提交 3cdc2649 编写于 作者: A asaha

Merge

...@@ -882,6 +882,8 @@ ac700f67341a20ddae093c319da1c65e41edcacd jdk8u171-b04 ...@@ -882,6 +882,8 @@ ac700f67341a20ddae093c319da1c65e41edcacd jdk8u171-b04
db8272cb8c99eea536a66c4c368c4bf2bf013a81 jdk8u172-b02 db8272cb8c99eea536a66c4c368c4bf2bf013a81 jdk8u172-b02
bd24ee3a9a0494121fd1d96c308b9738f585001b jdk8u172-b03 bd24ee3a9a0494121fd1d96c308b9738f585001b jdk8u172-b03
cf952b84daa1e74403a4d1df541c0ecca830717d jdk8u172-b04 cf952b84daa1e74403a4d1df541c0ecca830717d jdk8u172-b04
e7e27f446209924f66a4bf86738f3e5f2fbbef5f jdk8u181-b00
a8746b41e23a1deda3d0f41ed2eca3d3a4cc74de jdk8u191-b00
076daed81c0a851f6d13fac538834ac465cdc122 jdk8u172-b05 076daed81c0a851f6d13fac538834ac465cdc122 jdk8u172-b05
94491d0dc59590535339a2ffae510166bb16f34c jdk8u172-b06 94491d0dc59590535339a2ffae510166bb16f34c jdk8u172-b06
7e9eeb74e84beb6d8a6f562441eb7dd0ab0befa9 jdk8u172-b07 7e9eeb74e84beb6d8a6f562441eb7dd0ab0befa9 jdk8u172-b07
...@@ -889,6 +891,9 @@ cf952b84daa1e74403a4d1df541c0ecca830717d jdk8u172-b04 ...@@ -889,6 +891,9 @@ cf952b84daa1e74403a4d1df541c0ecca830717d jdk8u172-b04
f52ece1d8708024735f06e7e3bdc771efbc073d0 jdk8u172-b09 f52ece1d8708024735f06e7e3bdc771efbc073d0 jdk8u172-b09
9e9009034e5ce97a97f72c00cd37cf2a638fa1a4 jdk8u172-b10 9e9009034e5ce97a97f72c00cd37cf2a638fa1a4 jdk8u172-b10
2a041b1f858dc6a372ac07b8cf5bf6fab879dcc8 jdk8u172-b11 2a041b1f858dc6a372ac07b8cf5bf6fab879dcc8 jdk8u172-b11
d902fae6241006af3c4cfc4ce82ebcb3efb9d725 jdk8u181-b01
baac18e216fb47b4cfa04169b3c3de58d667de7c jdk8u181-b02
d237c59d14e1c1fb1f750e9cdabcea6e711f4d34 jdk8u181-b03
f3185b46a35b82727f39d52ac7fad7c4c78ddcdd jdk8u172-b31 f3185b46a35b82727f39d52ac7fad7c4c78ddcdd jdk8u172-b31
0939503b7477ba081484c54f26f177f9a66d92e4 jdk8u172-b32 0939503b7477ba081484c54f26f177f9a66d92e4 jdk8u172-b32
f4b138a6c95cf17f6138598fe04a90dfe1086bf4 jdk8u172-b33 f4b138a6c95cf17f6138598fe04a90dfe1086bf4 jdk8u172-b33
......
/* /*
* Copyright (c) 1995, 2015, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 1995, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -37,6 +37,7 @@ import java.security.AccessController; ...@@ -37,6 +37,7 @@ import java.security.AccessController;
import java.io.ObjectStreamException; import java.io.ObjectStreamException;
import java.io.ObjectStreamField; import java.io.ObjectStreamField;
import java.io.IOException; import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream; import java.io.ObjectInputStream;
import java.io.ObjectInputStream.GetField; import java.io.ObjectInputStream.GetField;
import java.io.ObjectOutputStream; import java.io.ObjectOutputStream;
...@@ -1602,8 +1603,11 @@ class InetAddress implements java.io.Serializable { ...@@ -1602,8 +1603,11 @@ class InetAddress implements java.io.Serializable {
} }
GetField gf = s.readFields(); GetField gf = s.readFields();
String host = (String)gf.get("hostName", null); String host = (String)gf.get("hostName", null);
int address= gf.get("address", 0); int address = gf.get("address", 0);
int family= gf.get("family", 0); int family = gf.get("family", 0);
if (family != IPv4 && family != IPv6) {
throw new InvalidObjectException("invalid address family type: " + family);
}
InetAddressHolder h = new InetAddressHolder(host, address, family); InetAddressHolder h = new InetAddressHolder(host, address, family);
UNSAFE.putObject(this, FIELDS_OFFSET, h); UNSAFE.putObject(this, FIELDS_OFFSET, h);
} }
......
/* /*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -319,8 +319,20 @@ public final class NetworkInterface { ...@@ -319,8 +319,20 @@ public final class NetworkInterface {
if (addr == null) { if (addr == null) {
throw new NullPointerException(); throw new NullPointerException();
} }
if (!(addr instanceof Inet4Address || addr instanceof Inet6Address)) { if (addr instanceof Inet4Address) {
throw new IllegalArgumentException ("invalid address type"); Inet4Address inet4Address = (Inet4Address) addr;
if (inet4Address.holder.family != InetAddress.IPv4) {
throw new IllegalArgumentException("invalid family type: "
+ inet4Address.holder.family);
}
} else if (addr instanceof Inet6Address) {
Inet6Address inet6Address = (Inet6Address) addr;
if (inet6Address.holder.family != InetAddress.IPv6) {
throw new IllegalArgumentException("invalid family type: "
+ inet6Address.holder.family);
}
} else {
throw new IllegalArgumentException("invalid address type: " + addr);
} }
return getByInetAddress0(addr); return getByInetAddress0(addr);
} }
......
/* /*
* Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -50,6 +50,7 @@ import java.util.jar.Attributes.Name; ...@@ -50,6 +50,7 @@ import java.util.jar.Attributes.Name;
import java.util.jar.JarFile; import java.util.jar.JarFile;
import java.util.jar.Manifest; import java.util.jar.Manifest;
import sun.misc.Resource; import sun.misc.Resource;
import sun.misc.SharedSecrets;
import sun.misc.URLClassPath; import sun.misc.URLClassPath;
import sun.net.www.ParseUtil; import sun.net.www.ParseUtil;
import sun.security.util.SecurityConstants; import sun.security.util.SecurityConstants;
...@@ -486,13 +487,13 @@ public class URLClassLoader extends SecureClassLoader implements Closeable { ...@@ -486,13 +487,13 @@ public class URLClassLoader extends SecureClassLoader implements Closeable {
protected Package definePackage(String name, Manifest man, URL url) protected Package definePackage(String name, Manifest man, URL url)
throws IllegalArgumentException throws IllegalArgumentException
{ {
String path = name.replace('.', '/').concat("/");
String specTitle = null, specVersion = null, specVendor = null; String specTitle = null, specVersion = null, specVendor = null;
String implTitle = null, implVersion = null, implVendor = null; String implTitle = null, implVersion = null, implVendor = null;
String sealed = null; String sealed = null;
URL sealBase = null; URL sealBase = null;
Attributes attr = man.getAttributes(path); Attributes attr = SharedSecrets.javaUtilJarAccess()
.getTrustedAttributes(man, name.replace('.', '/').concat("/"));
if (attr != null) { if (attr != null) {
specTitle = attr.getValue(Name.SPECIFICATION_TITLE); specTitle = attr.getValue(Name.SPECIFICATION_TITLE);
specVersion = attr.getValue(Name.SPECIFICATION_VERSION); specVersion = attr.getValue(Name.SPECIFICATION_VERSION);
...@@ -536,10 +537,12 @@ public class URLClassLoader extends SecureClassLoader implements Closeable { ...@@ -536,10 +537,12 @@ public class URLClassLoader extends SecureClassLoader implements Closeable {
/* /*
* Returns true if the specified package name is sealed according to the * Returns true if the specified package name is sealed according to the
* given manifest. * given manifest.
*
* @throws SecurityException if the package name is untrusted in the manifest
*/ */
private boolean isSealed(String name, Manifest man) { private boolean isSealed(String name, Manifest man) {
String path = name.replace('.', '/').concat("/"); Attributes attr = SharedSecrets.javaUtilJarAccess()
Attributes attr = man.getAttributes(path); .getTrustedAttributes(man, name.replace('.', '/').concat("/"));
String sealed = null; String sealed = null;
if (attr != null) { if (attr != null) {
sealed = attr.getValue(Name.SEALED); sealed = attr.getValue(Name.SEALED);
......
/* /*
* Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -191,10 +191,10 @@ class JarFile extends ZipFile { ...@@ -191,10 +191,10 @@ class JarFile extends ZipFile {
if (manEntry != null) { if (manEntry != null) {
if (verify) { if (verify) {
byte[] b = getBytes(manEntry); byte[] b = getBytes(manEntry);
man = new Manifest(new ByteArrayInputStream(b));
if (!jvInitialized) { if (!jvInitialized) {
jv = new JarVerifier(b); jv = new JarVerifier(b);
} }
man = new Manifest(jv, new ByteArrayInputStream(b));
} else { } else {
man = new Manifest(super.getInputStream(manEntry)); man = new Manifest(super.getInputStream(manEntry));
} }
......
/* /*
* Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -879,4 +879,24 @@ class JarVerifier { ...@@ -879,4 +879,24 @@ class JarVerifier {
static CodeSource getUnsignedCS(URL url) { static CodeSource getUnsignedCS(URL url) {
return new VerifierCodeSource(null, url, (java.security.cert.Certificate[]) null); return new VerifierCodeSource(null, url, (java.security.cert.Certificate[]) null);
} }
/**
* Returns whether the name is trusted. Used by
* {@link Manifest#getTrustedAttributes(String)}.
