changeset 11311:5c61ccd9c162

8049171: Additional tests for jarsigner's warnings Reviewed-by: weijun
author asmotrak
date Mon, 26 Jan 2015 18:13:42 +0800
parents 0f6be80ba02c
children 1f8bdf15726f
files test/ProblemList.txt test/lib/testlibrary/jdk/testlibrary/JarUtils.java test/lib/testlibrary/jdk/testlibrary/ProcessTools.java test/sun/security/tools/jarsigner/TimestampCheck.java test/sun/security/tools/jarsigner/TsacertOptionTest.java test/sun/security/tools/jarsigner/Utils.java test/sun/security/tools/jarsigner/warnings/AliasNotInStoreTest.java test/sun/security/tools/jarsigner/warnings/BadExtendedKeyUsageTest.java test/sun/security/tools/jarsigner/warnings/BadKeyUsageTest.java test/sun/security/tools/jarsigner/warnings/BadNetscapeCertTypeTest.java test/sun/security/tools/jarsigner/warnings/ChainNotValidatedTest.java test/sun/security/tools/jarsigner/warnings/HasExpiredCertTest.java test/sun/security/tools/jarsigner/warnings/HasExpiringCertTest.java test/sun/security/tools/jarsigner/warnings/HasUnsignedEntryTest.java test/sun/security/tools/jarsigner/warnings/MultipleWarningsTest.java test/sun/security/tools/jarsigner/warnings/NoTimestampTest.java test/sun/security/tools/jarsigner/warnings/NotSignedByAliasTest.java test/sun/security/tools/jarsigner/warnings/NotYetValidCertTest.java test/sun/security/tools/jarsigner/warnings/Test.java test/sun/security/tools/jarsigner/warnings/bad_netscape_cert_type.jks.base64 test/sun/security/tools/jarsigner/warnings/bad_netscape_cert_type.sh
diffstat 21 files changed, 2168 insertions(+), 27 deletions(-) [+]
line wrap: on
line diff
--- a/test/ProblemList.txt	Mon Jan 26 12:36:32 2015 +0300
+++ b/test/ProblemList.txt	Mon Jan 26 18:13:42 2015 +0800
@@ -246,6 +246,9 @@
 # 8062758
 java/security/Security/ClassLoaderDeadlock/Deadlock2.sh         generic-all
 
+# 8026393
+sun/security/tools/jarsigner/warnings/BadKeyUsageTest.java      generic-all
+
 ############################################################################
 
 # jdk_sound
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/lib/testlibrary/jdk/testlibrary/JarUtils.java	Mon Jan 26 18:13:42 2015 +0800
@@ -0,0 +1,119 @@
+/*
+ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package jdk.testlibrary;
+
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Enumeration;
+import java.util.List;
+import java.util.jar.JarEntry;
+import java.util.jar.JarFile;
+import java.util.jar.JarOutputStream;
+import java.util.jar.Manifest;
+
+/**
+ * Common library for various test jar file utility functions.
+ */
+public final class JarUtils {
+
+    /**
+     * Create jar file with specified files.
+     */
+    public static void createJar(String dest, String... files)
+            throws IOException {
+        try (JarOutputStream jos = new JarOutputStream(
+                new FileOutputStream(dest), new Manifest())) {
+            for (String file : files) {
+                System.out.println(String.format("Adding %s to %s",
+                        file, dest));
+
+                // add an archive entry, and write a file
+                jos.putNextEntry(new JarEntry(file));
+                try (FileInputStream fis = new FileInputStream(file)) {
+                    fis.transferTo(jos);
+                }
+            }
+        }
+        System.out.println();
+    }
+
+    /**
+     * Add specified files to existing jar file.
+     */
+    public static void updateJar(String src, String dest, String... files)
+            throws IOException {
+        try (JarOutputStream jos = new JarOutputStream(
+                new FileOutputStream(dest))) {
+
+            // copy each old entry into destination unless the entry name
+            // is in the updated list
+            List<String> updatedFiles = new ArrayList<>();
+            try (JarFile srcJarFile = new JarFile(src)) {
+                Enumeration entries = srcJarFile.entries();
+                while (entries.hasMoreElements()) {
+                    JarEntry entry = (JarEntry) entries.nextElement();
+                    String name = entry.getName();
+                    boolean found = false;
+                    for (String file : files) {
+                        if (name.equals(file)) {
+                            updatedFiles.add(file);
+                            found = true;
+                            break;
+                        }
+                    }
+
+                    if (found) {
+                        System.out.println(String.format("Updating %s with %s",
+                                dest, name));
+                        jos.putNextEntry(new JarEntry(name));
+                        try (FileInputStream fis = new FileInputStream(name)) {
+                            fis.transferTo(jos);
+                        }
+                    } else {
+                        System.out.println(String.format("Copying %s to %s",
+                                name, dest));
+                        jos.putNextEntry(entry);
+                        srcJarFile.getInputStream(entry).transferTo(jos);
+                    }
+                }
+            }
+
+            // append new files
+            for (String file : files) {
+                if (!updatedFiles.contains(file)) {
+                    System.out.println(String.format("Adding %s with %s",
+                            dest, file));
+                    jos.putNextEntry(new JarEntry(file));
+                    try (FileInputStream fis = new FileInputStream(file)) {
+                        fis.transferTo(jos);
+                    }
+                }
+            }
+        }
+        System.out.println();
+    }
+
+}
--- a/test/lib/testlibrary/jdk/testlibrary/ProcessTools.java	Mon Jan 26 12:36:32 2015 +0300
+++ b/test/lib/testlibrary/jdk/testlibrary/ProcessTools.java	Mon Jan 26 18:13:42 2015 +0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -30,6 +30,7 @@
 import java.lang.reflect.Field;
 import java.lang.reflect.Method;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.concurrent.CountDownLatch;
 import java.util.Map;
@@ -378,4 +379,40 @@
         }
         return cmd.toString().trim();
     }
+
+    /**
+     * Executes a process, waits for it to finish, prints the process output
+     * to stdout, and returns the process output.
+     *
+     * The process will have exited before this method returns.
+     *
+     * @param cmds The command line to execute.
+     * @return The {@linkplain OutputAnalyzer} instance wrapping the process.
+     */
+    public static OutputAnalyzer executeCommand(String... cmds)
+            throws Throwable {
+        String cmdLine = Arrays.stream(cmds).collect(Collectors.joining(" "));
+        System.out.println("Command line: [" + cmdLine + "]");
+        OutputAnalyzer analyzer = ProcessTools.executeProcess(cmds);
+        System.out.println(analyzer.getOutput());
+        return analyzer;
+    }
+
+    /**
+     * Executes a process, waits for it to finish, prints the process output
+     * to stdout and returns the process output.
+     *
+     * The process will have exited before this method returns.
+     *
+     * @param pb The ProcessBuilder to execute.
+     * @return The {@linkplain OutputAnalyzer} instance wrapping the process.
+     */
+    public static OutputAnalyzer executeCommand(ProcessBuilder pb)
+            throws Throwable {
+        String cmdLine = pb.command().stream().collect(Collectors.joining(" "));
+        System.out.println("Command line: [" + cmdLine + "]");
+        OutputAnalyzer analyzer = ProcessTools.executeProcess(pb);
+        System.out.println(analyzer.getOutput());
+        return analyzer;
+    }
 }
--- a/test/sun/security/tools/jarsigner/TimestampCheck.java	Mon Jan 26 12:36:32 2015 +0300
+++ b/test/sun/security/tools/jarsigner/TimestampCheck.java	Mon Jan 26 18:13:42 2015 +0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -58,7 +58,12 @@
 
     static final String defaultPolicyId = "2.3.4.5";
 
-    static class Handler implements HttpHandler {
+    static class Handler implements HttpHandler, AutoCloseable {
+
+        private final HttpServer httpServer;
+        private final String keystore;
+
+        @Override
         public void handle(HttpExchange t) throws IOException {
             int len = 0;
             for (String h: t.getRequestHeaders().keySet()) {
@@ -136,7 +141,9 @@
             // Write TSResponse
             System.err.println("\nResponse\n===================");
             KeyStore ks = KeyStore.getInstance("JKS");
-            ks.load(new FileInputStream(TSKS), "changeit".toCharArray());
+            try (FileInputStream fis = new FileInputStream(keystore)) {
+                ks.load(fis, "changeit".toCharArray());
+            }
 
             String alias = "ts";
             if (path == 6) alias = "tsbad1";
@@ -240,33 +247,74 @@
 
             return out.toByteArray();
         }
+
+        private Handler(HttpServer httpServer, String keystore) {
+            this.httpServer = httpServer;
+            this.keystore = keystore;
+        }
+
+        /**
+         * Initialize TSA instance.
