7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs...

7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert Reviewed-by: mullan

7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs...
7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert Reviewed-by: mullan
d908ce95 · weijun · 0ab3fb9f · d908ce95 · d908ce95 · d908ce95
3 changed file
--- a/src/share/classes/sun/security/tools/JarSigner.java
+++ b/src/share/classes/sun/security/tools/JarSigner.java
@@ -658,7 +658,9 @@ public class JarSigner {
                    boolean inScope = (inStoreOrScope & IN_SCOPE) != 0;
                    notSignedByAlias |= (inStoreOrScope & NOT_ALIAS) != 0;
+                    if (keystore != null) {
                        aliasNotInStore |= isSigned && (!inStore && !inScope);
+                    }
                    // Only used when -verbose provided
                    StringBuffer sb = null;
@@ -889,7 +891,7 @@ public class JarSigner {
     * Note: no newline character at the end
     */
    String printCert(String tab, Certificate c, boolean checkValidityPeriod,
-        long now) {
+        long now, boolean checkUsage) {
        StringBuilder certStr = new StringBuilder();
        String space = rb.getString("SPACE");
@@ -959,6 +961,7 @@ public class JarSigner {
            }
            certStr.append("]");
+            if (checkUsage) {
                boolean[] bad = new boolean[3];
                checkCertUsage(x509Cert, bad);
                if (bad[0] || bad[1] || bad[2]) {
@@ -979,6 +982,7 @@ public class JarSigner {
                        ".{0}.extension.does.not.support.code.signing."), x));
                }
            }
+        }
        return certStr.toString();
    }
@@ -1335,7 +1339,7 @@ public class JarSigner {
                            certUrl);
                    }
                    System.out.println(rb.getString("TSA.certificate.") +
-                        printCert("", tsaCert, false, 0));
+                        printCert("", tsaCert, false, 0, false));
                }
                if (signingMechanism != null) {
                    System.out.println(
@@ -1544,10 +1548,13 @@ public class JarSigner {
            s.append(printTimestamp(tab, timestamp));
            s.append('\n');
        }
-        // display the certificate(s)
+        // display the certificate(s). The first one is end-enity cert and
+        // its KeyUsage should be checked.
+        boolean first = true;
        for (Certificate c : certs) {
-            s.append(printCert(tab, c, true, now));
+            s.append(printCert(tab, c, true, now, first));
            s.append('\n');
+            first = false;
        }
        try {
            CertPath cp = certificateFactory.generateCertPath(certs);
@@ -1847,7 +1854,7 @@ public class JarSigner {
            // We don't meant to print anything, the next call
            // checks validity and keyUsage etc
-            printCert("", certChain[0], true, 0);
+            printCert("", certChain[0], true, 0, true);
            try {
                CertPath cp = certificateFactory.generateCertPath(Arrays.asList(certChain));

--- a/test/sun/security/tools/jarsigner/checkusage.sh
+++ b/test/sun/security/tools/jarsigner/checkusage.sh
+#
+# Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+# @test
+# @bug 7004168
+# @summary jarsigner -verify checks for KeyUsage codesigning ext on all certs
+#  instead of just signing cert
+#
+# @run shell checkusage.sh
+#
+if [ "${TESTJAVA}" = "" ] ; then
+  JAVAC_CMD=`which javac`
+  TESTJAVA=`dirname $JAVAC_CMD`/..
+fi
+# set platform-dependent variables
+OS=`uname -s`
+case "$OS" in
+  Windows_* )
+    FS="\\"
+    ;;
+  * )
+    FS="/"
+    ;;
+esac
+KT="$TESTJAVA${FS}bin${FS}keytool -storepass changeit -keypass changeit"
+JAR=$TESTJAVA${FS}bin${FS}jar
+JARSIGNER="$TESTJAVA${FS}bin${FS}jarsigner"
+rm js.jks trust.jks unrelated.jks 2> /dev/null
+echo x > x
+$JAR cvf a.jar x
+################### 3 Keystores #######################
+# Keystore js.jks: including CA and Publisher
+# CA contains a non-empty KeyUsage
+$KT -keystore js.jks -genkeypair -alias ca -dname CN=CA -ext KU=kCS -ext bc -validity 365
+$KT -keystore js.jks -genkeypair -alias pub -dname CN=Publisher
+# Publisher contains the correct KeyUsage
+$KT -keystore js.jks -certreq -alias pub | \
+        $KT -keystore js.jks -gencert -alias ca -ext KU=dig -validity 365 | \
+        $KT -keystore js.jks -importcert -alias pub
+# Keystore trust.jks: including CA only
+$KT -keystore js.jks -exportcert -alias ca | \
+        $KT -keystore trust.jks -importcert -alias ca -noprompt
+# Keystore unrelated.jks: unrelated
+$KT -keystore unrelated.jks -genkeypair -alias nothing -dname CN=Nothing -validity 365
+################### 4 Tests #######################
+# Test 1: Sign should be OK
+$JARSIGNER -keystore js.jks -storepass changeit a.jar pub
+RESULT=$?
+echo $RESULT
+#[ $RESULT = 0 ] || exit 1
+# Test 2: Verify should be OK
+$JARSIGNER -keystore trust.jks -strict -verify a.jar
+RESULT=$?
+echo $RESULT
+#[ $RESULT = 0 ] || exit 2
+# Test 3: When no keystore is specified, the error is only
+# "chain not validated"
+$JARSIGNER -strict -verify a.jar
+RESULT=$?
+echo $RESULT
+#[ $RESULT = 4 ] || exit 3
+# Test 4: When unrelated keystore is specified, the error is
+# "chain not validated" and "not alias in keystore"
+$JARSIGNER -keystore unrelated.jks -strict -verify a.jar
+RESULT=$?
+echo $RESULT
+#[ $RESULT = 36 ] || exit 4
+exit 0
--- a/test/sun/security/tools/jarsigner/concise_jarsigner.sh
+++ b/test/sun/security/tools/jarsigner/concise_jarsigner.sh
@@ -79,9 +79,9 @@ $JAR uvf a.jar A5.class A6.class
 $JARSIGNER -verify a.jar
 [ $? = 0 ] || exit $LINENO
-# 4(chainNotValidated)+16(hasUnsignedEntry)+32(aliasNotInStore)
+# 4(chainNotValidated)+16(hasUnsignedEntry)
 $JARSIGNER -verify a.jar -strict
-[ $? = 52 ] || exit $LINENO
+[ $? = 20 ] || exit $LINENO
 # 16(hasUnsignedEntry)
 $JARSIGNER -verify a.jar -strict -keystore js.jks