*/
boolean isTrustedManifestEntry(String name) {
// How many signers? MANIFEST.MF is always verified
CodeSigner[] forMan = verifiedSigners.get(JarFile.MANIFEST_NAME);
if (forMan == null) {
return true;
}
// Check sigFileSigners first, because we are mainly dealing with
// non-file entries which will stay in sigFileSigners forever.
CodeSigner[] forName = sigFileSigners.get(name);
if (forName == null) {
forName = verifiedSigners.get(name);
}
// Returns trusted if all signers sign the entry
return forName != null && forName.length == forMan.length;
}
} }
/* /*
* Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -60,4 +60,9 @@ class JavaUtilJarAccessImpl implements JavaUtilJarAccess { ...@@ -60,4 +60,9 @@ class JavaUtilJarAccessImpl implements JavaUtilJarAccess {
public List<Object> getManifestDigests(JarFile jar) { public List<Object> getManifestDigests(JarFile jar) {
return jar.getManifestDigests(); return jar.getManifestDigests();
} }
public Attributes getTrustedAttributes(Manifest man, String name) {
return man.getTrustedAttributes(name);
}
} }
/* /*
* Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -48,15 +48,19 @@ import java.util.Iterator; ...@@ -48,15 +48,19 @@ import java.util.Iterator;
*/ */
public class Manifest implements Cloneable { public class Manifest implements Cloneable {
// manifest main attributes // manifest main attributes
private Attributes attr = new Attributes(); private final Attributes attr = new Attributes();
// manifest entries // manifest entries
private Map<String, Attributes> entries = new HashMap<>(); private final Map<String, Attributes> entries = new HashMap<>();
// associated JarVerifier, not null when called by JarFile::getManifest.
private final JarVerifier jv;
/** /**
* Constructs a new, empty Manifest. * Constructs a new, empty Manifest.
*/ */
public Manifest() { public Manifest() {
jv = null;
} }
/** /**
...@@ -66,7 +70,16 @@ public class Manifest implements Cloneable { ...@@ -66,7 +70,16 @@ public class Manifest implements Cloneable {
* @throws IOException if an I/O error has occurred * @throws IOException if an I/O error has occurred
*/ */
public Manifest(InputStream is) throws IOException { public Manifest(InputStream is) throws IOException {
this(null, is);
}
/**
* Constructs a new Manifest from the specified input stream
* and associates it with a JarVerifier.
*/
Manifest(JarVerifier jv, InputStream is) throws IOException {
read(is); read(is);
this.jv = jv;
} }
/** /**
...@@ -77,6 +90,7 @@ public class Manifest implements Cloneable { ...@@ -77,6 +90,7 @@ public class Manifest implements Cloneable {
public Manifest(Manifest man) { public Manifest(Manifest man) {
attr.putAll(man.getMainAttributes()); attr.putAll(man.getMainAttributes());
entries.putAll(man.getEntries()); entries.putAll(man.getEntries());
jv = man.jv;
} }
/** /**
...@@ -126,6 +140,23 @@ public class Manifest implements Cloneable { ...@@ -126,6 +140,23 @@ public class Manifest implements Cloneable {
return getEntries().get(name); return getEntries().get(name);
} }
/**
* Returns the Attributes for the specified entry name, if trusted.
*
* @param name entry name
* @return returns the same result as {@link #getAttributes(String)}
* @throws SecurityException if the associated jar is signed but this entry
* has been modified after signing (i.e. the section in the manifest
* does not exist in SF files of all signers).
*/
Attributes getTrustedAttributes(String name) {
Attributes result = getAttributes(name);
if (result != null && jv != null && ! jv.isTrustedManifestEntry(name)) {
throw new SecurityException("Untrusted manifest entry: " + name);
}
return result;
}
/** /**
* Clears the main Attributes as well as the entries in this Manifest. * Clears the main Attributes as well as the entries in this Manifest.
*/ */
......
/* /*
* Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -30,8 +30,10 @@ import java.net.URL; ...@@ -30,8 +30,10 @@ import java.net.URL;
import java.security.CodeSource; import java.security.CodeSource;
import java.util.Enumeration; import java.util.Enumeration;
import java.util.List; import java.util.List;
import java.util.jar.Attributes;
import java.util.jar.JarEntry; import java.util.jar.JarEntry;
import java.util.jar.JarFile; import java.util.jar.JarFile;
import java.util.jar.Manifest;
public interface JavaUtilJarAccess { public interface JavaUtilJarAccess {
public boolean jarFileHasClassPathAttribute(JarFile jar) throws IOException; public boolean jarFileHasClassPathAttribute(JarFile jar) throws IOException;
...@@ -41,4 +43,5 @@ public interface JavaUtilJarAccess { ...@@ -41,4 +43,5 @@ public interface JavaUtilJarAccess {
public Enumeration<JarEntry> entries2(JarFile jar); public Enumeration<JarEntry> entries2(JarFile jar);
public void setEagerValidation(JarFile jar, boolean eager); public void setEagerValidation(JarFile jar, boolean eager);
public List<Object> getManifestDigests(JarFile jar); public List<Object> getManifestDigests(JarFile jar);
public Attributes getTrustedAttributes(Manifest man, String name);
} }
...@@ -35,6 +35,7 @@ import java.net.URL; ...@@ -35,6 +35,7 @@ import java.net.URL;
import java.security.KeyStore; import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.text.Collator; import java.text.Collator;
import java.util.Locale; import java.util.Locale;
...@@ -58,6 +59,25 @@ public class KeyStoreUtil { ...@@ -58,6 +59,25 @@ public class KeyStoreUtil {
collator.setStrength(Collator.PRIMARY); collator.setStrength(Collator.PRIMARY);
}; };
/**
* Returns true if the certificate is self-signed, false otherwise.
*/
public static boolean isSelfSigned(X509Certificate cert) {
return signedBy(cert, cert);
}
public static boolean signedBy(X509Certificate end, X509Certificate ca) {
if (!ca.getSubjectX500Principal().equals(end.getIssuerX500Principal())) {
return false;
}
try {
end.verify(ca.getPublicKey());
return true;
} catch (Exception e) {
return false;
}
}
/** /**
* Returns true if KeyStore has a password. This is true except for * Returns true if KeyStore has a password. This is true except for
* MSCAPI KeyStores * MSCAPI KeyStores
......
/* /*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -199,7 +199,8 @@ public class Resources extends java.util.ListResourceBundle { ...@@ -199,7 +199,8 @@ public class Resources extends java.util.ListResourceBundle {
{"certificate.is.not.valid.until", {"certificate.is.not.valid.until",
"certificate is not valid until {0}"}, "certificate is not valid until {0}"},
{"certificate.will.expire.on", "certificate will expire on {0}"}, {"certificate.will.expire.on", "certificate will expire on {0}"},
{".CertPath.not.validated.", "[CertPath not validated: "}, {".Invalid.certificate.chain.", "[Invalid certificate chain: "},
{".Invalid.TSA.certificate.chain.", "[Invalid TSA certificate chain: "},
{"requesting.a.signature.timestamp", {"requesting.a.signature.timestamp",
"requesting a signature timestamp"}, "requesting a signature timestamp"},
{"TSA.location.", "TSA location: "}, {"TSA.location.", "TSA location: "},
...@@ -216,6 +217,8 @@ public class Resources extends java.util.ListResourceBundle { ...@@ -216,6 +217,8 @@ public class Resources extends java.util.ListResourceBundle {
{"entry.was.signed.on", "entry was signed on {0}"}, {"entry.was.signed.on", "entry was signed on {0}"},
{"Warning.", "Warning: "}, {"Warning.", "Warning: "},
{"Error.", "Error: "}, {"Error.", "Error: "},
{"...Signer", ">>> Signer"},
{"...TSA", ">>> TSA"},
{"This.jar.contains.unsigned.entries.which.have.not.been.integrity.checked.", {"This.jar.contains.unsigned.entries.which.have.not.been.integrity.checked.",
"This jar contains unsigned entries which have not been integrity-checked. "}, "This jar contains unsigned entries which have not been integrity-checked. "},
{"This.jar.contains.entries.whose.signer.certificate.has.expired.", {"This.jar.contains.entries.whose.signer.certificate.has.expired.",
...@@ -224,6 +227,8 @@ public class Resources extends java.util.ListResourceBundle { ...@@ -224,6 +227,8 @@ public class Resources extends java.util.ListResourceBundle {
"This jar contains entries whose signer certificate will expire within six months. "}, "This jar contains entries whose signer certificate will expire within six months. "},
{"This.jar.contains.entries.whose.signer.certificate.is.not.yet.valid.", {"This.jar.contains.entries.whose.signer.certificate.is.not.yet.valid.",
"This jar contains entries whose signer certificate is not yet valid. "}, "This jar contains entries whose signer certificate is not yet valid. "},
{"This.jar.contains.entries.whose.signer.certificate.is.self.signed.",
"This jar contains entries whose signer certificate is self-signed."},
{"Re.run.with.the.verbose.option.for.more.details.", {"Re.run.with.the.verbose.option.for.more.details.",
"Re-run with the -verbose option for more details."}, "Re-run with the -verbose option for more details."},
{"Re.run.with.the.verbose.and.certs.options.for.more.details.", {"Re.run.with.the.verbose.and.certs.options.for.more.details.",
...@@ -248,14 +253,24 @@ public class Resources extends java.util.ListResourceBundle { ...@@ -248,14 +253,24 @@ public class Resources extends java.util.ListResourceBundle {
"This jar contains entries whose signer certificate's NetscapeCertType extension doesn't allow code signing."}, "This jar contains entries whose signer certificate's NetscapeCertType extension doesn't allow code signing."},
{".{0}.extension.does.not.support.code.signing.", {".{0}.extension.does.not.support.code.signing.",
"[{0} extension does not support code signing]"}, "[{0} extension does not support code signing]"},
{"The.signer.s.certificate.chain.is.not.validated.", {"The.signer.s.certificate.chain.is.invalid.reason.1",
"The signer's certificate chain is not validated."}, "The signer's certificate chain is invalid. Reason: %s"},
{"This.jar.contains.entries.whose.certificate.chain.is.not.validated.", {"The.tsa.certificate.chain.is.invalid.reason.1",
"This jar contains entries whose certificate chain is not validated."}, "The TSA certificate chain is invalid. Reason: %s"},
{"The.signer.s.certificate.is.self.signed.",
"The signer's certificate is self-signed."},
{"The.1.algorithm.specified.for.the.2.option.is.considered.a.security.risk.",
"The %1$s algorithm specified for the %2$s option is considered a security risk."},
{"This.jar.contains.entries.whose.certificate.chain.is.invalid.reason.1",
"This jar contains entries whose certificate chain is invalid. Reason: %s"},
{"This.jar.contains.entries.whose.tsa.certificate.chain.is.invalid.reason.1",
"This jar contains entries whose TSA certificate chain is invalid. Reason: %s"},
{"no.timestamp.signing", {"no.timestamp.signing",
"No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (%1$tY-%1$tm-%1$td) or after any future revocation date."}, "No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (%1$tY-%1$tm-%1$td) or after any future revocation date."},
{"no.timestamp.verifying", {"no.timestamp.verifying",
"This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (%1$tY-%1$tm-%1$td) or after any future revocation date."}, "This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (%1$tY-%1$tm-%1$td) or after any future revocation date."},
{"bad.timestamp.verifying",
"This jar contains signatures that include an invalid timestamp. Without a valid timestamp, users may not be able to validate this jar after any of the signer certificates expire (as early as %1$tY-%1$tm-%1$td).\nRerun jarsigner with -J-Djava.security.debug=jar for more information."},
{"Unknown.password.type.", "Unknown password type: "}, {"Unknown.password.type.", "Unknown password type: "},
{"Cannot.find.environment.variable.", {"Cannot.find.environment.variable.",
"Cannot find environment variable: "}, "Cannot find environment variable: "},
......
