author | weijun |
Fri, 03 Apr 2009 11:36:19 +0800 | |
changeset 2437 | 098db6faaf66 |
parent 2432 | dc17f417ef85 |
child 3316 | 32d30c561c5a |
permissions | -rw-r--r-- |
2 | 1 |
/* |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2 |
* Copyright 1997-2009 Sun Microsystems, Inc. All Rights Reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
7 |
* published by the Free Software Foundation. Sun designates this |
|
8 |
* particular file as subject to the "Classpath" exception as provided |
|
9 |
* by Sun in the LICENSE file that accompanied this code. |
|
10 |
* |
|
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
21 |
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, |
|
22 |
* CA 95054 USA or visit www.sun.com if you need additional information or |
|
23 |
* have any questions. |
|
24 |
*/ |
|
25 |
||
26 |
package sun.security.tools; |
|
27 |
||
28 |
import java.io.*; |
|
29 |
import java.security.KeyStore; |
|
30 |
import java.security.KeyStoreException; |
|
31 |
import java.security.MessageDigest; |
|
32 |
import java.security.Key; |
|
33 |
import java.security.PublicKey; |
|
34 |
import java.security.PrivateKey; |
|
35 |
import java.security.Security; |
|
36 |
import java.security.Signature; |
|
37 |
import java.security.UnrecoverableEntryException; |
|
38 |
import java.security.UnrecoverableKeyException; |
|
39 |
import java.security.Principal; |
|
40 |
import java.security.Provider; |
|
41 |
import java.security.Identity; |
|
42 |
import java.security.cert.Certificate; |
|
43 |
import java.security.cert.CertificateFactory; |
|
44 |
import java.security.cert.X509Certificate; |
|
45 |
import java.security.cert.CertificateException; |
|
46 |
import java.text.Collator; |
|
47 |
import java.text.MessageFormat; |
|
48 |
import java.util.*; |
|
49 |
import java.lang.reflect.Constructor; |
|
50 |
import java.net.URL; |
|
51 |
import java.net.URLClassLoader; |
|
52 |
||
53 |
import sun.misc.BASE64Encoder; |
|
54 |
import sun.security.util.ObjectIdentifier; |
|
55 |
import sun.security.pkcs.PKCS10; |
|
56 |
import sun.security.provider.IdentityDatabase; |
|
57 |
import sun.security.provider.SystemSigner; |
|
58 |
import sun.security.provider.SystemIdentity; |
|
59 |
import sun.security.provider.X509Factory; |
|
60 |
import sun.security.util.DerOutputStream; |
|
61 |
import sun.security.util.Password; |
|
62 |
import sun.security.util.PathList; |
|
63 |
import javax.crypto.KeyGenerator; |
|
64 |
import javax.crypto.SecretKey; |
|
65 |
||
904
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
66 |
import javax.net.ssl.HostnameVerifier; |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
67 |
import javax.net.ssl.HttpsURLConnection; |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
68 |
import javax.net.ssl.SSLContext; |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
69 |
import javax.net.ssl.SSLSession; |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
70 |
import javax.net.ssl.TrustManager; |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
71 |
import javax.net.ssl.X509TrustManager; |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
72 |
import sun.misc.BASE64Decoder; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
73 |
import sun.security.pkcs.PKCS10Attribute; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
74 |
import sun.security.pkcs.PKCS9Attribute; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
75 |
import sun.security.util.DerValue; |
2 | 76 |
import sun.security.x509.*; |
77 |
||
78 |
import static java.security.KeyStore.*; |
|
79 |
||
80 |
/** |
|
81 |
* This tool manages keystores. |
|
82 |
* |
|
83 |
* @author Jan Luehe |
|
84 |
* |
|
85 |
* |
|
86 |
* @see java.security.KeyStore |
|
87 |
* @see sun.security.provider.KeyProtector |
|
88 |
* @see sun.security.provider.JavaKeyStore |
|
89 |
* |
|
90 |
* @since 1.2 |
|
91 |
*/ |
|
92 |
public final class KeyTool { |
|
93 |
||
94 |
private boolean debug = false; |
|
95 |
private int command = -1; |
|
96 |
private String sigAlgName = null; |
|
97 |
private String keyAlgName = null; |
|
98 |
private boolean verbose = false; |
|
99 |
private int keysize = -1; |
|
100 |
private boolean rfc = false; |
|
101 |
private long validity = (long)90; |
|
102 |
private String alias = null; |
|
103 |
private String dname = null; |
|
104 |
private String dest = null; |
|
105 |
private String filename = null; |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
106 |
private String infilename = null; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
107 |
private String outfilename = null; |
2 | 108 |
private String srcksfname = null; |
109 |
||
110 |
// User-specified providers are added before any command is called. |
|
111 |
// However, they are not removed before the end of the main() method. |
|
112 |
// If you're calling KeyTool.main() directly in your own Java program, |
|
113 |
// please programtically add any providers you need and do not specify |
|
114 |
// them through the command line. |
|
115 |
||
116 |
private Set<Pair <String, String>> providers = null; |
|
117 |
private String storetype = null; |
|
118 |
private String srcProviderName = null; |
|
119 |
private String providerName = null; |
|
120 |
private String pathlist = null; |
|
121 |
private char[] storePass = null; |
|
122 |
private char[] storePassNew = null; |
|
123 |
private char[] keyPass = null; |
|
124 |
private char[] keyPassNew = null; |
|
125 |
private char[] newPass = null; |
|
126 |
private char[] destKeyPass = null; |
|
127 |
private char[] srckeyPass = null; |
|
128 |
private String ksfname = null; |
|
129 |
private File ksfile = null; |
|
130 |
private InputStream ksStream = null; // keystore stream |
|
904
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
131 |
private String sslserver = null; |
2 | 132 |
private KeyStore keyStore = null; |
133 |
private boolean token = false; |
|
134 |
private boolean nullStream = false; |
|
135 |
private boolean kssave = false; |
|
136 |
private boolean noprompt = false; |
|
137 |
private boolean trustcacerts = false; |
|
138 |
private boolean protectedPath = false; |
|
139 |
private boolean srcprotectedPath = false; |
|
140 |
private CertificateFactory cf = null; |
|
141 |
private KeyStore caks = null; // "cacerts" keystore |
|
142 |
private char[] srcstorePass = null; |
|
143 |
private String srcstoretype = null; |
|
144 |
private Set<char[]> passwords = new HashSet<char[]> (); |
|
145 |
private String startDate = null; |
|
146 |
||
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
147 |
private List <String> v3ext = new ArrayList <String> (); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
148 |
|
2 | 149 |
private static final int CERTREQ = 1; |
150 |
private static final int CHANGEALIAS = 2; |
|
151 |
private static final int DELETE = 3; |
|
152 |
private static final int EXPORTCERT = 4; |
|
153 |
private static final int GENKEYPAIR = 5; |
|
154 |
private static final int GENSECKEY = 6; |
|
155 |
// there is no HELP |
|
156 |
private static final int IDENTITYDB = 7; |
|
157 |
private static final int IMPORTCERT = 8; |
|
158 |
private static final int IMPORTKEYSTORE = 9; |
|
159 |
private static final int KEYCLONE = 10; |
|
160 |
private static final int KEYPASSWD = 11; |
|
161 |
private static final int LIST = 12; |
|
162 |
private static final int PRINTCERT = 13; |
|
163 |
private static final int SELFCERT = 14; |
|
164 |
private static final int STOREPASSWD = 15; |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
165 |
private static final int GENCERT = 16; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
166 |
private static final int PRINTCERTREQ = 17; |
2 | 167 |
|
168 |
private static final Class[] PARAM_STRING = { String.class }; |
|
169 |
||
170 |
private static final String JKS = "jks"; |
|
171 |
private static final String NONE = "NONE"; |
|
172 |
private static final String P11KEYSTORE = "PKCS11"; |
|
173 |
private static final String P12KEYSTORE = "PKCS12"; |
|
174 |
private final String keyAlias = "mykey"; |
|
175 |
||
176 |
// for i18n |
|
177 |
private static final java.util.ResourceBundle rb = |
|
178 |
java.util.ResourceBundle.getBundle("sun.security.util.Resources"); |
|
179 |
private static final Collator collator = Collator.getInstance(); |
|
180 |
static { |
|
181 |
// this is for case insensitive string comparisons |
|
182 |
collator.setStrength(Collator.PRIMARY); |
|
183 |
}; |
|
184 |
||
185 |
private KeyTool() { } |
|
186 |
||
187 |
public static void main(String[] args) throws Exception { |
|
188 |
KeyTool kt = new KeyTool(); |
|
189 |
kt.run(args, System.out); |
|
190 |
} |
|
191 |
||
192 |
private void run(String[] args, PrintStream out) throws Exception { |
|
193 |
try { |
|
194 |
parseArgs(args); |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
195 |
if (command != -1) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
196 |
doCommands(out); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
197 |
} |
2 | 198 |
} catch (Exception e) { |
199 |
System.out.println(rb.getString("keytool error: ") + e); |
|
200 |
if (verbose) { |
|
201 |
e.printStackTrace(System.out); |
|
202 |
} |
|
203 |
if (!debug) { |
|
204 |
System.exit(1); |
|
205 |
} else { |
|
206 |
throw e; |
|
207 |
} |
|
208 |
} finally { |
|
209 |
for (char[] pass : passwords) { |
|
210 |
if (pass != null) { |
|
211 |
Arrays.fill(pass, ' '); |
