/*

 * Copyright (c) 2005, 2019, Oracle and/or its affiliates. All rights reserved.

 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

 *

 * This code is free software; you can redistribute it and/or modify it

 * under the terms of the GNU General Public License version 2 only, as

 * published by the Free Software Foundation.

 *

 * This code is distributed in the hope that it will be useful, but WITHOUT

 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

 * version 2 for more details (a copy is included in the LICENSE file that

 * accompanied this code).

 *

 * You should have received a copy of the GNU General Public License version

 * 2 along with this work; if not, write to the Free Software Foundation,

 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

 *

 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

 * or visit www.oracle.com if you need additional information or have any

 * questions.

 */

/*

 * @test

 * @bug 6251120 8231950

 * @summary Testing keytool

 *

 * Run through autotest.sh and manualtest.sh

 *

 * Testing non-PKCS11 keystores:

 *       echo | java -Dfile KeyToolTest

 *

 * Testing NSS PKCS11 keystores:

 *       # testing NSS

 *       # make sure the NSS db files are in current directory and writable

 *       echo | java -Dnss -Dnss.lib=/path/to/libsoftokn3.so KeyToolTest

 *

 * Testing Solaris Cryptography Framework PKCS11 keystores:

 *       # make sure you've already run pktool and set test12 as pin

 *       echo | java -Dsolaris KeyToolTest

 *

 * ATTENTION:

 * Exception in thread "main" java.security.ProviderException:

 *   sun.security.pkcs11.wrapper.PKCS11Exception: CKR_KEY_SIZE_RANGE

 *       at sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:420)

 *       ...

 * Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_KEY_SIZE_RANGE

 *       at sun.security.pkcs11.wrapper.PKCS11.C_SignFinal(Native Method)

 *       at sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:391)

 *       ...

 * been observed. Possibly a Solaris bug

 *

 * ATTENTION:

 * NSS PKCS11 config file are changed, DSA not supported now.

 *

 * @library /test/lib

 * @modules java.base/sun.security.tools.keytool

 *          java.base/sun.security.util

 *          java.base/sun.security.x509

 * @run main/othervm/timeout=600 -Dfile KeyToolTest

 */

import java.nio.file.Files;

import java.nio.file.Paths;

import java.security.KeyStore;

import sun.security.x509.*;

import java.io.*;

import java.security.KeyPairGenerator;

import java.security.NoSuchAlgorithmException;

import java.util.*;

import java.security.cert.X509Certificate;

import jdk.test.lib.util.FileUtils;

import sun.security.util.ObjectIdentifier;

public class KeyToolTest {

    // The stdout and stderr outputs after a keytool run

    String out;

    String err;

    // the output of println() in KeyTool.run

    String ex;

    String lastInput = "", lastCommand = "";

    private static final boolean debug =

        System.getProperty("debug") != null;

    static final String NSS_P11_ARG =

            "-keystore NONE -storetype PKCS11 -providerName SunPKCS11-nss " +

            "-addprovider SunPKCS11 " +

            "-providerArg p11-nss.txt ";

    // Use -providerClass here, to confirm it still works for SunPKCS11.

    static final String NSS_SRC_P11_ARG =

            "-srckeystore NONE -srcstoretype PKCS11 " +

            "-srcproviderName SunPKCS11-nss " +

            "-providerClass sun.security.pkcs11.SunPKCS11 " +

            "-providerArg p11-nss.txt ";

    static final String NZZ_P11_ARG =

            "-keystore NONE -storetype PKCS11 -providerName SunPKCS11-nzz " +

            "-addprovider SunPKCS11 " +

            "-providerArg p11-nzz.txt ";

    static final String NZZ_SRC_P11_ARG =

            "-srckeystore NONE -srcstoretype PKCS11 " +

            "-srcproviderName SunPKCS11-nzz " +

            "-addprovider SunPKCS11 " +

            "-providerArg p11-nzz.txt ";

    static final String SUN_P11_ARG = "-keystore NONE -storetype PKCS11 ";

    static final String SUN_SRC_P11_ARG =

            "-srckeystore NONE -srcstoretype PKCS11 ";

