + perm + "\n ExpectException = "
+                    + expectException + "\n getException = " + getException;
+            throw new RuntimeException(message);
+        }
+
+    }
+
+}
--- a/test/java/security/Policy/SignedJar/SignedJarTest_1.policy
+++ b/test/java/security/Policy/SignedJar/SignedJarTest_1.policy
+keystore "file:both.jks";
+keystorePasswordURL "file:keypass";
+
+grant signedBy "first" {
+    permission java.lang.RuntimePermission "setIO";
+};
+
+grant signedBy "second" {
+    permission java.lang.RuntimePermission "setFactory";
+};
--- a/test/java/security/Policy/SignedJar/SignedJarTest_2.policy
+++ b/test/java/security/Policy/SignedJar/SignedJarTest_2.policy
+keystore "file:first.jks";
+keystorePasswordURL "file:keypass";
+
+grant signedBy "first" {
+    permission java.lang.RuntimePermission "setIO";
+};
+
+grant signedBy "second" {
+    permission java.lang.RuntimePermission "setFactory";
+};
+
--- a/test/java/security/Policy/SignedJar/keypass
+++ b/test/java/security/Policy/SignedJar/keypass
+password