7004168: jarsigner -verify checks for KeyUsage codesigning ext on all certs instead of just signing cert

Reviewed-by: mullan

jdk/src/share/classes/sun/security/tools/JarSigner.java

@@ -658,7 +658,9 @@ public class JarSigner {
                     boolean inScope = (inStoreOrScope & IN_SCOPE) != 0;
 
                     notSignedByAlias |= (inStoreOrScope & NOT_ALIAS) != 0;
-                    aliasNotInStore |= isSigned && (!inStore && !inScope);
+                    if (keystore != null) {
+                        aliasNotInStore |= isSigned && (!inStore && !inScope);
+                    }
 
                     // Only used when -verbose provided
                     StringBuffer sb = null;
@@ -889,7 +891,7 @@ public class JarSigner {
      * Note: no newline character at the end
      */
     String printCert(String tab, Certificate c, boolean checkValidityPeriod,
-        long now) {
+        long now, boolean checkUsage) {
 
         StringBuilder certStr = new StringBuilder();
         String space = rb.getString("SPACE");
@@ -959,24 +961,26 @@ public class JarSigner {
             }
             certStr.append("]");
 
-            boolean[] bad = new boolean[3];
-            checkCertUsage(x509Cert, bad);
-            if (bad[0] || bad[1] || bad[2]) {
-                String x = "";
-                if (bad[0]) {
-                    x ="KeyUsage";
-                }
-                if (bad[1]) {
-                    if (x.length() > 0) x = x + ", ";
-                    x = x + "ExtendedKeyUsage";
-                }
-                if (bad[2]) {
-                    if (x.length() > 0) x = x + ", ";
-                    x = x + "NetscapeCertType";
-                }
-                certStr.append("\n").append(tab)
+            if (checkUsage) {
+                boolean[] bad = new boolean[3];
+                checkCertUsage(x509Cert, bad);
+                if (bad[0] || bad[1] || bad[2]) {
+                    String x = "";
+                    if (bad[0]) {
+                        x ="KeyUsage";
+                    }
+                    if (bad[1]) {
+                        if (x.length() > 0) x = x + ", ";
+                        x = x + "ExtendedKeyUsage";
+                    }
+                    if (bad[2]) {
+                        if (x.length() > 0) x = x + ", ";
+                        x = x + "NetscapeCertType";
+                    }
+                    certStr.append("\n").append(tab)
                         .append(MessageFormat.format(rb.getString(
                         ".{0}.extension.does.not.support.code.signing."), x));
+                }
             }
         }
         return certStr.toString();
@@ -1335,7 +1339,7 @@ public class JarSigner {
                             certUrl);
                     }
                     System.out.println(rb.getString("TSA.certificate.") +
-                        printCert("", tsaCert, false, 0));
+                        printCert("", tsaCert, false, 0, false));
                 }
                 if (signingMechanism != null) {
                     System.out.println(
@@ -1544,10 +1548,13 @@ public class JarSigner {
             s.append(printTimestamp(tab, timestamp));
             s.append('\n');
         }
-        // display the certificate(s)
+        // display the certificate(s). The first one is end-enity cert and
+        // its KeyUsage should be checked.
+        boolean first = true;
         for (Certificate c : certs) {
-            s.append(printCert(tab, c, true, now));
+            s.append(printCert(tab, c, true, now, first));
             s.append('\n');
+            first = false;
         }
         try {
             CertPath cp = certificateFactory.generateCertPath(certs);
@@ -1847,7 +1854,7 @@ public class JarSigner {
 
             // We don't meant to print anything, the next call
             // checks validity and keyUsage etc
-            printCert("", certChain[0], true, 0);
+            printCert("", certChain[0], true, 0, true);
 
             try {
                 CertPath cp = certificateFactory.generateCertPath(Arrays.asList(certChain));

jdk/test/sun/security/tools/jarsigner/checkusage.sh

@@ -0,0 +1,109 @@
+#
+# Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+
+# @test
+# @bug 7004168
+# @summary jarsigner -verify checks for KeyUsage codesigning ext on all certs
+#  instead of just signing cert
+#
+# @run shell checkusage.sh
+#
+
+if [ "${TESTJAVA}" = "" ] ; then
+  JAVAC_CMD=`which javac`
+  TESTJAVA=`dirname $JAVAC_CMD`/..
+fi
+
+# set platform-dependent variables
+OS=`uname -s`
+case "$OS" in
+  Windows_* )
+    FS="\\"
+    ;;
+  * )
+    FS="/"
+    ;;
+esac
+
+KT="$TESTJAVA${FS}bin${FS}keytool -storepass changeit -keypass changeit"
+JAR=$TESTJAVA${FS}bin${FS}jar
+JARSIGNER="$TESTJAVA${FS}bin${FS}jarsigner"
+
+rm js.jks trust.jks unrelated.jks 2> /dev/null
+
+echo x > x
+$JAR cvf a.jar x
+
+################### 3 Keystores #######################
+
+# Keystore js.jks: including CA and Publisher
+# CA contains a non-empty KeyUsage
+$KT -keystore js.jks -genkeypair -alias ca -dname CN=CA -ext KU=kCS -ext bc -validity 365
+$KT -keystore js.jks -genkeypair -alias pub -dname CN=Publisher
+
+# Publisher contains the correct KeyUsage
+$KT -keystore js.jks -certreq -alias pub | \
+        $KT -keystore js.jks -gencert -alias ca -ext KU=dig -validity 365 | \
+        $KT -keystore js.jks -importcert -alias pub
+
+# Keystore trust.jks: including CA only
+$KT -keystore js.jks -exportcert -alias ca | \
+        $KT -keystore trust.jks -importcert -alias ca -noprompt
+
+# Keystore unrelated.jks: unrelated
+$KT -keystore unrelated.jks -genkeypair -alias nothing -dname CN=Nothing -validity 365
+
+
+################### 4 Tests #######################
+
+# Test 1: Sign should be OK
+
+$JARSIGNER -keystore js.jks -storepass changeit a.jar pub
+RESULT=$?
+echo $RESULT
+#[ $RESULT = 0 ] || exit 1
+
+# Test 2: Verify should be OK
+
+$JARSIGNER -keystore trust.jks -strict -verify a.jar
+RESULT=$?
+echo $RESULT
+#[ $RESULT = 0 ] || exit 2
+
+# Test 3: When no keystore is specified, the error is only
+# "chain not validated"
+
+$JARSIGNER -strict -verify a.jar
+RESULT=$?
+echo $RESULT
+#[ $RESULT = 4 ] || exit 3
+
+# Test 4: When unrelated keystore is specified, the error is
+# "chain not validated" and "not alias in keystore"
+
+$JARSIGNER -keystore unrelated.jks -strict -verify a.jar
+RESULT=$?
+echo $RESULT
+#[ $RESULT = 36 ] || exit 4
+
+exit 0

jdk/test/sun/security/tools/jarsigner/concise_jarsigner.sh

@@ -79,9 +79,9 @@ $JAR uvf a.jar A5.class A6.class
 $JARSIGNER -verify a.jar
 [ $? = 0 ] || exit $LINENO
 
-# 4(chainNotValidated)+16(hasUnsignedEntry)+32(aliasNotInStore)
+# 4(chainNotValidated)+16(hasUnsignedEntry)
 $JARSIGNER -verify a.jar -strict
-[ $? = 52 ] || exit $LINENO
+[ $? = 20 ] || exit $LINENO
 
 # 16(hasUnsignedEntry)
 $JARSIGNER -verify a.jar -strict -keystore js.jks