| author | weijun |
| Fri, 15 Nov 2019 09:06:58 +0800 | |
| changeset 59104 | 046e4024e55a |
| parent 52598 | 0379b618ec46 |
| permissions | -rw-r--r-- |
|
44046
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
1 |
/* |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
2 |
* Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
4 |
* |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
7 |
* published by the Free Software Foundation. |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
8 |
* |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
9 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
10 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
11 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
12 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
13 |
* accompanied this code). |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
14 |
* |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
15 |
* You should have received a copy of the GNU General Public License version |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
16 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
17 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
18 |
* |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
19 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
20 |
* or visit www.oracle.com if you need additional information or have any |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
21 |
* questions. |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
22 |
*/ |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
23 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
24 |
/* |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
25 |
* @test |
|
47420
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
26 |
* @bug 8171319 8177569 8182879 |
|
44046
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
27 |
* @summary keytool should print out warnings when reading or generating |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
28 |
* cert/cert req using weak algorithms |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
29 |
* @library /test/lib |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
30 |
* @modules java.base/sun.security.tools.keytool |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
31 |
* java.base/sun.security.tools |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
32 |
* java.base/sun.security.util |
|
45467
99c87a16a8e4
8181761: add explicit @build actions for jdk.test.lib classes in all :tier2 tests
iignatyev
parents:
44419
diff
changeset
|
33 |
* @build jdk.test.lib.SecurityTools |
|
99c87a16a8e4
8181761: add explicit @build actions for jdk.test.lib classes in all :tier2 tests
iignatyev
parents:
44419
diff
changeset
|
34 |
* jdk.test.lib.Utils |
|
99c87a16a8e4
8181761: add explicit @build actions for jdk.test.lib classes in all :tier2 tests
iignatyev
parents:
44419
diff
changeset
|
35 |
* jdk.test.lib.Asserts |
|
99c87a16a8e4
8181761: add explicit @build actions for jdk.test.lib classes in all :tier2 tests
iignatyev
parents:
44419
diff
changeset
|
36 |
* jdk.test.lib.JDKToolFinder |
|
99c87a16a8e4
8181761: add explicit @build actions for jdk.test.lib classes in all :tier2 tests
iignatyev
parents:
44419
diff
changeset
|
37 |
* jdk.test.lib.JDKToolLauncher |
|
99c87a16a8e4
8181761: add explicit @build actions for jdk.test.lib classes in all :tier2 tests
iignatyev
parents:
44419
diff
changeset
|
38 |
* jdk.test.lib.Platform |
|
99c87a16a8e4
8181761: add explicit @build actions for jdk.test.lib classes in all :tier2 tests
iignatyev
parents:
44419
diff
changeset
|
39 |
* jdk.test.lib.process.* |
|
44046
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
40 |
* @run main/othervm/timeout=600 -Duser.language=en -Duser.country=US WeakAlg |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
41 |
*/ |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
42 |
|
|
47420
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
43 |
import jdk.test.lib.Asserts; |
|
44046
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
44 |
import jdk.test.lib.SecurityTools; |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
45 |
import jdk.test.lib.process.OutputAnalyzer; |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
46 |
import sun.security.tools.KeyStoreUtil; |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
47 |
import sun.security.util.DisabledAlgorithmConstraints; |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
48 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
49 |
import java.io.ByteArrayInputStream; |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
50 |
import java.io.ByteArrayOutputStream; |
|
47420
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
51 |
import java.io.File; |
|
44046
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
52 |
import java.io.IOException; |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
53 |
import java.io.InputStream; |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
54 |
import java.io.PrintStream; |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
55 |
import java.nio.file.Files; |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
56 |
import java.nio.file.Paths; |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
57 |
import java.nio.file.StandardCopyOption; |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
58 |
import java.security.CryptoPrimitive; |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
59 |
import java.security.KeyStore; |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
60 |
import java.security.cert.X509Certificate; |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
61 |
import java.util.Collections; |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
62 |
import java.util.EnumSet; |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
63 |
import java.util.Set; |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
64 |
import java.util.stream.Collectors; |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
65 |
import java.util.stream.Stream; |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
66 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
67 |
public class WeakAlg {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
68 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
69 |
public static void main(String[] args) throws Throwable {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
70 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
71 |
rm("ks");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
72 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
73 |
// -genkeypair, and -printcert, -list -alias, -exportcert |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
74 |
// (w/ different formats) |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
75 |
checkGenKeyPair("a", "-keyalg RSA -sigalg MD5withRSA", "MD5withRSA");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
76 |
checkGenKeyPair("b", "-keyalg RSA -keysize 512", "512-bit RSA key");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
77 |
checkGenKeyPair("c", "-keyalg RSA", null);
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
78 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
79 |
kt("-list")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
80 |
.shouldContain("Warning:")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
81 |
.shouldMatch("<a>.*MD5withRSA.*risk")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
82 |
.shouldMatch("<b>.*512-bit RSA key.*risk");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
83 |
kt("-list -v")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
84 |
.shouldContain("Warning:")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
85 |
.shouldMatch("<a>.*MD5withRSA.*risk")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
86 |
.shouldContain("MD5withRSA (weak)")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
87 |
.shouldMatch("<b>.*512-bit RSA key.*risk")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
88 |
.shouldContain("512-bit RSA key (weak)");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
89 |
|
|
44419
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
90 |
// Multiple warnings for multiple cert in -printcert |
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
91 |
// or -list or -exportcert |
|
44046
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
92 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
93 |
// -certreq, -printcertreq, -gencert |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
94 |