    String p11Arg, srcP11Arg;

    /** Creates a new instance of KeyToolTest */

    KeyToolTest() {

        // so that there is "Warning" and not translated into other language

        Locale.setDefault(Locale.US);

    }

    /**

     * Helper, removes a file

     */

    void remove(String filename) {

        if (debug) {

            System.err.println("Removing " + filename);

        }

        try{

            FileUtils.deleteFileIfExistsWithRetry(Paths.get(filename));

        }catch(IOException e) {

            throw new RuntimeException("Error deleting " + filename, e);

        }

    }

    /**

     * Run a set of keytool command with given terminal input.

     * @param input the terminal inputs, the characters typed by human

     *        if <code>cmd</code> is running on a terminal

     * @param cmd the argument of a keytool command line

     * @throws if keytool goes wrong in some place

     */

    void test(String input, String cmd) throws Exception {

        lastInput = input;

        lastCommand = cmd;

        // "X" is appended so that we can precisely test how input is consumed

        HumanInputStream in = new HumanInputStream(input+"X");

        test(in, cmd);

        // make sure the input string is no more no less

        if(in.read() != 'X' || in.read() != -1)

            throw new Exception("Input not consumed exactly");

    }

    void test(InputStream in, String cmd) throws Exception {

        // save the original 3 streams

        if (debug) {

            System.err.println(cmd);

        } else {

            System.err.print(".");

        }

        PrintStream p1 = System.out;

        PrintStream p2 = System.err;

        InputStream i1 = System.in;

        ByteArrayOutputStream b1 = new ByteArrayOutputStream();

        ByteArrayOutputStream b2 = new ByteArrayOutputStream();

        try {

            System.setIn(in);

            System.setOut(new PrintStream(b1));

            System.setErr(new PrintStream(b2));

            // since System.in is overrided, the

            // sun.security.tools.keytool.Main.main() method will

            // never block at user input

            // use -debug so that main() will throw an Exception

            // instead of calling System.exit()

            sun.security.tools.keytool.Main.main(("-debug "+cmd).split("\\s+"));

        } finally {

            out = b1.toString();

            err = b2.toString();

            ex = out;   // now it goes to System.out

            System.setIn(i1);

            System.setOut(p1);

            System.setErr(p2);

        }

    }

    /**

     * Call this method if you expect test(input, cmd) should go OK

     */

    void testOK(String input, String cmd) throws Exception {

        try {

            // Workaround for "8057810: Make SHA256withDSA the default

            // jarsigner and keytool algorithm for DSA keys". Unfortunately

            // SunPKCS11-NSS does not support SHA256withDSA yet.

            if (cmd.contains("p11-nss.txt") && cmd.contains("-genkey")

                cmd += " -sigalg SHA1withDSA -keysize 1024";

            }

            test(input, cmd);

        } catch(Exception e) {

            afterFail(input, cmd, "OK");

            throw e;

        }

    }

    /**

     * Call this method if you expect test(input, cmd) should fail and throw

     * an exception

     */

    void testFail(String input, String cmd) throws Exception {

        boolean ok;

        try {

            test(input, cmd);

            ok = true;

        } catch(Exception e) {

            if (e instanceof MissingResourceException) {

                ok = true;

            } else {

                ok = false;

            }

        }

        if(ok) {

            afterFail(input, cmd, "FAIL");

            throw new RuntimeException();

        }

    }

    /**

     * Call this method if you expect test(input, cmd) should go OK

     */

    void testOK(InputStream is, String cmd) throws Exception {

        try {

            test(is, cmd);

        } catch(Exception e) {

            afterFail("", cmd, "OK");

            throw e;

        }

    }

    /**

     * Call this method if you expect test(input, cmd) should fail and throw

     * an exception

     */

    void testFail(InputStream is, String cmd) throws Exception {

        boolean ok;

        try {

            test(is, cmd);

            ok = true;

        } catch(Exception e) {

            ok = false;

        }

        if(ok) {

            afterFail("", cmd, "FAIL");

            throw new RuntimeException();

        }

    }

    /**

     * Call this method if you just want to run the command and does

     * not care if it succeeds or fails.