...@@ -1352,7 +1352,7 @@ public final class Main { ...@@ -1352,7 +1352,7 @@ public final class Main {
for (Certificate ca: keyStore.getCertificateChain(alias)) { for (Certificate ca: keyStore.getCertificateChain(alias)) {
if (ca instanceof X509Certificate) { if (ca instanceof X509Certificate) {
X509Certificate xca = (X509Certificate)ca; X509Certificate xca = (X509Certificate)ca;
if (!isSelfSigned(xca)) { if (!KeyStoreUtil.isSelfSigned(xca)) {
dumpCert(xca, out); dumpCert(xca, out);
} }
} }
...@@ -2857,7 +2857,7 @@ public final class Main { ...@@ -2857,7 +2857,7 @@ public final class Main {
// if certificate is self-signed, make sure it verifies // if certificate is self-signed, make sure it verifies
boolean selfSigned = false; boolean selfSigned = false;
if (isSelfSigned(cert)) { if (KeyStoreUtil.isSelfSigned(cert)) {
cert.verify(cert.getPublicKey()); cert.verify(cert.getPublicKey());
selfSigned = true; selfSigned = true;
} }
...@@ -3160,25 +3160,6 @@ public final class Main { ...@@ -3160,25 +3160,6 @@ public final class Main {
} }
} }
/**
* Returns true if the certificate is self-signed, false otherwise.
*/
private boolean isSelfSigned(X509Certificate cert) {
return signedBy(cert, cert);
}
private boolean signedBy(X509Certificate end, X509Certificate ca) {
if (!ca.getSubjectDN().equals(end.getIssuerDN())) {
return false;
}
try {
end.verify(ca.getPublicKey());
return true;
} catch (Exception e) {
return false;
}
}
/** /**
* Locates a signer for a given certificate from a given keystore and * Locates a signer for a given certificate from a given keystore and
* returns the signer's certificate. * returns the signer's certificate.
...@@ -3519,7 +3500,7 @@ public final class Main { ...@@ -3519,7 +3500,7 @@ public final class Main {
// find a cert in the reply who signs thisCert // find a cert in the reply who signs thisCert
int j; int j;
for (j=i; j<replyCerts.length; j++) { for (j=i; j<replyCerts.length; j++) {
if (signedBy(thisCert, (X509Certificate)replyCerts[j])) { if (KeyStoreUtil.signedBy(thisCert, (X509Certificate)replyCerts[j])) {
tmpCert = replyCerts[i]; tmpCert = replyCerts[i];
replyCerts[i] = replyCerts[j]; replyCerts[i] = replyCerts[j];
replyCerts[j] = tmpCert; replyCerts[j] = tmpCert;
...@@ -3677,7 +3658,7 @@ public final class Main { ...@@ -3677,7 +3658,7 @@ public final class Main {
private boolean buildChain(Pair<String,X509Certificate> certToVerify, private boolean buildChain(Pair<String,X509Certificate> certToVerify,
Vector<Pair<String,X509Certificate>> chain, Vector<Pair<String,X509Certificate>> chain,
Hashtable<Principal, Vector<Pair<String,X509Certificate>>> certs) { Hashtable<Principal, Vector<Pair<String,X509Certificate>>> certs) {
if (isSelfSigned(certToVerify.snd)) { if (KeyStoreUtil.isSelfSigned(certToVerify.snd)) {
// reached self-signed root cert; // reached self-signed root cert;
// no verification needed because it's trusted. // no verification needed because it's trusted.
chain.addElement(certToVerify); chain.addElement(certToVerify);
......
...@@ -718,7 +718,8 @@ public class SignatureFileVerifier { ...@@ -718,7 +718,8 @@ public class SignatureFileVerifier {
if (signers == null) { if (signers == null) {
signers = new ArrayList<>(); signers = new ArrayList<>();
} }
// Append the new code signer // Append the new code signer. If timestamp is invalid, this
// jar will be treated as unsigned.
signers.add(new CodeSigner(certChain, info.getTimestamp())); signers.add(new CodeSigner(certChain, info.getTimestamp()));
if (debug != null) { if (debug != null) {
......
...@@ -335,10 +335,18 @@ JNIEXPORT jobject JNICALL Java_java_net_NetworkInterface_getByInetAddress0 ...@@ -335,10 +335,18 @@ JNIEXPORT jobject JNICALL Java_java_net_NetworkInterface_getByInetAddress0
jobject obj = NULL; jobject obj = NULL;
jboolean match = JNI_FALSE; jboolean match = JNI_FALSE;
#if defined(AF_INET6) #if defined(AF_INET6)
int family = (getInetAddress_family(env, iaObj) == IPv4) ? AF_INET : AF_INET6; int family = getInetAddress_family(env, iaObj);
JNU_CHECK_EXCEPTION_RETURN(env, NULL); JNU_CHECK_EXCEPTION_RETURN(env, NULL);
if (family == IPv4) {
family = AF_INET;
} else if (family == IPv6) {
family = AF_INET6;
} else {
return NULL; // Invalid family
}
#else #else
int family = AF_INET; int family = AF_INET;
#endif #endif
ifs = enumInterfaces(env); ifs = enumInterfaces(env);
if (ifs == NULL) { if (ifs == NULL) {
......
...@@ -159,7 +159,6 @@ JNIEXPORT jbyteArray JNICALL Java_sun_security_mscapi_PRNG_generateSeed ...@@ -159,7 +159,6 @@ JNIEXPORT jbyteArray JNICALL Java_sun_security_mscapi_PRNG_generateSeed
{ {
HCRYPTPROV hCryptProv = NULL; HCRYPTPROV hCryptProv = NULL;
BYTE* pbData = NULL;
jbyte* reseedBytes = NULL; jbyte* reseedBytes = NULL;
jbyte* seedBytes = NULL; jbyte* seedBytes = NULL;
jbyteArray result = NULL; jbyteArray result = NULL;
...@@ -203,25 +202,17 @@ JNIEXPORT jbyteArray JNICALL Java_sun_security_mscapi_PRNG_generateSeed ...@@ -203,25 +202,17 @@ JNIEXPORT jbyteArray JNICALL Java_sun_security_mscapi_PRNG_generateSeed
result = NULL; result = NULL;
} else if (length > 0) { } else {
pbData = new BYTE[length];
if (::CryptGenRandom(
hCryptProv,
length,
pbData) == FALSE) {
ThrowException(env, PROVIDER_EXCEPTION, GetLastError()); if (length > 0) {
__leave; seed = env->NewByteArray(length);
if (seed == NULL) {
__leave;
}
} else {
length = env->GetArrayLength(seed);
} }
result = env->NewByteArray(length);
env->SetByteArrayRegion(result, 0, length, (jbyte*) pbData);
} else { // length == 0
length = env->GetArrayLength(seed);
if ((seedBytes = env->GetByteArrayElements(seed, 0)) == NULL) { if ((seedBytes = env->GetByteArrayElements(seed, 0)) == NULL) {
__leave; __leave;
} }
...@@ -246,9 +237,6 @@ JNIEXPORT jbyteArray JNICALL Java_sun_security_mscapi_PRNG_generateSeed ...@@ -246,9 +237,6 @@ JNIEXPORT jbyteArray JNICALL Java_sun_security_mscapi_PRNG_generateSeed
if (reseedBytes) if (reseedBytes)
env->ReleaseByteArrayElements(seed, reseedBytes, JNI_ABORT); env->ReleaseByteArrayElements(seed, reseedBytes, JNI_ABORT);
if (pbData)
delete [] pbData;
if (seedBytes) if (seedBytes)
env->ReleaseByteArrayElements(seed, seedBytes, 0); // update orig env->ReleaseByteArrayElements(seed, seedBytes, 0); // update orig
......
/*
* Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package jdk.testlibrary;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.net.URI;
import java.util.Arrays;
import javax.tools.ForwardingJavaFileManager;
import javax.tools.ForwardingJavaFileManager;
import javax.tools.FileObject;
import javax.tools.JavaCompiler;
import javax.tools.JavaCompiler.CompilationTask;
import javax.tools.JavaFileManager;
import javax.tools.JavaFileObject;
import javax.tools.JavaFileObject.Kind;
import javax.tools.SimpleJavaFileObject;
import javax.tools.ToolProvider;
/**
* {@code InMemoryJavaCompiler} can be used for compiling a {@link
* CharSequence} to a {@code byte[]}.