checkCertReq("a", "", null);
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
95 |
gencert("c-a", "")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
96 |
.shouldNotContain("Warning"); // new sigalg is not weak
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
97 |
gencert("c-a", "-sigalg MD2withRSA")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
98 |
.shouldContain("Warning:")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
99 |
.shouldMatch("The generated certificate.*MD2withRSA.*risk");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
100 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
101 |
checkCertReq("a", "-sigalg MD5withRSA", "MD5withRSA");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
102 |
gencert("c-a", "")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
103 |
.shouldContain("Warning:")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
104 |
.shouldMatch("The certificate request.*MD5withRSA.*risk");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
105 |
gencert("c-a", "-sigalg MD2withRSA")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
106 |
.shouldContain("Warning:")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
107 |
.shouldMatch("The certificate request.*MD5withRSA.*risk")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
108 |
.shouldMatch("The generated certificate.*MD2withRSA.*risk");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
109 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
110 |
checkCertReq("b", "", "512-bit RSA key");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
111 |
gencert("c-b", "")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
112 |
.shouldContain("Warning:")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
113 |
.shouldMatch("The certificate request.*512-bit RSA key.*risk")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
114 |
.shouldMatch("The generated certificate.*512-bit RSA key.*risk");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
115 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
116 |
checkCertReq("c", "", null);
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
117 |
gencert("a-c", "")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
118 |
.shouldContain("Warning:")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
119 |
.shouldMatch("The issuer.*MD5withRSA.*risk");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
120 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
121 |
// but the new cert is not weak |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
122 |
kt("-printcert -file a-c.cert")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
123 |
.shouldNotContain("Warning")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
124 |
.shouldNotContain("weak");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
125 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
126 |
gencert("b-c", "")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
127 |
.shouldContain("Warning:")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
128 |
.shouldMatch("The issuer.*512-bit RSA key.*risk");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
129 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
130 |
// -importcert |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
131 |
checkImport(); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
132 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
133 |
// -importkeystore |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
134 |
checkImportKeyStore(); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
135 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
136 |
// -gencrl, -printcrl |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
137 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
138 |
checkGenCRL("a", "", null);
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
139 |
checkGenCRL("a", "-sigalg MD5withRSA", "MD5withRSA");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
140 |
checkGenCRL("b", "", "512-bit RSA key");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
141 |
checkGenCRL("c", "", null);
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
142 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
143 |
kt("-delete -alias b");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
144 |
kt("-printcrl -file b.crl")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
145 |
.shouldContain("WARNING: not verified");
|
|
47420
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
146 |
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
147 |
jksTypeCheck(); |
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
148 |
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
149 |
checkInplaceImportKeyStore(); |
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
150 |
} |
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
151 |
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
152 |
static void jksTypeCheck() throws Exception {
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
153 |
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
154 |
// No warning for cacerts, all certs |
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
155 |
kt0("-cacerts -list -storepass changeit")
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
156 |
.shouldNotContain("Warning:");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
157 |
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
158 |
rm("ks");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
159 |
rm("ks2");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
160 |
|
|
52598
0379b618ec46
8212003: Deprecating the default keytool -keyalg option
weijun
parents:
47420
diff
changeset
|
161 |
kt("-genkeypair -keyalg DSA -alias a -dname CN=A")
|
|
47420
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
162 |
.shouldNotContain("Warning:");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
163 |
kt("-list")
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
164 |
.shouldNotContain("Warning:");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
165 |
kt("-list -storetype jks") // no warning if PKCS12 used as JKS
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
166 |
.shouldNotContain("Warning:");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
167 |
kt("-exportcert -alias a -file a.crt")
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
168 |
.shouldNotContain("Warning:");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
169 |
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
170 |
// warn if migrating to JKS |
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
171 |
importkeystore("ks", "ks2", "-deststoretype jks")
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
172 |
.shouldContain("JKS keystore uses a proprietary format");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
173 |
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
174 |
rm("ks");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
175 |
rm("ks2");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
176 |
rm("ks3");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
177 |
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
178 |
// no warning if all certs |
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
179 |
kt("-importcert -alias b -file a.crt -storetype jks -noprompt")
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
180 |
.shouldNotContain("Warning:");
|
| 59104 | 181 |
kt("-genkeypair -keyalg DSA -alias a -dname CN=A")
|
|
47420
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
182 |
.shouldContain("JKS keystore uses a proprietary format");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
183 |
kt("-list")
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
184 |
.shouldContain("JKS keystore uses a proprietary format");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
185 |
kt("-list -storetype pkcs12") // warn if JKS used as PKCS12
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
186 |
.shouldContain("JKS keystore uses a proprietary format");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
187 |
kt("-exportcert -alias a -file a.crt")
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
188 |
.shouldContain("JKS keystore uses a proprietary format");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
189 |
kt("-printcert -file a.crt") // no warning if keystore not touched
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
190 |
.shouldNotContain("Warning:");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
