Skip to content
This repository has been archived by the owner. It is now read-only.
Browse files
8248745: Add jarsigner and keytool tests for restricted algorithms
Reviewed-by: mullan, hchao
  • Loading branch information
Abdul Kolarkunnu committed Aug 9, 2020
1 parent 67f5341 commit dcb4a8d1d9fa867e877d5e659a35a5cd585991b5
Showing 1 changed file with 201 additions and 0 deletions.
@@ -0,0 +1,201 @@
* Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit if you need additional information or have any
* questions.

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import jdk.test.lib.SecurityTools;
import jdk.test.lib.util.JarUtils;
import jdk.test.lib.process.OutputAnalyzer;

* @test
* @bug 8248745
* @summary Test key generation and jar signing with disabled algorithms and
* key sizes, with and without entries in jdk.jar.disabledAlgorithms,
* jdk.certpath.disabledAlgorithms
* @library /test/lib
* @run main/othervm RestrictedAlgo RESTRICT
* @run main/othervm RestrictedAlgo NO_RESTRICT

public class RestrictedAlgo {

private static final String KEYSTORE = "keystore.jks";
private static final String PASSWORD = "password";
private static final String SIGNED_JARFILE = "signed.jar";
private static final String UNSIGNED_JARFILE = "unsigned.jar";
private static final String SECURITY_FILE = "";
private static final String NO_RESTRICT = ""
private static final String FIRST_FILE = "first.txt";
private static final String WARNING = "Warning:";
private static final String SECURITY_WARNING =
".* is considered a security risk and is disabled.";

private static String algoStatus;

public static void main(String[] args) throws Exception {

algoStatus = args[0];
// create a jar file that contains one file
JarUtils.createJarFile(Path.of(UNSIGNED_JARFILE), Path.of("."),
new File(FIRST_FILE).exists() ? Paths.get(FIRST_FILE)
: Files.createFile(Paths.get(FIRST_FILE)));
if (!isAlgoRestricted()) {
// An alternative security properties
+ "jdk.jar.disabledAlgorithms=\n"
+ "");

System.out.println("\nTesting sigalg MD2\n");
test("RSA", "MD2withRSA", "SigAlgMD2", "SHA256", true);

System.out.println("\nTesting sigalg MD5\n");
test("RSA", "MD5withRSA", "SigAlgMD5", "SHA256", true);

System.out.println("\nTesting digestalg MD2\n");
test("RSA", "SHA256withRSA", "DigestAlgMD2", "MD2", false);

System.out.println("\nTesting digestalg MD5\n");
test("RSA", "SHA256withRSA", "DigestAlgMD5", "MD5", false);

System.out.println("\nTesting RSA Keysize: RSA keySize < 1024\n");
test("RSA", "SHA256withRSA", "KeySizeRSA", "SHA256", true,
"-keysize", "512");

System.out.println("\nTesting DSA Keysize: DSA keySize < 1024\n");
test("DSA", "SHA256withDSA", "KeySizeDSA", "SHA256", true,
"-keysize", "512");

System.out.println("\nTesting Native Curve:"
+ " include jdk.disabled.namedCurves\n");
test("EC", "SHA256withECDSA", "curve", "SHA256", true,
"-groupname", "secp112r1");

private static void test(String keyAlg, String sigAlg, String aliasPrefix,
String digestAlg, boolean isKeyToolVerify,
String... addKeyToolArgs) throws Exception {

String alias = aliasPrefix + "_" + algoStatus;
testKeytool(keyAlg, sigAlg, alias, isKeyToolVerify, addKeyToolArgs);
testJarSignerSigning(sigAlg, alias, digestAlg);

private static void testKeytool(String keyAlg, String sigAlg, String alias,
boolean isKeyToolVerify, String... additionalCmdArgs)
throws Exception {

System.out.println("Testing Keytool\n");
List<String> cmd = prepareCommand(
"-keystore", KEYSTORE,
"-storepass", PASSWORD,
"-dname", "CN=Test",
"-ext", "bc:c",
"-keyalg", keyAlg,
"-sigalg", sigAlg,
"-alias", alias,
for (String additionalCMDArg : additionalCmdArgs) {

OutputAnalyzer analyzer = SecurityTools.keytool(cmd)
if (isKeyToolVerify) {

private static void testJarSignerSigning(String sigAlg, String alias,
String digestAlg) throws Exception {

System.out.println("\nTesting JarSigner Signing\n");
List<String> cmd = prepareCommand(
"-keystore", KEYSTORE,
"-storepass", PASSWORD,
"-sigalg", sigAlg,
"-digestalg", digestAlg,
"-signedjar", SIGNED_JARFILE,

OutputAnalyzer analyzer = SecurityTools.jarsigner(cmd)


private static void testJarSignerVerification()
throws Exception {

System.out.println("\nTesting JarSigner Verification\n");
List<String> cmd = prepareCommand(

OutputAnalyzer analyzer = SecurityTools.jarsigner(cmd)

if (isAlgoRestricted()) {
analyzer.shouldContain("The jar will be treated as unsigned,"
+ " because it is signed with a weak algorithm that "
+ "is now disabled.");
} else {
analyzer.shouldContain("jar verified.");

private static List<String> prepareCommand(String... options) {
List<String> cmd = new ArrayList<>();
if (!isAlgoRestricted()) {
return cmd;

private static void verifyAnalyzer(OutputAnalyzer analyzer) {
if (isAlgoRestricted()) {
} else {

private static boolean isAlgoRestricted() {
return ("RESTRICT".equals(algoStatus)) ? true : false;

0 comments on commit dcb4a8d

Please sign in to comment.