     */

    void testAnyway(String input, String cmd) {

        try {

            test(input, cmd);

        } catch(Exception e) {

            ;

        }

    }

    /**

     * Helper method, print some output after a test does not do as expected

     */

    void afterFail(String input, String cmd, String should) {

        if (cmd.contains("p11-nss.txt")) {

            cmd = "-J-Dnss.lib=" + System.getProperty("nss.lib") + " " + cmd;

        }

        System.err.println("\nTest fails for the command ---\n" +

                "keytool " + cmd + "\nOr its debug version ---\n" +

                "keytool -debug " + cmd);

        System.err.println("The command result should be " + should +

                ", but it's not. Try run the command manually and type" +

                " these input into it: ");

        char[] inputChars = input.toCharArray();

        for (int i=0; i<inputChars.length; i++) {

            char ch = inputChars[i];

            if (ch == '\n') System.err.print("ENTER ");

            else if (ch == ' ') System.err.print("SPACE ");

            else System.err.print(ch + " ");

        }

        System.err.println("");

        System.err.println("ERR is:\n"+err);

        System.err.println("OUT is:\n"+out);

    }

    void assertTrue(boolean bool, String msg) {

        if (debug) {

            System.err.println("If not " + bool + ", " + msg);

        } else {

            System.err.print("v");

        }

        if(!bool) {

            afterFail(lastInput, lastCommand, "TRUE");

                System.err.println(msg);

            throw new RuntimeException(msg);

        }

    }

    void assertTrue(boolean bool) {

        assertTrue(bool, "well...");

    }

    /**

     * Helper method, load a keystore

     * @param file file for keystore, null or "NONE" for PKCS11

     * @pass password for the keystore

     * @type keystore type

     * @returns the KeyStore object

     * @exception Exception if anything goes wrong

     */

    KeyStore loadStore(String file, String pass, String type) throws Exception {

        KeyStore ks = KeyStore.getInstance(type);

        FileInputStream is = null;

        if (file != null && !file.equals("NONE")) {

            is = new FileInputStream(file);

        }

        ks.load(is, pass.toCharArray());

        is.close();

        return ks;

    }

    /**

     * The test suite.

     * Maybe it's better to put this outside the KeyToolTest class

     */

    void testAll() throws Exception {

        KeyStore ks;

        remove("x.jks");

        remove("x.jceks");

        remove("x.p12");

        remove("x2.jceks");

        remove("x2.jks");

        remove("x.jks.p1.cert");

        // name changes: genkeypair, importcert, exportcert

        remove("x.jks");

        remove("x.jks.p1.cert");

        testOK("", "-keystore x.jks -storetype JKS -storepass changeit " +

        testOK("", "-keystore x.jks -storetype JKS -storepass changeit " +

                "-exportcert -alias p1 -file x.jks.p1.cert");

        ks = loadStore("x.jks", "changeit", "JKS");

        assertTrue(ks.getKey("p1", "changeit".toCharArray()) != null,

            "key not DSA");

        assertTrue(new File("x.jks.p1.cert").exists(), "p1 export err");

        testOK("", "-keystore x.jks -storetype JKS -storepass changeit " +

                "-delete -alias p1");

        // importcert, prompt for Yes/No

        testOK("y\n", "-keystore x.jks -storetype JKS -storepass changeit " +

                "-importcert -alias c1 -file x.jks.p1.cert");

        // importcert, -noprompt

        testOK("", "-keystore x.jks -storetype JKS -storepass changeit " +

                "-importcert -alias c2 -file x.jks.p1.cert -noprompt");

        ks = loadStore("x.jks", "changeit", "JKS");

        assertTrue(ks.getCertificate("c1") != null, "import c1 err");