191 |
kt("-certreq -alias a -file a.req")
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
192 |
.shouldContain("JKS keystore uses a proprietary format");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
193 |
kt("-printcertreq -file a.req") // no warning if keystore not touched
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
194 |
.shouldNotContain("Warning:");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
195 |
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
196 |
// No warning if migrating from JKS |
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
197 |
importkeystore("ks", "ks2", "")
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
198 |
.shouldNotContain("Warning:");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
199 |
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
200 |
importkeystore("ks", "ks3", "-deststoretype pkcs12")
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
201 |
.shouldNotContain("Warning:");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
202 |
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
203 |
rm("ks");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
204 |
|
| 59104 | 205 |
kt("-genkeypair -keyalg DSA -alias a -dname CN=A -storetype jceks")
|
|
47420
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
206 |
.shouldContain("JCEKS keystore uses a proprietary format");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
207 |
kt("-list")
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
208 |
.shouldContain("JCEKS keystore uses a proprietary format");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
209 |
kt("-importcert -alias b -file a.crt -noprompt")
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
210 |
.shouldContain("JCEKS keystore uses a proprietary format");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
211 |
kt("-exportcert -alias a -file a.crt")
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
212 |
.shouldContain("JCEKS keystore uses a proprietary format");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
213 |
kt("-printcert -file a.crt")
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
214 |
.shouldNotContain("Warning:");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
215 |
kt("-certreq -alias a -file a.req")
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
216 |
.shouldContain("JCEKS keystore uses a proprietary format");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
217 |
kt("-printcertreq -file a.req")
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
218 |
.shouldNotContain("Warning:");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
219 |
kt("-genseckey -alias c -keyalg AES -keysize 128")
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
220 |
.shouldContain("JCEKS keystore uses a proprietary format");
|
|
44046
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
221 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
222 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
223 |
static void checkImportKeyStore() throws Exception {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
224 |
|
|
47420
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
225 |
rm("ks2");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
226 |
rm("ks3");
|
|
44046
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
227 |
|
|
47420
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
228 |
importkeystore("ks", "ks2", "")
|
|
44046
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
229 |
.shouldContain("3 entries successfully imported")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
230 |
.shouldContain("Warning")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
231 |
.shouldMatch("<b>.*512-bit RSA key.*risk")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
232 |
.shouldMatch("<a>.*MD5withRSA.*risk");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
233 |
|
|
47420
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
234 |
importkeystore("ks", "ks3", "-srcalias a")
|
|
44046
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
235 |
.shouldContain("Warning")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
236 |
.shouldMatch("<a>.*MD5withRSA.*risk");
|
|
47420
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
237 |
} |
|
44046
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
238 |
|
|
47420
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
239 |
static void checkInplaceImportKeyStore() throws Exception {
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
240 |
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
241 |
rm("ks");
|
| 59104 | 242 |
genkeypair("a", "-keyalg DSA");
|
|
47420
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
243 |
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
244 |
// Same type backup |
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
245 |
importkeystore("ks", "ks", "")
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
246 |
.shouldContain("Warning:")
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
247 |
.shouldMatch("original.*ks.old");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
248 |
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
249 |
importkeystore("ks", "ks", "")
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
250 |
.shouldContain("Warning:")
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
251 |
.shouldMatch("original.*ks.old2");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
252 |
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
253 |
importkeystore("ks", "ks", "-srcstoretype jks") // it knows real type
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
254 |
.shouldContain("Warning:")
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
255 |
.shouldMatch("original.*ks.old3");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
256 |
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
257 |
String cPath = new File("ks").getCanonicalPath();
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
258 |
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
259 |
importkeystore("ks", cPath, "")
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
260 |
.shouldContain("Warning:")
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
261 |
.shouldMatch("original.*ks.old4");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
262 |
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
263 |
// Migration |
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
264 |
importkeystore("ks", "ks", "-deststoretype jks")
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
265 |
.shouldContain("Warning:")
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
266 |
.shouldContain("JKS keystore uses a proprietary format")
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
267 |
.shouldMatch("Migrated.*JKS.*PKCS12.*ks.old5");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
268 |
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
269 |
Asserts.assertEQ( |
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
270 |
KeyStore.getInstance( |
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
271 |
new File("ks"), "changeit".toCharArray()).getType(),
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
272 |
"JKS"); |
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
273 |
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
274 |
importkeystore("ks", "ks", "-srcstoretype PKCS12")
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
275 |
.shouldContain("Warning:")
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
276 |
.shouldNotContain("proprietary format")
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
277 |
.shouldMatch("Migrated.*PKCS12.*JKS.*ks.old6");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
278 |
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
279 |
Asserts.assertEQ( |
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
280 |
KeyStore.getInstance( |
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
281 |
new File("ks"), "changeit".toCharArray()).getType(),
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
282 |
"PKCS12"); |
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
283 |
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
284 |
Asserts.assertEQ( |
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
285 |
KeyStore.getInstance( |
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
286 |
new File("ks.old6"), "changeit".toCharArray()).getType(),
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
287 |
"JKS"); |