*
* The compiler will not use the file system at all, instead using a {@link
* ByteArrayOutputStream} for storing the byte code. For the source code, any
* kind of {@link CharSequence} can be used, e.g. {@link String}, {@link
* StringBuffer} or {@link StringBuilder}.
*
* The {@code InMemoryCompiler} can easily be used together with a {@code
* ByteClassLoader} to easily compile and load source code in a {@link String}:
*
* <pre>
* {@code
* import com.oracle.java.testlibrary.InMemoryJavaCompiler;
* import com.oracle.java.testlibrary.ByteClassLoader;
*
* class Example {
* public static void main(String[] args) {
* String className = "Foo";
* String sourceCode = "public class " + className + " {" +
* " public void bar() {" +
* " System.out.println("Hello from bar!");" +
* " }" +
* "}";
* byte[] byteCode = InMemoryJavaCompiler.compile(className, sourceCode);
* Class fooClass = ByteClassLoader.load(className, byteCode);
* }
* }
* }
* </pre>
*/
public class InMemoryJavaCompiler {
private static class MemoryJavaFileObject extends SimpleJavaFileObject {
private final String className;
private final CharSequence sourceCode;
private final ByteArrayOutputStream byteCode;
public MemoryJavaFileObject(String className, CharSequence sourceCode) {
super(URI.create("string:///" + className.replace('.','/') + Kind.SOURCE.extension), Kind.SOURCE);
this.className = className;
this.sourceCode = sourceCode;
this.byteCode = new ByteArrayOutputStream();
}
@Override
public CharSequence getCharContent(boolean ignoreEncodingErrors) {
return sourceCode;
}
@Override
public OutputStream openOutputStream() throws IOException {
return byteCode;
}
public byte[] getByteCode() {
return byteCode.toByteArray();
}
public String getClassName() {
return className;
}
}
private static class FileManagerWrapper extends ForwardingJavaFileManager {
private MemoryJavaFileObject file;
public FileManagerWrapper(MemoryJavaFileObject file) {
super(getCompiler().getStandardFileManager(null, null, null));
this.file = file;
}
@Override
public JavaFileObject getJavaFileForOutput(Location location, String className,
Kind kind, FileObject sibling)
throws IOException {
if (!file.getClassName().equals(className)) {
throw new IOException("Expected class with name " + file.getClassName() +
", but got " + className);
}
return file;
}
}
/**
* Compiles the class with the given name and source code.
*
* @param className The name of the class
* @param sourceCode The source code for the class with name {@code className}
* @throws RuntimeException if the compilation did not succeed
* @return The resulting byte code from the compilation
*/
public static byte[] compile(String className, CharSequence sourceCode) {
MemoryJavaFileObject file = new MemoryJavaFileObject(className, sourceCode);
CompilationTask task = getCompilationTask(file);
if(!task.call()) {
throw new RuntimeException("Could not compile " + className + " with source code " + sourceCode);
}
return file.getByteCode();
}
private static JavaCompiler getCompiler() {
return ToolProvider.getSystemJavaCompiler();
}
private static CompilationTask getCompilationTask(MemoryJavaFileObject file) {
return getCompiler().getTask(null, new FileManagerWrapper(file), null, null, null, Arrays.asList(file));
}
}
/* /*
* Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -23,6 +23,7 @@ ...@@ -23,6 +23,7 @@
package jdk.testlibrary; package jdk.testlibrary;
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream; import java.io.FileInputStream;
import java.io.FileNotFoundException; import java.io.FileNotFoundException;
import java.io.FileOutputStream; import java.io.FileOutputStream;
...@@ -126,6 +127,11 @@ public final class JarUtils { ...@@ -126,6 +127,11 @@ public final class JarUtils {
changes = new HashMap<>(changes); changes = new HashMap<>(changes);
System.out.printf("Creating %s from %s...\n", dest, src); System.out.printf("Creating %s from %s...\n", dest, src);
if (dest.equals(src)) {
throw new IOException("src and dest cannot be the same");
}
try (JarOutputStream jos = new JarOutputStream( try (JarOutputStream jos = new JarOutputStream(
new FileOutputStream(dest))) { new FileOutputStream(dest))) {
...@@ -153,6 +159,24 @@ public final class JarUtils { ...@@ -153,6 +159,24 @@ public final class JarUtils {
System.out.println(); System.out.println();
} }
/**
* Update the Manifest inside a jar.
*
* @param src the original jar file name
* @param dest the new jar file name
* @param man the Manifest
*
* @throws IOException
*/
public static void updateManifest(String src, String dest, Manifest man)
throws IOException {
ByteArrayOutputStream bout = new ByteArrayOutputStream();
man.write(bout);
Map<String, Object> map = new HashMap<>();
map.put(JarFile.MANIFEST_NAME, bout.toByteArray());
updateJar(src, dest, map);
}
private static void updateEntry(JarOutputStream jos, String name, Object content) private static void updateEntry(JarOutputStream jos, String name, Object content)
throws IOException { throws IOException {
if (content instanceof Boolean) { if (content instanceof Boolean) {
......
...@@ -39,7 +39,7 @@ public final class OutputAnalyzer { ...@@ -39,7 +39,7 @@ public final class OutputAnalyzer {
private final String stdout; private final String stdout;
private final String stderr; private final String stderr;
private final int exitValue; private final int exitValue; // useless now. output contains exit value.
/** /**
* Create an OutputAnalyzer, a utility class for verifying output and exit * Create an OutputAnalyzer, a utility class for verifying output and exit
......
/* /*
* Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -25,6 +25,7 @@ package jdk.testlibrary; ...@@ -25,6 +25,7 @@ package jdk.testlibrary;
import java.io.ByteArrayOutputStream; import java.io.ByteArrayOutputStream;
import java.io.IOException; import java.io.IOException;
import java.io.OutputStream;
import java.io.PrintStream; import java.io.PrintStream;
import java.lang.management.ManagementFactory; import java.lang.management.ManagementFactory;
import java.lang.management.RuntimeMXBean; import java.lang.management.RuntimeMXBean;
...@@ -353,9 +354,31 @@ public final class ProcessTools { ...@@ -353,9 +354,31 @@ public final class ProcessTools {
* @return The output from the process. * @return The output from the process.
*/ */
public static OutputAnalyzer executeProcess(ProcessBuilder pb) throws Throwable { public static OutputAnalyzer executeProcess(ProcessBuilder pb) throws Throwable {
return executeProcess(pb, null);
}
/**
* Executes a process, pipe some text into its STDIN, waits for it
* to finish and returns the process output. The process will have exited
* before this method returns.
* @param pb The ProcessBuilder to execute.
* @param input The text to pipe into STDIN. Can be null.
* @return The {@linkplain OutputAnalyzer} instance wrapping the process.
*/
public static OutputAnalyzer executeProcess(ProcessBuilder pb, String input)
throws Throwable {
OutputAnalyzer output = null; OutputAnalyzer output = null;
Process p = null;
try { try {
output = new OutputAnalyzer(pb.start()); p = pb.start();
if (input != null) {
try (OutputStream os = p.getOutputStream();
PrintStream ps = new PrintStream(os)) {
ps.print(input);
ps.flush();
}
}
output = new OutputAnalyzer(p);
return output; return output;
} catch (Throwable t) { } catch (Throwable t) {
System.out.println("executeProcess() failed: " + t); System.out.println("executeProcess() failed: " + t);
......
...@@ -49,10 +49,7 @@ public class SecurityTools { ...@@ -49,10 +49,7 @@ public class SecurityTools {
launcher.addToolArg(arg); launcher.addToolArg(arg);
} }
} }
String[] cmds = launcher.getCommand(); return new ProcessBuilder(launcher.getCommand());
String cmdLine = Arrays.stream(cmds).collect(Collectors.joining(" "));
System.out.println("Command line: [" + cmdLine + "]");
return new ProcessBuilder(cmds);
} }
// keytool // keytool
...@@ -69,7 +66,7 @@ public class SecurityTools { ...@@ -69,7 +66,7 @@ public class SecurityTools {
pb.redirectInput(ProcessBuilder.Redirect.from(new File(RESPONSE_FILE))); pb.redirectInput(ProcessBuilder.Redirect.from(new File(RESPONSE_FILE)));
try { try {
return ProcessTools.executeProcess(pb); return execute(pb);
} catch (Throwable t) { } catch (Throwable t) {
throw new RuntimeException("keytool failure: " + t); throw new RuntimeException("keytool failure: " + t);
} finally { } finally {
...@@ -101,11 +98,20 @@ public class SecurityTools { ...@@ -101,11 +98,20 @@ public class SecurityTools {
public static OutputAnalyzer jarsigner(List<String> args) public static OutputAnalyzer jarsigner(List<String> args)
throws Exception { throws Exception {
return execute(getProcessBuilder("jarsigner", args));
}
private static OutputAnalyzer execute(ProcessBuilder pb) throws Exception {
try { try {
return ProcessTools.executeProcess( OutputAnalyzer oa = ProcessTools.executeCommand(pb);
getProcessBuilder("jarsigner", args)); System.out.println("Exit value: " + oa.getExitValue());
return oa;
} catch (Throwable t) { } catch (Throwable t) {
throw new RuntimeException("jarsigner error: " + t); if (t instanceof Exception) {
throw (Exception) t;
} else {
throw new Exception(t);
}
} }
} }
......
...@@ -22,7 +22,7 @@ ...@@ -22,7 +22,7 @@
*/ */
/* @test /* @test
* @bug 8193833 * @bug 8158963
* *
* @summary Disable RMI over HTTP by default * @summary Disable RMI over HTTP by default
* *
......