+         *
+         * Extended Key Info extension of certificate that is used for
+         * signing TSA responses should contain timeStamping value.
+         */
+        static Handler init(int port, String keystore) throws IOException {
+            HttpServer httpServer = HttpServer.create(
+                    new InetSocketAddress(port), 0);
+            Handler tsa = new Handler(httpServer, keystore);
+            httpServer.createContext("/", tsa);
+            return tsa;
+        }
+
+        /**
+         * Start TSA service.
+         */
+        void start() {
+            httpServer.start();
+        }
+
+        /**
+         * Stop TSA service.
+         */
+        void stop() {
+            httpServer.stop(0);
+        }
+
+        /**
+         * Return server port number.
+         */
+        int getPort() {
+            return httpServer.getAddress().getPort();
+        }
+
+        @Override
+        public void close() throws Exception {
+            stop();
+        }
     }
 
     public static void main(String[] args) throws Exception {
+        try (Handler tsa = Handler.init(0, TSKS);) {
+            tsa.start();
+            int port = tsa.getPort();
 
-        Handler h = new Handler();
-        HttpServer server = HttpServer.create(new InetSocketAddress(0), 0);
-        int port = server.getAddress().getPort();
-        HttpContext ctx = server.createContext("/", h);
-        server.start();
+            String cmd;
+            // Use -J-Djava.security.egd=file:/dev/./urandom to speed up
+            // nonce generation in timestamping request. Not avaibale on
+            // Windows and defaults to thread seed generator, not too bad.
+            if (System.getProperty("java.home").endsWith("jre")) {
+                cmd = System.getProperty("java.home") + "/../bin/jarsigner";
+            } else {
+                cmd = System.getProperty("java.home") + "/bin/jarsigner";
+            }
 
-        String cmd = null;
-        // Use -J-Djava.security.egd=file:/dev/./urandom to speed up
-        // nonce generation in timestamping request. Not avaibale on
-        // Windows and defaults to thread seed generator, not too bad.
-        if (System.getProperty("java.home").endsWith("jre")) {
-            cmd = System.getProperty("java.home") + "/../bin/jarsigner";
-        } else {
-            cmd = System.getProperty("java.home") + "/bin/jarsigner";
-        }
+            cmd += System.getProperty("test.tool.vm.opts")
+                    + " -J-Djava.security.egd=file:/dev/./urandom"
+                    + " -debug -keystore " + TSKS + " -storepass changeit"
+                    + " -tsa http://localhost:" + port + "/%d"
+                    + " -signedjar new_%d.jar " + JAR + " old";
 
-        cmd +=  " " + System.getProperty("test.tool.vm.opts") +
-                " -J-Djava.security.egd=file:/dev/./urandom" +
-                " -debug -keystore " + TSKS + " -storepass changeit" +
-                " -tsa http://localhost:" + port + "/%d" +
-                " -signedjar new_%d.jar " + JAR + " old";
-
-        try {
             if (args.length == 0) {         // Run this test
                 jarsigner(cmd, 0, true);    // Success, normal call
                 jarsigner(cmd, 1, false);   // These 4 should fail
@@ -287,8 +335,6 @@
                 System.err.println("Press Enter to quit server");
                 System.in.read();
             }
-        } finally {
-            server.stop(0);
         }
     }
 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/tools/jarsigner/TsacertOptionTest.java	Mon Jan 26 18:13:42 2015 +0800
@@ -0,0 +1,147 @@
+/*
+ * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import jdk.testlibrary.OutputAnalyzer;
+import jdk.testlibrary.ProcessTools;
+import jdk.testlibrary.JarUtils;
+
+/**
+ * @test
+ * @bug 8024302 8026037
+ * @summary The test signs and verifies a jar file with -tsacert option
+ * @library /lib/testlibrary
+ * @run main TsacertOptionTest
+ */
+public class TsacertOptionTest {
+
+    private static final String FS = System.getProperty("file.separator");
+    private static final String JAVA_HOME = System.getProperty("java.home");
+    private static final String KEYTOOL = JAVA_HOME + FS + "bin" + FS
+            + "keytool";
+    private static final String JARSIGNER = JAVA_HOME + FS + "bin" + FS
+            + "jarsigner";
+    private static final String UNSIGNED_JARFILE = "unsigned.jar";
+    private static final String SIGNED_JARFILE = "signed.jar";
+    private static final String FILENAME = TsacertOptionTest.class.getName()
+            + ".txt";
+    private static final String PASSWORD = "changeit";
+    private static final String KEYSTORE = "ks.jks";
+    private static final String SIGNING_KEY_ALIAS = "sign_alias";
+    private static final String TSA_KEY_ALIAS = "ts";
+    private static final String KEY_ALG = "RSA";
+    private static final int KEY_SIZE = 2048;
+    private static final int VALIDITY = 365;
+    private static final String WARNING = "Warning:";
+    private static final String JAR_SIGNED = "jar signed.";
+    private static final String JAR_VERIFIED = "jar verified.";
+
+    /**
+     * The test signs and verifies a jar file with -tsacert option,
+     * and checks that no warning was shown.
+     * A certificate that is addressed in -tsacert option contains URL to TSA
+     * in Subject Information Access extension.
+     */
+    public static void main(String[] args) throws Throwable {
+        TsacertOptionTest test = new TsacertOptionTest();
+        test.start();
+    }
+
+    void start() throws Throwable {
+        // create a jar file that contains one file
+        Utils.createFiles(FILENAME);
+        JarUtils.createJar(UNSIGNED_JARFILE, FILENAME);
+
+        // look for free network port for TSA service
+        int port = jdk.testlibrary.Utils.getFreePort();
+        String host = jdk.testlibrary.Utils.getHostname();
+        String tsaUrl = "http://" + host + ":" + port;
+
+        // create key pair for jar signing
+        ProcessTools.executeCommand(KEYTOOL,
+                "-genkey",
+                "-alias", SIGNING_KEY_ALIAS,
+                "-keyalg", KEY_ALG,
+                "-keysize", Integer.toString(KEY_SIZE),
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-dname", "CN=Test",
+                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
+
+        // create key pair for TSA service
+        // SubjectInfoAccess extension contains URL to TSA service
+        ProcessTools.executeCommand(KEYTOOL,
+                "-genkey",
+                "-v",
+                "-alias", TSA_KEY_ALIAS,
+                "-keyalg", KEY_ALG,
+                "-keysize", Integer.toString(KEY_SIZE),
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-dname", "CN=TSA",
+                "-ext", "ExtendedkeyUsage:critical=timeStamping",
+                "-ext", "SubjectInfoAccess=timeStamping:URI:" + tsaUrl,
+                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
+
+        try (TimestampCheck.Handler tsa = TimestampCheck.Handler.init(port,
+                KEYSTORE);) {
+
+            // start TSA
+            tsa.start();
+
+            // sign jar file
+            // specify -tsadigestalg option because
+            // TSA server uses SHA-1 digest algorithm
+             OutputAnalyzer analyzer = ProcessTools.executeCommand(JARSIGNER,
+                    "-verbose",
+                    "-keystore", KEYSTORE,
+                    "-storepass", PASSWORD,
+                    "-keypass", PASSWORD,
+                    "-signedjar", SIGNED_JARFILE,
+                    "-tsacert", TSA_KEY_ALIAS,
+                    "-tsadigestalg", "SHA-1",
+                    UNSIGNED_JARFILE,
+                    SIGNING_KEY_ALIAS);
+
+            analyzer.shouldHaveExitValue(0);
+            analyzer.stdoutShouldNotContain(WARNING);
+            analyzer.shouldContain(JAR_SIGNED);
+
+            // verify signed jar
+            analyzer = ProcessTools.executeCommand(JARSIGNER,
+                    "-verbose",
+                    "-verify",
+                    "-keystore", KEYSTORE,
+                    "-storepass", PASSWORD,
+                    SIGNED_JARFILE);
+
+            analyzer.shouldHaveExitValue(0);
+            analyzer.stdoutShouldNotContain(WARNING);
+            analyzer.shouldContain(JAR_VERIFIED);
+        }
+
+        System.out.println("Test passed");
+    }
+
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/tools/jarsigner/Utils.java	Mon Jan 26 18:13:42 2015 +0800
@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.io.File;
+import java.io.IOException;
+
+/**
+ * Helper class.