|
212 |
pass = null; |
|
213 |
} |
|
214 |
} |
|
215 |
||
216 |
if (ksStream != null) { |
|
217 |
ksStream.close(); |
|
218 |
} |
|
219 |
} |
|
220 |
} |
|
221 |
||
222 |
/** |
|
223 |
* Parse command line arguments. |
|
224 |
*/ |
|
225 |
void parseArgs(String[] args) { |
|
226 |
||
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
227 |
if (args.length == 0) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
228 |
usage(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
229 |
return; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
230 |
} |
2 | 231 |
|
232 |
int i=0; |
|
233 |
||
234 |
for (i=0; (i < args.length) && args[i].startsWith("-"); i++) { |
|
235 |
||
236 |
String flags = args[i]; |
|
237 |
/* |
|
238 |
* command modes |
|
239 |
*/ |
|
240 |
if (collator.compare(flags, "-certreq") == 0) { |
|
241 |
command = CERTREQ; |
|
242 |
} else if (collator.compare(flags, "-delete") == 0) { |
|
243 |
command = DELETE; |
|
244 |
} else if (collator.compare(flags, "-export") == 0 || |
|
245 |
collator.compare(flags, "-exportcert") == 0) { |
|
246 |
command = EXPORTCERT; |
|
247 |
} else if (collator.compare(flags, "-genkey") == 0 || |
|
248 |
collator.compare(flags, "-genkeypair") == 0) { |
|
249 |
command = GENKEYPAIR; |
|
250 |
} else if (collator.compare(flags, "-help") == 0) { |
|
251 |
usage(); |
|
252 |
return; |
|
253 |
} else if (collator.compare(flags, "-identitydb") == 0) { // obsolete |
|
254 |
command = IDENTITYDB; |
|
255 |
} else if (collator.compare(flags, "-import") == 0 || |
|
256 |
collator.compare(flags, "-importcert") == 0) { |
|
257 |
command = IMPORTCERT; |
|
258 |
} else if (collator.compare(flags, "-keyclone") == 0) { // obsolete |
|
259 |
command = KEYCLONE; |
|
260 |
} else if (collator.compare(flags, "-changealias") == 0) { |
|
261 |
command = CHANGEALIAS; |
|
262 |
} else if (collator.compare(flags, "-keypasswd") == 0) { |
|
263 |
command = KEYPASSWD; |
|
264 |
} else if (collator.compare(flags, "-list") == 0) { |
|
265 |
command = LIST; |
|
266 |
} else if (collator.compare(flags, "-printcert") == 0) { |
|
267 |
command = PRINTCERT; |
|
268 |
} else if (collator.compare(flags, "-selfcert") == 0) { // obsolete |
|
269 |
command = SELFCERT; |
|
270 |
} else if (collator.compare(flags, "-storepasswd") == 0) { |
|
271 |
command = STOREPASSWD; |
|
272 |
} else if (collator.compare(flags, "-importkeystore") == 0) { |
|
273 |
command = IMPORTKEYSTORE; |
|
274 |
} else if (collator.compare(flags, "-genseckey") == 0) { |
|
275 |
command = GENSECKEY; |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
276 |
} else if (collator.compare(flags, "-gencert") == 0) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
277 |
command = GENCERT; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
278 |
} else if (collator.compare(flags, "-printcertreq") == 0) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
279 |
command = PRINTCERTREQ; |
2 | 280 |
} |
281 |
||
282 |
/* |
|
283 |
* specifiers |
|
284 |
*/ |
|
285 |
else if (collator.compare(flags, "-keystore") == 0 || |
|
286 |
collator.compare(flags, "-destkeystore") == 0) { |
|
287 |
if (++i == args.length) errorNeedArgument(flags); |
|
288 |
ksfname = args[i]; |
|
289 |
} else if (collator.compare(flags, "-storepass") == 0 || |
|
290 |
collator.compare(flags, "-deststorepass") == 0) { |
|
291 |
if (++i == args.length) errorNeedArgument(flags); |
|
292 |
storePass = args[i].toCharArray(); |
|
293 |
passwords.add(storePass); |
|
294 |
} else if (collator.compare(flags, "-storetype") == 0 || |
|
295 |
collator.compare(flags, "-deststoretype") == 0) { |
|
296 |
if (++i == args.length) errorNeedArgument(flags); |
|
297 |
storetype = args[i]; |
|
298 |
} else if (collator.compare(flags, "-srcstorepass") == 0) { |
|
299 |
if (++i == args.length) errorNeedArgument(flags); |
|
300 |
srcstorePass = args[i].toCharArray(); |
|
301 |
passwords.add(srcstorePass); |
|
302 |
} else if (collator.compare(flags, "-srcstoretype") == 0) { |
|
303 |
if (++i == args.length) errorNeedArgument(flags); |
|
304 |
srcstoretype = args[i]; |
|
305 |
} else if (collator.compare(flags, "-srckeypass") == 0) { |
|
306 |
if (++i == args.length) errorNeedArgument(flags); |
|
307 |
srckeyPass = args[i].toCharArray(); |
|
308 |
passwords.add(srckeyPass); |
|
309 |
} else if (collator.compare(flags, "-srcprovidername") == 0) { |
|
310 |
if (++i == args.length) errorNeedArgument(flags); |
|
311 |
srcProviderName = args[i]; |
|
312 |
} else if (collator.compare(flags, "-providername") == 0 || |
|
313 |
collator.compare(flags, "-destprovidername") == 0) { |
|
314 |
if (++i == args.length) errorNeedArgument(flags); |
|
315 |
providerName = args[i]; |
|
316 |
} else if (collator.compare(flags, "-providerpath") == 0) { |
|
317 |
if (++i == args.length) errorNeedArgument(flags); |
|
318 |
pathlist = args[i]; |
|
319 |
} else if (collator.compare(flags, "-keypass") == 0) { |
|
320 |
if (++i == args.length) errorNeedArgument(flags); |
|
321 |
keyPass = args[i].toCharArray(); |
|
322 |
passwords.add(keyPass); |
|
323 |
} else if (collator.compare(flags, "-new") == 0) { |
|
324 |
if (++i == args.length) errorNeedArgument(flags); |
|
325 |
newPass = args[i].toCharArray(); |
|
326 |
passwords.add(newPass); |
|
327 |
} else if (collator.compare(flags, "-destkeypass") == 0) { |
|
328 |
if (++i == args.length) errorNeedArgument(flags); |
|
329 |
destKeyPass = args[i].toCharArray(); |
|
330 |
passwords.add(destKeyPass); |
|
331 |
} else if (collator.compare(flags, "-alias") == 0 || |
|
332 |
collator.compare(flags, "-srcalias") == 0) { |
|
333 |
if (++i == args.length) errorNeedArgument(flags); |
|
334 |
alias = args[i]; |
|
335 |
} else if (collator.compare(flags, "-dest") == 0 || |
|
336 |
collator.compare(flags, "-destalias") == 0) { |
|
337 |
if (++i == args.length) errorNeedArgument(flags); |
|
338 |
dest = args[i]; |
|
339 |
} else if (collator.compare(flags, "-dname") == 0) { |
|
340 |
if (++i == args.length) errorNeedArgument(flags); |
|
341 |
dname = args[i]; |
|
342 |
} else if (collator.compare(flags, "-keysize") == 0) { |
|
343 |
if (++i == args.length) errorNeedArgument(flags); |
|
344 |
keysize = Integer.parseInt(args[i]); |
|
345 |
} else if (collator.compare(flags, "-keyalg") == 0) { |
|
346 |
if (++i == args.length) errorNeedArgument(flags); |
|
347 |
keyAlgName = args[i]; |
|
348 |
} else if (collator.compare(flags, "-sigalg") == 0) { |
|
349 |
if (++i == args.length) errorNeedArgument(flags); |
|
350 |
sigAlgName = args[i]; |
|
351 |
} else if (collator.compare(flags, "-startdate") == 0) { |
|
352 |
if (++i == args.length) errorNeedArgument(flags); |
|
353 |
startDate = args[i]; |
|
354 |
} else if (collator.compare(flags, "-validity") == 0) { |
|
355 |
if (++i == args.length) errorNeedArgument(flags); |
|
356 |
validity = Long.parseLong(args[i]); |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
357 |
} else if (collator.compare(flags, "-ext") == 0) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
358 |
if (++i == args.length) errorNeedArgument(flags); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
359 |
v3ext.add(args[i]); |
2 | 360 |
} else if (collator.compare(flags, "-file") == 0) { |
361 |
if (++i == args.length) errorNeedArgument(flags); |
|
362 |
filename = args[i]; |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
363 |
} else if (collator.compare(flags, "-infile") == 0) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
364 |
if (++i == args.length) errorNeedArgument(flags); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
365 |
infilename = args[i]; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
366 |
} else if (collator.compare(flags, "-outfile") == 0) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
367 |
if (++i == args.length) errorNeedArgument(flags); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
368 |
outfilename = args[i]; |
904
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
369 |
} else if (collator.compare(flags, "-sslserver") == 0) { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
370 |
if (++i == args.length) errorNeedArgument(flags); |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
371 |
sslserver = args[i]; |
2 | 372 |
} else if (collator.compare(flags, "-srckeystore") == 0) { |
373 |
if (++i == args.length) errorNeedArgument(flags); |
|
374 |
srcksfname = args[i]; |
|
375 |
} else if ((collator.compare(flags, "-provider") == 0) || |
|
376 |
(collator.compare(flags, "-providerclass") == 0)) { |
|
377 |
if (++i == args.length) errorNeedArgument(flags); |
|
378 |
if (providers == null) { |
|
379 |
providers = new HashSet<Pair <String, String>> (3); |
|
380 |
} |
|
381 |
String providerClass = args[i]; |
|
382 |
String providerArg = null; |
|
383 |
||
384 |
if (args.length > (i+1)) { |
|
385 |
flags = args[i+1]; |
|
386 |
if (collator.compare(flags, "-providerarg") == 0) { |
|
387 |
if (args.length == (i+2)) errorNeedArgument(flags); |
|
388 |
providerArg = args[i+2]; |
|
389 |
i += 2; |
|
390 |
} |
|
391 |
} |
|
392 |
providers.add( |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
393 |
Pair.of(providerClass, providerArg)); |
2 | 394 |
} |
395 |
||
396 |
/* |
|
397 |
* options |
|
398 |
*/ |
|
399 |
else if (collator.compare(flags, "-v") == 0) { |
|
400 |
verbose = true; |
|
401 |
} else if (collator.compare(flags, "-debug") == 0) { |
|
402 |