        // v3

        byte[] encoded = ks.getCertificate("c1").getEncoded();

        X509CertImpl certImpl = new X509CertImpl(encoded);

        assertTrue(certImpl.getVersion() == 3, "Version is not 3");

        // changealias and keyclone

        testOK("", "-keystore x.jks -storetype JKS -storepass changeit " +

        testOK("changeit\n", "-keystore x.jks -storetype JKS " +

                "-changealias -alias p1 -destalias p11");

        testOK("changeit\n", "-keystore x.jks -storetype JKS " +

                "-changealias -alias c1 -destalias c11");

        // press ENTER when prompt for p111's keypass

        testOK("changeit\n\n", "-keystore x.jks -storetype JKS " +

                "-keyclone -alias p11 -destalias p111");

        ks = loadStore("x.jks", "changeit", "JKS");

        assertTrue(!ks.containsAlias("p1"), "there is no p1");

        assertTrue(!ks.containsAlias("c1"), "there is no c1");

        assertTrue(ks.containsAlias("p11"), "there is p11");

        assertTrue(ks.containsAlias("c11"), "there is c11");

        assertTrue(ks.containsAlias("p111"), "there is p111");

        // genSecKey

        remove("x.jceks");

        // DES, no need keysize

        testOK("changeit\nchangeit\n\n", "-keystore x.jceks -storetype JCEKS " +

        // DES, keysize cannot be 128

        testFail("changeit\n\n", "-keystore x.jceks -storetype JCEKS " +

        // DESede. no need keysize

        testOK("changeit\n\n", "-keystore x.jceks -storetype JCEKS " +

                "-genseckey -keyalg DESede -alias s2");

        // AES, need keysize

        testFail("changeit\n\n", "-keystore x.jceks -storetype AES " +

                "-genseckey -keyalg Rijndael -alias s3");

        testOK("changeit\n\n", "-keystore x.jceks -storetype JCEKS " +

                "-genseckey -keyalg AES -alias s3 -keysize 128");

        // about keypass

        // can accept storepass

        testOK("\n", "-keystore x.jceks -storetype JCEKS -storepass changeit " +

        // or a new one

        testOK("keypass\nkeypass\n", "-keystore x.jceks -storetype JCEKS " +

        // keypass must be valid (prompt 3 times)

        testOK("bad\n\bad\nkeypass\nkeypass\n", "-keystore x.jceks " +

        // keypass must be valid (prompt 3 times)

        testFail("bad\n\bad\nbad\n", "-keystore x.jceks -storetype JCEKS " +

        // keypass must be valid (prompt 3 times)

        testFail("bad\n\bad\nbad\nkeypass\n", "-keystore x.jceks " +

        ks = loadStore("x.jceks", "changeit", "JCEKS");

        assertTrue(ks.getKey("s1", "changeit".toCharArray())

                .getAlgorithm().equalsIgnoreCase("DES"), "s1 is DES");

        assertTrue(ks.getKey("s1", "changeit".toCharArray())

                .getEncoded().length == 8,  "DES is 56");

        assertTrue(ks.getKey("s2", "changeit".toCharArray())

                .getEncoded().length == 24,  "DESede is 168");

        assertTrue(ks.getKey("s2", "changeit".toCharArray())

                .getAlgorithm().equalsIgnoreCase("DESede"), "s2 is DESede");

        assertTrue(ks.getKey("s3", "changeit".toCharArray())

                .getAlgorithm().equalsIgnoreCase("AES"), "s3 is AES");

        assertTrue(ks.getKey("s4", "changeit".toCharArray())

                .getAlgorithm().equalsIgnoreCase("DES"), "s4 is DES");

        assertTrue(ks.getKey("s5", "keypass".toCharArray())

                .getAlgorithm().equalsIgnoreCase("DES"), "s5 is DES");

        assertTrue(ks.getKey("s6", "keypass".toCharArray())