+ */
+public class Utils {
+
+    static void createFiles(String... filenames) throws IOException {
+        for (String filename : filenames) {
+            new File(filename).createNewFile();
+        }
+    }
+
+}
+
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/tools/jarsigner/warnings/AliasNotInStoreTest.java	Mon Jan 26 18:13:42 2015 +0800
@@ -0,0 +1,149 @@
+/*
+ * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import jdk.testlibrary.OutputAnalyzer;
+import jdk.testlibrary.ProcessTools;
+import jdk.testlibrary.JarUtils;
+
+/**
+ * @test
+ * @bug 8024302 8026037
+ * @summary Test for aliasNotInStore warning
+ * @library /lib/testlibrary ../
+ * @run main AliasNotInStoreTest
+ */
+public class AliasNotInStoreTest extends Test {
+
+    /**
+     * The test signs and verifies a jar that contains signed entries
+     * that are not signed by any alias in keystore (aliasNotInStore).
+     * Warning message is expected.
+     */
+    public static void main(String[] args) throws Throwable {
+        AliasNotInStoreTest test = new AliasNotInStoreTest();
+        test.start();
+    }
+
+    private void start() throws Throwable {
+        Utils.createFiles(FIRST_FILE, SECOND_FILE);
+        System.out.println(String.format("Create a %s that contains %s",
+                new Object[]{UNSIGNED_JARFILE, FIRST_FILE}));
+        JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
+
+        // create first key pair for signing
+        ProcessTools.executeCommand(KEYTOOL,
+                "-genkey",
+                "-alias", FIRST_KEY_ALIAS,
+                "-keyalg", KEY_ALG,
+                "-keysize", Integer.toString(KEY_SIZE),
+                "-keystore", BOTH_KEYS_KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-dname", "CN=First",
+                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
+
+        // create second key pair for signing
+        ProcessTools.executeCommand(KEYTOOL,
+                "-genkey",
+                "-alias", SECOND_KEY_ALIAS,
+                "-keyalg", KEY_ALG,
+                "-keysize", Integer.toString(KEY_SIZE),
+                "-keystore", BOTH_KEYS_KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-dname", "CN=Second",
+                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
+
+        // sign jar with first key
+        OutputAnalyzer analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-keystore", BOTH_KEYS_KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-signedjar", SIGNED_JARFILE,
+                UNSIGNED_JARFILE,
+                FIRST_KEY_ALIAS);
+
+        checkSigning(analyzer);
+
+        System.out.println(String.format("Copy %s to %s, and add %s",
+                new Object[] {SIGNED_JARFILE, UPDATED_SIGNED_JARFILE,
+                    SECOND_FILE}));
+
+        JarUtils.updateJar(SIGNED_JARFILE, UPDATED_SIGNED_JARFILE, SECOND_FILE);
+
+        // sign jar with second key
+        analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-keystore", BOTH_KEYS_KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                UPDATED_SIGNED_JARFILE,
+                SECOND_KEY_ALIAS);
+
+        checkSigning(analyzer);
+
+        // create keystore that contains only first key
+        ProcessTools.executeCommand(KEYTOOL,
+                "-importkeystore",
+                "-srckeystore", BOTH_KEYS_KEYSTORE,
+                "-srcalias", FIRST_KEY_ALIAS,
+                "-srcstorepass", PASSWORD,
+                "-srckeypass", PASSWORD,
+                "-destkeystore", FIRST_KEY_KEYSTORE,
+                "-destalias", FIRST_KEY_ALIAS,
+                "-deststorepass", PASSWORD,
+                "-destkeypass", PASSWORD).shouldHaveExitValue(0);
+
+        // verify jar with keystore that contains only first key in strict mode,
+        // so there is signed entry (FirstClass.class) that is not signed
+        // by any alias in the keystore
+        analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-verify",
+                "-verbose",
+                "-keystore", FIRST_KEY_KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                UPDATED_SIGNED_JARFILE);
+
+        checkVerifying(analyzer, 0, CHAIN_NOT_VALIDATED_VERIFYING_WARNING,
+                ALIAS_NOT_IN_STORE_VERIFYING_WARNING);
+
+        // verify jar with keystore that contains only first key in strict mode
+        analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-verify",
+                "-verbose",
+                "-strict",
+                "-keystore", FIRST_KEY_KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                UPDATED_SIGNED_JARFILE);
+
+        int expectedExitCode = ALIAS_NOT_IN_STORE_EXIT_CODE
+                + CHAIN_NOT_VALIDATED_EXIT_CODE;
+        checkVerifying(analyzer, expectedExitCode,
+                CHAIN_NOT_VALIDATED_VERIFYING_WARNING,
+                ALIAS_NOT_IN_STORE_VERIFYING_WARNING);
+
+        System.out.println("Test passed");
+    }
+
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/tools/jarsigner/warnings/BadExtendedKeyUsageTest.java	Mon Jan 26 18:13:42 2015 +0800
@@ -0,0 +1,106 @@
+/*
+ * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import jdk.testlibrary.OutputAnalyzer;
+import jdk.testlibrary.ProcessTools;
+import jdk.testlibrary.JarUtils;
+
+/**
+ * @test
+ * @bug 8024302 8026037
+ * @summary Test for badExtendedKeyUsage warning
+ * @library /lib/testlibrary ../
+ * @run main BadExtendedKeyUsageTest
+ */
+public class BadExtendedKeyUsageTest extends Test {
+
+    /**
+     * The test signs and verifies a jar that contains entries
+     * whose signer certificate's ExtendedKeyUsage extension
+     * doesn't allow code signing (badExtendedKeyUsage).
+     * Warning message is expected.
+     */
+    public static void main(String[] args) throws Throwable {
+        BadExtendedKeyUsageTest test = new BadExtendedKeyUsageTest();
+        test.start();
+    }
+
+    private void start() throws Throwable {
+        // create a jar file that contains one class file
+        Utils.createFiles(FIRST_FILE);
+        JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
+
+        // create a certificate whose signer certificate's
+        // ExtendedKeyUsage extension doesn't allow code signing
+        ProcessTools.executeCommand(KEYTOOL,
+                "-genkey",
+                "-alias", KEY_ALIAS,
+                "-keyalg", KEY_ALG,
+                "-keysize", Integer.toString(KEY_SIZE),
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-dname", "CN=Test",
+                "-ext", "ExtendedkeyUsage=serverAuth",
+                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
+
+        // sign jar
+        OutputAnalyzer analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-verbose",
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-signedjar", SIGNED_JARFILE,
+                UNSIGNED_JARFILE,
+                KEY_ALIAS);
+
+        checkSigning(analyzer, BAD_EXTENDED_KEY_USAGE_SIGNING_WARNING);
+
+        // verify signed jar
+        analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-verify",
+                "-verbose",
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                SIGNED_JARFILE);
+
+        checkVerifying(analyzer, 0, BAD_EXTENDED_KEY_USAGE_VERIFYING_WARNING);
+
+        // verity signed jar in strict mode
+        analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-verify",
+                "-verbose",
+                "-strict",
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                SIGNED_JARFILE);
+
+        checkVerifying(analyzer, BAD_EXTENDED_KEY_USAGE_EXIT_CODE,
+                BAD_EXTENDED_KEY_USAGE_VERIFYING_WARNING);
+
+        System.out.println("Test passed");
+    }
+
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/tools/jarsigner/warnings/BadKeyUsageTest.java	Mon Jan 26 18:13:42 2015 +0800
@@ -0,0 +1,107 @@
+/*
+ * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import jdk.testlibrary.OutputAnalyzer;
+import jdk.testlibrary.ProcessTools;
+import jdk.testlibrary.JarUtils;
+
+/**
+ * @test
+ * @bug 8024302 8026037
+ * @summary Test for badKeyUsage warning
+ * @library /lib/testlibrary ../
+ * @ignore until 8026393 is fixed
+ * @run main BadKeyUsageTest
+ */
+public class BadKeyUsageTest extends Test {
+
+    /**
+     * The test signs and verifies a jar that contains entries
+     * whose signer certificate's KeyUsage extension
+     * doesn't allow code signing (badKeyUsage).
+     * Warning message is expected.