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
288 |
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
289 |
// One password prompt is enough for migration |
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
290 |
kt0("-importkeystore -srckeystore ks -destkeystore ks", "changeit")
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
291 |
.shouldMatch("original.*ks.old7");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
292 |
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
293 |
// But three if importing to a different keystore |
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
294 |
rm("ks2");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
295 |
kt0("-importkeystore -srckeystore ks -destkeystore ks2",
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
296 |
"changeit") |
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
297 |
.shouldContain("Keystore password is too short");
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
298 |
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
299 |
kt0("-importkeystore -srckeystore ks -destkeystore ks2",
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
300 |
"changeit", "changeit", "changeit") |
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
301 |
.shouldContain("Importing keystore ks to ks2...")
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
302 |
.shouldNotContain("original")
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
303 |
.shouldNotContain("Migrated");
|
|
44046
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
304 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
305 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
306 |
static void checkImport() throws Exception {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
307 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
308 |
saveStore(); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
309 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
310 |
// add trusted cert |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
311 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
312 |
// cert already in |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
313 |
kt("-importcert -alias d -file a.cert", "no")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
314 |
.shouldContain("Certificate already exists in keystore")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
315 |
.shouldContain("Warning")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
316 |
.shouldMatch("The input.*MD5withRSA.*risk")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
317 |
.shouldContain("Do you still want to add it?");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
318 |
kt("-importcert -alias d -file a.cert -noprompt")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
319 |
.shouldContain("Warning")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
320 |
.shouldMatch("The input.*MD5withRSA.*risk")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
321 |
.shouldNotContain("[no]");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
322 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
323 |
// cert is self-signed |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
324 |
kt("-delete -alias a");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
325 |
kt("-delete -alias d");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
326 |
kt("-importcert -alias d -file a.cert", "no")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
327 |
.shouldContain("Warning")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
328 |
.shouldContain("MD5withRSA (weak)")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
329 |
.shouldMatch("The input.*MD5withRSA.*risk")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
330 |
.shouldContain("Trust this certificate?");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
331 |
kt("-importcert -alias d -file a.cert -noprompt")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
332 |
.shouldContain("Warning")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
333 |
.shouldMatch("The input.*MD5withRSA.*risk")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
334 |
.shouldNotContain("[no]");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
335 |
|
|
44419
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
336 |
// JDK-8177569: no warning for sigalg of trusted cert |
|
44046
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
337 |
String weakSigAlgCA = null; |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
338 |
KeyStore ks = KeyStoreUtil.getCacertsKeyStore(); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
339 |
if (ks != null) {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
340 |
DisabledAlgorithmConstraints disabledCheck = |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
341 |
new DisabledAlgorithmConstraints( |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
342 |
DisabledAlgorithmConstraints.PROPERTY_CERTPATH_DISABLED_ALGS); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
343 |
Set<CryptoPrimitive> sigPrimitiveSet = Collections |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
344 |
.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE)); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
345 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
346 |
for (String s : Collections.list(ks.aliases())) {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
347 |
if (ks.isCertificateEntry(s)) {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
348 |
X509Certificate c = (X509Certificate)ks.getCertificate(s); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
349 |
String sigAlg = c.getSigAlgName(); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
350 |
if (!disabledCheck.permits(sigPrimitiveSet, sigAlg, null)) {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
351 |
weakSigAlgCA = sigAlg; |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
352 |
Files.write(Paths.get("ca.cert"),
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
353 |
ks.getCertificate(s).getEncoded()); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
354 |
break; |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
355 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
356 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
357 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
358 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
359 |
if (weakSigAlgCA != null) {
|
|
44419
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
360 |
// The following 2 commands still have a warning on why not using |
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
361 |
// the -cacerts option directly. |
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
362 |
kt("-list -keystore " + KeyStoreUtil.getCacerts())
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
363 |
.shouldNotContain("risk");
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
364 |
kt("-list -v -keystore " + KeyStoreUtil.getCacerts())
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
365 |
.shouldNotContain("risk");
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
366 |
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
367 |
// -printcert will always show warnings |
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
368 |
kt("-printcert -file ca.cert")
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
369 |
.shouldContain("name: " + weakSigAlgCA + " (weak)")
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
370 |
.shouldContain("Warning")
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
371 |
.shouldMatch("The certificate.*" + weakSigAlgCA + ".*risk");
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
372 |
kt("-printcert -file ca.cert -trustcacerts") // -trustcacerts useless
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
373 |
.shouldContain("name: " + weakSigAlgCA + " (weak)")
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
374 |
.shouldContain("Warning")
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
375 |
.shouldMatch("The certificate.*" + weakSigAlgCA + ".*risk");
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
376 |
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
377 |
// Importing with -trustcacerts ignore CA cert's sig alg |
|
44046
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
378 |
kt("-delete -alias d");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
379 |
kt("-importcert -alias d -trustcacerts -file ca.cert", "no")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
