299 // Valid until: Sat May 30 10:38:31 GMT 2020
300 add("addtrustexternalca [jdk]");
301 // Valid until: Sat May 30 10:44:50 GMT 2020
302 add("addtrustqualifiedca [jdk]");
303 // Valid until: Wed Mar 17 02:51:37 PDT 2021
304 add("luxtrustglobalrootca [jdk]");
305 // Valid until: Wed Mar 17 11:33:33 PDT 2021
306 add("quovadisrootca [jdk]");
307 // Valid until: Sat May 21 04:00:00 GMT 2022
308 add("geotrustglobalca [jdk]");
309 }
310 };
311
312 // Ninety days in milliseconds
313 private static final long NINETY_DAYS = 7776000000L;
314
315 private static boolean atLeastOneFailed = false;
316
317 private static MessageDigest md;
318
319 public static void main(String[] args) throws Exception {
320 System.out.println("cacerts file: " + CACERTS);
321
322 // verify integrity of cacerts
323 md = MessageDigest.getInstance("SHA-256");
324 byte[] data = Files.readAllBytes(Path.of(CACERTS));
325 String checksum = HEX.formatHex(md.digest(data));
326 if (!checksum.equals(CHECKSUM)) {
327 atLeastOneFailed = true;
328 System.err.println("ERROR: wrong checksum " + checksum);
329 System.err.println("Expected checksum " + CHECKSUM);
330 }
331
332 KeyStore ks = KeyStore.getInstance("JKS");
333 ks.load(new ByteArrayInputStream(data), "changeit".toCharArray());
334
335 // check the count of certs inside
336 if (ks.size() != COUNT) {
337 atLeastOneFailed = true;
338 System.err.println("ERROR: " + ks.size() + " entries, should be "
339 + COUNT);
340 }
341
342 System.out.println("Trusted CA Certificate count: " + ks.size());
343
344 // also ensure FINGERPRINT_MAP lists correct count
345 if (FINGERPRINT_MAP.size() != COUNT) {
346 atLeastOneFailed = true;
347 System.err.println("ERROR: " + FINGERPRINT_MAP.size()
348 + " FINGERPRINT_MAP entries, should be " + COUNT);
349 }
350
351 // check that all entries in the map are in the keystore
352 for (String alias : FINGERPRINT_MAP.keySet()) {
353 if (!ks.isCertificateEntry(alias)) {
354 atLeastOneFailed = true;
355 System.err.println("ERROR: " + alias + " is not in cacerts");
356 }
357 }
358
359 // pull all the trusted self-signed CA certs out of the cacerts file
360 // and verify their signatures
361 Enumeration<String> aliases = ks.aliases();
362 while (aliases.hasMoreElements()) {
363 String alias = aliases.nextElement();
364 System.out.println("Verifying " + alias);
365
366 // Is cert trusted?
367 if (!ks.isCertificateEntry(alias)) {
368 atLeastOneFailed = true;
|
299 // Valid until: Sat May 30 10:38:31 GMT 2020
300 add("addtrustexternalca [jdk]");
301 // Valid until: Sat May 30 10:44:50 GMT 2020
302 add("addtrustqualifiedca [jdk]");
303 // Valid until: Wed Mar 17 02:51:37 PDT 2021
304 add("luxtrustglobalrootca [jdk]");
305 // Valid until: Wed Mar 17 11:33:33 PDT 2021
306 add("quovadisrootca [jdk]");
307 // Valid until: Sat May 21 04:00:00 GMT 2022
308 add("geotrustglobalca [jdk]");
309 }
310 };
311
312 // Ninety days in milliseconds
313 private static final long NINETY_DAYS = 7776000000L;
314
315 private static boolean atLeastOneFailed = false;
316
317 private static MessageDigest md;
318
319 private static final int OVERALL_CA_CERT_COUNT = COUNT + AmazonCACertConstants.AMAZON_CA_CERT_COUNT;
320
321 public static void main(String[] args) throws Exception {
322 System.out.println("cacerts file: " + CACERTS);
323 FINGERPRINT_MAP.putAll(AmazonCACertConstants.AMAZON_CA_FINGERPRINT_MAP);
324 EXPIRY_EXC_ENTRIES.addAll(AmazonCACertConstants.AMAZON_CA_EXPIRY_EXC_ENTRIES);
325
326 // verify integrity of cacerts
327 md = MessageDigest.getInstance("SHA-256");
328 byte[] data = Files.readAllBytes(Path.of(CACERTS));
329 /* Ignore whole-file checksum as the checksum of the cacerts
330 * file changes with each build, due to the way we merge upstream
331 * OpenJDK certs and Amazon Linux certs at build time.
332 String checksum = HEX.formatHex(md.digest(data));
333 if (!checksum.equals(CHECKSUM)) {
334 atLeastOneFailed = true;
335 System.err.println("ERROR: wrong checksum " + checksum);
336 System.err.println("Expected checksum " + CHECKSUM);
337 }
338 */
339
340 KeyStore ks = KeyStore.getInstance("JKS");
341 ks.load(new ByteArrayInputStream(data), "changeit".toCharArray());
342
343 // check the count of certs inside
344 if (ks.size() != OVERALL_CA_CERT_COUNT) {
345 atLeastOneFailed = true;
346 System.err.println("ERROR: " + ks.size() + " entries, should be "
347 + OVERALL_CA_CERT_COUNT);
348 }
349
350 System.out.println("Trusted CA Certificate count: " + ks.size());
351
352 // also ensure FINGERPRINT_MAP lists correct count
353 if (FINGERPRINT_MAP.size() != OVERALL_CA_CERT_COUNT) {
354 atLeastOneFailed = true;
355 System.err.println("ERROR: " + FINGERPRINT_MAP.size()
356 + " FINGERPRINT_MAP entries, should be " + OVERALL_CA_CERT_COUNT);
357 }
358
359 // check that all entries in the map are in the keystore
360 for (String alias : FINGERPRINT_MAP.keySet()) {
361 if (!ks.isCertificateEntry(alias)) {
362 atLeastOneFailed = true;
363 System.err.println("ERROR: " + alias + " is not in cacerts");
364 }
365 }
366
367 // pull all the trusted self-signed CA certs out of the cacerts file
368 // and verify their signatures
369 Enumeration<String> aliases = ks.aliases();
370 while (aliases.hasMoreElements()) {
371 String alias = aliases.nextElement();
372 System.out.println("Verifying " + alias);
373
374 // Is cert trusted?
375 if (!ks.isCertificateEntry(alias)) {
376 atLeastOneFailed = true;
|
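Review bot: With the SHA-256 comparison wrapped in a block comment in main, the `// verify integrity of cacerts` line above it no longer describes any check. The test's integrity guarantee now rests on the entry count, the FINGERPRINT_MAP membership loop and whatever per-certificate fingerprint comparison the while loop performs further down (main continues outside the hunk). I would delete the dead code rather than keep it commented out, and replace it with a short note such as `// Whole-file checksum is skipped: cacerts is merged at build time; integrity is enforced per certificate via FINGERPRINT_MAP below.` If AmazonCACertConstants.AMAZON_CA_FINGERPRINT_MAP is generated from the same bundle that is merged into cacerts at build time (not visible here), those entries would be compared against themselves. It is worth confirming that the fingerprints are pinned independently of the build input.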