debug = true; |
|
403 |
} else if (collator.compare(flags, "-rfc") == 0) { |
|
404 |
rfc = true; |
|
405 |
} else if (collator.compare(flags, "-noprompt") == 0) { |
|
406 |
noprompt = true; |
|
407 |
} else if (collator.compare(flags, "-trustcacerts") == 0) { |
|
408 |
trustcacerts = true; |
|
409 |
} else if (collator.compare(flags, "-protected") == 0 || |
|
410 |
collator.compare(flags, "-destprotected") == 0) { |
|
411 |
protectedPath = true; |
|
412 |
} else if (collator.compare(flags, "-srcprotected") == 0) { |
|
413 |
srcprotectedPath = true; |
|
414 |
} else { |
|
415 |
System.err.println(rb.getString("Illegal option: ") + flags); |
|
416 |
tinyHelp(); |
|
417 |
} |
|
418 |
} |
|
419 |
||
420 |
if (i<args.length) { |
|
421 |
MessageFormat form = new MessageFormat |
|
422 |
(rb.getString("Usage error, <arg> is not a legal command")); |
|
423 |
Object[] source = {args[i]}; |
|
424 |
throw new RuntimeException(form.format(source)); |
|
425 |
} |
|
426 |
||
427 |
if (command == -1) { |
|
428 |
System.err.println(rb.getString("Usage error: no command provided")); |
|
429 |
tinyHelp(); |
|
430 |
} |
|
431 |
} |
|
432 |
||
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
433 |
boolean isKeyStoreRelated(int cmd) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
434 |
return cmd != PRINTCERT && cmd != PRINTCERTREQ; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
435 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
436 |
|
2 | 437 |
/** |
438 |
* Execute the commands. |
|
439 |
*/ |
|
440 |
void doCommands(PrintStream out) throws Exception { |
|
441 |
||
442 |
if (storetype == null) { |
|
443 |
storetype = KeyStore.getDefaultType(); |
|
444 |
} |
|
445 |
storetype = KeyStoreUtil.niceStoreTypeName(storetype); |
|
446 |
||
447 |
if (srcstoretype == null) { |
|
448 |
srcstoretype = KeyStore.getDefaultType(); |
|
449 |
} |
|
450 |
srcstoretype = KeyStoreUtil.niceStoreTypeName(srcstoretype); |
|
451 |
||
452 |
if (P11KEYSTORE.equalsIgnoreCase(storetype) || |
|
453 |
KeyStoreUtil.isWindowsKeyStore(storetype)) { |
|
454 |
token = true; |
|
455 |
if (ksfname == null) { |
|
456 |
ksfname = NONE; |
|
457 |
} |
|
458 |
} |
|
459 |
if (NONE.equals(ksfname)) { |
|
460 |
nullStream = true; |
|
461 |
} |
|
462 |
||
463 |
if (token && !nullStream) { |
|
464 |
System.err.println(MessageFormat.format(rb.getString |
|
465 |
("-keystore must be NONE if -storetype is {0}"), storetype)); |
|
466 |
System.err.println(); |
|
467 |
tinyHelp(); |
|
468 |
} |
|
469 |
||
470 |
if (token && |
|
471 |
(command == KEYPASSWD || command == STOREPASSWD)) { |
|
472 |
throw new UnsupportedOperationException(MessageFormat.format(rb.getString |
|
473 |
("-storepasswd and -keypasswd commands not supported " + |
|
474 |
"if -storetype is {0}"), storetype)); |
|
475 |
} |
|
476 |
||
477 |
if (P12KEYSTORE.equalsIgnoreCase(storetype) && command == KEYPASSWD) { |
|
478 |
throw new UnsupportedOperationException(rb.getString |
|
479 |
("-keypasswd commands not supported " + |
|
480 |
"if -storetype is PKCS12")); |
|
481 |
} |
|
482 |
||
483 |
if (token && (keyPass != null || newPass != null || destKeyPass != null)) { |
|
484 |
throw new IllegalArgumentException(MessageFormat.format(rb.getString |
|
485 |
("-keypass and -new " + |
|
486 |
"can not be specified if -storetype is {0}"), storetype)); |
|
487 |
} |
|
488 |
||
489 |
if (protectedPath) { |
|
490 |
if (storePass != null || keyPass != null || |
|
491 |
newPass != null || destKeyPass != null) { |
|
492 |
throw new IllegalArgumentException(rb.getString |
|
493 |
("if -protected is specified, " + |
|
494 |
"then -storepass, -keypass, and -new " + |
|
495 |
"must not be specified")); |
|
496 |
} |
|
497 |
} |
|
498 |
||
499 |
if (srcprotectedPath) { |
|
500 |
if (srcstorePass != null || srckeyPass != null) { |
|
501 |
throw new IllegalArgumentException(rb.getString |
|
502 |
("if -srcprotected is specified, " + |
|
503 |
"then -srcstorepass and -srckeypass " + |
|
504 |
"must not be specified")); |
|
505 |
} |
|
506 |
} |
|
507 |
||
508 |
if (KeyStoreUtil.isWindowsKeyStore(storetype)) { |
|
509 |
if (storePass != null || keyPass != null || |
|
510 |
newPass != null || destKeyPass != null) { |
|
511 |
throw new IllegalArgumentException(rb.getString |
|
512 |
("if keystore is not password protected, " + |
|
513 |
"then -storepass, -keypass, and -new " + |
|
514 |
"must not be specified")); |
|
515 |
} |
|
516 |
} |
|
517 |
||
518 |
if (KeyStoreUtil.isWindowsKeyStore(srcstoretype)) { |
|
519 |
if (srcstorePass != null || srckeyPass != null) { |
|
520 |
throw new IllegalArgumentException(rb.getString |
|
521 |
("if source keystore is not password protected, " + |
|
522 |
"then -srcstorepass and -srckeypass " + |
|
523 |
"must not be specified")); |
|
524 |
} |
|
525 |
} |
|
526 |
||
527 |
if (validity <= (long)0) { |
|
528 |
throw new Exception |
|
529 |
(rb.getString("Validity must be greater than zero")); |
|
530 |
} |
|
531 |
||
532 |
// Try to load and install specified provider |
|
533 |
if (providers != null) { |
|
534 |
ClassLoader cl = null; |
|
535 |
if (pathlist != null) { |
|
536 |
String path = null; |
|
537 |
path = PathList.appendPath( |
|
538 |
path, System.getProperty("java.class.path")); |
|
539 |
path = PathList.appendPath( |
|
540 |
path, System.getProperty("env.class.path")); |
|
541 |
path = PathList.appendPath(path, pathlist); |
|
542 |
||
543 |
URL[] urls = PathList.pathToURLs(path); |
|
544 |
cl = new URLClassLoader(urls); |
|
545 |
} else { |
|
546 |
cl = ClassLoader.getSystemClassLoader(); |
|
547 |
} |
|
548 |
||
549 |
for (Pair <String, String> provider: providers) { |
|
550 |
String provName = provider.fst; |
|
551 |
Class<?> provClass; |
|
552 |
if (cl != null) { |
|
553 |
provClass = cl.loadClass(provName); |
|
554 |
} else { |
|
555 |
provClass = Class.forName(provName); |
|
556 |
} |
|
557 |
||
558 |
String provArg = provider.snd; |
|
559 |
Object obj; |
|
560 |
if (provArg == null) { |
|
561 |
obj = provClass.newInstance(); |
|
562 |
} else { |
|
563 |
Constructor<?> c = provClass.getConstructor(PARAM_STRING); |
|
564 |
obj = c.newInstance(provArg); |
|
565 |
} |
|
566 |
if (!(obj instanceof Provider)) { |
|
567 |
MessageFormat form = new MessageFormat |
|
568 |
(rb.getString("provName not a provider")); |
|
569 |
Object[] source = {provName}; |
|
570 |
throw new Exception(form.format(source)); |
|
571 |
} |
|
572 |
Security.addProvider((Provider)obj); |
|
573 |
} |
|
574 |
} |
|
575 |
||
576 |
if (command == LIST && verbose && rfc) { |
|
577 |
System.err.println(rb.getString |
|
578 |
("Must not specify both -v and -rfc with 'list' command")); |
|
579 |
tinyHelp(); |
|
580 |
} |
|
581 |
||
582 |
// Make sure provided passwords are at least 6 characters long |
|
583 |
if (command == GENKEYPAIR && keyPass!=null && keyPass.length < 6) { |
|
584 |
throw new Exception(rb.getString |
|
585 |
("Key password must be at least 6 characters")); |
|
586 |
} |
|
587 |
if (newPass != null && newPass.length < 6) { |
|
588 |
throw new Exception(rb.getString |
|
589 |
("New password must be at least 6 characters")); |
|
590 |
} |
|
591 |
if (destKeyPass != null && destKeyPass.length < 6) { |
|
592 |
throw new Exception(rb.getString |
|
593 |
("New password must be at least 6 characters")); |
|
594 |
} |
|
595 |
||
596 |
// Check if keystore exists. |
|
597 |
// If no keystore has been specified at the command line, try to use |
|
598 |
// the default, which is located in $HOME/.keystore. |
|
599 |
// If the command is "genkey", "identitydb", "import", or "printcert", |
|
600 |
// it is OK not to have a keystore. |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
601 |
if (isKeyStoreRelated(command)) { |
2 | 602 |
if (ksfname == null) { |
603 |
ksfname = System.getProperty("user.home") + File.separator |
|
604 |
+ ".keystore"; |
|
605 |
} |
|
606 |
||
607 |
if (!nullStream) { |
|
608 |
try { |
|
609 |
ksfile = new File(ksfname); |
|
610 |
// Check if keystore file is empty |
|
611 |
if (ksfile.exists() && ksfile.length() == 0) { |
|
612 |
throw new Exception(rb.getString |
|
613 |
("Keystore file exists, but is empty: ") + ksfname); |
|
614 |
} |
|
615 |
ksStream = new FileInputStream(ksfile); |
|
616 |
} catch (FileNotFoundException e) { |
|
617 |
if (command != GENKEYPAIR && |
|
618 |
command != GENSECKEY && |
|
619 |
command != IDENTITYDB && |
|
620 |
command != IMPORTCERT && |
|
621 |
command != IMPORTKEYSTORE) { |
|
622 |
throw new Exception(rb.getString |
|
623 |
("Keystore file does not exist: ") + ksfname); |
|
624 |
} |
|
625 |
} |
|
626 |
} |
|
627 |
} |
|
628 |
||
629 |
if ((command == KEYCLONE || command == CHANGEALIAS) |
|
630 |
&& dest == null) { |
|
631 |
dest = getAlias("destination"); |
|
632 |
if ("".equals(dest)) { |
|
633 |
throw new Exception(rb.getString |
|
634 |
("Must specify destination alias")); |
|
635 |
} |
|
636 |
} |
|
637 |
||
638 |
if (command == DELETE && alias == null) { |
|
639 |
alias = getAlias(null); |
|
640 |
if ("".equals(alias)) { |
|
641 |
throw new Exception(rb.getString("Must specify alias")); |
|
642 |
} |
|
643 |
} |
|
644 |
||
645 |
// Create new keystore |
|
646 |
if (providerName == null) { |
|
647 |
keyStore = KeyStore.getInstance(storetype); |
|
648 |
} else { |
|
649 |
keyStore = KeyStore.getInstance(storetype, providerName); |
|
650 |
} |
|
651 |
||
652 |
/* |
|
653 |
* Load the keystore data. |