380 |
.shouldContain("Certificate already exists in system-wide CA")
|
|
44419
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
381 |
.shouldNotContain("risk")
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
382 |
.shouldContain("Do you still want to add it to your own keystore?");
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
383 |
kt("-importcert -alias d -trustcacerts -file ca.cert -noprompt")
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
384 |
.shouldNotContain("risk")
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
385 |
.shouldNotContain("[no]");
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
386 |
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
387 |
// but not without -trustcacerts |
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
388 |
kt("-delete -alias d");
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
389 |
kt("-importcert -alias d -file ca.cert", "no")
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
390 |
.shouldContain("name: " + weakSigAlgCA + " (weak)")
|
|
44046
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
391 |
.shouldContain("Warning")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
392 |
.shouldMatch("The input.*" + weakSigAlgCA + ".*risk")
|
|
44419
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
393 |
.shouldContain("Trust this certificate?");
|
|
44046
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
394 |
kt("-importcert -alias d -file ca.cert -noprompt")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
395 |
.shouldContain("Warning")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
396 |
.shouldMatch("The input.*" + weakSigAlgCA + ".*risk")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
397 |
.shouldNotContain("[no]");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
398 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
399 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
400 |
// a non self-signed weak cert |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
401 |
reStore(); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
402 |
certreq("b", "");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
403 |
gencert("c-b", "");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
404 |
kt("-importcert -alias d -file c-b.cert") // weak only, no prompt
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
405 |
.shouldContain("Warning")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
406 |
.shouldNotContain("512-bit RSA key (weak)")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
407 |
.shouldMatch("The input.*512-bit RSA key.*risk")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
408 |
.shouldNotContain("[no]");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
409 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
410 |
kt("-delete -alias b");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
411 |
kt("-delete -alias c");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
412 |
kt("-delete -alias d");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
413 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
414 |
kt("-importcert -alias d -file c-b.cert", "no") // weak and not trusted
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
415 |
.shouldContain("Warning")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
416 |
.shouldContain("512-bit RSA key (weak)")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
417 |
.shouldMatch("The input.*512-bit RSA key.*risk")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
418 |
.shouldContain("Trust this certificate?");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
419 |
kt("-importcert -alias d -file c-b.cert -noprompt")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
420 |
.shouldContain("Warning")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
421 |
.shouldMatch("The input.*512-bit RSA key.*risk")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
422 |
.shouldNotContain("[no]");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
423 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
424 |
// a non self-signed strong cert |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
425 |
reStore(); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
426 |
certreq("a", "");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
427 |
gencert("c-a", "");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
428 |
kt("-importcert -alias d -file c-a.cert") // trusted
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
429 |
.shouldNotContain("Warning")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
430 |
.shouldNotContain("[no]");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
431 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
432 |
kt("-delete -alias a");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
433 |
kt("-delete -alias c");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
434 |
kt("-delete -alias d");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
435 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
436 |
kt("-importcert -alias d -file c-a.cert", "no") // not trusted
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
437 |
.shouldNotContain("Warning")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
438 |
.shouldContain("Trust this certificate?");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
439 |
kt("-importcert -alias d -file c-a.cert -noprompt")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
440 |
.shouldNotContain("Warning")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
441 |
.shouldNotContain("[no]");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
442 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
443 |
// install reply |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
444 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
445 |
reStore(); |
|
44419
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
446 |
certreq("c", "");
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
447 |
gencert("a-c", "");
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
448 |
kt("-importcert -alias c -file a-c.cert")
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
449 |
.shouldContain("Warning")
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
450 |
.shouldMatch("Issuer <a>.*MD5withRSA.*risk");
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
451 |
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
452 |
// JDK-8177569: no warning for sigalg of trusted cert |
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
453 |
reStore(); |
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
454 |
// Change a into a TrustedCertEntry |
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
455 |
kt("-exportcert -alias a -file a.cert");
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
456 |
kt("-delete -alias a");
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
457 |
kt("-importcert -alias a -file a.cert -noprompt");
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
458 |
kt("-list -alias a -v")
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
459 |
.shouldNotContain("weak")
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
460 |
.shouldNotContain("Warning");
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
461 |
// This time a is trusted and no warning on its weak sig alg |
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
462 |
kt("-importcert -alias c -file a-c.cert")
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
463 |
.shouldNotContain("Warning");
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
464 |
|
|
c29f26282ba0
8177569: keytool should not warn if signature algorithm used in cacerts is weak
weijun
parents:
44046
diff
changeset
|
465 |
reStore(); |
|
44046
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
466 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
467 |
gencert("a-b", "");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
468 |
gencert("b-c", "");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
469 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
470 |
// Full chain with root |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
471 |
cat("a-a-b-c.cert", "b-c.cert", "a-b.cert", "a.cert");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
472 |
kt("-importcert -alias c -file a-a-b-c.cert") // only weak
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
473 |
.shouldContain("Warning")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
474 |
