1 /* 2 * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. 8 * 9 * This code is distributed in the hope that it will be useful, but WITHOUT 10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 12 * version 2 for more details (a copy is included in the LICENSE file that 13 * accompanied this code). 14 * 15 * You should have received a copy of the GNU General Public License version 16 * 2 along with this work; if not, write to the Free Software Foundation, 17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 18 * 19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 20 * or visit www.oracle.com if you need additional information or have any 21 * questions. 22 */ 23 24 import java.nio.file.Path; 25 import java.util.List; 26 27 import jdk.jpackage.test.TKit; 28 import jdk.jpackage.test.Executor; 29 30 public class SigningBase { 31 32 public static String DEV_NAME = "jpackage.openjdk.java.net"; 33 public static String APP_CERT 34 = "Developer ID Application: " + DEV_NAME; 35 public static String INSTALLER_CERT 36 = "Developer ID Installer: " + DEV_NAME; 37 public static String KEYCHAIN = "jpackagerTest.keychain"; 38 39 private static void checkString(List<String> result, String lookupString) { 40 TKit.assertTextStream(lookupString).predicate( 41 (line, what) -> line.trim().equals(what)).apply(result.stream()); 42 } 43 44 private static List<String> codesignResult(Path target, boolean signed) { 45 int exitCode = signed ? 0 : 1; 46 List<String> result = new Executor() 47 .setExecutable("codesign") 48 .addArguments("--verify", "--deep", "--strict", "--verbose=2", 49 target.toString()) 50 .saveOutput() 51 .execute(exitCode).getOutput(); 52 53 return result; 54 } 55 56 private static void verifyCodesignResult(List<String> result, Path target, 57 boolean signed) { 58 result.stream().forEachOrdered(TKit::trace); 59 if (signed) { 60 String lookupString = target.toString() + ": valid on disk"; 61 checkString(result, lookupString); 62 lookupString = target.toString() + ": satisfies its Designated Requirement"; 63 checkString(result, lookupString); 64 } else { 65 String lookupString = target.toString() 66 + ": code object is not signed at all"; 67 checkString(result, lookupString); 68 } 69 } 70 71 private static List<String> spctlResult(Path target, String type) { 72 List<String> result = new Executor() 73 .setExecutable("/usr/sbin/spctl") 74 .addArguments("-vvv", "--assess", "--type", type, 75 target.toString()) 76 // on Catalina, the exit code can be 3, meaning not notarized 77 .saveOutput() 78 .executeWithoutExitCodeCheck() 79 .getOutput(); 80 81 return result; 82 } 83 84 private static void verifySpctlResult(List<String> result, Path target, String type) { 85 result.stream().forEachOrdered(TKit::trace); 86 String lookupString; 87 /* on Catalina, spctl may return 3 and say: 88 * target: rejected 89 * source=Unnotarized DEV_NAME 90 * so we must skip these two checks 91 lookupString = target.toString() + ": accepted"; 92 checkString(result, lookupString); 93 lookupString = "source=" + DEV_NAME; 94 checkString(result, lookupString); 95 */ 96 if (type.equals("install")) { 97 lookupString = "origin=" + INSTALLER_CERT; 98 } else { 99 lookupString = "origin=" + APP_CERT; 100 } 101 checkString(result, lookupString); 102 } 103 104 private static List<String> pkgutilResult(Path target) { 105 List<String> result = new Executor() 106 .setExecutable("/usr/sbin/pkgutil") 107 .addArguments("--check-signature", 108 target.toString()) 109 .executeAndGetOutput(); 110 111 return result; 112 } 113 114 private static void verifyPkgutilResult(List<String> result) { 115 result.stream().forEachOrdered(TKit::trace); 116 String lookupString = "Status: signed by a certificate trusted for current user"; 117 checkString(result, lookupString); 118 lookupString = "1. " + INSTALLER_CERT; 119 checkString(result, lookupString); 120 } 121 122 public static void verifyCodesign(Path target, boolean signed) { 123 List<String> result = codesignResult(target, signed); 124 verifyCodesignResult(result, target, signed); 125 } 126 127 public static void verifySpctl(Path target, String type) { 128 List<String> result = spctlResult(target, type); 129 verifySpctlResult(result, target, type); 130 } 131 132 public static void verifyPkgutil(Path target) { 133 List<String> result = pkgutilResult(target); 134 verifyPkgutilResult(result); 135 } 136 137 }