|
654 |
* |
|
655 |
* At this point, it's OK if no keystore password has been provided. |
|
656 |
* We want to make sure that we can load the keystore data, i.e., |
|
657 |
* the keystore data has the right format. If we cannot load the |
|
658 |
* keystore, why bother asking the user for his or her password? |
|
659 |
* Only if we were able to load the keystore, and no keystore |
|
660 |
* password has been provided, will we prompt the user for the |
|
661 |
* keystore password to verify the keystore integrity. |
|
662 |
* This means that the keystore is loaded twice: first load operation |
|
663 |
* checks the keystore format, second load operation verifies the |
|
664 |
* keystore integrity. |
|
665 |
* |
|
666 |
* If the keystore password has already been provided (at the |
|
667 |
* command line), however, the keystore is loaded only once, and the |
|
668 |
* keystore format and integrity are checked "at the same time". |
|
669 |
* |
|
670 |
* Null stream keystores are loaded later. |
|
671 |
*/ |
|
672 |
if (!nullStream) { |
|
673 |
keyStore.load(ksStream, storePass); |
|
674 |
if (ksStream != null) { |
|
675 |
ksStream.close(); |
|
676 |
} |
|
677 |
} |
|
678 |
||
679 |
// All commands that create or modify the keystore require a keystore |
|
680 |
// password. |
|
681 |
||
682 |
if (nullStream && storePass != null) { |
|
683 |
keyStore.load(null, storePass); |
|
684 |
} else if (!nullStream && storePass != null) { |
|
685 |
// If we are creating a new non nullStream-based keystore, |
|
686 |
// insist that the password be at least 6 characters |
|
687 |
if (ksStream == null && storePass.length < 6) { |
|
688 |
throw new Exception(rb.getString |
|
689 |
("Keystore password must be at least 6 characters")); |
|
690 |
} |
|
691 |
} else if (storePass == null) { |
|
692 |
||
693 |
// only prompt if (protectedPath == false) |
|
694 |
||
695 |
if (!protectedPath && !KeyStoreUtil.isWindowsKeyStore(storetype) && |
|
696 |
(command == CERTREQ || |
|
697 |
command == DELETE || |
|
698 |
command == GENKEYPAIR || |
|
699 |
command == GENSECKEY || |
|
700 |
command == IMPORTCERT || |
|
701 |
command == IMPORTKEYSTORE || |
|
702 |
command == KEYCLONE || |
|
703 |
command == CHANGEALIAS || |
|
704 |
command == SELFCERT || |
|
705 |
command == STOREPASSWD || |
|
706 |
command == KEYPASSWD || |
|
707 |
command == IDENTITYDB)) { |
|
708 |
int count = 0; |
|
709 |
do { |
|
710 |
if (command == IMPORTKEYSTORE) { |
|
711 |
System.err.print |
|
712 |
(rb.getString("Enter destination keystore password: ")); |
|
713 |
} else { |
|
714 |
System.err.print |
|
715 |
(rb.getString("Enter keystore password: ")); |
|
716 |
} |
|
717 |
System.err.flush(); |
|
718 |
storePass = Password.readPassword(System.in); |
|
719 |
passwords.add(storePass); |
|
720 |
||
721 |
// If we are creating a new non nullStream-based keystore, |
|
722 |
// insist that the password be at least 6 characters |
|
723 |
if (!nullStream && (storePass == null || storePass.length < 6)) { |
|
724 |
System.err.println(rb.getString |
|
725 |
("Keystore password is too short - " + |
|
726 |
"must be at least 6 characters")); |
|
727 |
storePass = null; |
|
728 |
} |
|
729 |
||
730 |
// If the keystore file does not exist and needs to be |
|
731 |
// created, the storepass should be prompted twice. |
|
732 |
if (storePass != null && !nullStream && ksStream == null) { |
|
733 |
System.err.print(rb.getString("Re-enter new password: ")); |
|
734 |
char[] storePassAgain = Password.readPassword(System.in); |
|
735 |
passwords.add(storePassAgain); |
|
736 |
if (!Arrays.equals(storePass, storePassAgain)) { |
|
737 |
System.err.println |
|
738 |
(rb.getString("They don't match. Try again")); |
|
739 |
storePass = null; |
|
740 |
} |
|
741 |
} |
|
742 |
||
743 |
count++; |
|
744 |
} while ((storePass == null) && count < 3); |
|
745 |
||
746 |
||
747 |
if (storePass == null) { |
|
748 |
System.err.println |
|
749 |
(rb.getString("Too many failures - try later")); |
|
750 |
return; |
|
751 |
} |
|
752 |
} else if (!protectedPath |
|
753 |
&& !KeyStoreUtil.isWindowsKeyStore(storetype) |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
754 |
&& isKeyStoreRelated(command)) { |
2 | 755 |
// here we have EXPORTCERT and LIST (info valid until STOREPASSWD) |
756 |
System.err.print(rb.getString("Enter keystore password: ")); |
|
757 |
System.err.flush(); |
|
758 |
storePass = Password.readPassword(System.in); |
|
759 |
passwords.add(storePass); |
|
760 |
} |
|
761 |
||
762 |
// Now load a nullStream-based keystore, |
|
763 |
// or verify the integrity of an input stream-based keystore |
|
764 |
if (nullStream) { |
|
765 |
keyStore.load(null, storePass); |
|
766 |
} else if (ksStream != null) { |
|
767 |
ksStream = new FileInputStream(ksfile); |
|
768 |
keyStore.load(ksStream, storePass); |
|
769 |
ksStream.close(); |
|
770 |
} |
|
771 |
} |
|
772 |
||
773 |
if (storePass != null && P12KEYSTORE.equalsIgnoreCase(storetype)) { |
|
774 |
MessageFormat form = new MessageFormat(rb.getString( |
|
775 |
"Warning: Different store and key passwords not supported " + |
|
776 |
"for PKCS12 KeyStores. Ignoring user-specified <command> value.")); |
|
777 |
if (keyPass != null && !Arrays.equals(storePass, keyPass)) { |
|
778 |
Object[] source = {"-keypass"}; |
|
779 |
System.err.println(form.format(source)); |
|
780 |
keyPass = storePass; |
|
781 |
} |
|
782 |
if (newPass != null && !Arrays.equals(storePass, newPass)) { |
|
783 |
Object[] source = {"-new"}; |
|
784 |
System.err.println(form.format(source)); |
|
785 |
newPass = storePass; |
|
786 |
} |
|
787 |
if (destKeyPass != null && !Arrays.equals(storePass, destKeyPass)) { |
|
788 |
Object[] source = {"-destkeypass"}; |
|
789 |
System.err.println(form.format(source)); |
|
790 |
destKeyPass = storePass; |
|
791 |
} |
|
792 |
} |
|
793 |
||
794 |
// Create a certificate factory |
|
795 |
if (command == PRINTCERT || command == IMPORTCERT |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
796 |
|| command == IDENTITYDB) { |
2 | 797 |
cf = CertificateFactory.getInstance("X509"); |
798 |
} |
|
799 |
||
800 |
if (trustcacerts) { |
|
801 |
caks = getCacertsKeyStore(); |
|
802 |
} |
|
803 |
||
804 |
// Perform the specified command |
|
805 |
if (command == CERTREQ) { |
|
806 |
PrintStream ps = null; |
|
807 |
if (filename != null) { |
|
808 |
ps = new PrintStream(new FileOutputStream |
|
809 |
(filename)); |
|
810 |
out = ps; |
|
811 |
} |
|
812 |
try { |
|
813 |
doCertReq(alias, sigAlgName, out); |
|
814 |
} finally { |
|
815 |
if (ps != null) { |
|
816 |
ps.close(); |
|
817 |
} |
|
818 |
} |
|
819 |
if (verbose && filename != null) { |
|
820 |
MessageFormat form = new MessageFormat(rb.getString |
|
821 |
("Certification request stored in file <filename>")); |
|
822 |
Object[] source = {filename}; |
|
823 |
System.err.println(form.format(source)); |
|
824 |
System.err.println(rb.getString("Submit this to your CA")); |
|
825 |
} |
|
826 |
} else if (command == DELETE) { |
|
827 |
doDeleteEntry(alias); |
|
828 |
kssave = true; |
|
829 |
} else if (command == EXPORTCERT) { |
|
830 |
PrintStream ps = null; |
|
831 |
if (filename != null) { |
|
832 |
ps = new PrintStream(new FileOutputStream |
|
833 |
(filename)); |
|
834 |
out = ps; |
|
835 |
} |
|
836 |
try { |
|
837 |
doExportCert(alias, out); |
|
838 |
} finally { |
|
839 |
if (ps != null) { |
|
840 |
ps.close(); |
|
841 |
} |
|
842 |
} |
|
843 |
if (filename != null) { |
|
844 |
MessageFormat form = new MessageFormat(rb.getString |
|
845 |
("Certificate stored in file <filename>")); |
|
846 |
Object[] source = {filename}; |
|
847 |
System.err.println(form.format(source)); |
|
848 |
} |
|
849 |
} else if (command == GENKEYPAIR) { |
|
850 |
if (keyAlgName == null) { |
|
851 |
keyAlgName = "DSA"; |
|
852 |
} |
|
853 |
doGenKeyPair(alias, dname, keyAlgName, keysize, sigAlgName); |
|
854 |
kssave = true; |
|
855 |
} else if (command == GENSECKEY) { |
|
856 |
if (keyAlgName == null) { |
|
857 |
keyAlgName = "DES"; |
|
858 |
} |
|
859 |
doGenSecretKey(alias, keyAlgName, keysize); |
|
860 |
kssave = true; |
|
861 |
} else if (command == IDENTITYDB) { |
|
862 |
InputStream inStream = System.in; |
|
863 |
if (filename != null) { |
|
864 |
inStream = new FileInputStream(filename); |
|
865 |
} |
|
866 |
try { |
|
867 |
doImportIdentityDatabase(inStream); |
|
868 |
} finally { |
|
869 |
if (inStream != System.in) { |
|
870 |
inStream.close(); |
|
871 |
} |
|
872 |
} |
|
873 |
} else if (command == IMPORTCERT) { |
|
874 |
InputStream inStream = System.in; |
|
875 |
if (filename != null) { |
|
876 |
inStream = new FileInputStream(filename); |
|
877 |
} |
|
2289
99207c64bf80
6819272: keytool -importcert should read the whole input
weijun
parents:
2179
diff
changeset
|
878 |
// Read the full stream before feeding to X509Factory, |
99207c64bf80
6819272: keytool -importcert should read the whole input
weijun
parents:
2179
diff
changeset
|
879 |
// otherwise, keytool -gencert | keytool -importcert |
99207c64bf80
6819272: keytool -importcert should read the whole input
weijun
parents:
2179
diff
changeset
|
880 |
// might not work properly, since -gencert is slow |
99207c64bf80
6819272: keytool -importcert should read the whole input
weijun
parents:
2179
diff
changeset
|
881 |
// and there's no data in the pipe at the beginning. |
99207c64bf80
6819272: keytool -importcert should read the whole input