.shouldMatch("Reply #2 of 3.*512-bit RSA key.*risk")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
475 |
.shouldMatch("Reply #3 of 3.*MD5withRSA.*risk")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
476 |
.shouldNotContain("[no]");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
477 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
478 |
// Without root |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
479 |
cat("a-b-c.cert", "b-c.cert", "a-b.cert");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
480 |
kt("-importcert -alias c -file a-b-c.cert") // only weak
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
481 |
.shouldContain("Warning")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
482 |
.shouldMatch("Reply #2 of 2.*512-bit RSA key.*risk")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
483 |
.shouldMatch("Issuer <a>.*MD5withRSA.*risk")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
484 |
.shouldNotContain("[no]");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
485 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
486 |
reStore(); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
487 |
gencert("b-a", "");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
488 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
489 |
kt("-importcert -alias a -file b-a.cert")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
490 |
.shouldContain("Warning")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
491 |
.shouldMatch("Issuer <b>.*512-bit RSA key.*risk")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
492 |
.shouldNotContain("[no]");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
493 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
494 |
kt("-importcert -alias a -file c-a.cert")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
495 |
.shouldNotContain("Warning");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
496 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
497 |
kt("-importcert -alias b -file c-b.cert")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
498 |
.shouldContain("Warning")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
499 |
.shouldMatch("The input.*512-bit RSA key.*risk")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
500 |
.shouldNotContain("[no]");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
501 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
502 |
reStore(); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
503 |
gencert("b-a", "");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
504 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
505 |
cat("c-b-a.cert", "b-a.cert", "c-b.cert");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
506 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
507 |
kt("-printcert -file c-b-a.cert")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
508 |
.shouldContain("Warning")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
509 |
.shouldMatch("The certificate #2 of 2.*512-bit RSA key.*risk");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
510 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
511 |
kt("-delete -alias b");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
512 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
513 |
kt("-importcert -alias a -file c-b-a.cert")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
514 |
.shouldContain("Warning")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
515 |
.shouldMatch("Reply #2 of 2.*512-bit RSA key.*risk")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
516 |
.shouldNotContain("[no]");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
517 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
518 |
kt("-delete -alias c");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
519 |
kt("-importcert -alias a -file c-b-a.cert", "no")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
520 |
.shouldContain("Top-level certificate in reply:")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
521 |
.shouldContain("512-bit RSA key (weak)")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
522 |
.shouldContain("Warning")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
523 |
.shouldMatch("Reply #2 of 2.*512-bit RSA key.*risk")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
524 |
.shouldContain("Install reply anyway?");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
525 |
kt("-importcert -alias a -file c-b-a.cert -noprompt")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
526 |
.shouldContain("Warning")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
527 |
.shouldMatch("Reply #2 of 2.*512-bit RSA key.*risk")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
528 |
.shouldNotContain("[no]");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
529 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
530 |
reStore(); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
531 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
532 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
533 |
private static void cat(String dest, String... src) throws IOException {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
534 |
System.out.println("---------------------------------------------");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
535 |
System.out.printf("$ cat ");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
536 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
537 |
ByteArrayOutputStream bout = new ByteArrayOutputStream(); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
538 |
for (String s : src) {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
539 |
System.out.printf(s + " "); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
540 |
bout.write(Files.readAllBytes(Paths.get(s))); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
541 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
542 |
Files.write(Paths.get(dest), bout.toByteArray()); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
543 |
System.out.println("> " + dest);
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
544 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
545 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
546 |
static void checkGenCRL(String alias, String options, String bad) {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
547 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
548 |
OutputAnalyzer oa = kt("-gencrl -alias " + alias
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
549 |
+ " -id 1 -file " + alias + ".crl " + options); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
550 |
if (bad == null) {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
551 |
oa.shouldNotContain("Warning");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
552 |
} else {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
553 |
oa.shouldContain("Warning")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
554 |
.shouldMatch("The generated CRL.*" + bad + ".*risk");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
555 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
556 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
557 |
oa = kt("-printcrl -file " + alias + ".crl");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
558 |
if (bad == null) {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
559 |
oa.shouldNotContain("Warning")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
560 |
.shouldContain("Verified by " + alias + " in keystore")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
561 |
.shouldNotContain("(weak");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
562 |
} else {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
563 |
oa.shouldContain("Warning:")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
564 |
.shouldMatch("The CRL.*" + bad + ".*risk")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
565 |
.shouldContain("Verified by " + alias + " in keystore")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
566 |
.shouldContain(bad + " (weak)"); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
567 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
568 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
569 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
570 |
static void checkCertReq( |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
571 |
String alias, String options, String bad) {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
572 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
