291 // Valid until: Sat May 30 10:38:31 GMT 2020
292 add("addtrustexternalca [jdk]");
293 // Valid until: Sat May 30 10:44:50 GMT 2020
294 add("addtrustqualifiedca [jdk]");
295 // Valid until: Wed Mar 17 02:51:37 PDT 2021
296 add("luxtrustglobalrootca [jdk]");
297 // Valid until: Wed Mar 17 11:33:33 PDT 2021
298 add("quovadisrootca [jdk]");
299 // Valid until: Sat May 21 04:00:00 GMT 2022
300 add("geotrustglobalca [jdk]");
301 }
302 };
303
304 // Ninety days in milliseconds
305 private static final long NINETY_DAYS = 7776000000L;
306
307 private static boolean atLeastOneFailed = false;
308
309 private static MessageDigest md;
310
311 public static void main(String[] args) throws Exception {
312 System.out.println("cacerts file: " + CACERTS);
313
314 // verify integrity of cacerts
315 md = MessageDigest.getInstance("SHA-256");
316 byte[] data = Files.readAllBytes(Path.of(CACERTS));
317 String checksum = HEX.formatHex(md.digest(data));
318 if (!checksum.equals(CHECKSUM)) {
319 atLeastOneFailed = true;
320 System.err.println("ERROR: wrong checksum " + checksum);
321 System.err.println("Expected checksum " + CHECKSUM);
322 }
323
324 KeyStore ks = KeyStore.getInstance("JKS");
325 ks.load(new ByteArrayInputStream(data), "changeit".toCharArray());
326
327 // check the count of certs inside
328 if (ks.size() != COUNT) {
329 atLeastOneFailed = true;
330 System.err.println("ERROR: " + ks.size() + " entries, should be "
331 + COUNT);
332 }
333
334 System.out.println("Trusted CA Certificate count: " + ks.size());
335
336 // also ensure FINGERPRINT_MAP lists correct count
337 if (FINGERPRINT_MAP.size() != COUNT) {
338 atLeastOneFailed = true;
339 System.err.println("ERROR: " + FINGERPRINT_MAP.size()
340 + " FINGERPRINT_MAP entries, should be " + COUNT);
341 }
342
343 // check that all entries in the map are in the keystore
344 for (String alias : FINGERPRINT_MAP.keySet()) {
345 if (!ks.isCertificateEntry(alias)) {
346 atLeastOneFailed = true;
347 System.err.println("ERROR: " + alias + " is not in cacerts");
348 }
349 }
350
351 // pull all the trusted self-signed CA certs out of the cacerts file
352 // and verify their signatures
353 Enumeration<String> aliases = ks.aliases();
354 while (aliases.hasMoreElements()) {
355 String alias = aliases.nextElement();
356 System.out.println("Verifying " + alias);
357
358 // Is cert trusted?
359 if (!ks.isCertificateEntry(alias)) {
360 atLeastOneFailed = true;
|
291 // Valid until: Sat May 30 10:38:31 GMT 2020
292 add("addtrustexternalca [jdk]");
293 // Valid until: Sat May 30 10:44:50 GMT 2020
294 add("addtrustqualifiedca [jdk]");
295 // Valid until: Wed Mar 17 02:51:37 PDT 2021
296 add("luxtrustglobalrootca [jdk]");
297 // Valid until: Wed Mar 17 11:33:33 PDT 2021
298 add("quovadisrootca [jdk]");
299 // Valid until: Sat May 21 04:00:00 GMT 2022
300 add("geotrustglobalca [jdk]");
301 }
302 };
303
304 // Ninety days in milliseconds
305 private static final long NINETY_DAYS = 7776000000L;
306
307 private static boolean atLeastOneFailed = false;
308
309 private static MessageDigest md;
310
311 private static final int OVERALL_CA_CERT_COUNT = COUNT + AmazonCACertConstants.AMAZON_CA_CERT_COUNT;
312
313 public static void main(String[] args) throws Exception {
314 System.out.println("cacerts file: " + CACERTS);
315 FINGERPRINT_MAP.putAll(AmazonCACertConstants.AMAZON_CA_FINGERPRINT_MAP);
316 EXPIRY_EXC_ENTRIES.addAll(AmazonCACertConstants.AMAZON_CA_EXPIRY_EXC_ENTRIES);
317
318 // verify integrity of cacerts
319 md = MessageDigest.getInstance("SHA-256");
320 byte[] data = Files.readAllBytes(Path.of(CACERTS));
321 /* Ignore whole-file checksum as the checksum of the cacerts
322 * file changes with each build, due to the way we merge upstream
323 * OpenJDK certs and Amazon Linux certs at build time.
324 String checksum = HEX.formatHex(md.digest(data));
325 if (!checksum.equals(CHECKSUM)) {
326 atLeastOneFailed = true;
327 System.err.println("ERROR: wrong checksum " + checksum);
328 System.err.println("Expected checksum " + CHECKSUM);
329 }
330 */
331
332 KeyStore ks = KeyStore.getInstance("JKS");
333 ks.load(new ByteArrayInputStream(data), "changeit".toCharArray());
334
335 // check the count of certs inside
336 if (ks.size() != OVERALL_CA_CERT_COUNT) {
337 atLeastOneFailed = true;
338 System.err.println("ERROR: " + ks.size() + " entries, should be "
339 + OVERALL_CA_CERT_COUNT);
340 }
341
342 System.out.println("Trusted CA Certificate count: " + ks.size());
343
344 // also ensure FINGERPRINT_MAP lists correct count
345 if (FINGERPRINT_MAP.size() != OVERALL_CA_CERT_COUNT) {
346 atLeastOneFailed = true;
347 System.err.println("ERROR: " + FINGERPRINT_MAP.size()
348 + " FINGERPRINT_MAP entries, should be " + OVERALL_CA_CERT_COUNT);
349 }
350
351 // check that all entries in the map are in the keystore
352 for (String alias : FINGERPRINT_MAP.keySet()) {
353 if (!ks.isCertificateEntry(alias)) {
354 atLeastOneFailed = true;
355 System.err.println("ERROR: " + alias + " is not in cacerts");
356 }
357 }
358
359 // pull all the trusted self-signed CA certs out of the cacerts file
360 // and verify their signatures
361 Enumeration<String> aliases = ks.aliases();
362 while (aliases.hasMoreElements()) {
363 String alias = aliases.nextElement();
364 System.out.println("Verifying " + alias);
365
366 // Is cert trusted?
367 if (!ks.isCertificateEntry(alias)) {
368 atLeastOneFailed = true;
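Review bot: The whole-file SHA-256 comparison in `main` is disabled by wrapping its statements in a block comment, which leaves dead code in the test and drops the only check that covers the cacerts file as a whole. The entry-count and alias checks that remain in this hunk only establish that the keystore and `FINGERPRINT_MAP` hold the same aliases. Integrity of the certificates themselves therefore appears to rest on the per-alias fingerprint comparison in the `while` loop, which continues past the end of the hunk; confirm that the loop fails for an alias with no entry in `FINGERPRINT_MAP` as well as for a mismatched fingerprint. I would delete the commented-out statements and keep only the reason, for example `// Whole-file checksum is not verified: cacerts is rebuilt on every build from upstream OpenJDK and Amazon Linux certs.`. If `CHECKSUM` is then unreferenced (its declaration is not visible here), remove it in the same change so the file does not carry a stale expected value.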
|