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
import java.security.*;
class DigestBase extends MessageDigestSpi {
private MessageDigest digest = null;
public DigestBase(String alg, String provider) throws Exception {
digest = MessageDigest.getInstance(alg, provider);
}
@Override
protected void engineUpdate(byte input) {
digest.update(input);
}
@Override
protected void engineUpdate(byte[] input, int offset, int len) {
digest.update(input, offset, len);
}
@Override
protected byte[] engineDigest() {
return digest.digest();
}
@Override
protected void engineReset() {
digest.reset();
}
public static final class MD5 extends DigestBase {
public MD5() throws Exception {
super("MD5", "SUN");
}
}
public static final class SHA extends DigestBase {
public SHA() throws Exception {
super("SHA", "SUN");
}
}
public static final class SHA256 extends DigestBase {
public SHA256() throws Exception {
super("SHA-256", "SUN");
}
}
}
/*
* Copyright (c) 2016, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
//
// Please run in othervm mode. SunJSSE does not support dynamic system
// properties, no way to re-use system properties in samevm/agentvm mode.
//
/*
* @test
* @bug 8148421 8193683
* @summary Transport Layer Security (TLS) Session Hash and Extended
* Master Secret Extension
* @summary Increase the number of clones in the CloneableDigest
* @library /javax/net/ssl/templates
* @compile DigestBase.java
* @run main/othervm HandshakeHashCloneExhaustion
* TLSv1.2 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* @run main/othervm HandshakeHashCloneExhaustion
* TLSv1.1 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
*/
import java.io.InputStream;
import java.io.OutputStream;
import java.security.MessageDigest;
import java.security.Security;
import javax.net.ssl.SSLSocket;
public class HandshakeHashCloneExhaustion extends SSLSocketTemplate {
private static String[] protocol;
private static String[] ciphersuite;
private static String[] mds = { "SHA", "MD5", "SHA-256" };
/*
* ==================
* Run the test case.
*/
public static void main(String[] args) throws Exception {
// Add in a non-cloneable MD5/SHA1/SHA-256 implementation
Security.insertProviderAt(new MyProvider(), 1);
// make sure our provider is functioning
for (String s : mds) {
MessageDigest md = MessageDigest.getInstance(s);
String p = md.getProvider().getName();
if (!p.equals("MyProvider")) {
throw new RuntimeException("Unexpected provider: " + p);
}
}
if (args.length != 2) {
throw new Exception(
"Usage: HandshakeHashCloneExhaustion protocol ciphersuite");
}
System.out.println("Testing: " + args[0] + " " + args[1]);
protocol = new String [] { args[0] };
ciphersuite = new String[] { args[1] };
(new HandshakeHashCloneExhaustion()).run();
}
@Override
protected void runServerApplication(SSLSocket socket) throws Exception {
socket.setNeedClientAuth(true);
socket.setEnabledProtocols(protocol);
socket.setEnabledCipherSuites(ciphersuite);
// here comes the test logic
InputStream sslIS = socket.getInputStream();
OutputStream sslOS = socket.getOutputStream();
sslIS.read();
sslOS.write(85);
sslOS.flush();
}
@Override
protected void runClientApplication(SSLSocket socket) throws Exception {
InputStream sslIS = socket.getInputStream();
OutputStream sslOS = socket.getOutputStream();
sslOS.write(280);
sslOS.flush();
sslIS.read();
}
}
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
import java.security.*;
public final class MyProvider extends Provider {
public MyProvider() {
super("MyProvider", 1.0d,
"Test Provider: SHA1/MD5/SHA256 exhaustion testing");
put("MessageDigest.SHA", "DigestBase$SHA");
put("MessageDigest.MD5", "DigestBase$MD5");
put("MessageDigest.SHA-256", "DigestBase$SHA256");
}
}
...@@ -46,6 +46,7 @@ public class TsacertOptionTest { ...@@ -46,6 +46,7 @@ public class TsacertOptionTest {
+ ".txt"; + ".txt";
private static final String PASSWORD = "changeit"; private static final String PASSWORD = "changeit";
private static final String KEYSTORE = "ks.jks"; private static final String KEYSTORE = "ks.jks";
private static final String CA_KEY_ALIAS = "ca";
private static final String SIGNING_KEY_ALIAS = "sign_alias"; private static final String SIGNING_KEY_ALIAS = "sign_alias";
private static final String TSA_KEY_ALIAS = "ts"; private static final String TSA_KEY_ALIAS = "ts";
private static final String KEY_ALG = "RSA"; private static final String KEY_ALG = "RSA";
...@@ -73,20 +74,52 @@ public class TsacertOptionTest { ...@@ -73,20 +74,52 @@ public class TsacertOptionTest {
// look for free network port for TSA service // look for free network port for TSA service
int port = jdk.testlibrary.Utils.getFreePort(); int port = jdk.testlibrary.Utils.getFreePort();
String host = jdk.testlibrary.Utils.getHostname(); String host = "127.0.0.1";
String tsaUrl = "http://" + host + ":" + port; String tsaUrl = "http://" + host + ":" + port;
// create key pair for jar signing // create key pair for jar signing
ProcessTools.executeCommand(KEYTOOL, ProcessTools.executeCommand(KEYTOOL,
"-genkey", "-genkey",
"-alias", SIGNING_KEY_ALIAS, "-alias", CA_KEY_ALIAS,
"-keyalg", KEY_ALG, "-keyalg", KEY_ALG,
"-keysize", Integer.toString(KEY_SIZE), "-keysize", Integer.toString(KEY_SIZE),
"-keystore", KEYSTORE, "-keystore", KEYSTORE,
"-storepass", PASSWORD, "-storepass", PASSWORD,
"-keypass", PASSWORD, "-keypass", PASSWORD,
"-dname", "CN=Test", "-dname", "CN=CA",
"-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0); "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
ProcessTools.executeCommand(KEYTOOL,
"-genkey",
"-alias", SIGNING_KEY_ALIAS,
"-keyalg", KEY_ALG,
"-keysize", Integer.toString(KEY_SIZE),
"-keystore", KEYSTORE,
"-storepass", PASSWORD,
"-keypass", PASSWORD,
"-dname", "CN=Test").shouldHaveExitValue(0);
ProcessTools.executeCommand(KEYTOOL,
"-certreq",
"-alias", SIGNING_KEY_ALIAS,
"-keystore", KEYSTORE,
"-storepass", PASSWORD,
"-keypass", PASSWORD,
"-file", "certreq").shouldHaveExitValue(0);
ProcessTools.executeCommand(KEYTOOL,
"-gencert",
"-alias", CA_KEY_ALIAS,
"-keystore", KEYSTORE,
"-storepass", PASSWORD,
"-keypass", PASSWORD,
"-validity", Integer.toString(VALIDITY),
"-infile", "certreq",
"-outfile", "cert").shouldHaveExitValue(0);
ProcessTools.executeCommand(KEYTOOL,
"-importcert",
"-alias", SIGNING_KEY_ALIAS,
"-keystore", KEYSTORE,
"-storepass", PASSWORD,
"-keypass", PASSWORD,
"-file", "cert").shouldHaveExitValue(0);
// create key pair for TSA service // create key pair for TSA service
// SubjectInfoAccess extension contains URL to TSA service // SubjectInfoAccess extension contains URL to TSA service
......