573 |
OutputAnalyzer oa = certreq(alias, options); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
574 |
if (bad == null) {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
575 |
oa.shouldNotContain("Warning");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
576 |
} else {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
577 |
oa.shouldContain("Warning")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
578 |
.shouldMatch("The generated certificate request.*" + bad + ".*risk");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
579 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
580 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
581 |
oa = kt("-printcertreq -file " + alias + ".req");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
582 |
if (bad == null) {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
583 |
oa.shouldNotContain("Warning")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
584 |
.shouldNotContain("(weak)");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
585 |
} else {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
586 |
oa.shouldContain("Warning")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
587 |
.shouldMatch("The certificate request.*" + bad + ".*risk")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
588 |
.shouldContain(bad + " (weak)"); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
589 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
590 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
591 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
592 |
static void checkGenKeyPair( |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
593 |
String alias, String options, String bad) {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
594 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
595 |
OutputAnalyzer oa = genkeypair(alias, options); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
596 |
if (bad == null) {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
597 |
oa.shouldNotContain("Warning");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
598 |
} else {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
599 |
oa.shouldContain("Warning")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
600 |
.shouldMatch("The generated certificate.*" + bad + ".*risk");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
601 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
602 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
603 |
oa = kt("-exportcert -alias " + alias + " -file " + alias + ".cert");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
604 |
if (bad == null) {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
605 |
oa.shouldNotContain("Warning");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
606 |
} else {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
607 |
oa.shouldContain("Warning")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
608 |
.shouldMatch("The certificate.*" + bad + ".*risk");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
609 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
610 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
611 |
oa = kt("-exportcert -rfc -alias " + alias + " -file " + alias + ".cert");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
612 |
if (bad == null) {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
613 |
oa.shouldNotContain("Warning");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
614 |
} else {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
615 |
oa.shouldContain("Warning")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
616 |
.shouldMatch("The certificate.*" + bad + ".*risk");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
617 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
618 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
619 |
oa = kt("-printcert -rfc -file " + alias + ".cert");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
620 |
if (bad == null) {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
621 |
oa.shouldNotContain("Warning");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
622 |
} else {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
623 |
oa.shouldContain("Warning")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
624 |
.shouldMatch("The certificate.*" + bad + ".*risk");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
625 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
626 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
627 |
oa = kt("-list -alias " + alias);
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
628 |
if (bad == null) {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
629 |
oa.shouldNotContain("Warning");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
630 |
} else {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
631 |
oa.shouldContain("Warning")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
632 |
.shouldMatch("The certificate.*" + bad + ".*risk");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
633 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
634 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
635 |
// With cert content |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
636 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
637 |
oa = kt("-printcert -file " + alias + ".cert");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
638 |
if (bad == null) {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
639 |
oa.shouldNotContain("Warning");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
640 |
} else {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
641 |
oa.shouldContain("Warning")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
642 |
.shouldContain(bad + " (weak)") |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
643 |
.shouldMatch("The certificate.*" + bad + ".*risk");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
644 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
645 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
646 |
oa = kt("-list -v -alias " + alias);
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
647 |
if (bad == null) {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
648 |
oa.shouldNotContain("Warning");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
649 |
} else {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
650 |
oa.shouldContain("Warning")
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
651 |
.shouldContain(bad + " (weak)") |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
652 |
.shouldMatch("The certificate.*" + bad + ".*risk");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
653 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
654 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
655 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
656 |
// This is slow, but real keytool process is launched. |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
657 |
static OutputAnalyzer kt1(String cmd, String... input) {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
658 |
cmd = "-keystore ks -storepass changeit " + |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
659 |
"-keypass changeit " + cmd; |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
660 |
System.out.println("---------------------------------------------");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
661 |
try {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
662 |
SecurityTools.setResponse(input); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
663 |
return SecurityTools.keytool(cmd); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
664 |
} catch (Throwable e) {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
665 |
throw new RuntimeException(e); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
666 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
667 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
668 |
|
|
47420
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
669 |
static OutputAnalyzer kt(String cmd, String... input) {
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
670 |
return kt0("-keystore ks -storepass changeit " +
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
671 |
"-keypass changeit " + cmd, input); |
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
672 |
} |
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
673 |
|
|
44046
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
674 |
// Fast keytool execution by directly calling its main() method |
|
47420