+     */
+    public static void main(String[] args) throws Throwable {
+        BadKeyUsageTest test = new BadKeyUsageTest();
+        test.start();
+    }
+
+    private void start() throws Throwable {
+        // create a jar file that contains one class file
+        Utils.createFiles(FIRST_FILE);
+        JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
+
+        // create a certificate whose signer certificate's KeyUsage extension
+        // doesn't allow code signing
+        ProcessTools.executeCommand(KEYTOOL,
+                "-genkey",
+                "-alias", KEY_ALIAS,
+                "-keyalg", KEY_ALG,
+                "-keysize", Integer.toString(KEY_SIZE),
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-dname", "CN=Test",
+                "-ext", "KeyUsage=keyAgreement",
+                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
+
+        // sign jar
+        OutputAnalyzer analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-verbose",
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-signedjar", SIGNED_JARFILE,
+                UNSIGNED_JARFILE,
+                KEY_ALIAS);
+
+        checkSigning(analyzer, BAD_KEY_USAGE_SIGNING_WARNING);
+
+        // verify signed jar
+        analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-verify",
+                "-verbose",
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                SIGNED_JARFILE);
+
+        checkVerifying(analyzer, 0, BAD_KEY_USAGE_VERIFYING_WARNING);
+
+        // verify signed jar in strict mode
+        analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-verify",
+                "-verbose",
+                "-strict",
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                SIGNED_JARFILE);
+
+        checkVerifying(analyzer, BAD_KEY_USAGE_EXIT_CODE,
+                BAD_KEY_USAGE_VERIFYING_WARNING);
+
+        System.out.println("Test passed");
+    }
+
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/tools/jarsigner/warnings/BadNetscapeCertTypeTest.java	Mon Jan 26 18:13:42 2015 +0800
@@ -0,0 +1,108 @@
+/*
+ * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import jdk.testlibrary.OutputAnalyzer;
+import jdk.testlibrary.ProcessTools;
+import jdk.testlibrary.JarUtils;
+
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.util.Base64;
+
+/**
+ * @test
+ * @bug 8024302 8026037
+ * @summary Test for badNetscapeCertType warning
+ * @library /lib/testlibrary ../
+ * @run main BadNetscapeCertTypeTest
+ */
+public class BadNetscapeCertTypeTest extends Test {
+
+    private static final String NETSCAPE_KEYSTORE_BASE64 = TEST_SOURCES + FS
+            + "bad_netscape_cert_type.jks.base64";
+
+    private static final String NETSCAPE_KEYSTORE
+            = "bad_netscape_cert_type.jks";
+
+    /**
+     * The test signs and verifies a jar that contains entries
+     * whose signer certificate's NetscapeCertType extension
+     * doesn't allow code signing (badNetscapeCertType).
+     * Warning message is expected.
+     * Run bad_netscape_cert_type.sh script to create bad_netscape_cert_type.jks
+     */
+    public static void main(String[] args) throws Throwable {
+
+        Files.write(Paths.get(NETSCAPE_KEYSTORE),
+                Base64.getMimeDecoder().decode(
+                    Files.readAllBytes(Paths.get(NETSCAPE_KEYSTORE_BASE64))));
+
+        BadNetscapeCertTypeTest test = new BadNetscapeCertTypeTest();
+        test.start();
+    }
+
+    private void start() throws Throwable {
+        // create a jar file that contains one class file
+        Utils.createFiles(FIRST_FILE);
+        JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
+
+        // sign jar
+        OutputAnalyzer analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-verbose",
+                "-keystore", NETSCAPE_KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-signedjar", SIGNED_JARFILE,
+                UNSIGNED_JARFILE,
+                KEY_ALIAS);
+
+        checkSigning(analyzer, BAD_NETSCAPE_CERT_TYPE_SIGNING_WARNING);
+
+        // verify signed jar
+        analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-verify",
+                "-verbose",
+                "-keystore", NETSCAPE_KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                SIGNED_JARFILE);
+
+        checkVerifying(analyzer, 0, BAD_NETSCAPE_CERT_TYPE_VERIFYING_WARNING);
+
+        // verify signed jar in strict mode
+        analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-verify",
+                "-verbose",
+                "-strict",
+                "-keystore", NETSCAPE_KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                SIGNED_JARFILE);
+
+        checkVerifying(analyzer, BAD_NETSCAPE_CERT_TYPE_EXIT_CODE,
+                BAD_NETSCAPE_CERT_TYPE_VERIFYING_WARNING);
+
+        System.out.println("Test passed");
+    }
+
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/tools/jarsigner/warnings/ChainNotValidatedTest.java	Mon Jan 26 18:13:42 2015 +0800
@@ -0,0 +1,180 @@
+/*
+ * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.io.File;
+import jdk.testlibrary.OutputAnalyzer;
+import jdk.testlibrary.ProcessTools;
+import jdk.testlibrary.JarUtils;
+
+/**
+ * @test
+ * @bug 8024302 8026037
+ * @summary Test for chainNotValidated warning
+ * @library /lib/testlibrary ../
+ * @run main ChainNotValidatedTest
+ */
+public class ChainNotValidatedTest extends Test {
+
+    private static final String CHAIN = "chain";
+
+    /**
+     * The test signs and verifies a jar that contains entries
+     * whose cert chain can't be correctly validated (chainNotValidated).
+     * Warning message is expected.
+     */
+    public static void main(String[] args) throws Throwable {
+        ChainNotValidatedTest test = new ChainNotValidatedTest();
+        test.start();
+    }
+
+    private void start() throws Throwable {
+        // create a jar file that contains one class file
+        Utils.createFiles(FIRST_FILE);
+        JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
+
+        // create self-signed certificate whose BasicConstraints extension
+        // is set to false, so the certificate may not be used
+        // as a parent certificate (certpath validation should fail)
+        ProcessTools.executeCommand(KEYTOOL,
+                "-genkeypair",
+                "-alias", CA_KEY_ALIAS,
+                "-keyalg", KEY_ALG,
+                "-keysize", Integer.toString(KEY_SIZE),
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-dname", "CN=CA",
+                "-ext", "BasicConstraints:critical=ca:false",
+                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
+
+        // create a certificate that is signed by self-signed certificate
+        // despite of it may not be used as a parent certificate
+        // (certpath validation should fail)
+        ProcessTools.executeCommand(KEYTOOL,
+                "-genkeypair",
+                "-alias", KEY_ALIAS,
+                "-keyalg", KEY_ALG,
+                "-keysize", Integer.toString(KEY_SIZE),
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-dname", "CN=Test",
+                "-ext", "BasicConstraints:critical=ca:false",
+                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
+
+        ProcessTools.executeCommand(KEYTOOL,
+                "-certreq",
+                "-alias", KEY_ALIAS,
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-file", CERT_REQUEST_FILENAME).shouldHaveExitValue(0);
+
+        ProcessTools.executeCommand(KEYTOOL,
+                "-gencert",
+                "-alias", CA_KEY_ALIAS,
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-infile", CERT_REQUEST_FILENAME,
+                "-validity", Integer.toString(VALIDITY),
+                "-outfile", CERT_FILENAME).shouldHaveExitValue(0);
+
+        ProcessTools.executeCommand(KEYTOOL,
+                "-importcert",
+                "-alias", KEY_ALIAS,
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-file", CERT_FILENAME).shouldHaveExitValue(0);
+
+        ProcessBuilder pb = new ProcessBuilder(KEYTOOL,
+                "-export",
+                "-rfc",
+                "-alias", KEY_ALIAS,
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD);
+        pb.redirectOutput(ProcessBuilder.Redirect.appendTo(new File(CHAIN)));
+        ProcessTools.executeCommand(pb).shouldHaveExitValue(0);
+
+        pb = new ProcessBuilder(KEYTOOL,
+                "-export",
+                "-rfc",
+                "-alias", CA_KEY_ALIAS,
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD);
+        pb.redirectOutput(ProcessBuilder.Redirect.appendTo(new File(CHAIN)));
+        ProcessTools.executeCommand(pb).shouldHaveExitValue(0);
+
+        // remove CA certificate
+        ProcessTools.executeCommand(KEYTOOL,
+                "-delete",
+                "-alias", CA_KEY_ALIAS,
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD).shouldHaveExitValue(0);
+
+        // sign jar
+        OutputAnalyzer analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-certchain", CHAIN,
+                "-signedjar", SIGNED_JARFILE,
+                UNSIGNED_JARFILE,
+                KEY_ALIAS);
+
+        checkSigning(analyzer, CHAIN_NOT_VALIDATED_SIGNING_WARNING);
+
+        // verify signed jar
+        analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-verify",
+                "-verbose",
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-certchain", CHAIN,
+                SIGNED_JARFILE);
+
+        checkVerifying(analyzer, 0, CHAIN_NOT_VALIDATED_VERIFYING_WARNING);
+
+        // verify signed jar in strict mode
+        analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-verify",
+                "-verbose",
+                "-strict",
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-certchain", CHAIN,
+                SIGNED_JARFILE);
+
+        checkVerifying(analyzer, CHAIN_NOT_VALIDATED_EXIT_CODE,
+                CHAIN_NOT_VALIDATED_VERIFYING_WARNING);
+
+        System.out.println("Test passed");
+    }
+
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/tools/jarsigner/warnings/HasExpiredCertTest.java	Mon Jan 26 18:13:42 2015 +0800
@@ -0,0 +1,104 @@
+/*
+ * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import jdk.testlibrary.OutputAnalyzer;
+import jdk.testlibrary.ProcessTools;
+import jdk.testlibrary.JarUtils;
+
+/**
+ * @test
+ * @bug 8024302 8026037
+ * @summary Test for hasExpiredCert warning
+ * @library /lib/testlibrary ../
+ * @run main HasExpiredCertTest
+ */
+public class HasExpiredCertTest extends Test {
+
+    static final int SHORT_VALIDITY = 365;
+
+    /**
+     * The test signs and verifies a jar that contains entries
+     * whose signer certificate has expired (hasExpiredCert).