/*
* Copyright (c) 2015, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
import jdk.testlibrary.JDKToolLauncher;
import jdk.testlibrary.JarUtils;
import jdk.testlibrary.OutputAnalyzer;
import jdk.testlibrary.ProcessTools;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Arrays;
/**
* @test
* @bug 8024302 8026037 8130132
* @summary warnings, errors and -strict
* @library /lib/testlibrary
*/
public class Warning {
public static void main(String[] args) throws Throwable {
Files.deleteIfExists(Paths.get("ks"));
newCert("ca", "-validity 365000");
recreateJar();
newCert("a");
run("jarsigner", "a.jar a")
.shouldContain("is self-signed");
run("jarsigner", "a.jar a -strict")
.shouldContain("is self-signed")
.shouldHaveExitValue(4);
// Trusted entry can be self-signed without a warning
run("jarsigner", "-verify a.jar")
.shouldNotContain("is self-signed")
.shouldNotContain("not signed by alias in this keystore");
run("keytool", "-delete -alias a");
// otherwise a warning will be shown
run("jarsigner", "-verify a.jar")
.shouldContain("is self-signed")
.shouldContain("not signed by alias in this keystore");
recreateJar();
newCert("b");
issueCert("b");
run("jarsigner", "a.jar b")
.shouldNotContain("is self-signed");
run("jarsigner", "-verify a.jar")
.shouldNotContain("is self-signed");
run("jarsigner", "a.jar b -digestalg MD5")
.shouldContain("-digestalg option is considered a security risk.");
run("jarsigner", "a.jar b -digestalg MD5 -strict")
.shouldHaveExitValue(4)
.shouldContain("-digestalg option is considered a security risk.");
run("jarsigner", "a.jar b -sigalg MD5withRSA")
.shouldContain("-sigalg option is considered a security risk");
issueCert("b", "-sigalg MD5withRSA");
run("jarsigner", "a.jar b")
.shouldMatch("chain is invalid. Reason:.*MD5withRSA");
recreateJar();
newCert("c", "-keysize 512");
issueCert("c");
run("jarsigner", "a.jar c")
.shouldContain("chain is invalid. " +
"Reason: Algorithm constraints check failed");
recreateJar();
newCert("s1"); issueCert("s1", "-startdate 2000/01/01 -validity 36525");
run("jarsigner", "a.jar s1")
.shouldHaveExitValue(0)
.shouldContain("Warning:")
.shouldNotContain("Error:")
.shouldContain("timestamp").shouldContain("2100-01-01")
.shouldNotContain("with signer errors");
run("jarsigner", "a.jar s1 -strict")
.shouldHaveExitValue(0)
.shouldContain("Warning:")
.shouldNotContain("Error:")
.shouldContain("timestamp").shouldContain("2100-01-01")
.shouldNotContain("with signer errors");
run("jarsigner", "a.jar s1 -verify")
.shouldHaveExitValue(0)
.shouldContain("Warning:")
.shouldNotContain("Error:")
.shouldContain("timestamp").shouldContain("2100-01-01")
.shouldNotContain("with signer errors");
run("jarsigner", "a.jar s1 -verify -strict")
.shouldHaveExitValue(0)
.shouldContain("Warning:")
.shouldNotContain("Error:")
.shouldContain("timestamp").shouldContain("2100-01-01")
.shouldNotContain("with signer errors");
recreateJar();
newCert("s2"); issueCert("s2", "-validity 100");
run("jarsigner", "a.jar s2")
.shouldHaveExitValue(0)
.shouldContain("Warning:")
.shouldNotContain("Error:")
.shouldContain("timestamp")
.shouldContain("will expire")
.shouldNotContain("with signer errors");
run("jarsigner", "a.jar s2 -strict")
.shouldHaveExitValue(0)
.shouldContain("Warning:")
.shouldNotContain("Error:")
.shouldContain("timestamp")
.shouldContain("will expire")
.shouldNotContain("with signer errors");
run("jarsigner", "a.jar s2 -verify")
.shouldHaveExitValue(0)
.shouldContain("Warning:")
.shouldNotContain("Error:")
.shouldContain("timestamp")
.shouldContain("will expire")
.shouldNotContain("with signer errors");
run("jarsigner", "a.jar s2 -verify -strict")
.shouldHaveExitValue(0)
.shouldContain("Warning:")
.shouldNotContain("Error:")
.shouldContain("timestamp")
.shouldContain("will expire")
.shouldNotContain("with signer errors");
recreateJar();
newCert("s3"); issueCert("s3", "-startdate -200d -validity 100");
run("jarsigner", "a.jar s3")
.shouldHaveExitValue(0)
.shouldContain("Warning:")
.shouldContain("has expired")
.shouldNotContain("with signer errors")
.shouldNotContain("Error:");
run("jarsigner", "a.jar s3 -strict")
.shouldHaveExitValue(4)
.shouldContain("with signer errors")
.shouldMatch("(?s).*Error:.*has expired.*Warning:.*");
run("jarsigner", "a.jar s3 -verify")
.shouldHaveExitValue(0)
.shouldContain("Warning:")
.shouldNotContain("with signer errors")
.shouldNotContain("Error:");
run("jarsigner", "a.jar s3 -verify -strict")
.shouldHaveExitValue(4)
.shouldContain("with signer errors")
.shouldMatch("(?s).*Error:.*has expired.*Warning:.*");
}
// Creates a new jar without signature
static void recreateJar() throws Exception {
JarUtils.createJar("a.jar", "ks");
}
// Creates a self-signed cert for alias with zero or more -genkey options
static void newCert(String alias, String... more) throws Throwable {
String args = "-genkeypair -alias " + alias + " -dname CN=" + alias;
for (String s: more) {
args += " " + s;
}
run("keytool", args).shouldHaveExitValue(0);
}
// Asks ca to issue a cert to alias with zero or more -gencert options
static void issueCert(String alias, String...more) throws Throwable {
String req = run("keytool", "-certreq -alias " + alias)
.shouldHaveExitValue(0).getStdout();
String args = "-gencert -alias ca -rfc";
for (String s: more) {
args += " " + s;
}
String cert = run("keytool", args, req)
.shouldHaveExitValue(0).getStdout();
run("keytool", "-import -alias " + alias, cert).shouldHaveExitValue(0);
}
// Runs a java tool with command line arguments
static OutputAnalyzer run(String command, String args)
throws Throwable {
return run(command, args, null);
}
// Runs a java tool with command line arguments and an optional input block
static OutputAnalyzer run(String command, String args, String input)
throws Throwable {
JDKToolLauncher launcher = JDKToolLauncher.createUsingTestJDK(command);
launcher.addVMArg("-Duser.language=en").addVMArg("-Duser.country=US");
switch (command) {
case "keytool":
for (String s: new String[] {
"-keystore", "ks", "-storepass", "changeit",
"-storetype", "jks",
"-keypass", "changeit", "-keyalg", "rsa", "-debug"}) {
launcher.addToolArg(s);
}
break;
case "jarsigner":
for (String s: new String[] {
"-keystore", "ks", "-storepass", "changeit",
"-storetype", "jks"}) {
launcher.addToolArg(s);
}
break;
}
for (String arg: args.split(" ")) {
launcher.addToolArg(arg);
}
String[] cmd = launcher.getCommand();
ProcessBuilder pb = new ProcessBuilder(cmd);
OutputAnalyzer out = ProcessTools.executeProcess(pb, input);
System.out.println("======================");
System.out.println(Arrays.toString(cmd));
String msg = " stdout: [" + out.getStdout() + "];\n"
+ " stderr: [" + out.getStderr() + "]\n"
+ " exitValue = " + out.getExitValue() + "\n";
System.out.println(msg);
return out;
}
}
# #
# Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved. # Copyright (c) 2010, 2017, Oracle and/or its affiliates. All rights reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
# #
# This code is free software; you can redistribute it and/or modify it # This code is free software; you can redistribute it and/or modify it
...@@ -91,7 +91,7 @@ echo $RESULT ...@@ -91,7 +91,7 @@ echo $RESULT
#[ $RESULT = 0 ] || exit 2 #[ $RESULT = 0 ] || exit 2
# Test 3: When no keystore is specified, the error is only # Test 3: When no keystore is specified, the error is only
# "chain not validated" # "chain invalid"
$JARSIGNER -strict -verify a.jar $JARSIGNER -strict -verify a.jar
RESULT=$? RESULT=$?
...@@ -99,7 +99,7 @@ echo $RESULT ...@@ -99,7 +99,7 @@ echo $RESULT
#[ $RESULT = 4 ] || exit 3 #[ $RESULT = 4 ] || exit 3
# Test 4: When unrelated keystore is specified, the error is # Test 4: When unrelated keystore is specified, the error is
# "chain not validated" and "not alias in keystore" # "chain invalid" and "not alias in keystore"
$JARSIGNER -keystore unrelated.jks -strict -verify a.jar $JARSIGNER -keystore unrelated.jks -strict -verify a.jar
RESULT=$? RESULT=$?
......
# #
# Copyright (c) 2009, 2012, Oracle and/or its affiliates. All rights reserved. # Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
# #
# This code is free software; you can redistribute it and/or modify it # This code is free software; you can redistribute it and/or modify it
...@@ -22,10 +22,10 @@ ...@@ -22,10 +22,10 @@
# #
# @test # @test
# @bug 6802846 # @bug 6802846 8172529
# @summary jarsigner needs enhanced cert validation(options) # @summary jarsigner needs enhanced cert validation(options)
# #
# @run shell concise_jarsigner.sh # @run shell/timeout=240 concise_jarsigner.sh
# #
if [ "${TESTJAVA}" = "" ] ; then if [ "${TESTJAVA}" = "" ] ; then
...@@ -47,12 +47,15 @@ esac ...@@ -47,12 +47,15 @@ esac
# Choose 1024-bit RSA to make sure it runs fine and fast on all platforms. In # Choose 1024-bit RSA to make sure it runs fine and fast on all platforms. In
# fact, every keyalg/keysize combination is OK for this test. # fact, every keyalg/keysize combination is OK for this test.
KT="$TESTJAVA${FS}bin${FS}keytool -storepass changeit -keypass changeit -keystore js.jks -keyalg rsa -keysize 1024" TESTTOOLVMOPTS="$TESTTOOLVMOPTS -J-Duser.language=en -J-Duser.country=US"
JAR=$TESTJAVA${FS}bin${FS}jar
JARSIGNER=$TESTJAVA${FS}bin${FS}jarsigner
JAVAC=$TESTJAVA${FS}bin${FS}javac
rm js.jks KS=js.ks
KT="$TESTJAVA${FS}bin${FS}keytool ${TESTTOOLVMOPTS} -storepass changeit -keypass changeit -keystore $KS -keyalg rsa -keysize 1024"
JAR="$TESTJAVA${FS}bin${FS}jar ${TESTTOOLVMOPTS}"
JARSIGNER="$TESTJAVA${FS}bin${FS}jarsigner ${TESTTOOLVMOPTS} -debug"
JAVAC="$TESTJAVA${FS}bin${FS}javac ${TESTTOOLVMOPTS} ${TESTJAVACOPTS}"
rm $KS
echo class A1 {} > A1.java echo class A1 {} > A1.java
echo class A2 {} > A2.java echo class A2 {} > A2.java
...@@ -68,14 +71,14 @@ YEAR=`date +%Y` ...@@ -68,14 +71,14 @@ YEAR=`date +%Y`
# First part: output format # First part: output format
# ========================================================== # ==========================================================
$KT -genkeypair -alias a1 -dname CN=a1 -validity 365 $KT -genkeypair -alias a1 -dname CN=a1 -validity 366
$KT -genkeypair -alias a2 -dname CN=a2 -validity 365 $KT -genkeypair -alias a2 -dname CN=a2 -validity 366
# a.jar includes 8 unsigned, 2 signed by a1 and a2, 2 signed by a3 # a.jar includes 8 unsigned, 2 signed by a1 and a2, 2 signed by a3
$JAR cvf a.jar A1.class A2.class $JAR cvf a.jar A1.class A2.class
$JARSIGNER -keystore js.jks -storepass changeit a.jar a1 $JARSIGNER -keystore $KS -storepass changeit a.jar a1
$JAR uvf a.jar A3.class A4.class $JAR uvf a.jar A3.class A4.class
$JARSIGNER -keystore js.jks -storepass changeit a.jar a2 $JARSIGNER -keystore $KS -storepass changeit a.jar a2
$JAR uvf a.jar A5.class A6.class $JAR uvf a.jar A5.class A6.class
# Verify OK # Verify OK
...@@ -87,15 +90,15 @@ $JARSIGNER -verify a.jar -strict ...@@ -87,15 +90,15 @@ $JARSIGNER -verify a.jar -strict
[ $? = 20 ] || exit $LINENO [ $? = 20 ] || exit $LINENO
# 16(hasUnsignedEntry) # 16(hasUnsignedEntry)
$JARSIGNER -verify a.jar -strict -keystore js.jks $JARSIGNER -verify a.jar -strict -keystore $KS -storepass changeit
[ $? = 16 ] || exit $LINENO [ $? = 16 ] || exit $LINENO
# 16(hasUnsignedEntry)+32(notSignedByAlias) # 16(hasUnsignedEntry)+32(notSignedByAlias)
$JARSIGNER -verify a.jar a1 -strict -keystore js.jks $JARSIGNER -verify a.jar a1 -strict -keystore $KS -storepass changeit
[ $? = 48 ] || exit $LINENO [ $? = 48 ] || exit $LINENO
# 16(hasUnsignedEntry) # 16(hasUnsignedEntry)
$JARSIGNER -verify a.jar a1 a2 -strict -keystore js.jks $JARSIGNER -verify a.jar a1 a2 -strict -keystore $KS -storepass changeit
[ $? = 16 ] || exit $LINENO [ $? = 16 ] || exit $LINENO
# 12 entries all together # 12 entries all together
...@@ -135,43 +138,52 @@ LINES=`$JARSIGNER -verify a.jar -verbose:summary -certs | grep "more)" | wc -l` ...@@ -135,43 +138,52 @@ LINES=`$JARSIGNER -verify a.jar -verbose:summary -certs | grep "more)" | wc -l`
[ $LINES = 4 ] || exit $LINENO [ $LINES = 4 ] || exit $LINENO
# ========================================================== # ==========================================================
