author | weijun |
Fri, 15 Nov 2019 09:06:58 +0800 | |
changeset 59104 | 046e4024e55a |
parent 52598 | 0379b618ec46 |
permissions | -rw-r--r-- |
/* |
* Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
* |
* This code is free software; you can redistribute it and/or modify it |
* under the terms of the GNU General Public License version 2 only, as |
* published by the Free Software Foundation. |
* |
* This code is distributed in the hope that it will be useful, but WITHOUT |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
* version 2 for more details (a copy is included in the LICENSE file that |
* accompanied this code). |
* |
* You should have received a copy of the GNU General Public License version |
* 2 along with this work; if not, write to the Free Software Foundation, |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
* |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
* or visit www.oracle.com if you need additional information or have any |
* questions. |
*/ |
|
/* |
* @test |
* @bug 8171319 8177569 8182879 |
* @summary keytool should print out warnings when reading or generating |
* cert/cert req using weak algorithms |
* @library /test/lib |
* @modules java.base/sun.security.tools.keytool |
* java.base/sun.security.tools |
* java.base/sun.security.util |
* @build jdk.test.lib.SecurityTools |
* jdk.test.lib.Utils |
* jdk.test.lib.Asserts |
* jdk.test.lib.JDKToolFinder |
* jdk.test.lib.JDKToolLauncher |
* jdk.test.lib.Platform |
* jdk.test.lib.process.* |
* @run main/othervm/timeout=600 -Duser.language=en -Duser.country=US WeakAlg |
*/ |
|
import jdk.test.lib.Asserts; |
import jdk.test.lib.SecurityTools; |
import jdk.test.lib.process.OutputAnalyzer; |
import sun.security.tools.KeyStoreUtil; |
import sun.security.util.DisabledAlgorithmConstraints; |
|
import java.io.ByteArrayInputStream; |
import java.io.ByteArrayOutputStream; |
import java.io.File; |
import java.io.IOException; |
import java.io.InputStream; |
import java.io.PrintStream; |
import java.nio.file.Files; |
import java.nio.file.Paths; |
import java.nio.file.StandardCopyOption; |
import java.security.CryptoPrimitive; |
import java.security.KeyStore; |
import java.security.cert.X509Certificate; |
import java.util.Collections; |
import java.util.EnumSet; |
import java.util.Set; |
import java.util.stream.Collectors; |
import java.util.stream.Stream; |
|
public class WeakAlg { |
|
/**
 * Drives the whole weak-algorithm warning scenario as one ordered script.
 *
 * <p>Each step runs keytool through helpers defined elsewhere in this file
 * ({@code kt}, {@code gencert}, {@code rm} and the {@code check*} methods)
 * and asserts on the text keytool prints. The weak cases exercised here are
 * the MD5withRSA and MD2withRSA signature algorithms and a 512-bit RSA key;
 * the default {@code -keyalg RSA} entry is the non-weak control.
 *
 * <p>The steps are order-dependent: aliases {@code a}, {@code b} and
 * {@code c} created at the top are reused by every later step, and alias
 * {@code b} is deleted near the end before its CRL is printed.
 *
 * @param args not read by this method
 * @throws Throwable if any helper or output assertion fails
 */
public static void main(String[] args) throws Throwable {

    // rm is defined elsewhere; presumably removes a leftover "ks" keystore
    // file so the run starts clean -- TODO confirm.
    rm("ks");

    // -genkeypair, and -printcert, -list -alias, -exportcert
    // (w/ different formats)
    // Three entries: "a" signed with MD5withRSA, "b" with a 512-bit RSA key,
    // "c" with defaults. The third argument looks like the weak-algorithm
    // label expected in the warning, null meaning no warning -- confirm
    // against checkGenKeyPair.
    checkGenKeyPair("a", "-keyalg RSA -sigalg MD5withRSA", "MD5withRSA");
    checkGenKeyPair("b", "-keyalg RSA -keysize 512", "512-bit RSA key");
    checkGenKeyPair("c", "-keyalg RSA", null);

    // Plain listing: a warning per weak entry, keyed by "<alias>".
    // No pattern is asserted for <c>.
    kt("-list")
            .shouldContain("Warning:")
            .shouldMatch("<a>.*MD5withRSA.*risk")
            .shouldMatch("<b>.*512-bit RSA key.*risk");
    // Verbose listing: same warnings, plus the "(weak)" marker next to the
    // algorithm / key description in the certificate details.
    kt("-list -v")
            .shouldContain("Warning:")
            .shouldMatch("<a>.*MD5withRSA.*risk")
            .shouldContain("MD5withRSA (weak)")
            .shouldMatch("<b>.*512-bit RSA key.*risk")
            .shouldContain("512-bit RSA key (weak)");

    // Multiple warnings for multiple cert in -printcert
    // or -list or -exportcert
    // NOTE(review): no statement follows this comment in this method;
    // confirm whether the multi-certificate case is covered elsewhere.

    // -certreq, -printcertreq, -gencert
    // gencert's first argument appears to be "<issuer>-<subject>" (the
    // "a-c" call below is checked for an issuer warning and its output is
    // read from a-c.cert) -- confirm against gencert.
    checkCertReq("a", "", null);
    gencert("c-a", "")
            .shouldNotContain("Warning"); // new sigalg is not weak
    gencert("c-a", "-sigalg MD2withRSA")
            .shouldContain("Warning:")
            .shouldMatch("The generated certificate.*MD2withRSA.*risk");

    // Request for "a" re-created with a weak signature: the request itself
    // must be flagged, independently of the algorithm of the new cert.
    checkCertReq("a", "-sigalg MD5withRSA", "MD5withRSA");
    gencert("c-a", "")
            .shouldContain("Warning:")
            .shouldMatch("The certificate request.*MD5withRSA.*risk");
    gencert("c-a", "-sigalg MD2withRSA")
            .shouldContain("Warning:")
            .shouldMatch("The certificate request.*MD5withRSA.*risk")
            .shouldMatch("The generated certificate.*MD2withRSA.*risk");

    // Weak key in the request: both the request and the certificate
    // generated from it are expected to carry the 512-bit warning.
    checkCertReq("b", "", "512-bit RSA key");
    gencert("c-b", "")
            .shouldContain("Warning:")
            .shouldMatch("The certificate request.*512-bit RSA key.*risk")
            .shouldMatch("The generated certificate.*512-bit RSA key.*risk");

    // Non-weak request for "c", issued via "a": the warning is about the
    // issuer only.
    checkCertReq("c", "", null);
    gencert("a-c", "")
            .shouldContain("Warning:")
            .shouldMatch("The issuer.*MD5withRSA.*risk");

    // but the new cert is not weak
    kt("-printcert -file a-c.cert")
            .shouldNotContain("Warning")
            .shouldNotContain("weak");

    gencert("b-c", "")
            .shouldContain("Warning:")
            .shouldMatch("The issuer.*512-bit RSA key.*risk");

    // -importcert
    checkImport();

    // -importkeystore
    checkImportKeyStore();

    // -gencrl, -printcrl

    // Same (alias, options, expected label) shape as checkGenKeyPair above;
    // presumably null again means "no warning expected" -- confirm.
    checkGenCRL("a", "", null);
    checkGenCRL("a", "-sigalg MD5withRSA", "MD5withRSA");
    checkGenCRL("b", "", "512-bit RSA key");
    checkGenCRL("c", "", null);

    // With alias b gone from the keystore, printing b.crl must say the CRL
    // was not verified (presumably because no matching certificate is left
    // to check its signature -- confirm).
    kt("-delete -alias b");
    kt("-printcrl -file b.crl")
            .shouldContain("WARNING: not verified");

    // Keystore-type warning checks; jksTypeCheck is the next method in
    // this file.
    jksTypeCheck();

    checkInplaceImportKeyStore();
}
|
static void jksTypeCheck() throws Exception { |
|
// No warning for cacerts, all certs |
kt0("-cacerts -list -storepass changeit") |
.shouldNotContain("Warning:"); |
|
rm("ks"); |
rm("ks2"); |
|
kt("-genkeypair -keyalg DSA -alias a -dname CN=A") |
.shouldNotContain("Warning:"); |
kt("-list") |
.shouldNotContain("Warning:"); |
kt("-list -storetype jks") // no warning if PKCS12 used as JKS |
.shouldNotContain("Warning:"); |
kt("-exportcert -alias a -file a.crt") |
.shouldNotContain("Warning:"); |
|
// warn if migrating to JKS |
importkeystore("ks", "ks2", "-deststoretype jks") |
.shouldContain("JKS keystore uses a proprietary format"); |
|
rm("ks"); |
rm("ks2"); |
rm("ks3"); |
|
// no warning if all certs |
kt("-importcert -alias b -file a.crt -storetype jks -noprompt") |
.shouldNotContain("Warning:"); |
kt("-genkeypair -keyalg DSA -alias a -dname CN=A") |
.shouldContain("JKS keystore uses a proprietary format"); |
kt("-list") |
.shouldContain("JKS keystore uses a proprietary format"); |
kt("-list -storetype pkcs12") // warn if JKS used as PKCS12 |
.shouldContain("JKS keystore uses a proprietary format"); |
kt("-exportcert -alias a -file a.crt") |
.shouldContain("JKS keystore uses a proprietary format"); |
kt("-printcert -file a.crt") // no warning if keystore not touched |
.shouldNotContain("Warning:"); |
kt("-certreq -alias a -file a.req") |
.shouldContain("JKS keystore uses a proprietary format"); |
kt("-printcertreq -file a.req") // no warning if keystore not touched |
.shouldNotContain("Warning:"); |
|
// No warning if migrating from JKS |
importkeystore("ks", "ks2", "") |
.shouldNotContain("Warning:"); |
|
importkeystore("ks", "ks3", "-deststoretype pkcs12") |
.shouldNotContain("Warning:"); |
|
rm("ks"); |
|
kt("-genkeypair -keyalg DSA -alias a -dname CN=A -storetype jceks") |
.shouldContain("JCEKS keystore uses a proprietary format"); |
kt("-list") |
.shouldContain("JCEKS keystore uses a proprietary format"); |
kt("-importcert -alias b -file a.crt -noprompt") |
.shouldContain("JCEKS keystore uses a proprietary format"); |
kt("-exportcert -alias a -file a.crt") |
.shouldContain("JCEKS keystore uses a proprietary format"); |
kt("-printcert -file a.crt") |
.shouldNotContain("Warning:"); |
kt("-certreq -alias a -file a.req") |
.shouldContain("JCEKS keystore uses a proprietary format"); |
kt("-printcertreq -file a.req") |
.shouldNotContain("Warning:"); |
kt("-genseckey -alias c -keyalg AES -keysize 128") |
.shouldContain("JCEKS keystore uses a proprietary format"); |
} |
|
/**
 * Checks that copying entries out of keystore {@code ks} with
 * {@code -importkeystore} repeats the weak-algorithm warnings for the
 * entries being copied.
 *
 * <p>{@code ks} is populated outside this method. The assertions below expect
 * it to hold three entries, with a warning tagged {@code <a>} that names
 * MD5withRSA and a warning tagged {@code <b>} that names a 512-bit RSA key
 * (presumably {@code a} and {@code b} are the entry aliases; confirm against
 * the setup code).
 *
 * @throws Exception propagated from the helper calls
 */
static void checkImportKeyStore() throws Exception {

    // Clear both destination names first. rm is a helper defined elsewhere in
    // this test; presumably it deletes the file so each import below creates
    // its destination from scratch.
    rm("ks2");
    rm("ks3");

    // Whole-keystore import: every entry is copied, so the output must carry
    // the generic "Warning" header plus one risk line per weak entry.
    importkeystore("ks", "ks2", "")
            .shouldContain("3 entries successfully imported")
            .shouldContain("Warning")
            .shouldMatch("<b>.*512-bit RSA key.*risk")
            .shouldMatch("<a>.*MD5withRSA.*risk");

    // Single-alias import: only the MD5withRSA warning for <a> is asserted.
    // NOTE(review): nothing here asserts that the <b> warning is absent, so
    // a warning for an entry that was not imported would not fail this check.
    importkeystore("ks", "ks3", "-srcalias a")
            .shouldContain("Warning")
            .shouldMatch("<a>.*MD5withRSA.*risk");
}
|
/**
 * Checks keytool's behaviour when {@code -importkeystore} names the same file
 * as source and destination: the tool is expected to warn, report a numbered
 * backup of the previous file ({@code ks.old}, {@code ks.old2}, ...), and,
 * when the store type changes, report a migration.
 *
 * <p>The steps are order-dependent: each in-place import is expected to
 * produce the next backup suffix, and the keystore type left behind by one
 * step is the input of the next.
 *
 * @throws Exception propagated from the helper calls, from
 *         {@link File#getCanonicalPath()} and from {@code KeyStore.getInstance}
 */
static void checkInplaceImportKeyStore() throws Exception {

    // Start from a fresh keystore; genkeypair is a helper defined elsewhere
    // in this test, presumably creating a DSA key pair under alias "a".
    rm("ks");
    genkeypair("a", "-keyalg DSA");

    // Same type backup
    // NOTE(review): the '.' in these patterns is an unescaped regex wildcard,
    // and "original.*ks.old" is a prefix of every later backup name, so this
    // first check does not by itself distinguish ks.old from ks.old2.
    importkeystore("ks", "ks", "")
            .shouldContain("Warning:")
            .shouldMatch("original.*ks.old");

    importkeystore("ks", "ks", "")
            .shouldContain("Warning:")
            .shouldMatch("original.*ks.old2");

    // A declared source type of jks is passed here; the expected output is
    // still the "original ... backed up" message with the next suffix.
    importkeystore("ks", "ks", "-srcstoretype jks") // it knows real type
            .shouldContain("Warning:")
            .shouldMatch("original.*ks.old3");

    // Name the destination by canonical path instead of the relative name;
    // the assertions expect it to be treated as the same file (backup old4).
    String cPath = new File("ks").getCanonicalPath();

    importkeystore("ks", cPath, "")
            .shouldContain("Warning:")
            .shouldMatch("original.*ks.old4");

    // Migration
    // Changing the destination type to JKS must print the proprietary-format
    // warning and a "Migrated" message that names backup ks.old5.
    importkeystore("ks", "ks", "-deststoretype jks")
            .shouldContain("Warning:")
            .shouldContain("JKS keystore uses a proprietary format")
            .shouldMatch("Migrated.*JKS.*PKCS12.*ks.old5");

    // KeyStore.getInstance(File, char[]) probes the file to determine its
    // type, so this verifies the on-disk format rather than keytool's output.
    Asserts.assertEQ(
            KeyStore.getInstance(
                    new File("ks"), "changeit".toCharArray()).getType(),
            "JKS");

    // Second in-place import, with PKCS12 declared as the source type. The
    // proprietary-format warning must not appear, and the message must name
    // backup ks.old6.
    importkeystore("ks", "ks", "-srcstoretype PKCS12")
            .shouldContain("Warning:")
            .shouldNotContain("proprietary format")
            .shouldMatch("Migrated.*PKCS12.*JKS.*ks.old6");

    // The live file is now PKCS12 ...
    Asserts.assertEQ(
            KeyStore.getInstance(
                    new File("ks"), "changeit".toCharArray()).getType(),
            "PKCS12");

    // ... and the backup preserves the previous JKS content.
    Asserts.assertEQ(
            KeyStore.getInstance(
                    new File("ks.old6"), "changeit".toCharArray()).getType(),
            "JKS");

    // One password prompt is enough for migration
    // kt0 is a helper defined elsewhere; the trailing arguments are presumably
    // the answers fed to keytool's interactive prompts.
    kt0("-importkeystore -srckeystore ks -destkeystore ks", "changeit")
            .shouldMatch("original.*ks.old7");

    // But three if importing to a different keystore
    rm("ks2");
    // With a single answer supplied, keytool is expected to reject the input
    // with the too-short-password message instead of importing.
    kt0("-importkeystore -srckeystore ks -destkeystore ks2",
            "changeit")
            .shouldContain("Keystore password is too short");

    // With three answers the import proceeds as an ordinary copy: no backup
    // ("original") and no migration message may be printed.
    kt0("-importkeystore -srckeystore ks -destkeystore ks2",
            "changeit", "changeit", "changeit")
            .shouldContain("Importing keystore ks to ks2...")
            .shouldNotContain("original")
            .shouldNotContain("Migrated");
}
|
static void checkImport() throws Exception { |
|
saveStore(); |
|
// add trusted cert |
|
// cert already in |
kt("-importcert -alias d -file a.cert", "no") |
.shouldContain("Certificate already exists in keystore") |
.shouldContain("Warning") |
.shouldMatch("The input.*MD5withRSA.*risk") |
.shouldContain("Do you still want to add it?"); |
kt("-importcert -alias d -file a.cert -noprompt") |
.shouldContain("Warning") |
.shouldMatch("The input.*MD5withRSA.*risk") |
.shouldNotContain("[no]"); |
|
// cert is self-signed |
kt("-delete -alias a"); |
kt("-delete -alias d"); |
kt("-importcert -alias d -file a.cert", "no") |
.shouldContain("Warning") |
.shouldContain("MD5withRSA (weak)") |
.shouldMatch("The input.*MD5withRSA.*risk") |
.shouldContain("Trust this certificate?"); |
kt("-importcert -alias d -file a.cert -noprompt") |
.shouldContain("Warning") |
.shouldMatch("The input.*MD5withRSA.*risk") |
.shouldNotContain("[no]"); |
|
// JDK-8177569: no warning for sigalg of trusted cert |
String weakSigAlgCA = null; |
KeyStore ks = KeyStoreUtil.getCacertsKeyStore(); |
if (ks != null) { |
DisabledAlgorithmConstraints disabledCheck = |
new DisabledAlgorithmConstraints( |
DisabledAlgorithmConstraints.PROPERTY_CERTPATH_DISABLED_ALGS); |
Set<CryptoPrimitive> sigPrimitiveSet = Collections |
.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE)); |
|
for (String s : Collections.list(ks.aliases())) { |
if (ks.isCertificateEntry(s)) { |
X509Certificate c = (X509Certificate)ks.getCertificate(s); |
String sigAlg = c.getSigAlgName(); |
if (!disabledCheck.permits(sigPrimitiveSet, sigAlg, null)) { |
weakSigAlgCA = sigAlg; |
Files.write(Paths.get("ca.cert"), |
ks.getCertificate(s).getEncoded()); |
break; |
} |
} |
} |
} |
if (weakSigAlgCA != null) { |
// The following 2 commands still have a warning on why not using |
// the -cacerts option directly. |
kt("-list -keystore " + KeyStoreUtil.getCacerts()) |
.shouldNotContain("risk"); |
kt("-list -v -keystore " + KeyStoreUtil.getCacerts()) |
.shouldNotContain("risk"); |
|
// -printcert will always show warnings |
kt("-printcert -file ca.cert") |
.shouldContain("name: " + weakSigAlgCA + " (weak)") |
.shouldContain("Warning") |
.shouldMatch("The certificate.*" + weakSigAlgCA + ".*risk"); |
kt("-printcert -file ca.cert -trustcacerts") // -trustcacerts useless |
.shouldContain("name: " + weakSigAlgCA + " (weak)") |
.shouldContain("Warning") |
.shouldMatch("The certificate.*" + weakSigAlgCA + ".*risk"); |
|
// Importing with -trustcacerts ignore CA cert's sig alg |
kt("-delete -alias d"); |
kt("-importcert -alias d -trustcacerts -file ca.cert", "no") |
.shouldContain("Certificate already exists in system-wide CA") |
.shouldNotContain("risk") |
.shouldContain("Do you still want to add it to your own keystore?"); |
kt("-importcert -alias d -trustcacerts -file ca.cert -noprompt") |
.shouldNotContain("risk") |
.shouldNotContain("[no]"); |
// but not without -trustcacerts |
kt("-delete -alias d"); |
kt("-importcert -alias d -file ca.cert", "no") |
.shouldContain("name: " + weakSigAlgCA + " (weak)") |
.shouldContain("Warning") |
.shouldMatch("The input.*" + weakSigAlgCA + ".*risk") |
.shouldContain("Trust this certificate?"); |
kt("-importcert -alias d -file ca.cert -noprompt") |
.shouldContain("Warning") |
.shouldMatch("The input.*" + weakSigAlgCA + ".*risk") |
.shouldNotContain("[no]"); |
} |
// a non self-signed weak cert |
reStore(); |
certreq("b", ""); |
gencert("c-b", ""); |
kt("-importcert -alias d -file c-b.cert") // weak only, no prompt |
.shouldContain("Warning") |
.shouldNotContain("512-bit RSA key (weak)") |
.shouldMatch("The input.*512-bit RSA key.*risk") |
.shouldNotContain("[no]"); |
kt("-delete -alias b"); |
kt("-delete -alias c"); |
kt("-delete -alias d"); |
kt("-importcert -alias d -file c-b.cert", "no") // weak and not trusted |
.shouldContain("Warning") |
.shouldContain("512-bit RSA key (weak)") |
.shouldMatch("The input.*512-bit RSA key.*risk") |
.shouldContain("Trust this certificate?"); |
kt("-importcert -alias d -file c-b.cert -noprompt") |
.shouldContain("Warning") |
.shouldMatch("The input.*512-bit RSA key.*risk") |
.shouldNotContain("[no]"); |
// a non self-signed strong cert |
reStore(); |
certreq("a", ""); |
gencert("c-a", ""); |
kt("-importcert -alias d -file c-a.cert") // trusted |
.shouldNotContain("Warning") |
.shouldNotContain("[no]"); |
kt("-delete -alias a"); |
kt("-delete -alias c"); |
kt("-delete -alias d"); |
kt("-importcert -alias d -file c-a.cert", "no") // not trusted |
.shouldNotContain("Warning") |
.shouldContain("Trust this certificate?"); |
kt("-importcert -alias d -file c-a.cert -noprompt") |
.shouldNotContain("Warning") |
.shouldNotContain("[no]"); |
// install reply |
reStore(); |
certreq("c", ""); |
gencert("a-c", ""); |
kt("-importcert -alias c -file a-c.cert") |
.shouldContain("Warning") |
.shouldMatch("Issuer <a>.*MD5withRSA.*risk"); |
// JDK-8177569: no warning for sigalg of trusted cert |
reStore(); |
// Change a into a TrustedCertEntry |
kt("-exportcert -alias a -file a.cert"); |
kt("-delete -alias a"); |
kt("-importcert -alias a -file a.cert -noprompt"); |
kt("-list -alias a -v") |
.shouldNotContain("weak") |
.shouldNotContain("Warning"); |
// This time a is trusted and no warning on its weak sig alg |
kt("-importcert -alias c -file a-c.cert") |
.shouldNotContain("Warning"); |
reStore(); |
gencert("a-b", ""); |
gencert("b-c", ""); |
// Full chain with root |
cat("a-a-b-c.cert", "b-c.cert", "a-b.cert", "a.cert"); |
kt("-importcert -alias c -file a-a-b-c.cert") // only weak |
.shouldContain("Warning") |
.shouldMatch("Reply #2 of 3.*512-bit RSA key.*risk") |
.shouldMatch("Reply #3 of 3.*MD5withRSA.*risk") |
.shouldNotContain("[no]"); |
// Without root |
cat("a-b-c.cert", "b-c.cert", "a-b.cert"); |
kt("-importcert -alias c -file a-b-c.cert") // only weak |
.shouldContain("Warning") |
.shouldMatch("Reply #2 of 2.*512-bit RSA key.*risk") |
.shouldMatch("Issuer <a>.*MD5withRSA.*risk") |
.shouldNotContain("[no]"); |
reStore(); |
gencert("b-a", ""); |
kt("-importcert -alias a -file b-a.cert") |
.shouldContain("Warning") |
.shouldMatch("Issuer <b>.*512-bit RSA key.*risk") |
.shouldNotContain("[no]"); |
kt("-importcert -alias a -file c-a.cert") |
.shouldNotContain("Warning"); |
kt("-importcert -alias b -file c-b.cert") |
.shouldContain("Warning") |
.shouldMatch("The input.*512-bit RSA key.*risk") |
.shouldNotContain("[no]"); |
reStore(); |
gencert("b-a", ""); |
cat("c-b-a.cert", "b-a.cert", "c-b.cert"); |
kt("-printcert -file c-b-a.cert") |
.shouldContain("Warning") |
.shouldMatch("The certificate #2 of 2.*512-bit RSA key.*risk"); |
kt("-delete -alias b"); |
kt("-importcert -alias a -file c-b-a.cert") |
.shouldContain("Warning") |
.shouldMatch("Reply #2 of 2.*512-bit RSA key.*risk") |
.shouldNotContain("[no]"); |
kt("-delete -alias c"); |
kt("-importcert -alias a -file c-b-a.cert", "no") |
.shouldContain("Top-level certificate in reply:") |
.shouldContain("512-bit RSA key (weak)") |
.shouldContain("Warning") |
.shouldMatch("Reply #2 of 2.*512-bit RSA key.*risk") |
.shouldContain("Install reply anyway?"); |
kt("-importcert -alias a -file c-b-a.cert -noprompt") |
.shouldContain("Warning") |
.shouldMatch("Reply #2 of 2.*512-bit RSA key.*risk") |
.shouldNotContain("[no]"); |
reStore(); |
} |
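/**
 * Concatenates the given source files, in order, into {@code dest} and
 * echoes a shell-like {@code $ cat src... > dest} line to standard output.
 *
 * <p>Callers in this test use it to assemble multi-certificate files
 * (for example a reply chain) out of individual certificate files before
 * handing them to keytool.
 *
 * @param dest path of the file to create or overwrite
 * @param src  paths of the files to concatenate, in the order given
 * @throws IOException if a source cannot be read or {@code dest} cannot
 *                     be written
 */
private static void cat(String dest, String... src) throws IOException {
    System.out.println("---------------------------------------------");
    // print() rather than printf(): the text is data, not a format string.
    System.out.print("$ cat ");

    // Buffer all sources first; dest is written once, after every source
    // has been read completely.
    ByteArrayOutputStream bout = new ByteArrayOutputStream();
    for (String s : src) {
        // A file name passed to printf() would have any '%' in it parsed
        // as a conversion and could throw; print() emits it verbatim.
        System.out.print(s + " ");
        bout.write(Files.readAllBytes(Paths.get(s)));
    }
    Files.write(Paths.get(dest), bout.toByteArray());
    System.out.println("> " + dest);
}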
/**
 * Generates a CRL with keytool and prints it back, asserting at both steps whether
 * keytool reports a weak algorithm.
 *
 * <p>The CRL is written to and read from {@code <alias>.crl}.
 *
 * @param alias   keystore alias passed to {@code -gencrl}; also the CRL file stem
 * @param options extra command-line text appended to the {@code -gencrl} call
 * @param bad     text expected inside the warning, or {@code null} when the output
 *                must contain no warning at all; it is spliced into a regular
 *                expression unescaped, so regex metacharacters in it are interpreted
 */
static void checkGenCRL(String alias, String options, String bad) {
    final boolean expectWeak = bad != null;
    final String verifiedLine = "Verified by " + alias + " in keystore";

    // Generation: the warning, if any, refers to "The generated CRL".
    OutputAnalyzer generated = kt("-gencrl -alias " + alias
            + " -id 1 -file " + alias + ".crl " + options);
    if (expectWeak) {
        generated.shouldContain("Warning")
                .shouldMatch("The generated CRL.*" + bad + ".*risk");
    } else {
        generated.shouldNotContain("Warning");
    }

    // Printing: the CRL must still verify against the keystore entry either way;
    // only the weak-algorithm marker and warning differ.
    OutputAnalyzer printed = kt("-printcrl -file " + alias + ".crl");
    if (expectWeak) {
        printed.shouldContain("Warning:")
                .shouldMatch("The CRL.*" + bad + ".*risk")
                .shouldContain(verifiedLine)
                .shouldContain(bad + " (weak)");
    } else {
        printed.shouldNotContain("Warning")
                .shouldContain(verifiedLine)
                .shouldNotContain("(weak");
    }
}
/**
 * Creates a certificate request and prints it back, asserting at both steps whether
 * keytool reports a weak algorithm.
 *
 * <p>The request is read back from {@code <alias>.req}; presumably that is the file
 * the {@code certreq} helper writes (the helper is not shown in this part of the file).
 *
 * @param alias   keystore alias handed to {@code certreq}; also the request file stem
 * @param options extra command-line text handed to {@code certreq}
 * @param bad     text expected inside the warning, or {@code null} when the output
 *                must contain no warning at all; it is spliced into a regular
 *                expression unescaped, so regex metacharacters in it are interpreted
 */
static void checkCertReq(
        String alias, String options, String bad) {
    final boolean expectWeak = bad != null;

    // Generation: the warning, if any, refers to "The generated certificate request".
    OutputAnalyzer generated = certreq(alias, options);
    if (expectWeak) {
        generated.shouldContain("Warning")
                .shouldMatch("The generated certificate request.*" + bad + ".*risk");
    } else {
        generated.shouldNotContain("Warning");
    }

    // Printing: additionally checks the inline "(weak)" marker.
    OutputAnalyzer printed = kt("-printcertreq -file " + alias + ".req");
    if (expectWeak) {
        printed.shouldContain("Warning")
                .shouldMatch("The certificate request.*" + bad + ".*risk")
                .shouldContain(bad + " (weak)");
    } else {
        printed.shouldNotContain("Warning")
                .shouldNotContain("(weak)");
    }
}
/**
 * Generates a key pair and then runs a fixed sequence of keytool commands over the
 * resulting certificate, asserting after each one whether a weak-algorithm warning
 * is printed.
 *
 * <p>Sequence: {@code -genkeypair}, {@code -exportcert}, {@code -exportcert -rfc},
 * {@code -printcert -rfc}, {@code -list}, {@code -printcert}, {@code -list -v}.
 * The certificate is exported to and read from {@code <alias>.cert}.
 *
 * @param alias   keystore alias of the generated entry; also the certificate file stem
 * @param options extra command-line text handed to {@code genkeypair}
 * @param bad     text expected inside the warning, or {@code null} when the output
 *                must contain no warning at all; it is spliced into a regular
 *                expression unescaped, so regex metacharacters in it are interpreted
 */
static void checkGenKeyPair(
        String alias, String options, String bad) {
    final boolean expectWeak = bad != null;
    final String certFile = alias + ".cert";
    final String riskPattern = "The certificate.*" + bad + ".*risk";

    // Generation: the warning, if any, refers to "The generated certificate".
    OutputAnalyzer generated = genkeypair(alias, options);
    if (expectWeak) {
        generated.shouldContain("Warning")
                .shouldMatch("The generated certificate.*" + bad + ".*risk");
    } else {
        generated.shouldNotContain("Warning");
    }

    // Commands that are checked for the warning text only. Order matters: the
    // exports create the file that -printcert reads.
    final String[] warningOnly = {
        "-exportcert -alias " + alias + " -file " + certFile,
        "-exportcert -rfc -alias " + alias + " -file " + certFile,
        "-printcert -rfc -file " + certFile,
        "-list -alias " + alias,
    };
    for (String command : warningOnly) {
        OutputAnalyzer result = kt(command);
        if (expectWeak) {
            result.shouldContain("Warning")
                    .shouldMatch(riskPattern);
        } else {
            result.shouldNotContain("Warning");
        }
    }

    // With cert content: these also have to show the inline "(weak)" marker.
    final String[] withCertContent = {
        "-printcert -file " + certFile,
        "-list -v -alias " + alias,
    };
    for (String command : withCertContent) {
        OutputAnalyzer result = kt(command);
        if (expectWeak) {
            result.shouldContain("Warning")
                    .shouldContain(bad + " (weak)")
                    .shouldMatch(riskPattern);
        } else {
            result.shouldNotContain("Warning");
        }
    }
}
// This is slow, but a real keytool process is launched.
/**
 * Runs keytool through {@code SecurityTools} against the test keystore {@code ks}.
 *
 * <p>The store and key passwords are the fixed test value {@code changeit} and are
 * placed on the command line; that is acceptable only because {@code ks} is a
 * throwaway test keystore.
 *
 * @param cmd   keytool arguments, appended after the keystore and password options
 * @param input responses handed to {@code SecurityTools.setResponse} before the run
 * @return the analyzer returned by {@code SecurityTools.keytool}
 * @throws RuntimeException wrapping anything thrown while setting the responses or
 *         running keytool
 */
static OutputAnalyzer kt1(String cmd, String... input) {
    final String fullCmd = "-keystore ks -storepass changeit " +
            "-keypass changeit " + cmd;
    System.out.println("---------------------------------------------");
    try {
        SecurityTools.setResponse(input);
        return SecurityTools.keytool(fullCmd);
    } catch (Throwable t) {
        throw new RuntimeException(t);
    }
}
/**
 * Runs keytool in-process (via {@code kt0}) against the test keystore {@code ks}.
 *
 * <p>The store and key passwords are the fixed test value {@code changeit}; since
 * {@code kt0} echoes the whole command line, they also end up in the test log.
 *
 * @param cmd   keytool arguments, appended after the keystore and password options
 * @param input lines to feed to keytool's standard input
 * @return the analyzer over keytool's captured output
 */
static OutputAnalyzer kt(String cmd, String... input) {
    final String fullCmd = "-keystore ks -storepass changeit " +
            "-keypass changeit " + cmd;
    return kt0(fullCmd, input);
}
// Fast keytool execution by directly calling its main() method
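/**
 * Runs keytool in the current JVM by calling {@code sun.security.tools.keytool.Main.main}
 * with {@code System.in}, {@code System.out} and {@code System.err} temporarily replaced
 * by in-memory streams. The original streams are always restored and the captured output
 * is echoed to the real standard output.
 *
 * <p>The command string is split on whitespace with no quoting, so any whitespace inside
 * a value concatenated into {@code cmd} (an alias, a file name, an option string) turns
 * into separate keytool arguments.
 *
 * @param cmd   complete keytool argument string; it is echoed to the log as given,
 *              including any passwords it contains
 * @param input lines fed to keytool's standard input, each terminated by a newline
 * @return an analyzer over the captured standard output and standard error
 * @throws RuntimeException if keytool threw; the original exception is attached as the
 *         cause so that the test log shows why the run failed
 */
static OutputAnalyzer kt0(String cmd, String... input) {
    PrintStream out = System.out;
    PrintStream err = System.err;
    InputStream ins = System.in;
    ByteArrayOutputStream bout = new ByteArrayOutputStream();
    ByteArrayOutputStream berr = new ByteArrayOutputStream();
    // Remembered instead of a bare success flag so the cause is not lost on rethrow.
    Exception failure = null;
    String sout;
    String serr;
    try {
        System.out.println("---------------------------------------------");
        System.out.println("$ keytool " + cmd);
        System.out.println();
        String feed = input.length > 0 ? String.join("\n", input) + "\n" : "";
        System.setIn(new ByteArrayInputStream(feed.getBytes()));
        System.setOut(new PrintStream(bout));
        System.setErr(new PrintStream(berr));
        sun.security.tools.keytool.Main.main(
                cmd.trim().split("\\s+"));
    } catch (Exception e) {
        // Might be a normal exception when -debug is on or
        // SecurityException (thrown by jtreg) when System.exit() is called
        if (!(e instanceof SecurityException)) {
            // System.err is normally still redirected here, so the trace lands in
            // the captured STDERR printed below.
            e.printStackTrace();
        }
        failure = e;
    } finally {
        System.setOut(out);
        System.setErr(err);
        System.setIn(ins);
        sout = new String(bout.toByteArray());
        serr = new String(berr.toByteArray());
        System.out.println("STDOUT:\n" + sout + "\nSTDERR:\n" + serr);
    }
    if (failure != null) {
        throw new RuntimeException(failure);
    }
    return new OutputAnalyzer(sout, serr);
}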
/**
 * Builds a {@code -importkeystore} command line and hands it to {@code kt0}.
 *
 * <p>Both store passwords are the fixed literal {@code changeit} and are
 * embedded in the command string itself, so this helper is only appropriate
 * for throwaway keystores created by the test.
 *
 * <p>NOTE(review): {@code src}, {@code dest} and {@code options} are spliced
 * in unquoted; how {@code kt0} tokenizes the string is not visible here, so
 * values containing whitespace should be confirmed against it.
 *
 * @param src value placed after {@code -srckeystore}
 * @param dest value placed after {@code -destkeystore}
 * @param options additional options appended verbatim at the end
 * @return the {@code OutputAnalyzer} returned by {@code kt0}
 */
static OutputAnalyzer importkeystore(String src, String dest,
        String options) {
    String stores = "-srckeystore " + src + " -destkeystore " + dest;
    String passwords = " -srcstorepass changeit -deststorepass changeit ";
    String command = "-importkeystore " + stores + passwords + options;
    return kt0(command);
}
/**
 * Builds a {@code -genkeypair} command for {@code alias} and hands it to
 * {@code kt}.
 *
 * <p>The distinguished name is {@code CN=<alias>} and {@code -storetype PKCS12}
 * is always emitted before the caller's options.
 * NOTE(review): whether a later {@code -storetype} inside {@code options}
 * takes precedence depends on keytool/{@code kt}, which is not visible here.
 *
 * @param alias key alias, also used as the CN of the subject
 * @param options additional options appended verbatim at the end
 * @return the {@code OutputAnalyzer} returned by {@code kt}
 */
static OutputAnalyzer genkeypair(String alias, String options) {
    String command = String.format(
            "-genkeypair -alias %s -dname CN=%s -storetype PKCS12 %s",
            alias, alias, options);
    return kt(command);
}
/**
 * Builds a {@code -certreq} command for {@code alias} and hands it to
 * {@code kt}; the request is written to {@code <alias>.req}.
 *
 * @param alias key alias; also the base name of the output file
 * @param options additional options appended verbatim at the end
 * @return the {@code OutputAnalyzer} returned by {@code kt}
 */
static OutputAnalyzer certreq(String alias, String options) {
    StringBuilder command = new StringBuilder("-certreq -alias ");
    command.append(alias);
    command.append(" -file ").append(alias).append(".req ");
    command.append(options);
    return kt(command.toString());
}
/**
 * Builds an {@code -exportcert} command for {@code alias} and hands it to
 * {@code kt}; the certificate is written to {@code <alias>.cert}.
 *
 * @param alias alias of the entry to export; also the base name of the
 *              output file
 * @return the {@code OutputAnalyzer} returned by {@code kt}
 */
static OutputAnalyzer exportcert(String alias) {
    String certFile = alias + ".cert";
    String command = "-exportcert -alias " + alias + " -file " + certFile;
    return kt(command);
}
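/**
 * Builds a {@code -gencert} command from an {@code issuer-subject} relation
 * and hands it to {@code kt}.
 *
 * <p>{@code relation} is split at its first {@code '-'}: the part before it
 * is the issuing alias, the part after it names the request file
 * {@code <subject>.req}. The signed certificate is written to
 * {@code <relation>.cert}.
 *
 * @param relation issuer and subject aliases joined by {@code '-'}
 * @param options additional options appended verbatim at the end
 * @return the {@code OutputAnalyzer} returned by {@code kt}
 * @throws IllegalArgumentException if {@code relation} contains no
 *         {@code '-'}
 */
static OutputAnalyzer gencert(String relation, String options) {
    int pos = relation.indexOf('-');
    if (pos < 0) {
        // Without this check substring(0, -1) fails with an index error
        // that does not say which argument was malformed.
        throw new IllegalArgumentException(
                "relation must be <issuer>-<subject>, got: " + relation);
    }
    String issuer = relation.substring(0, pos);
    String subject = relation.substring(pos + 1);
    return kt(" -gencert -alias " + issuer + " -infile " + subject
            + ".req -outfile " + relation + ".cert " + options);
}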
/**
 * Copies the file {@code ks} to {@code ks2} in the current directory,
 * overwriting {@code ks2} if it already exists, and echoes the equivalent
 * shell command to standard output first.
 *
 * @throws IOException if the copy fails
 */
static void saveStore() throws IOException {
    final String liveStore = "ks";
    final String savedStore = "ks2";
    System.out.println("---------------------------------------------");
    System.out.println("$ cp ks ks2");
    Files.copy(
            Paths.get(liveStore),
            Paths.get(savedStore),
            StandardCopyOption.REPLACE_EXISTING);
}
/**
 * Copies the file {@code ks2} back over {@code ks} in the current directory,
 * replacing {@code ks} if it exists, and echoes the equivalent shell command
 * to standard output first.
 *
 * @throws IOException if the copy fails
 */
static void reStore() throws IOException {
    final String savedStore = "ks2";
    final String liveStore = "ks";
    System.out.println("---------------------------------------------");
    System.out.println("$ cp ks2 ks");
    Files.copy(
            Paths.get(savedStore),
            Paths.get(liveStore),
            StandardCopyOption.REPLACE_EXISTING);
}
/**
 * Deletes the file at path {@code s} if it exists, echoing the equivalent
 * shell command to standard output first. A missing file is not an error.
 *
 * <p>The path is used exactly as given, with no restriction to a particular
 * directory.
 *
 * @param s path of the file to delete
 * @throws IOException if the deletion fails
 */
static void rm(String s) throws IOException {
    String echoedCommand = "$ rm " + s;
    System.out.println("---------------------------------------------");
    System.out.println(echoedCommand);
    Files.deleteIfExists(Paths.get(s));
}
} |