weijun
parents:
2179
diff
changeset
|
882 |
ByteArrayOutputStream bout = new ByteArrayOutputStream(); |
99207c64bf80
6819272: keytool -importcert should read the whole input
weijun
parents:
2179
diff
changeset
|
883 |
byte[] b = new byte[4096]; |
99207c64bf80
6819272: keytool -importcert should read the whole input
weijun
parents:
2179
diff
changeset
|
884 |
while (true) { |
99207c64bf80
6819272: keytool -importcert should read the whole input
weijun
parents:
2179
diff
changeset
|
885 |
int len = inStream.read(b); |
99207c64bf80
6819272: keytool -importcert should read the whole input
weijun
parents:
2179
diff
changeset
|
886 |
if (len < 0) break; |
99207c64bf80
6819272: keytool -importcert should read the whole input
weijun
parents:
2179
diff
changeset
|
887 |
bout.write(b, 0, len); |
99207c64bf80
6819272: keytool -importcert should read the whole input
weijun
parents:
2179
diff
changeset
|
888 |
} |
99207c64bf80
6819272: keytool -importcert should read the whole input
weijun
parents:
2179
diff
changeset
|
889 |
inStream = new ByteArrayInputStream(bout.toByteArray()); |
2 | 890 |
try { |
891 |
String importAlias = (alias!=null)?alias:keyAlias; |
|
892 |
if (keyStore.entryInstanceOf(importAlias, KeyStore.PrivateKeyEntry.class)) { |
|
893 |
kssave = installReply(importAlias, inStream); |
|
894 |
if (kssave) { |
|
895 |
System.err.println(rb.getString |
|
896 |
("Certificate reply was installed in keystore")); |
|
897 |
} else { |
|
898 |
System.err.println(rb.getString |
|
899 |
("Certificate reply was not installed in keystore")); |
|
900 |
} |
|
901 |
} else if (!keyStore.containsAlias(importAlias) || |
|
902 |
keyStore.entryInstanceOf(importAlias, |
|
903 |
KeyStore.TrustedCertificateEntry.class)) { |
|
904 |
kssave = addTrustedCert(importAlias, inStream); |
|
905 |
if (kssave) { |
|
906 |
System.err.println(rb.getString |
|
907 |
("Certificate was added to keystore")); |
|
908 |
} else { |
|
909 |
System.err.println(rb.getString |
|
910 |
("Certificate was not added to keystore")); |
|
911 |
} |
|
912 |
} |
|
913 |
} finally { |
|
914 |
if (inStream != System.in) { |
|
915 |
inStream.close(); |
|
916 |
} |
|
917 |
} |
|
918 |
} else if (command == IMPORTKEYSTORE) { |
|
919 |
doImportKeyStore(); |
|
920 |
kssave = true; |
|
921 |
} else if (command == KEYCLONE) { |
|
922 |
keyPassNew = newPass; |
|
923 |
||
924 |
// added to make sure only key can go thru |
|
925 |
if (alias == null) { |
|
926 |
alias = keyAlias; |
|
927 |
} |
|
928 |
if (keyStore.containsAlias(alias) == false) { |
|
929 |
MessageFormat form = new MessageFormat |
|
930 |
(rb.getString("Alias <alias> does not exist")); |
|
931 |
Object[] source = {alias}; |
|
932 |
throw new Exception(form.format(source)); |
|
933 |
} |
|
934 |
if (!keyStore.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) { |
|
935 |
MessageFormat form = new MessageFormat(rb.getString( |
|
936 |
"Alias <alias> references an entry type that is not a private key entry. " + |
|
937 |
"The -keyclone command only supports cloning of private key entries")); |
|
938 |
Object[] source = {alias}; |
|
939 |
throw new Exception(form.format(source)); |
|
940 |
} |
|
941 |
||
942 |
doCloneEntry(alias, dest, true); // Now everything can be cloned |
|
943 |
kssave = true; |
|
944 |
} else if (command == CHANGEALIAS) { |
|
945 |
if (alias == null) { |
|
946 |
alias = keyAlias; |
|
947 |
} |
|
948 |
doCloneEntry(alias, dest, false); |
|
949 |
// in PKCS11, clone a PrivateKeyEntry will delete the old one |
|
950 |
if (keyStore.containsAlias(alias)) { |
|
951 |
doDeleteEntry(alias); |
|
952 |
} |
|
953 |
kssave = true; |
|
954 |
} else if (command == KEYPASSWD) { |
|
955 |
keyPassNew = newPass; |
|
956 |
doChangeKeyPasswd(alias); |
|
957 |
kssave = true; |
|
958 |
} else if (command == LIST) { |
|
959 |
if (alias != null) { |
|
960 |
doPrintEntry(alias, out, true); |
|
961 |
} else { |
|
962 |
doPrintEntries(out); |
|
963 |
} |
|
964 |
} else if (command == PRINTCERT) { |
|
904
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
965 |
doPrintCert(out); |
2 | 966 |
} else if (command == SELFCERT) { |
967 |
doSelfCert(alias, dname, sigAlgName); |
|
968 |
kssave = true; |
|
969 |
} else if (command == STOREPASSWD) { |
|
970 |
storePassNew = newPass; |
|
971 |
if (storePassNew == null) { |
|
972 |
storePassNew = getNewPasswd("keystore password", storePass); |
|
973 |
} |
|
974 |
kssave = true; |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
975 |
} else if (command == GENCERT) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
976 |
if (alias == null) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
977 |
alias = keyAlias; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
978 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
979 |
InputStream inStream = System.in; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
980 |
if (infilename != null) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
981 |
inStream = new FileInputStream(infilename); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
982 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
983 |
PrintStream ps = null; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
984 |
if (outfilename != null) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
985 |
ps = new PrintStream(new FileOutputStream(outfilename)); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
986 |
out = ps; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
987 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
988 |
try { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
989 |
doGenCert(alias, sigAlgName, inStream, out); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
990 |
} finally { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
991 |
if (inStream != System.in) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
992 |
inStream.close(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
993 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
994 |
if (ps != null) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
995 |
ps.close(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
996 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
997 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
998 |
} else if (command == PRINTCERTREQ) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
999 |
InputStream inStream = System.in; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1000 |
if (filename != null) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1001 |
inStream = new FileInputStream(filename); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1002 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1003 |
try { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1004 |
doPrintCertReq(inStream, out); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1005 |
} finally { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1006 |
if (inStream != System.in) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1007 |
inStream.close(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1008 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1009 |
} |
2 | 1010 |
} |
1011 |
||
1012 |
// If we need to save the keystore, do so. |
|
1013 |
if (kssave) { |
|
1014 |
if (verbose) { |
|
1015 |
MessageFormat form = new MessageFormat |
|
1016 |
(rb.getString("[Storing ksfname]")); |
|
1017 |
Object[] source = {nullStream ? "keystore" : ksfname}; |
|
1018 |
System.err.println(form.format(source)); |
|
1019 |
} |
|
1020 |
||
1021 |
if (token) { |
|
1022 |
keyStore.store(null, null); |
|
1023 |
} else { |
|
1024 |
FileOutputStream fout = null; |
|
1025 |
try { |
|
1026 |
fout = (nullStream ? |
|
1027 |
(FileOutputStream)null : |
|
1028 |
new FileOutputStream(ksfname)); |
|
1029 |
keyStore.store |
|
1030 |
(fout, |
|
1031 |
(storePassNew!=null) ? storePassNew : storePass); |
|
1032 |
} finally { |
|
1033 |
if (fout != null) { |
|
1034 |
fout.close(); |
|
1035 |
} |
|
1036 |
} |
|
1037 |
} |
|
1038 |
} |
|
1039 |
} |
|
1040 |
||
1041 |
/** |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1042 |
* Generate a certificate: Read PKCS10 request from in, and print |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1043 |
* certificate to out. Use alias as CA, sigAlgName as the signature |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1044 |
* type. |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1045 |
*/ |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1046 |
private void doGenCert(String alias, String sigAlgName, InputStream in, PrintStream out) |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1047 |
throws Exception { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1048 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1049 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1050 |
Certificate signerCert = keyStore.getCertificate(alias); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1051 |
byte[] encoded = signerCert.getEncoded(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1052 |
X509CertImpl signerCertImpl = new X509CertImpl(encoded); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1053 |
X509CertInfo signerCertInfo = (X509CertInfo)signerCertImpl.get( |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1054 |
X509CertImpl.NAME + "." + X509CertImpl.INFO); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1055 |