+     * Warning message is expected.
+     */
+    public static void main(String[] args) throws Throwable {
+        HasExpiredCertTest test = new HasExpiredCertTest();
+        test.start();
+    }
+
+    private void start() throws Throwable {
+        // create a jar file that contains one class file
+        Utils.createFiles(FIRST_FILE);
+        JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
+
+        // create key pair for jar signing
+        ProcessTools.executeCommand(KEYTOOL,
+                "-genkey",
+                "-alias", KEY_ALIAS,
+                "-keyalg", KEY_ALG,
+                "-keysize", Integer.toString(KEY_SIZE),
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-dname", "CN=Test",
+                "-startdate", "-" + SHORT_VALIDITY * 2 + "d",
+                "-validity", Integer.toString(SHORT_VALIDITY))
+                .shouldHaveExitValue(0);
+
+        // sign jar
+        OutputAnalyzer analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-signedjar", SIGNED_JARFILE,
+                UNSIGNED_JARFILE,
+                KEY_ALIAS);
+
+        checkSigning(analyzer, HAS_EXPIRED_CERT_SIGNING_WARNING);
+
+        // verify signed jar
+        analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-verify",
+                "-verbose",
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                SIGNED_JARFILE);
+
+        checkVerifying(analyzer, 0, HAS_EXPIRED_CERT_VERIFYING_WARNING);
+
+        analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-verify",
+                "-strict",
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                SIGNED_JARFILE);
+
+        checkVerifying(analyzer, HAS_EXPIRED_CERT_EXIT_CODE,
+                HAS_EXPIRED_CERT_VERIFYING_WARNING);
+
+        System.out.println("Test passed");
+    }
+
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/tools/jarsigner/warnings/HasExpiringCertTest.java	Mon Jan 26 18:13:42 2015 +0800
@@ -0,0 +1,107 @@
+/*
+ * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import jdk.testlibrary.OutputAnalyzer;
+import jdk.testlibrary.ProcessTools;
+import jdk.testlibrary.JarUtils;
+
+/**
+ * @test
+ * @bug 8024302 8026037
+ * @summary Test for hasExpiringCert warning
+ * @library /lib/testlibrary ../
+ * @run main HasExpiringCertTest
+ */
+public class HasExpiringCertTest extends Test {
+
+    static final int SHORT_VALIDITY = 90; // less than 6 month
+
+    /**
+     * The test signs and verifies a jar that contains entries
+     * whose signer certificate will expire within six months (hasExpiringCert).
+     * Warning message is expected.
+     */
+    public static void main(String[] args) throws Throwable {
+        HasExpiringCertTest test = new HasExpiringCertTest();
+        test.start();
+    }
+
+    private void start() throws Throwable {
+        // create a jar file that contains one class file
+        Utils.createFiles(FIRST_FILE);
+        JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
+
+        // create key pair for jar signing
+        ProcessTools.executeCommand(KEYTOOL,
+                "-genkey",
+                "-alias", KEY_ALIAS,
+                "-keyalg", KEY_ALG,
+                "-keysize", Integer.toString(KEY_SIZE),
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-dname", "CN=Test",
+                "-validity", Integer.toString(SHORT_VALIDITY))
+                .shouldHaveExitValue(0);
+
+        // sign jar
+        OutputAnalyzer analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-keystore", KEYSTORE,
+                "-verbose",
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-signedjar", SIGNED_JARFILE,
+                UNSIGNED_JARFILE,
+                KEY_ALIAS);
+
+        checkSigning(analyzer, HAS_EXPIRING_CERT_SIGNING_WARNING);
+
+        // verify signed jar
+        analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-verify",
+                "-verbose",
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                SIGNED_JARFILE,
+                KEY_ALIAS);
+
+        checkVerifying(analyzer, 0, HAS_EXPIRING_CERT_VERIFYING_WARNING);
+
+        // verify signed jar in strict mode
+        analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-verify",
+                "-verbose",
+                "-strict",
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                SIGNED_JARFILE,
+                KEY_ALIAS);
+
+        checkVerifying(analyzer, 0, HAS_EXPIRING_CERT_VERIFYING_WARNING);
+
+        System.out.println("Test passed");
+    }
+
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/tools/jarsigner/warnings/HasUnsignedEntryTest.java	Mon Jan 26 18:13:42 2015 +0800
@@ -0,0 +1,111 @@
+/*
+ * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import jdk.testlibrary.OutputAnalyzer;
+import jdk.testlibrary.ProcessTools;
+import jdk.testlibrary.JarUtils;
+
+/**
+ * @test
+ * @bug 8024302 8026037
+ * @summary Test for hasUnsignedEntry warning
+ * @library /lib/testlibrary ../
+ * @run main HasUnsignedEntryTest
+ */
+public class HasUnsignedEntryTest extends Test {
+
+    /**
+     * The test signs and verifies a jar that contains unsigned entries
+     * which have not been integrity-checked (hasUnsignedEntry).
+     * Warning message is expected.
+     */
+    public static void main(String[] args) throws Throwable {
+        HasUnsignedEntryTest test = new HasUnsignedEntryTest();
+        test.start();
+    }
+
+    private void start() throws Throwable {
+        System.out.println(String.format("Create a %s that contains %s",
+                UNSIGNED_JARFILE, FIRST_FILE));
+        Utils.createFiles(FIRST_FILE, SECOND_FILE);
+        JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
+
+        // create key pair for signing
+        ProcessTools.executeCommand(KEYTOOL,
+                "-genkey",
+                "-alias", KEY_ALIAS,
+                "-keyalg", KEY_ALG,
+                "-keysize", Integer.toString(KEY_SIZE),
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-dname", "CN=Test",
+                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
+
+        // sign jar
+        OutputAnalyzer analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-verbose",
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-signedjar", SIGNED_JARFILE,
+                UNSIGNED_JARFILE,
+                KEY_ALIAS);
+
+        checkSigning(analyzer);
+
+        System.out.println(String.format("Copy %s to %s, and add %s.class, "
+                + "so it contains unsigned entry",
+                new Object[]{SIGNED_JARFILE, UPDATED_SIGNED_JARFILE,
+                    SECOND_FILE}));
+
+        JarUtils.updateJar(SIGNED_JARFILE, UPDATED_SIGNED_JARFILE, SECOND_FILE);
+
+        // verify jar
+        analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-verify",
+                "-verbose",
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                UPDATED_SIGNED_JARFILE);
+
+        checkVerifying(analyzer, 0, HAS_UNSIGNED_ENTRY_VERIFYING_WARNING);
+
+        // verify jar in strict mode
+        analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-verify",
+                "-verbose",
+                "-strict",
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                UPDATED_SIGNED_JARFILE);
+
+        checkVerifying(analyzer, HAS_UNSIGNED_ENTRY_EXIT_CODE,
+                HAS_UNSIGNED_ENTRY_VERIFYING_WARNING);
+
+        System.out.println("Test passed");
+    }
+
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/tools/jarsigner/warnings/MultipleWarningsTest.java	Mon Jan 26 18:13:42 2015 +0800
@@ -0,0 +1,169 @@
+/*
+ * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import jdk.testlibrary.OutputAnalyzer;
+import jdk.testlibrary.ProcessTools;
+import jdk.testlibrary.JarUtils;
+
+/**
+ * @test
+ * @bug 8024302 8026037
+ * @summary Checks if jarsigner prints appropriate warnings
+ * @library /lib/testlibrary ../
+ * @run main MultipleWarningsTest
+ */
+public class MultipleWarningsTest extends Test {
+
+    /**
+     * The test signs and verifies a jar that:
+     *   - contains entries whose signer certificate has expired
+     *   - contains entries whose signer certificate's ExtendedKeyUsage
+     *     extension doesn't allow code signing
+     *   - contains unsigned entries which have not been integrity-checked
+     *   - contains signed entries which are not signed by the specified alias
+     * Warning messages are expected.