# Second part: exit code 2, 4, 8 # Second part: exit code 2, 4, 8.
# 16 and 32 already covered in the first part # 16 and 32 already covered in the first part
# ========================================================== # ==========================================================
$KT -genkeypair -alias expired -dname CN=expired -startdate -10m
$KT -genkeypair -alias notyetvalid -dname CN=notyetvalid -startdate +1m
$KT -genkeypair -alias badku -dname CN=badku -ext KU=cRLSign -validity 365
$KT -genkeypair -alias badeku -dname CN=badeku -ext EKU=sa -validity 365
$KT -genkeypair -alias goodku -dname CN=goodku -ext KU=dig -validity 365
$KT -genkeypair -alias goodeku -dname CN=goodeku -ext EKU=codesign -validity 365
# badchain signed by ca, but ca is removed later
$KT -genkeypair -alias badchain -dname CN=badchain -validity 365
$KT -genkeypair -alias ca -dname CN=ca -ext bc -validity 365 $KT -genkeypair -alias ca -dname CN=ca -ext bc -validity 365
$KT -certreq -alias badchain | $KT -gencert -alias ca -validity 365 | \ $KT -genkeypair -alias expired -dname CN=expired
$KT -importcert -alias badchain $KT -certreq -alias expired | $KT -gencert -alias ca -startdate -10m | $KT -import -alias expired
$KT -delete -alias ca $KT -genkeypair -alias notyetvalid -dname CN=notyetvalid
$KT -certreq -alias notyetvalid | $KT -gencert -alias ca -startdate +1m | $KT -import -alias notyetvalid
$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar expired $KT -genkeypair -alias badku -dname CN=badku
$KT -certreq -alias badku | $KT -gencert -alias ca -ext KU=cRLSign -validity 365 | $KT -import -alias badku
$KT -genkeypair -alias badeku -dname CN=badeku
$KT -certreq -alias badeku | $KT -gencert -alias ca -ext EKU=sa -validity 365 | $KT -import -alias badeku
$KT -genkeypair -alias goodku -dname CN=goodku
$KT -certreq -alias goodku | $KT -gencert -alias ca -ext KU=dig -validity 365 | $KT -import -alias goodku
$KT -genkeypair -alias goodeku -dname CN=goodeku
$KT -certreq -alias goodeku | $KT -gencert -alias ca -ext EKU=codesign -validity 365 | $KT -import -alias goodeku
$JARSIGNER -strict -keystore $KS -storepass changeit a.jar expired
[ $? = 4 ] || exit $LINENO [ $? = 4 ] || exit $LINENO
$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar notyetvalid $JARSIGNER -strict -keystore $KS -storepass changeit a.jar notyetvalid
[ $? = 4 ] || exit $LINENO [ $? = 4 ] || exit $LINENO
$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar badku $JARSIGNER -strict -keystore $KS -storepass changeit a.jar badku
[ $? = 8 ] || exit $LINENO [ $? = 8 ] || exit $LINENO
$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar badeku $JARSIGNER -strict -keystore $KS -storepass changeit a.jar badeku
[ $? = 8 ] || exit $LINENO [ $? = 8 ] || exit $LINENO
$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar goodku $JARSIGNER -strict -keystore $KS -storepass changeit a.jar goodku
[ $? = 0 ] || exit $LINENO [ $? = 0 ] || exit $LINENO
$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar goodeku $JARSIGNER -strict -keystore $KS -storepass changeit a.jar goodeku
[ $? = 0 ] || exit $LINENO [ $? = 0 ] || exit $LINENO
$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar badchain # badchain signed by ca1, but ca1 is removed later
$KT -genkeypair -alias badchain -dname CN=badchain -validity 365
$KT -genkeypair -alias ca1 -dname CN=ca1 -ext bc -validity 365
$KT -certreq -alias badchain | $KT -gencert -alias ca1 -validity 365 | \
$KT -importcert -alias badchain
# save ca1.cert for easy replay
$KT -exportcert -file ca1.cert -alias ca1
$KT -delete -alias ca1
$JARSIGNER -strict -keystore $KS -storepass changeit a.jar badchain
[ $? = 4 ] || exit $LINENO [ $? = 4 ] || exit $LINENO
$JARSIGNER -verify a.jar $JARSIGNER -verify a.jar
...@@ -181,23 +193,55 @@ $JARSIGNER -verify a.jar ...@@ -181,23 +193,55 @@ $JARSIGNER -verify a.jar
# Third part: -certchain test # Third part: -certchain test
# ========================================================== # ==========================================================
# altchain signed by ca2, but ca2 is removed later # altchain signed by ca2
$KT -genkeypair -alias altchain -dname CN=altchain -validity 365 $KT -genkeypair -alias altchain -dname CN=altchain -validity 365
$KT -genkeypair -alias ca2 -dname CN=ca2 -ext bc -validity 365 $KT -genkeypair -alias ca2 -dname CN=ca2 -ext bc -validity 365
$KT -certreq -alias altchain | $KT -gencert -alias ca2 -validity 365 -rfc > certchain $KT -certreq -alias altchain | $KT -gencert -alias ca2 -validity 365 -rfc > certchain
$KT -exportcert -alias ca2 -rfc >> certchain $KT -exportcert -alias ca2 -rfc >> certchain
$KT -delete -alias ca2
# Now altchain is still self-signed # Self-signed cert does not work
$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar altchain $JARSIGNER -strict -keystore $KS -storepass changeit a.jar altchain
[ $? = 4 ] || exit $LINENO
# -certchain works
$JARSIGNER -strict -keystore $KS -storepass changeit -certchain certchain a.jar altchain
[ $? = 0 ] || exit $LINENO [ $? = 0 ] || exit $LINENO
# If -certchain is used, then it's bad # if ca2 is removed, -certchain still work because altchain is a self-signed entry and
$JARSIGNER -strict -keystore js.jks -storepass changeit -certchain certchain a.jar altchain # it is trusted by jarsigner
# save ca2.cert for easy replay
$KT -exportcert -file ca2.cert -alias ca2
$KT -delete -alias ca2
$JARSIGNER -strict -keystore $KS -storepass changeit -certchain certchain a.jar altchain
[ $? = 0 ] || exit $LINENO
# if cert is imported, -certchain won't work because this certificate entry is not trusted
$KT -importcert -file certchain -alias altchain -noprompt
$JARSIGNER -strict -keystore $KS -storepass changeit -certchain certchain a.jar altchain
[ $? = 4 ] || exit $LINENO [ $? = 4 ] || exit $LINENO
$JARSIGNER -verify a.jar $JARSIGNER -verify a.jar
[ $? = 0 ] || exit $LINENO [ $? = 0 ] || exit $LINENO
# ==========================================================
# 8172529
# ==========================================================
$KT -genkeypair -alias ee -dname CN=ee
$KT -genkeypair -alias caone -dname CN=caone
$KT -genkeypair -alias catwo -dname CN=catwo
$KT -certreq -alias ee | $KT -gencert -alias catwo -rfc > ee.cert
$KT -certreq -alias catwo | $KT -gencert -alias caone -sigalg MD5withRSA -rfc > catwo.cert
# This certchain contains a cross-signed weak catwo.cert
cat ee.cert catwo.cert | $KT -importcert -alias ee
$JAR cvf a.jar A1.class
$JARSIGNER -strict -keystore $KS -storepass changeit a.jar ee
[ $? = 0 ] || exit $LINENO
$JARSIGNER -strict -keystore $KS -storepass changeit -verify a.jar
[ $? = 0 ] || exit $LINENO
echo OK echo OK
exit 0 exit 0
...@@ -53,11 +53,20 @@ rm $KS $JFILE ...@@ -53,11 +53,20 @@ rm $KS $JFILE
echo A > A echo A > A
$JAR cvf $JFILE A $JAR cvf $JFILE A
$KT -alias a -dname CN=a -keyalg ec -genkey -validity 300 || exit 11 $KT -alias ca -dname CN=ca -keyalg ec -genkey -validity 300 || exit 11
$KT -alias b -dname CN=b -keyalg ec -genkey -validity 300 || exit 12
$KT -alias a -dname CN=a -keyalg ec -genkey || exit 11
$KT -alias a -certreq | $KT -gencert -alias ca -validity 300 | $KT -import -alias a || exit 111
$KT -alias b -dname CN=b -keyalg ec -genkey || exit 12
$KT -alias b -certreq | $KT -gencert -alias ca -validity 300 | $KT -import -alias b || exit 121
# Ensure that key length is sufficient for the intended hash (SHA512withECDSA) # Ensure that key length is sufficient for the intended hash (SHA512withECDSA)
$KT -alias c -dname CN=c -keyalg ec -genkey -validity 300 -keysize 521 || exit 13 $KT -alias c -dname CN=c -keyalg ec -genkey -keysize 521 || exit 13
$KT -alias c -certreq | $KT -gencert -alias ca -validity 300 | $KT -import -alias c || exit 131
$KT -alias x -dname CN=x -keyalg ec -genkey -validity 300 || exit 14 $KT -alias x -dname CN=x -keyalg ec -genkey -validity 300 || exit 14
$KT -alias x -certreq | $KT -gencert -alias ca -validity 300 | $KT -import -alias x || exit 141
$JARSIGNER -keystore $KS -storepass changeit $JFILE a -debug -strict || exit 21 $JARSIGNER -keystore $KS -storepass changeit $JFILE a -debug -strict || exit 21
$JARSIGNER -keystore $KS -storepass changeit $JFILE b -debug -strict -sigalg SHA1withECDSA || exit 22 $JARSIGNER -keystore $KS -storepass changeit $JFILE b -debug -strict -sigalg SHA1withECDSA || exit 22
......