X500Name owner = (X500Name)signerCertInfo.get(X509CertInfo.SUBJECT + "." + |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1056 |
CertificateSubjectName.DN_NAME); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1057 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1058 |
Date firstDate = getStartDate(startDate); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1059 |
Date lastDate = new Date(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1060 |
lastDate.setTime(firstDate.getTime() + validity*1000L*24L*60L*60L); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1061 |
CertificateValidity interval = new CertificateValidity(firstDate, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1062 |
lastDate); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1063 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1064 |
PrivateKey privateKey = (PrivateKey)recoverKey(alias, storePass, keyPass).fst; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1065 |
if (sigAlgName == null) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1066 |
sigAlgName = getCompatibleSigAlgName(privateKey.getAlgorithm()); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1067 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1068 |
Signature signature = Signature.getInstance(sigAlgName); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1069 |
signature.initSign(privateKey); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1070 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1071 |
X500Signer signer = new X500Signer(signature, owner); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1072 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1073 |
X509CertInfo info = new X509CertInfo(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1074 |
info.set(X509CertInfo.VALIDITY, interval); |
2293
cb6d01cb3c3d
6820606: keytool can generate serialno more randomly
weijun
parents:
2289
diff
changeset
|
1075 |
info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber( |
cb6d01cb3c3d
6820606: keytool can generate serialno more randomly
weijun
parents:
2289
diff
changeset
|
1076 |
new java.util.Random().nextInt() & 0x7fffffff)); |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1077 |
info.set(X509CertInfo.VERSION, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1078 |
new CertificateVersion(CertificateVersion.V3)); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1079 |
info.set(X509CertInfo.ALGORITHM_ID, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1080 |
new CertificateAlgorithmId(signer.getAlgorithmId())); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1081 |
info.set(X509CertInfo.ISSUER, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1082 |
new CertificateIssuerName(signer.getSigner())); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1083 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1084 |
BufferedReader reader = new BufferedReader(new InputStreamReader(in)); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1085 |
boolean canRead = false; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1086 |
StringBuffer sb = new StringBuffer(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1087 |
while (true) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1088 |
String s = reader.readLine(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1089 |
if (s == null) break; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1090 |
// OpenSSL does not use NEW |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1091 |
//if (s.startsWith("-----BEGIN NEW CERTIFICATE REQUEST-----")) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1092 |
if (s.startsWith("-----BEGIN") && s.indexOf("REQUEST") >= 0) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1093 |
canRead = true; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1094 |
//} else if (s.startsWith("-----END NEW CERTIFICATE REQUEST-----")) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1095 |
} else if (s.startsWith("-----END") && s.indexOf("REQUEST") >= 0) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1096 |
break; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1097 |
} else if (canRead) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1098 |
sb.append(s); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1099 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1100 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1101 |
byte[] rawReq = new BASE64Decoder().decodeBuffer(new String(sb)); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1102 |
PKCS10 req = new PKCS10(rawReq); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1103 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1104 |
info.set(X509CertInfo.KEY, new CertificateX509Key(req.getSubjectPublicKeyInfo())); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1105 |
info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(req.getSubjectName())); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1106 |
CertificateExtensions reqex = null; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1107 |
Iterator<PKCS10Attribute> attrs = req.getAttributes().getAttributes().iterator(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1108 |
while (attrs.hasNext()) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1109 |
PKCS10Attribute attr = attrs.next(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1110 |
if (attr.getAttributeId().equals(PKCS9Attribute.EXTENSION_REQUEST_OID)) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1111 |
reqex = (CertificateExtensions)attr.getAttributeValue(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1112 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1113 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1114 |
CertificateExtensions ext = createV3Extensions( |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1115 |
reqex, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1116 |
null, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1117 |
v3ext, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1118 |
req.getSubjectPublicKeyInfo(), |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1119 |
signerCert.getPublicKey()); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1120 |
info.set(X509CertInfo.EXTENSIONS, ext); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1121 |
X509CertImpl cert = new X509CertImpl(info); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1122 |
cert.sign(privateKey, sigAlgName); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1123 |
dumpCert(cert, out); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1124 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1125 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1126 |
/** |
2 | 1127 |
* Creates a PKCS#10 cert signing request, corresponding to the |
1128 |
* keys (and name) associated with a given alias. |
|
1129 |
*/ |
|
1130 |
private void doCertReq(String alias, String sigAlgName, PrintStream out) |
|
1131 |
throws Exception |
|
1132 |
{ |
|
1133 |
if (alias == null) { |
|
1134 |
alias = keyAlias; |
|
1135 |
} |
|
1136 |
||
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1137 |
Pair<Key,char[]> objs = recoverKey(alias, storePass, keyPass); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1138 |
PrivateKey privKey = (PrivateKey)objs.fst; |
2 | 1139 |
if (keyPass == null) { |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1140 |
keyPass = objs.snd; |
2 | 1141 |
} |
1142 |
||
1143 |
Certificate cert = keyStore.getCertificate(alias); |
|
1144 |
if (cert == null) { |
|
1145 |
MessageFormat form = new MessageFormat |
|
1146 |
(rb.getString("alias has no public key (certificate)")); |
|
1147 |
Object[] source = {alias}; |
|
1148 |
throw new Exception(form.format(source)); |
|
1149 |
} |
|
1150 |
PKCS10 request = new PKCS10(cert.getPublicKey()); |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1151 |
CertificateExtensions ext = createV3Extensions(null, null, v3ext, cert.getPublicKey(), null); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1152 |
// Attribute name is not significant |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1153 |
request.getAttributes().setAttribute(X509CertInfo.EXTENSIONS, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1154 |
new PKCS10Attribute(PKCS9Attribute.EXTENSION_REQUEST_OID, ext)); |
2 | 1155 |
|
1156 |
// Construct an X500Signer object, so that we can sign the request |
|
1157 |
if (sigAlgName == null) { |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1158 |
sigAlgName = getCompatibleSigAlgName(privKey.getAlgorithm()); |
2 | 1159 |
} |
1160 |
||
1161 |
Signature signature = Signature.getInstance(sigAlgName); |
|
1162 |
signature.initSign(privKey); |
|
1163 |
X500Name subject = |
|
1164 |
new X500Name(((X509Certificate)cert).getSubjectDN().toString()); |
|
1165 |
X500Signer signer = new X500Signer(signature, subject); |
|
1166 |
||
1167 |
// Sign the request and base-64 encode it |
|
1168 |
request.encodeAndSign(signer); |
|
1169 |
request.print(out); |
|
1170 |
} |
|
1171 |
||
1172 |
/** |
|
1173 |
* Deletes an entry from the keystore. |
|
1174 |
*/ |
|
1175 |
private void doDeleteEntry(String alias) throws Exception { |
|
1176 |
if (keyStore.containsAlias(alias) == false) { |
|
1177 |
MessageFormat form = new MessageFormat |
|
1178 |
(rb.getString("Alias <alias> does not exist")); |