                .getAlgorithm().equalsIgnoreCase("DES"), "s6 is DES");

        assertTrue(!ks.containsAlias("s7"), "s7 not created");

        // maybe we needn't test this, one day JKS will support SecretKey

        //testFail("changeit\nchangeit\n", "-keystore x.jks -storetype JKS " +

        //        "-genseckey -keyalg AES -alias s3 -keysize 128");

        // importKeyStore

        remove("x.jks");

        remove("x.jceks");

        // create 2 entries...

        testOK("changeit\nchangeit\n\n", "-keystore x.jceks -storetype JCEKS " +

        testOK("", "-keystore x.jceks -storetype JCEKS -storepass changeit " +

                "-importcert -alias c1 -file x.jks.p1.cert -noprompt");

        ks = loadStore("x.jceks", "changeit", "JCEKS");

        assertTrue(ks.size() == 2, "2 entries in JCEKS");

        // import, shouldn't mention destalias/srckeypass/destkeypass

        // if srcalias is no given

        testFail("changeit\nchangeit\n", "-importkeystore " +

                "-srckeystore x.jceks -srcstoretype JCEKS " +

                "-destkeystore x.jks -deststoretype JKS -destalias pp");

        testFail("changeit\nchangeit\n", "-importkeystore " +

                "-srckeystore x.jceks -srcstoretype JCEKS " +

                "-destkeystore x.jks -deststoretype JKS -srckeypass changeit");

        testFail("changeit\nchangeit\n", "-importkeystore " +

                "-srckeystore x.jceks -srcstoretype JCEKS " +

                "-destkeystore x.jks -deststoretype JKS -destkeypass changeit");

        // normal import

        testOK("changeit\nchangeit\nchangeit\n", "-importkeystore " +

                "-srckeystore x.jceks -srcstoretype JCEKS " +

                "-destkeystore x.jks -deststoretype JKS");

        ks = loadStore("x.jks", "changeit", "JKS");

        assertTrue(ks.size() == 2, "2 entries in JKS");

        // import again, type yes to overwrite old entries

        testOK("changeit\nchangeit\ny\ny\n", "-importkeystore " +

                "-srckeystore x.jceks -srcstoretype JCEKS " +

                "-destkeystore x.jks -deststoretype JKS");

        ks = loadStore("x.jks", "changeit", "JKS");

        // import again, specify -nopromt

        testOK("changeit\nchangeit\n", "-importkeystore " +

                "-srckeystore x.jceks -srcstoretype JCEKS " +

                "-destkeystore x.jks -deststoretype JKS -noprompt");

        assertTrue(err.indexOf("Warning") != -1, "noprompt will warn");

        ks = loadStore("x.jks", "changeit", "JKS");

        assertTrue(ks.size() == 2, "2 entries in JKS");

        // import again, type into new aliases when prompted

        testOK("changeit\nchangeit\n\ns1\n\ns2\n", "-importkeystore " +

                "-srckeystore x.jceks -srcstoretype JCEKS " +

                "-destkeystore x.jks -deststoretype JKS");

        ks = loadStore("x.jks", "changeit", "JKS");

        assertTrue(ks.size() == 4, "4 entries in JKS");

        // importkeystore single

        // normal

        remove("x.jks");

        testOK("changeit\nchangeit\nchangeit\n", "-importkeystore " +

                "-srckeystore x.jceks -srcstoretype JCEKS " +

                "-destkeystore x.jks -deststoretype JKS -srcalias p1");

        ks = loadStore("x.jks", "changeit", "JKS");

        assertTrue(ks.size() == 1, "1 entries in JKS");

        // overwrite

        testOK("changeit\nchangeit\ny\n", "-importkeystore " +

                "-srckeystore x.jceks -srcstoretype JCEKS " +

                "-destkeystore x.jks -deststoretype JKS -srcalias p1");

        ks = loadStore("x.jks", "changeit", "JKS");

        assertTrue(ks.size() == 1, "1 entries in JKS");