...@@ -57,12 +57,14 @@ rm $KS $JFILE 2> /dev/null ...@@ -57,12 +57,14 @@ rm $KS $JFILE 2> /dev/null
echo "Key: Value" > manifest echo "Key: Value" > manifest
$JAR cvfm $JFILE manifest $JAR cvfm $JFILE manifest
$KT -alias a -dname CN=a -genkey -validity 300 || exit 1 $KT -alias ca -dname CN=ca -genkey -validity 300 || exit 1
$JARSIGNER -keystore $KS -storepass changeit $JFILE a -debug -strict || exit 2 $KT -alias a -dname CN=a -genkey -validity 300 || exit 2
$KT -alias a -certreq | $KT -gencert -alias ca -validity 300 | $KT -import -alias a || exit 3
$JARSIGNER -keystore $KS -storepass changeit $JFILE a -debug -strict || exit 4
$JARSIGNER -keystore $KS -storepass changeit -verify $JFILE a -debug -strict \ $JARSIGNER -keystore $KS -storepass changeit -verify $JFILE a -debug -strict \
> onlymanifest.out || exit 3 > onlymanifest.out || exit 5
grep unsigned onlymanifest.out && exit 4 grep unsigned onlymanifest.out && exit 6
exit 0 exit 0
#
# Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
# published by the Free Software Foundation.
#
# This code is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# version 2 for more details (a copy is included in the LICENSE file that
# accompanied this code).
#
# You should have received a copy of the GNU General Public License version
# 2 along with this work; if not, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
# or visit www.oracle.com if you need additional information or have any
# questions.
#
# @test
# @bug 8024302
# @bug 8026037
# @summary Clarify jar verifications
#
if [ "${TESTJAVA}" = "" ] ; then
JAVAC_CMD=`which javac`
TESTJAVA=`dirname $JAVAC_CMD`/..
fi
# set platform-dependent variables
OS=`uname -s`
case "$OS" in
Windows_* )
FS="\\"
;;
* )
FS="/"
;;
esac
KS=warnings.jks
JFILE=warnings.jar
KT="$TESTJAVA${FS}bin${FS}keytool -storepass changeit -keypass changeit \
-keystore $KS"
JAR=$TESTJAVA${FS}bin${FS}jar
JARSIGNER="$TESTJAVA${FS}bin${FS}jarsigner -keystore $KS -storepass changeit"
rm $KS 2> /dev/null
LANG=C
export LANG
echo 12345 > file
ERR=""
# Normal signer expiring on 2100-01-01
$KT -alias s1 -dname CN=s1 -genkey -startdate 2000/01/01 -validity 36525 || ERR="$ERR keytool s1,"
# Cert expiring soon, informational warning
$KT -alias s2 -dname CN=s2 -genkey -validity 100 || ERR="$ERR keytool s2,"
# Cert expired, severe warning
$KT -alias s3 -dname CN=s3 -genkey -startdate -200d -validity 100 || ERR="$ERR keytool s3,"
# noTimestamp is informatiional warning and includes a date
$JAR cvf $JFILE file
$JARSIGNER $JFILE s1 > output1 || ERR="$ERR jarsigner s1,"
$JARSIGNER -strict $JFILE s1 >> output1 || ERR="$ERR jarsigner s1 strict,"
$JARSIGNER -verify $JFILE s1 >> output1 || ERR="$ERR jarsigner s1,"
$JARSIGNER -verify -strict $JFILE s1 >> output1 || ERR="$ERR jarsigner s1 strict,"
cat output1 | grep Warning || ERR="$ERR s1 warning,"
cat output1 | grep Error && ERR="$ERR s1 error,"
cat output1 | grep timestamp | grep 2100-01-01 || ERR="$ERR s1 timestamp,"
cat output1 | grep "with signer errors" && ERR="$ERR s1 err,"
# hasExpiringCert is informatiional warning
$JAR cvf $JFILE file
$JARSIGNER $JFILE s2 > output2 || ERR="$ERR jarsigner s2,"
$JARSIGNER -strict $JFILE s2 >> output2 || ERR="$ERR jarsigner s2 strict,"
$JARSIGNER -verify $JFILE s2 >> output2 || ERR="$ERR jarsigner s2,"
$JARSIGNER -verify -strict $JFILE s2 >> output2 || ERR="$ERR jarsigner s2 strict,"
cat output2 | grep Warning || ERR="$ERR s2 warning,"
cat output2 | grep Error && ERR="$ERR s2 error,"
cat output2 | grep timestamp || ERR="$ERR s2 timestamp,"
cat output2 | grep "will expire" || ERR="$ERR s2 expiring,"
cat output2 | grep "with signer errors" && ERR="$ERR s2 err,"
# hasExpiredCert is severe warning
$JAR cvf $JFILE file
$JARSIGNER $JFILE s3 > output3 || ERR="$ERR jarsigner s3,"
$JARSIGNER -strict $JFILE s3 > output3s && ERR="$ERR jarsigner s3 strict,"
$JARSIGNER -verify $JFILE s3 >> output3 || ERR="$ERR jarsigner s3,"
$JARSIGNER -verify -strict $JFILE s3 >> output3s && ERR="$ERR jarsigner s3 strict,"
# warning without -strict
cat output3 | grep Warning || ERR="$ERR s3 warning,"
cat output3 | grep Error && ERR="$ERR s3 error,"
cat output3 | grep "with signer errors" && ERR="$ERR s3 err,"
# error with -strict
cat output3s | grep Warning || ERR="$ERR s3s warning,"
cat output3s | grep Error || ERR="$ERR s3s error,"
cat output3s | grep "with signer errors" || ERR="$ERR s3 err,"
if [ "$ERR" = "" ]; then
exit 0
else
echo "ERR is $ERR"
exit 1
fi
/* /*
* Copyright (c) 2013, 2016, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -63,7 +63,7 @@ public abstract class Test { ...@@ -63,7 +63,7 @@ public abstract class Test {
static final String CHAIN_NOT_VALIDATED_VERIFYING_WARNING static final String CHAIN_NOT_VALIDATED_VERIFYING_WARNING
= "This jar contains entries " = "This jar contains entries "
+ "whose certificate chain is not validated."; + "whose certificate chain is invalid.";
static final String ALIAS_NOT_IN_STORE_VERIFYING_WARNING static final String ALIAS_NOT_IN_STORE_VERIFYING_WARNING
= "This jar contains signed entries " = "This jar contains signed entries "
...@@ -95,7 +95,7 @@ public abstract class Test { ...@@ -95,7 +95,7 @@ public abstract class Test {
+ "doesn't allow code signing."; + "doesn't allow code signing.";
static final String CHAIN_NOT_VALIDATED_SIGNING_WARNING static final String CHAIN_NOT_VALIDATED_SIGNING_WARNING
= "The signer's certificate chain is not validated."; = "The signer's certificate chain is invalid.";
static final String HAS_EXPIRING_CERT_SIGNING_WARNING static final String HAS_EXPIRING_CERT_SIGNING_WARNING
= "The signer certificate will expire within six months."; = "The signer certificate will expire within six months.";
......
#
# Copyright (c) 2014, 2017, Oracle and/or its affiliates. All rights reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
# published by the Free Software Foundation.
#
# This code is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# version 2 for more details (a copy is included in the LICENSE file that
# accompanied this code).
#
# You should have received a copy of the GNU General Public License version
# 2 along with this work; if not, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
# or visit www.oracle.com if you need additional information or have any
# questions.
#
# @test
# @bug 8044755
# @summary Add a test for algorithm constraints check in jarsigner
#
if [ "${TESTJAVA}" = "" ] ; then
JAVAC_CMD=`which javac`
TESTJAVA=`dirname $JAVAC_CMD`/..
fi
# The sigalg used is MD2withRSA, which is obsolete.
KT="$TESTJAVA/bin/keytool ${TESTTOOLVMOPTS} -keystore ks
-storepass changeit -keypass changeit
-keyalg rsa -sigalg MD2withRSA -debug"
JS="$TESTJAVA/bin/jarsigner ${TESTTOOLVMOPTS} -keystore ks
-storepass changeit -strict -debug"
JAR="$TESTJAVA/bin/jar ${TESTTOOLVMOPTS}"
rm ks 2> /dev/null
$KT -genkeypair -alias ca -dname CN=CA -ext bc
$KT -genkeypair -alias signer -dname CN=Signer
$KT -certreq -alias signer | \
$KT -gencert -alias ca -ext ku=dS -rfc | \
$KT -importcert -alias signer
$JAR cvf a.jar ks
# We always trust a TrustedCertificateEntry
$JS a.jar ca | grep "chain is invalid" && exit 1
# An end-entity cert must follow algorithm constraints
$JS a.jar signer | grep "chain is invalid" || exit 2
exit 0
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册