|
1179 |
Object[] source = {alias}; |
|
1180 |
throw new Exception(form.format(source)); |
|
1181 |
} |
|
1182 |
keyStore.deleteEntry(alias); |
|
1183 |
} |
|
1184 |
||
1185 |
/** |
|
1186 |
* Exports a certificate from the keystore. |
|
1187 |
*/ |
|
1188 |
private void doExportCert(String alias, PrintStream out) |
|
1189 |
throws Exception |
|
1190 |
{ |
|
1191 |
if (storePass == null |
|
1192 |
&& !KeyStoreUtil.isWindowsKeyStore(storetype)) { |
|
1193 |
printWarning(); |
|
1194 |
} |
|
1195 |
if (alias == null) { |
|
1196 |
alias = keyAlias; |
|
1197 |
} |
|
1198 |
if (keyStore.containsAlias(alias) == false) { |
|
1199 |
MessageFormat form = new MessageFormat |
|
1200 |
(rb.getString("Alias <alias> does not exist")); |
|
1201 |
Object[] source = {alias}; |
|
1202 |
throw new Exception(form.format(source)); |
|
1203 |
} |
|
1204 |
||
1205 |
X509Certificate cert = (X509Certificate)keyStore.getCertificate(alias); |
|
1206 |
if (cert == null) { |
|
1207 |
MessageFormat form = new MessageFormat |
|
1208 |
(rb.getString("Alias <alias> has no certificate")); |
|
1209 |
Object[] source = {alias}; |
|
1210 |
throw new Exception(form.format(source)); |
|
1211 |
} |
|
1212 |
dumpCert(cert, out); |
|
1213 |
} |
|
1214 |
||
1215 |
/** |
|
1216 |
* Prompt the user for a keypass when generating a key entry. |
|
1217 |
* @param alias the entry we will set password for |
|
1218 |
* @param orig the original entry of doing a dup, null if generate new |
|
1219 |
* @param origPass the password to copy from if user press ENTER |
|
1220 |
*/ |
|
1221 |
private char[] promptForKeyPass(String alias, String orig, char[] origPass) throws Exception{ |
|
1222 |
if (P12KEYSTORE.equalsIgnoreCase(storetype)) { |
|
1223 |
return origPass; |
|
1224 |
} else if (!token) { |
|
1225 |
// Prompt for key password |
|
1226 |
int count; |
|
1227 |
for (count = 0; count < 3; count++) { |
|
1228 |
MessageFormat form = new MessageFormat(rb.getString |
|
1229 |
("Enter key password for <alias>")); |
|
1230 |
Object[] source = {alias}; |
|
1231 |
System.err.println(form.format(source)); |
|
1232 |
if (orig == null) { |
|
1233 |
System.err.print(rb.getString |
|
1234 |
("\t(RETURN if same as keystore password): ")); |
|
1235 |
} else { |
|
1236 |
form = new MessageFormat(rb.getString |
|
1237 |
("\t(RETURN if same as for <otherAlias>)")); |
|
1238 |
Object[] src = {orig}; |
|
1239 |
System.err.print(form.format(src)); |
|
1240 |
} |
|
1241 |
System.err.flush(); |
|
1242 |
char[] entered = Password.readPassword(System.in); |
|
1243 |
passwords.add(entered); |
|
1244 |
if (entered == null) { |
|
1245 |
return origPass; |
|
1246 |
} else if (entered.length >= 6) { |
|
1247 |
System.err.print(rb.getString("Re-enter new password: ")); |
|
1248 |
char[] passAgain = Password.readPassword(System.in); |
|
1249 |
passwords.add(passAgain); |
|
1250 |
if (!Arrays.equals(entered, passAgain)) { |
|
1251 |
System.err.println |
|
1252 |
(rb.getString("They don't match. Try again")); |
|
1253 |
continue; |
|
1254 |
} |
|
1255 |
return entered; |
|
1256 |
} else { |
|
1257 |
System.err.println(rb.getString |
|
1258 |
("Key password is too short - must be at least 6 characters")); |
|
1259 |
} |
|
1260 |
} |
|
1261 |
if (count == 3) { |
|
1262 |
if (command == KEYCLONE) { |
|
1263 |
throw new Exception(rb.getString |
|
1264 |
("Too many failures. Key entry not cloned")); |
|
1265 |
} else { |
|
1266 |
throw new Exception(rb.getString |
|
1267 |
("Too many failures - key not added to keystore")); |
|
1268 |
} |
|
1269 |
} |
|
1270 |
} |
|
1271 |
return null; // PKCS11 |
|
1272 |
} |
|
1273 |
/** |
|
1274 |
* Creates a new secret key. |
|
1275 |
*/ |
|
1276 |
private void doGenSecretKey(String alias, String keyAlgName, |
|
1277 |
int keysize) |
|
1278 |
throws Exception |
|
1279 |
{ |
|
1280 |
if (alias == null) { |
|
1281 |
alias = keyAlias; |
|
1282 |
} |
|
1283 |
if (keyStore.containsAlias(alias)) { |
|
1284 |
MessageFormat form = new MessageFormat(rb.getString |
|
1285 |
("Secret key not generated, alias <alias> already exists")); |
|
1286 |
Object[] source = {alias}; |
|
1287 |
throw new Exception(form.format(source)); |
|
1288 |
} |
|
1289 |
||
1290 |
SecretKey secKey = null; |
|
1291 |
KeyGenerator keygen = KeyGenerator.getInstance(keyAlgName); |
|
1292 |
if (keysize != -1) { |
|
1293 |
keygen.init(keysize); |
|
1294 |
} else if ("DES".equalsIgnoreCase(keyAlgName)) { |
|
1295 |
keygen.init(56); |
|
1296 |
} else if ("DESede".equalsIgnoreCase(keyAlgName)) { |
|
1297 |
keygen.init(168); |
|
1298 |
} else { |
|
1299 |
throw new Exception(rb.getString |
|
1300 |
("Please provide -keysize for secret key generation")); |
|
1301 |
} |
|
1302 |
||
1303 |
secKey = keygen.generateKey(); |
|
1304 |
if (keyPass == null) { |
|
1305 |
keyPass = promptForKeyPass(alias, null, storePass); |
|
1306 |
} |
|
1307 |
keyStore.setKeyEntry(alias, secKey, keyPass, null); |
|
1308 |
} |
|
1309 |
||
1310 |
/** |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1311 |
* If no signature algorithm was specified at the command line, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1312 |
* we choose one that is compatible with the selected private key |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1313 |
*/ |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1314 |
private static String getCompatibleSigAlgName(String keyAlgName) |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1315 |
throws Exception { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1316 |
if ("DSA".equalsIgnoreCase(keyAlgName)) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1317 |
return "SHA1WithDSA"; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1318 |
} else if ("RSA".equalsIgnoreCase(keyAlgName)) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1319 |
return "SHA1WithRSA"; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1320 |
} else if ("EC".equalsIgnoreCase(keyAlgName)) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1321 |
return "SHA1withECDSA"; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1322 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1323 |
throw new Exception(rb.getString |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1324 |
("Cannot derive signature algorithm")); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1325 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1326 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1327 |
/** |
2 | 1328 |
* Creates a new key pair and self-signed certificate. |
1329 |
*/ |
|
1330 |
private void doGenKeyPair(String alias, String dname, String keyAlgName, |
|
1331 |
int keysize, String sigAlgName) |
|
1332 |
throws Exception |
|
1333 |
{ |
|
1334 |
if (keysize == -1) { |
|
1335 |
if ("EC".equalsIgnoreCase(keyAlgName)) { |
|
1336 |
keysize = 256; |
|
1337 |
} else { |
|
1338 |
keysize = 1024; |
|
1339 |
} |
|
1340 |
} |
|
1341 |
||
1342 |
if (alias == null) { |
|
1343 |
alias = keyAlias; |
|
1344 |
} |
|
1345 |
||
1346 |
if (keyStore.containsAlias(alias)) { |
|
1347 |
MessageFormat form = new MessageFormat(rb.getString |
|
1348 |
("Key pair not generated, alias <alias> already exists")); |
|
1349 |
Object[] source = {alias}; |
|
1350 |
throw new Exception(form.format(source)); |
|
1351 |
} |
|
1352 |
||
1353 |
if (sigAlgName == null) { |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1354 |
sigAlgName = getCompatibleSigAlgName(keyAlgName); |
2 | 1355 |
} |
1356 |
CertAndKeyGen keypair = |
|
1357 |
new CertAndKeyGen(keyAlgName, sigAlgName, providerName); |
|
1358 |
||
1359 |
||
1360 |
// If DN is provided, parse it. Otherwise, prompt the user for it. |
|
1361 |
X500Name x500Name; |
|
1362 |
if (dname == null) { |
|
1363 |
x500Name = getX500Name(); |
|
1364 |
} else { |
|
1365 |
x500Name = new X500Name(dname); |
|
1366 |
} |
|
1367 |
||
1368 |
keypair.generate(keysize); |
|
1369 |
PrivateKey privKey = keypair.getPrivateKey(); |
|
1370 |
||
1371 |
X509Certificate[] chain = new X509Certificate[1]; |
|
1372 |
chain[0] = keypair.getSelfCertificate( |
|
1373 |
x500Name, getStartDate(startDate), validity*24L*60L*60L); |
|
1374 |
||
1375 |
if (verbose) { |
|
1376 |
MessageFormat form = new MessageFormat(rb.getString |
|
1377 |
("Generating keysize bit keyAlgName key pair and self-signed certificate " + |
|
1378 |
"(sigAlgName) with a validity of validality days\n\tfor: x500Name")); |
|
1379 |
Object[] source = {new Integer(keysize), |
|
1380 |
privKey.getAlgorithm(), |
|
1381 |
chain[0].getSigAlgName(), |
|
1382 |
new Long(validity), |
|
1383 |
x500Name}; |
|
1384 |
System.err.println(form.format(source)); |
|
1385 |
} |
|
1386 |
||
1387 |
if (keyPass == null) { |
|
1388 |
keyPass = promptForKeyPass(alias, null, storePass); |
|
1389 |
} |
|
1390 |
keyStore.setKeyEntry(alias, privKey, keyPass, chain); |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1391 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1392 |
// resign so that -ext are applied. |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1393 |
doSelfCert(alias, null, sigAlgName); |
2 | 1394 |
} |
1395 |
||
1396 |
/** |
|
1397 |
* Clones an entry |
|
1398 |
* @param orig original alias |
|
1399 |
* @param dest destination alias |
|
1400 |
* @changePassword if the password can be changed |
|
1401 |
*/ |
|
1402 |
private void doCloneEntry(String orig, String dest, boolean changePassword) |
|
1403 |
throws Exception |