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
675 |
static OutputAnalyzer kt0(String cmd, String... input) {
|
|
44046
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
676 |
PrintStream out = System.out; |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
677 |
PrintStream err = System.err; |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
678 |
InputStream ins = System.in; |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
679 |
ByteArrayOutputStream bout = new ByteArrayOutputStream(); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
680 |
ByteArrayOutputStream berr = new ByteArrayOutputStream(); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
681 |
boolean succeed = true; |
|
47420
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
682 |
String sout; |
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
683 |
String serr; |
|
44046
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
684 |
try {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
685 |
System.out.println("---------------------------------------------");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
686 |
System.out.println("$ keytool " + cmd);
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
687 |
System.out.println(); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
688 |
String feed = ""; |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
689 |
if (input.length > 0) {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
690 |
feed = Stream.of(input).collect(Collectors.joining("\n")) + "\n";
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
691 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
692 |
System.setIn(new ByteArrayInputStream(feed.getBytes())); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
693 |
System.setOut(new PrintStream(bout)); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
694 |
System.setErr(new PrintStream(berr)); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
695 |
sun.security.tools.keytool.Main.main( |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
696 |
cmd.trim().split("\\s+"));
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
697 |
} catch (Exception e) {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
698 |
// Might be a normal exception when -debug is on or |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
699 |
// SecurityException (thrown by jtreg) when System.exit() is called |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
700 |
if (!(e instanceof SecurityException)) {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
701 |
e.printStackTrace(); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
702 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
703 |
succeed = false; |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
704 |
} finally {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
705 |
System.setOut(out); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
706 |
System.setErr(err); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
707 |
System.setIn(ins); |
|
47420
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
708 |
sout = new String(bout.toByteArray()); |
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
709 |
serr = new String(berr.toByteArray()); |
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
710 |
System.out.println("STDOUT:\n" + sout + "\nSTDERR:\n" + serr);
|
|
44046
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
711 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
712 |
if (!succeed) {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
713 |
throw new RuntimeException(); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
714 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
715 |
return new OutputAnalyzer(sout, serr); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
716 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
717 |
|
|
47420
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
718 |
static OutputAnalyzer importkeystore(String src, String dest, |
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
719 |
String options) {
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
720 |
return kt0("-importkeystore "
|
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
721 |
+ "-srckeystore " + src + " -destkeystore " + dest |
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
722 |
+ " -srcstorepass changeit -deststorepass changeit " + options); |
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
723 |
} |
|
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
724 |
|
|
44046
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
725 |
static OutputAnalyzer genkeypair(String alias, String options) {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
726 |
return kt("-genkeypair -alias " + alias + " -dname CN=" + alias
|
|
47420
a2bf68a0365f
8182879: Add warnings to keytool when using JKS and JCEKS
weijun
parents:
47216
diff
changeset
|
727 |
+ " -storetype PKCS12 " + options); |
|
44046
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
728 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
729 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
730 |
static OutputAnalyzer certreq(String alias, String options) {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
731 |
return kt("-certreq -alias " + alias
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
732 |
+ " -file " + alias + ".req " + options); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
733 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
734 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
735 |
static OutputAnalyzer exportcert(String alias) {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
736 |
return kt("-exportcert -alias " + alias + " -file " + alias + ".cert");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
737 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
738 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
739 |
static OutputAnalyzer gencert(String relation, String options) {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
740 |
int pos = relation.indexOf("-");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
741 |
String issuer = relation.substring(0, pos); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
742 |
String subject = relation.substring(pos + 1); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
743 |
return kt(" -gencert -alias " + issuer + " -infile " + subject
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
744 |
+ ".req -outfile " + relation + ".cert " + options); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
745 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
746 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
747 |
static void saveStore() throws IOException {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
748 |
System.out.println("---------------------------------------------");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
749 |
System.out.println("$ cp ks ks2");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
750 |
Files.copy(Paths.get("ks"), Paths.get("ks2"),
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
751 |
StandardCopyOption.REPLACE_EXISTING); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
752 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
753 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
754 |
static void reStore() throws IOException {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
755 |
System.out.println("---------------------------------------------");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
756 |
System.out.println("$ cp ks2 ks");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
757 |
Files.copy(Paths.get("ks2"), Paths.get("ks"),
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
758 |
StandardCopyOption.REPLACE_EXISTING); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
759 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
760 |
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
761 |
static void rm(String s) throws IOException {
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
762 |
System.out.println("---------------------------------------------");
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
763 |
System.out.println("$ rm " + s);
|
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
764 |
Files.deleteIfExists(Paths.get(s)); |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
765 |
} |
|
762e807bfac1
8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
weijun
parents:
diff
changeset
|
766 |
} |