+     */
+    public static void main(String[] args) throws Throwable {
+        MultipleWarningsTest test = new MultipleWarningsTest();
+        test.start();
+    }
+
+    private void start() throws Throwable {
+        Utils.createFiles(FIRST_FILE, SECOND_FILE);
+
+        // create a jar file that contains one class file
+        JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
+
+        // create first expired certificate
+        // whose ExtendedKeyUsage extension does not allow code signing
+        ProcessTools.executeCommand(KEYTOOL,
+                "-genkey",
+                "-alias", FIRST_KEY_ALIAS,
+                "-keyalg", KEY_ALG,
+                "-keysize", Integer.toString(KEY_SIZE),
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-dname", "CN=First",
+                "-ext", "ExtendedkeyUsage=serverAuth",
+                "-startdate", "-" + VALIDITY * 2 + "d",
+                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
+
+        // create second expired certificate
+        // whose KeyUsage extension does not allow code signing
+        ProcessTools.executeCommand(KEYTOOL,
+                "-genkey",
+                "-alias", SECOND_KEY_ALIAS,
+                "-keyalg", KEY_ALG,
+                "-keysize", Integer.toString(KEY_SIZE),
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-dname", "CN=Second",
+                "-ext", "ExtendedkeyUsage=serverAuth",
+                "-startdate", "-" + VALIDITY * 2 + "d",
+                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
+
+        // sign jar with first key
+        OutputAnalyzer analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-signedjar", SIGNED_JARFILE,
+                UNSIGNED_JARFILE,
+                FIRST_KEY_ALIAS);
+
+        checkSigning(analyzer, HAS_EXPIRED_CERT_SIGNING_WARNING,
+                BAD_EXTENDED_KEY_USAGE_SIGNING_WARNING);
+
+        // add a second class to created jar, so it contains unsigned entry
+        JarUtils.updateJar(SIGNED_JARFILE, UPDATED_SIGNED_JARFILE, SECOND_FILE);
+
+        // verify jar with second key
+        analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-verify",
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                UPDATED_SIGNED_JARFILE,
+                SECOND_KEY_ALIAS);
+
+        checkVerifying(analyzer, 0, BAD_EXTENDED_KEY_USAGE_VERIFYING_WARNING,
+                HAS_EXPIRED_CERT_VERIFYING_WARNING,
+                HAS_UNSIGNED_ENTRY_VERIFYING_WARNING,
+                NOT_SIGNED_BY_ALIAS_VERIFYING_WARNING);
+
+        // verify jar with second key in strict mode
+        analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-verify",
+                "-strict",
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                UPDATED_SIGNED_JARFILE,
+                SECOND_KEY_ALIAS);
+
+        int expectedExitCode = HAS_EXPIRED_CERT_EXIT_CODE
+                + BAD_EXTENDED_KEY_USAGE_EXIT_CODE
+                + HAS_UNSIGNED_ENTRY_EXIT_CODE
+                + NOT_SIGNED_BY_ALIAS_EXIT_CODE;
+        checkVerifying(analyzer, expectedExitCode,
+                BAD_EXTENDED_KEY_USAGE_VERIFYING_WARNING,
+                HAS_EXPIRED_CERT_VERIFYING_WARNING,
+                HAS_UNSIGNED_ENTRY_VERIFYING_WARNING,
+                NOT_SIGNED_BY_ALIAS_VERIFYING_WARNING);
+
+        // verify jar with non-exisiting alias
+        analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-verify",
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                UPDATED_SIGNED_JARFILE,
+                "bogus");
+
+        checkVerifying(analyzer, 0, BAD_EXTENDED_KEY_USAGE_VERIFYING_WARNING,
+                HAS_EXPIRED_CERT_VERIFYING_WARNING,
+                HAS_UNSIGNED_ENTRY_VERIFYING_WARNING,
+                NOT_SIGNED_BY_ALIAS_VERIFYING_WARNING);
+
+        // verify jar with non-exisiting alias in strict mode
+        analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-verify",
+                "-strict",
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                UPDATED_SIGNED_JARFILE,
+                "bogus");
+
+        checkVerifying(analyzer, expectedExitCode,
+                BAD_EXTENDED_KEY_USAGE_VERIFYING_WARNING,
+                HAS_EXPIRED_CERT_VERIFYING_WARNING,
+                HAS_UNSIGNED_ENTRY_VERIFYING_WARNING,
+                NOT_SIGNED_BY_ALIAS_VERIFYING_WARNING);
+
+        System.out.println("Test passed");
+    }
+
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/tools/jarsigner/warnings/NoTimestampTest.java	Mon Jan 26 18:13:42 2015 +0800
@@ -0,0 +1,114 @@
+/*
+ * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.util.Date;
+import jdk.testlibrary.OutputAnalyzer;
+import jdk.testlibrary.ProcessTools;
+import jdk.testlibrary.JarUtils;
+
+/**
+ * @test
+ * @bug 8024302 8026037
+ * @summary Checks warnings if -tsa and -tsacert options are not specified
+ * @library /lib/testlibrary ../
+ * @run main NoTimestampTest
+ */
+public class NoTimestampTest extends Test {
+
+    /**
+     * The test signs and verifies a jar file without -tsa and -tsacert options,
+     * and checks that proper warnings are shown.
+     */
+    public static void main(String[] args) throws Throwable {
+        NoTimestampTest test = new NoTimestampTest();
+        test.start();
+    }
+
+    private void start() throws Throwable {
+        String timezone = System.getProperty("user.timezone");
+        System.out.println(String.format("Timezone = %s", timezone));
+
+        // create a jar file that contains one class file
+        Utils.createFiles(FIRST_FILE);
+        JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
+
+        // calculate certificate expiration date
+        Date expirationDate = new Date(System.currentTimeMillis() + VALIDITY
+                * 24 * 60 * 60 * 1000L);
+
+        // create key pair
+        ProcessTools.executeCommand(KEYTOOL,
+                "-genkey",
+                "-alias", KEY_ALIAS,
+                "-keyalg", KEY_ALG,
+                "-keysize", Integer.toString(KEY_SIZE),
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-dname", "CN=Test",
+                "-validity", Integer.toString(VALIDITY));
+
+        // sign jar file
+        OutputAnalyzer analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-J-Duser.timezone=" + timezone,
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-signedjar", SIGNED_JARFILE,
+                UNSIGNED_JARFILE,
+                KEY_ALIAS);
+
+        String warning = String.format(NO_TIMESTAMP_SIGNING_WARN_TEMPLATE,
+                expirationDate);
+        checkSigning(analyzer, warning);
+
+        // verify signed jar
+        analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-J-Duser.timezone=" + timezone,
+                "-verify",
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                SIGNED_JARFILE,
+                KEY_ALIAS);
+
+        warning = String.format(NO_TIMESTAMP_VERIFYING_WARN_TEMPLATE, expirationDate);
+        checkVerifying(analyzer, 0, warning);
+
+        // verify signed jar in strict mode
+        analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-J-Duser.timezone=" + timezone,
+                "-verify",
+                "-strict",
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                SIGNED_JARFILE,
+                KEY_ALIAS);
+
+        checkVerifying(analyzer, 0, warning);
+
+        System.out.println("Test passed");
+    }
+
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/tools/jarsigner/warnings/NotSignedByAliasTest.java	Mon Jan 26 18:13:42 2015 +0800
@@ -0,0 +1,138 @@
+/*
+ * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import jdk.testlibrary.OutputAnalyzer;
+import jdk.testlibrary.ProcessTools;
+import jdk.testlibrary.JarUtils;
+
+/**
+ * @test
+ * @bug 8024302 8026037
+ * @summary Test for notSignedByAlias warning
+ * @library /lib/testlibrary ../
+ * @run main NotSignedByAliasTest
+ */
+public class NotSignedByAliasTest extends Test {
+
+    /**
+     * The test signs and verifies a jar that contains signed entries
+     * which are not signed by the specified alias(es) (notSignedByAlias).
+     * Warning message is expected.
