OpenJDK / amber / amber
changeset 24625:22fb8a68756f
8036709: Java 7 jarsigner displays warning about cert policy tree
Reviewed-by: mullan
author | weijun |
---|---|
date | Thu, 29 May 2014 10:36:06 +0800 |
parents | c46acbd3c30b |
children | 87c5b99a6002 |
files | jdk/src/share/classes/sun/security/tools/jarsigner/Main.java jdk/test/sun/security/tools/jarsigner/certpolicy.sh |
diffstat | 2 files changed, 98 insertions(+), 4 deletions(-) [+] |
--- a/jdk/src/share/classes/sun/security/tools/jarsigner/Main.java Thu May 29 01:50:50 2014 +0400 +++ b/jdk/src/share/classes/sun/security/tools/jarsigner/Main.java Thu May 29 10:36:06 2014 +0800 @@ -1560,8 +1560,7 @@ first = false; } try { - CertPath cp = certificateFactory.generateCertPath(certs); - validator.validate(cp, pkixParameters); + validateCertChain(certs); } catch (Exception e) { if (debug) { e.printStackTrace(); @@ -1871,8 +1870,7 @@ printCert("", certChain[0], true, null, true); try { - CertPath cp = certificateFactory.generateCertPath(Arrays.asList(certChain)); - validator.validate(cp, pkixParameters); + validateCertChain(Arrays.asList(certChain)); } catch (Exception e) { if (debug) { e.printStackTrace(); @@ -1937,6 +1935,22 @@ System.exit(1); } + void validateCertChain(List<? extends Certificate> certs) throws Exception { + int cpLen = 0; + out: for (; cpLen<certs.size(); cpLen++) { + for (TrustAnchor ta: pkixParameters.getTrustAnchors()) { + if (ta.getTrustedCert().equals(certs.get(cpLen))) { + break out; + } + } + } + if (cpLen > 0) { + CertPath cp = certificateFactory.generateCertPath( + (cpLen == certs.size())? certs: certs.subList(0, cpLen)); + validator.validate(cp, pkixParameters); + } + } + char[] getPass(String prompt) { System.err.print(prompt);
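Review bot: In the added `validateCertChain` (third hunk), `ta.getTrustedCert().equals(certs.get(cpLen))` dereferences the anchor's certificate without a null check. `TrustAnchor.getTrustedCert()` returns null for an anchor built from a CA name and public key, and the resulting NullPointerException would be caught by the `catch (Exception e)` at both call sites (first two hunks) and surface as a chain that failed to validate. Flipping the receiver avoids this, assuming the chain elements are never null: `if (certs.get(cpLen).equals(ta.getTrustedCert())) {`. The method also needs a comment spelling out the two trust decisions the truncation makes: when the first certificate is itself a trust anchor (`cpLen == 0`) no PKIX validation runs at all, and every certificate after the first anchor match is ignored. Both look intentional, but a later maintainer should not have to infer them from the loop.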
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/tools/jarsigner/certpolicy.sh Thu May 29 10:36:06 2014 +0800
@@ -0,0 +1,80 @@
+#
+# Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+
+# @test
+# @bug 8036709
+# @summary Java 7 jarsigner displays warning about cert policy tree
+#
+# @run shell certpolicy.sh
+#
+
+if [ "${TESTJAVA}" = "" ] ; then
+ JAVAC_CMD=`which javac`
+ TESTJAVA=`dirname $JAVAC_CMD`/..
+fi
+
+KT="$TESTJAVA/bin/keytool $TESTTOOLVMOPTS \
+ -keypass changeit -storepass changeit -keystore ks -keyalg rsa"
+JS="$TESTJAVA/bin/jarsigner $TESTTOOLVMOPTS -storepass changeit -keystore ks"
+JAR="$TESTJAVA/bin/jar $TESTTOOLVMOPTS"
+
+rm ks 2> /dev/null
+$KT -genkeypair -alias ca -dname CN=CA -ext bc
+$KT -genkeypair -alias int -dname CN=Int
+$KT -genkeypair -alias ee -dname CN=EE
+
+# CertificatePolicies [[PolicyId: [1.2.3]], [PolicyId: [1.2.4]]]
+# PolicyConstraints: [Require: 0; Inhibit: unspecified]
+$KT -certreq -alias int | \
+ $KT -gencert -rfc -alias ca \
+ -ext 2.5.29.32="30 0C 30 04 06 02 2A 03 30 04 06 02 2A 04" \
+ -ext "2.5.29.36=30 03 80 01 00" -ext bc | \
+ $KT -import -alias int
+
+# CertificatePolicies [[PolicyId: [1.2.3]]]
+$KT -certreq -alias ee | \
+ $KT -gencert -rfc -alias int \
+ -ext 2.5.29.32="30 06 30 04 06 02 2A 03" | \
+ $KT -import -alias ee
+
+$KT -export -alias ee -rfc > cc
+$KT -export -alias int -rfc >> cc
+$KT -export -alias ca -rfc >> cc
+
+$KT -delete -alias int
+
+ERR=''
+$JAR cvf a.jar cc
+
+# Make sure the certchain in the signed jar contains all 3 certs
+$JS -strict -certchain cc a.jar ee -debug || ERR="sign"
+$JS -strict -verify a.jar -debug || ERR="$ERR verify"
+
+if [ "$ERR" = "" ]; then
+ echo "Success"
+ exit 0
+else
+ echo "Failed: $ERR"
+ exit 1
+fi
+
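Review bot: The test covers only the success path, so it would still pass if `validateCertChain` stopped validating anything. Because the fix deliberately shortens the path handed to the validator, a negative case is worth adding: a chain that cannot be validated against `ks`, for which `$JS -strict -verify a.jar` is expected to exit non-zero. The comment `# Make sure the certchain in the signed jar contains all 3 certs` is also not enforced, since both `$JS` lines check the exit status only; either assert it from the `-verify -verbose -certs` output or reword the comment. Minor: `rm ks 2> /dev/null` leaves `a.jar` and `cc` behind from an earlier run, and `rm -f ks a.jar cc` would make reruns start clean.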