+     */
+    public static void main(String[] args) throws Throwable {
+        NotSignedByAliasTest test = new NotSignedByAliasTest();
+        test.start();
+    }
+
+    protected void start() throws Throwable {
+        // create a jar file that contains one class file
+        Utils.createFiles(FIRST_FILE);
+        JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
+
+        // create first key pair for signing
+        ProcessTools.executeCommand(KEYTOOL,
+                "-genkey",
+                "-alias", FIRST_KEY_ALIAS,
+                "-keyalg", KEY_ALG,
+                "-keysize", Integer.toString(KEY_SIZE),
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-dname", "CN=First",
+                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
+
+        // create first key pair for signing
+        ProcessTools.executeCommand(KEYTOOL,
+                "-genkey",
+                "-alias", SECOND_KEY_ALIAS,
+                "-keyalg", KEY_ALG,
+                "-keysize", Integer.toString(KEY_SIZE),
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-dname", "CN=Second",
+                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
+
+        // sign jar with first key
+        OutputAnalyzer analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-signedjar", SIGNED_JARFILE,
+                UNSIGNED_JARFILE,
+                FIRST_KEY_ALIAS);
+
+        checkSigning(analyzer);
+
+        // verify jar with second key
+        analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-verify",
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                SIGNED_JARFILE,
+                SECOND_KEY_ALIAS);
+
+        checkVerifying(analyzer, 0, NOT_SIGNED_BY_ALIAS_VERIFYING_WARNING);
+
+        // verify jar with second key in strict mode
+        analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-verify",
+                "-strict",
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                SIGNED_JARFILE,
+                SECOND_KEY_ALIAS);
+
+        checkVerifying(analyzer, NOT_SIGNED_BY_ALIAS_EXIT_CODE,
+                NOT_SIGNED_BY_ALIAS_VERIFYING_WARNING);
+
+        // verify jar with non-existing alias
+        analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-verify",
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                SIGNED_JARFILE,
+                "bogus");
+
+        checkVerifying(analyzer, 0, NOT_SIGNED_BY_ALIAS_VERIFYING_WARNING);
+
+        // verify jar with non-existing alias in strict mode
+        analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-verify",
+                "-strict",
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                SIGNED_JARFILE,
+                "bogus");
+
+        checkVerifying(analyzer, NOT_SIGNED_BY_ALIAS_EXIT_CODE,
+                NOT_SIGNED_BY_ALIAS_VERIFYING_WARNING);
+
+        System.out.println("Test passed");
+    }
+
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/tools/jarsigner/warnings/NotYetValidCertTest.java	Mon Jan 26 18:13:42 2015 +0800
@@ -0,0 +1,105 @@
+/*
+ * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import jdk.testlibrary.OutputAnalyzer;
+import jdk.testlibrary.ProcessTools;
+import jdk.testlibrary.JarUtils;
+
+/**
+ * @test
+ * @bug 8024302 8026037
+ * @summary Test for notYetValidCert warning
+ * @library /lib/testlibrary ../
+ * @run main NotYetValidCertTest
+ */
+public class NotYetValidCertTest extends Test {
+
+    /**
+     * The test signs and verifies a jar that contains entries
+     * whose signer certificate is not yet valid (notYetValidCert).
+     * Warning message is expected.
+     */
+    public static void main(String[] args) throws Throwable {
+        NotYetValidCertTest test = new NotYetValidCertTest();
+        test.start();
+    }
+
+    protected void start() throws Throwable {
+        // create a jar file that contains one class file
+        Utils.createFiles(FIRST_FILE);
+        JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
+
+        // create certificate that will be valid only tomorrow
+        ProcessTools.executeCommand(KEYTOOL,
+                "-genkey",
+                "-alias", KEY_ALIAS,
+                "-keyalg", KEY_ALG,
+                "-keysize", Integer.toString(KEY_SIZE),
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-dname", "CN=Test",
+                "-startdate", "+1d",
+                "-validity", Integer.toString(VALIDITY));
+
+        // sign jar
+        OutputAnalyzer analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-signedjar", SIGNED_JARFILE,
+                UNSIGNED_JARFILE,
+                KEY_ALIAS);
+
+        checkSigning(analyzer, NOT_YET_VALID_CERT_SIGNING_WARNING);
+
+        // verify signed jar
+        analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-verify",
+                "-verbose",
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                SIGNED_JARFILE,
+                KEY_ALIAS);
+
+        checkVerifying(analyzer, 0, NOT_YET_VALID_CERT_VERIFYING_WARNING);
+
+        // verify jar in strict mode
+        analyzer = ProcessTools.executeCommand(JARSIGNER,
+                "-verify",
+                "-verbose",
+                "-strict",
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                SIGNED_JARFILE,
+                KEY_ALIAS);
+
+        checkVerifying(analyzer, HAS_EXPIRED_CERT_EXIT_CODE,
+                NOT_YET_VALID_CERT_VERIFYING_WARNING);
+
+        System.out.println("Test passed");
+    }
+
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/tools/jarsigner/warnings/Test.java	Mon Jan 26 18:13:42 2015 +0800
@@ -0,0 +1,178 @@
+/*
+ * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import jdk.testlibrary.OutputAnalyzer;
+
+/**
+ * Base class.
+ */
+public abstract class Test {
+
+    static final String TEST_SOURCES = System.getProperty("test.src", ".");
+    static final String TEST_CLASSES = System.getProperty("test.classes");
+    static final String FS = System.getProperty("file.separator");
+    static final String JAVA_HOME = System.getProperty("java.home");
+    static final String KEYTOOL = JAVA_HOME + FS + "bin" + FS + "keytool";
+    static final String JARSIGNER = JAVA_HOME + FS + "bin" + FS + "jarsigner";
+    static final String UNSIGNED_JARFILE = "unsigned.jar";
+    static final String SIGNED_JARFILE = "signed.jar";
+    static final String UPDATED_SIGNED_JARFILE = "updated_signed.jar";
+    static final String FIRST_FILE = "first.txt";
+    static final String SECOND_FILE = "second.txt";
+    static final String PASSWORD = "password";
+    static final String BOTH_KEYS_KEYSTORE = "both_keys.jks";
+    static final String FIRST_KEY_KEYSTORE = "first_key.jks";
+    static final String KEYSTORE = "keystore.jks";
+    static final String FIRST_KEY_ALIAS = "first";
+    static final String SECOND_KEY_ALIAS = "second";
+    static final String KEY_ALG = "RSA";
+    static final String KEY_ALIAS = "alias";
+    static final String CERT_REQUEST_FILENAME = "test.req";
+    static final String CERT_FILENAME = "test.crt";
+    static final String CA_KEY_ALIAS = "ca";
+    static final int KEY_SIZE = 2048;
+    static final int TIMEOUT = 6 * 60 * 1000;   // in millis
+    static final int VALIDITY = 365;
+
+    static final String WARNING = "Warning:";
+
+    static final String CHAIN_NOT_VALIDATED_VERIFYING_WARNING
+            = "This jar contains entries "
+            + "whose certificate chain is not validated.";
+
+    static final String ALIAS_NOT_IN_STORE_VERIFYING_WARNING
+            = "This jar contains signed entries "
+            + "that are not signed by alias in this keystore.";
+
+    static final String BAD_EXTENDED_KEY_USAGE_SIGNING_WARNING
+            = "The signer certificate's ExtendedKeyUsage extension "
+            + "doesn't allow code signing.";
+
+    static final String BAD_EXTENDED_KEY_USAGE_VERIFYING_WARNING
+            = "This jar contains entries whose signer certificate's "
+            + "ExtendedKeyUsage extension doesn't allow code signing.";
+
+    static final String BAD_KEY_USAGE_SIGNING_WARNING
+            = "The signer certificate's KeyUsage extension "
+            + "doesn't allow code signing.";
+
+    static final String BAD_KEY_USAGE_VERIFYING_WARNING
+            = "This jar contains entries whose signer certificate's KeyUsage "
+            + "extension doesn't allow code signing.";
+
+    static final String BAD_NETSCAPE_CERT_TYPE_SIGNING_WARNING
+            = "The signer certificate's NetscapeCertType extension "
+            + "doesn't allow code signing.";
+
+    static final String BAD_NETSCAPE_CERT_TYPE_VERIFYING_WARNING
+            = "This jar contains entries "
+            + "whose signer certificate's NetscapeCertType extension "
+            + "doesn't allow code signing.";
+
+    static final String CHAIN_NOT_VALIDATED_SIGNING_WARNING
+            = "The signer's certificate chain is not validated.";
+
+    static final String HAS_EXPIRING_CERT_SIGNING_WARNING
+            = "The signer certificate will expire within six months.";
+
+    static final String HAS_EXPIRING_CERT_VERIFYING_WARNING
+            = "This jar contains entries "
+            + "whose signer certificate will expire within six months.";
+
+    static final String HAS_EXPIRED_CERT_SIGNING_WARNING
+            = "The signer certificate has expired.";
+
+    static final String HAS_EXPIRED_CERT_VERIFYING_WARNING
+            = "This jar contains entries whose signer certificate has expired.";
+
+    static final String HAS_UNSIGNED_ENTRY_VERIFYING_WARNING
+            = "This jar contains unsigned entries "
+            + "which have not been integrity-checked.";
+
+    static final String NOT_SIGNED_BY_ALIAS_VERIFYING_WARNING
+            = "This jar contains signed entries "
+            + "which are not signed by the specified alias(es).";
+
+    static final String NO_TIMESTAMP_SIGNING_WARN_TEMPLATE
+            = "No -tsa or -tsacert is provided "
+            + "and this jar is not timestamped. "
+            + "Without a timestamp, users may not be able to validate this jar "
+            + "after the signer certificate's expiration date "
+            + "(%1$tY-%1$tm-%1$td) or after any future revocation date.";
+
+    static final String NO_TIMESTAMP_VERIFYING_WARN_TEMPLATE
+            = "This jar contains signatures that does not include a timestamp. "
+            + "Without a timestamp, users may not be able to validate this jar "
+            + "after the signer certificate's expiration date "
+            + "(%1$tY-%1$tm-%1$td) or after any future revocation date.";
+
+    static final String NOT_YET_VALID_CERT_SIGNING_WARNING
+            = "The signer certificate is not yet valid.";
+
+    static final String NOT_YET_VALID_CERT_VERIFYING_WARNING
+            = "This jar contains entries "
+            + "whose signer certificate is not yet valid.";
+
+    static final String JAR_SIGNED = "jar signed.";
+
+    static final String JAR_VERIFIED = "jar verified.";
+
+    static final String JAR_VERIFIED_WITH_SIGNER_ERRORS
+            = "jar verified, with signer errors.";
+
+    static final int CHAIN_NOT_VALIDATED_EXIT_CODE = 4;
+    static final int HAS_EXPIRED_CERT_EXIT_CODE = 4;
+    static final int BAD_KEY_USAGE_EXIT_CODE = 8;
+    static final int BAD_EXTENDED_KEY_USAGE_EXIT_CODE = 8;
+    static final int BAD_NETSCAPE_CERT_TYPE_EXIT_CODE = 8;
+    static final int HAS_UNSIGNED_ENTRY_EXIT_CODE = 16;
+    static final int ALIAS_NOT_IN_STORE_EXIT_CODE = 32;
+    static final int NOT_SIGNED_BY_ALIAS_EXIT_CODE = 32;
+
+    protected void checkVerifying(OutputAnalyzer analyzer, int expectedExitCode,
+            String... warnings) {
+        analyzer.shouldHaveExitValue(expectedExitCode);
+        for (String warning : warnings) {
+            analyzer.shouldContain(warning);
+        }
+        if (warnings.length > 0) {
+            analyzer.shouldContain(WARNING);
+        }
+        if (expectedExitCode == 0) {
+            analyzer.shouldContain(JAR_VERIFIED);
+        } else {
+            analyzer.shouldContain(JAR_VERIFIED_WITH_SIGNER_ERRORS);
+        }
+    }
+
+    protected void checkSigning(OutputAnalyzer analyzer, String... warnings) {
+        analyzer.shouldHaveExitValue(0);
+        for (String warning : warnings) {
+            analyzer.shouldContain(warning);
+        }
+        if (warnings.length > 0) {
+            analyzer.shouldContain(WARNING);
+        }
+        analyzer.shouldContain(JAR_SIGNED);
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/tools/jarsigner/warnings/bad_netscape_cert_type.jks.base64	Mon Jan 26 18:13:42 2015 +0800
@@ -0,0 +1,26 @@
+/u3+7QAAAAIAAAABAAAAAQAFYWxpYXMAAAFBpkwW0gAAAr0wggK5MA4GCisGAQQB
+KgIRAQEFAASCAqWkGJ3PPjYmWNKrV23Y1u413RMAkrRZ+1OLWYRcQt4jtxtIyEH5
+Ho5b9dy9XN9FBKlTOD4c2Pc1T43BLKXeuLu3uLLeIxgXFt0z9CLyGwdYZZ751kXr
+DQ99qY6aNQUO6SeE4Wdty0KPAqid6ZJ8bF7T6wsTZSvNhaBRzyFydEfG7bbUYjOl
+mWC44nlsu6VEU3o9RQpcm1gIMwradOaIVT/HoB2bKmAv8gHqI6kreiEZwTdZkSAI
+IRi2vt1RPllXt5hgjDxUfZe8XOYYweR4Vt2/jVuKLJ80DNTu/9SeUD88zQAz53k4
+r3nRhv6TRcPm6tV/Fh92XLHiskL+TAzTfm+bUAudPCCVxN+yRtxvAgA+UhdV/SuM
+Zn5F6nrmP+YJG1hmprgCJIJJaCEXa9RXYC+vIVpO0WVNRuGlGm+/1afnOuQC8Wss
+ShXwjkaqTwAhqBFq7eYmmP8BK3gflYrt2zDLXvhl4ndVvMhMthFJ3ZvLh2LWpqLI
+/n8EMCf8US3lIEFk9DTHBZjffiHkqK2e7+FXEpG3xrgE6ZYLMdbd5Pb3YjZfhQx+
+ZTtiEFzYSaEGhacek/m7dRq1qmwgFsytng2OdWZe2ln8LJY0odr1dGUfJHfgafvi
+tlfbkg/rgjONtwliChDggbkUwnerrj/D/zrdEufUvfyltSshhHXRNDD3fH6spmEk
+hHKgxEc4yvxqJxzdMGtuib355aSfNegyl+GsnsKzXQCVEK2h3BLTQObzaD+8NZ12
+LQHvbrCiaS34vxJ3rEC+a+SW7itZp0aCdXMWdMJNkRKqyLBD3vG3zN05sN3XrhEM
+8BRT020TWY00tbVFbbBFheYLQRgTjrQtr0Yt6UHWBZc4N20crDLcSH5gqcCOVpla
+1Y2uqFEn8yqrGRwn/kgfNgAAAAEABVguNTA5AAABtTCCAbEwggEaoAMCAQICCQDH
+cEuVvzCuqzANBgkqhkiG9w0BAQUFADAPMQ0wCwYDVQQDDARUZXN0MB4XDTEzMTAx
+MTA2NTUwNloXDTIzMTAwOTA2NTUwNlowDzENMAsGA1UEAwwEVGVzdDCBnzANBgkq
+hkiG9w0BAQEFAAOBjQAwgYkCgYEA8hOfp2Dcnvt//ZZQAja9TRiwKqXVS+TiYE3S
+gngCBjIi+YYdo0DsUeO5MBfE6uvCWOr5lwAR/u1iaJOhIoGJDiGoPasZlt+yIgtR
+LzA7j2q+1q6kcwiVxfikI3aUgHV/QsybTriT4Bf7TQNKtJG23MQa4sD7+PjtCWD7
+p3cHTfkCAwEAAaMVMBMwEQYJYIZIAYb4QgEBBAQDAgeAMA0GCSqGSIb3DQEBBQUA
+A4GBAKoDlTJ8wLRA7G8XdGm4gv733n1cSQzlkcsjfOO6/mA5Jvu8tyFNq9HTf9AT
+VXbrbGcUYJjhzSSY3w5apXK1kXyqTB1LUNEJ45WnmciqSSecVTpJz9TuegyoX0Zf
+HScSgqfDmjqoiiFiNCgn3ZEJ85ykGvoFYGH+php+BVi3S0bj5E/jRpyV3vNnii/S
+wJDSAXF6bYU=
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/tools/jarsigner/warnings/bad_netscape_cert_type.sh	Mon Jan 26 18:13:42 2015 +0800
@@ -0,0 +1,48 @@
+#
+# Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+
+#!/bin/sh
+
+# This script creates JKS keystore with a certificate
+# that contains Netscape Certificate Type extension
+# that does not allow code signing
+# The keystore is used by BadNetscapeCertTypeTest.java test
+
+rm -rf keystore.jks
+echo "nsCertType = client" > ext.cfg
+
+openssl req -new -out cert.req -keyout key.pem -days 3650 \
+    -passin pass:password -passout pass:password -subj "/CN=Test"
+openssl x509 -in cert.req -out cert.pem -req -signkey key.pem -days 3650 \
+    -passin pass:password -extfile ext.cfg
+openssl pkcs12 -export -in cert.pem -inkey key.pem -out keystore.p12 \
+    -passin pass:password -passout pass:password -name alias
+
+${JAVA_HOME}/bin/keytool -importkeystore \
+    -srckeystore keystore.p12 -srcstoretype pkcs12 \
+    -srcstorepass password -alias alias \
+    -destkeystore bad_netscape_cert_type.jks -deststoretype jks \
+    -deststorepass password -destalias alias \
+
+openssl base64 < bad_netscape_cert_type.jks > bad_netscape_cert_type.jks.base64
+rm -rf cert.req key.pem cert.pem keystore.p12 ext.cfg bad_netscape_cert_type.jks