|
1404 |
{ |
|
1405 |
if (orig == null) { |
|
1406 |
orig = keyAlias; |
|
1407 |
} |
|
1408 |
||
1409 |
if (keyStore.containsAlias(dest)) { |
|
1410 |
MessageFormat form = new MessageFormat |
|
1411 |
(rb.getString("Destination alias <dest> already exists")); |
|
1412 |
Object[] source = {dest}; |
|
1413 |
throw new Exception(form.format(source)); |
|
1414 |
} |
|
1415 |
||
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1416 |
Pair<Entry,char[]> objs = recoverEntry(keyStore, orig, storePass, keyPass); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1417 |
Entry entry = objs.fst; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1418 |
keyPass = objs.snd; |
2 | 1419 |
|
1420 |
PasswordProtection pp = null; |
|
1421 |
||
1422 |
if (keyPass != null) { // protected |
|
1423 |
if (!changePassword || P12KEYSTORE.equalsIgnoreCase(storetype)) { |
|
1424 |
keyPassNew = keyPass; |
|
1425 |
} else { |
|
1426 |
if (keyPassNew == null) { |
|
1427 |
keyPassNew = promptForKeyPass(dest, orig, keyPass); |
|
1428 |
} |
|
1429 |
} |
|
1430 |
pp = new PasswordProtection(keyPassNew); |
|
1431 |
} |
|
1432 |
keyStore.setEntry(dest, entry, pp); |
|
1433 |
} |
|
1434 |
||
1435 |
/** |
|
1436 |
* Changes a key password. |
|
1437 |
*/ |
|
1438 |
private void doChangeKeyPasswd(String alias) throws Exception |
|
1439 |
{ |
|
1440 |
||
1441 |
if (alias == null) { |
|
1442 |
alias = keyAlias; |
|
1443 |
} |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1444 |
Pair<Key,char[]> objs = recoverKey(alias, storePass, keyPass); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1445 |
Key privKey = objs.fst; |
2 | 1446 |
if (keyPass == null) { |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1447 |
keyPass = objs.snd; |
2 | 1448 |
} |
1449 |
||
1450 |
if (keyPassNew == null) { |
|
1451 |
MessageFormat form = new MessageFormat |
|
1452 |
(rb.getString("key password for <alias>")); |
|
1453 |
Object[] source = {alias}; |
|
1454 |
keyPassNew = getNewPasswd(form.format(source), keyPass); |
|
1455 |
} |
|
1456 |
keyStore.setKeyEntry(alias, privKey, keyPassNew, |
|
1457 |
keyStore.getCertificateChain(alias)); |
|
1458 |
} |
|
1459 |
||
1460 |
/** |
|
1461 |
* Imports a JDK 1.1-style identity database. We can only store one |
|
1462 |
* certificate per identity, because we use the identity's name as the |
|
1463 |
* alias (which references a keystore entry), and aliases must be unique. |
|
1464 |
*/ |
|
1465 |
private void doImportIdentityDatabase(InputStream in) |
|
1466 |
throws Exception |
|
1467 |
{ |
|
1468 |
byte[] encoded; |
|
1469 |
ByteArrayInputStream bais; |
|
1470 |
java.security.cert.X509Certificate newCert; |
|
1471 |
java.security.cert.Certificate[] chain = null; |
|
1472 |
PrivateKey privKey; |
|
1473 |
boolean modified = false; |
|
1474 |
||
1475 |
IdentityDatabase idb = IdentityDatabase.fromStream(in); |
|
1476 |
for (Enumeration<Identity> enum_ = idb.identities(); |
|
1477 |
enum_.hasMoreElements();) { |
|
1478 |
Identity id = enum_.nextElement(); |
|
1479 |
newCert = null; |
|
1480 |
// only store trusted identities in keystore |
|
1481 |
if ((id instanceof SystemSigner && ((SystemSigner)id).isTrusted()) |
|
1482 |
|| (id instanceof SystemIdentity |
|
1483 |
&& ((SystemIdentity)id).isTrusted())) { |
|
1484 |
// ignore if keystore entry with same alias name already exists |
|
1485 |
if (keyStore.containsAlias(id.getName())) { |
|
1486 |
MessageFormat form = new MessageFormat |
|
1487 |
(rb.getString("Keystore entry for <id.getName()> already exists")); |
|
1488 |
Object[] source = {id.getName()}; |
|
1489 |
System.err.println(form.format(source)); |
|
1490 |
continue; |
|
1491 |
} |
|
1492 |
java.security.Certificate[] certs = id.certificates(); |
|
1493 |
if (certs!=null && certs.length>0) { |
|
1494 |
// we can only store one user cert per identity. |
|
1495 |
// convert old-style to new-style cert via the encoding |
|
1496 |
DerOutputStream dos = new DerOutputStream(); |
|
1497 |
certs[0].encode(dos); |
|
1498 |
encoded = dos.toByteArray(); |
|
1499 |
bais = new ByteArrayInputStream(encoded); |
|
1500 |
newCert = (X509Certificate)cf.generateCertificate(bais); |
|
1501 |
bais.close(); |
|
1502 |
||
1503 |
// if certificate is self-signed, make sure it verifies |
|
1504 |
if (isSelfSigned(newCert)) { |
|
1505 |
PublicKey pubKey = newCert.getPublicKey(); |
|
1506 |
try { |
|
1507 |
newCert.verify(pubKey); |
|
1508 |
} catch (Exception e) { |
|
1509 |
// ignore this cert |
|
1510 |
continue; |
|
1511 |
} |
|
1512 |
} |
|
1513 |
||
1514 |
if (id instanceof SystemSigner) { |
|
1515 |
MessageFormat form = new MessageFormat(rb.getString |
|
1516 |
("Creating keystore entry for <id.getName()> ...")); |
|
1517 |
Object[] source = {id.getName()}; |
|
1518 |
System.err.println(form.format(source)); |
|
1519 |
if (chain==null) { |
|
1520 |
chain = new java.security.cert.Certificate[1]; |
|
1521 |
} |
|
1522 |
chain[0] = newCert; |
|
1523 |
privKey = ((SystemSigner)id).getPrivateKey(); |
|
1524 |
keyStore.setKeyEntry(id.getName(), privKey, storePass, |
|
1525 |
chain); |
|
1526 |
} else { |
|
1527 |
keyStore.setCertificateEntry(id.getName(), newCert); |
|
1528 |
} |
|
1529 |
kssave = true; |
|
1530 |
} |
|
1531 |
} |
|
1532 |
} |
|
1533 |
if (!kssave) { |
|
1534 |
System.err.println(rb.getString |
|
1535 |
("No entries from identity database added")); |
|
1536 |
} |
|
1537 |
} |
|
1538 |
||
1539 |
/** |
|
1540 |
* Prints a single keystore entry. |
|
1541 |
*/ |
|
1542 |
private void doPrintEntry(String alias, PrintStream out, |
|
1543 |
boolean printWarning) |
|
1544 |
throws Exception |
|
1545 |
{ |
|
1546 |
if (storePass == null && printWarning |
|
1547 |
&& !KeyStoreUtil.isWindowsKeyStore(storetype)) { |
|
1548 |
printWarning(); |
|
1549 |
} |
|
1550 |
||
1551 |
if (keyStore.containsAlias(alias) == false) { |
|
1552 |
MessageFormat form = new MessageFormat |
|
1553 |
(rb.getString("Alias <alias> does not exist")); |
|
1554 |
Object[] source = {alias}; |
|
1555 |
throw new Exception(form.format(source)); |
|
1556 |
} |
|
1557 |
||
1558 |
if (verbose || rfc || debug) { |
|
1559 |
MessageFormat form = new MessageFormat |
|
1560 |
(rb.getString("Alias name: alias")); |
|
1561 |
Object[] source = {alias}; |
|
1562 |
out.println(form.format(source)); |
|
1563 |
||
1564 |
if (!token) { |
|
1565 |
form = new MessageFormat(rb.getString |
|
1566 |
("Creation date: keyStore.getCreationDate(alias)")); |
|
1567 |
Object[] src = {keyStore.getCreationDate(alias)}; |
|
1568 |
out.println(form.format(src)); |
|
1569 |
} |
|
1570 |
} else { |
|
1571 |
if (!token) { |
|
1572 |
MessageFormat form = new MessageFormat |
|
1573 |
(rb.getString("alias, keyStore.getCreationDate(alias), ")); |
|
1574 |
Object[] source = {alias, keyStore.getCreationDate(alias)}; |
|
1575 |
out.print(form.format(source)); |
|
1576 |
} else { |
|
1577 |
MessageFormat form = new MessageFormat |
|
1578 |
(rb.getString("alias, ")); |
|
1579 |
Object[] source = {alias}; |
|
1580 |
out.print(form.format(source)); |
|
1581 |
} |
|
1582 |
} |
|
1583 |
||
1584 |
if (keyStore.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) { |
|
1585 |
if (verbose || rfc || debug) { |
|
1586 |
Object[] source = {"SecretKeyEntry"}; |
|
1587 |
out.println(new MessageFormat( |
|
1588 |
rb.getString("Entry type: <type>")).format(source)); |
|
1589 |
} else { |
|
1590 |
out.println("SecretKeyEntry, "); |
|
1591 |
} |
|
1592 |
} else if (keyStore.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) { |
|
1593 |
if (verbose || rfc || debug) { |
|
1594 |
Object[] source = {"PrivateKeyEntry"}; |
|
1595 |
out.println(new MessageFormat( |
|
1596 |
rb.getString("Entry type: <type>")).format(source)); |
|
1597 |
} else { |
|
1598 |
out.println("PrivateKeyEntry, "); |
|
1599 |
} |
|
1600 |
||
1601 |
// Get the chain |
|
1602 |
Certificate[] chain = keyStore.getCertificateChain(alias); |
|
1603 |
if (chain != null) { |
|
1604 |
if (verbose || rfc || debug) { |
|
1605 |
out.println(rb.getString |
|
1606 |
("Certificate chain length: ") + chain.length); |
|
1607 |
for (int i = 0; i < chain.length; i ++) { |
|
1608 |
MessageFormat form = new MessageFormat |
|
1609 |
(rb.getString("Certificate[(i + 1)]:")); |
|
1610 |
Object[] source = {new Integer((i + 1))}; |
|
1611 |
out.println(form.format(source)); |
|
1612 |
if (verbose && (chain[i] instanceof X509Certificate)) { |
|
1613 |
printX509Cert((X509Certificate)(chain[i]), out); |
|
1614 |
} else if (debug) { |
|
1615 |
out.println(chain[i].toString()); |
|
1616 |
} else { |
|
1617 |
dumpCert(chain[i], out); |
|
1618 |
} |
|
1619 |
} |
|
1620 |
} else { |
|
1621 |
// Print the digest of the user cert only |
|
1622 |
out.println |
|
909
c7bb1699d1b0
6709758: keytool default cert fingerprint algorithm should be SHA1, not MD5
weijun
parents:
904
diff
changeset
|
1623 |
(rb.getString("Certificate fingerprint (SHA1): ") + |
c7bb1699d1b0
6709758: keytool default cert fingerprint algorithm should be SHA1, not MD5
weijun
parents:
904
diff
changeset
|
1624 |
getCertFingerPrint("SHA1", chain[0])); |
2 | 1625 |
} |
1626 |
} |
|
1627 |
} else if (keyStore.entryInstanceOf(alias, |
|
1628 |
KeyStore.TrustedCertificateEntry.class)) { |
|
1629 |
// We have a trusted certificate entry |
|
1630 |
Certificate cert = keyStore.getCertificate(alias); |
|
1631 |
if (verbose && (cert instanceof X509Certificate)) { |
|
1632 |
out.println(rb.getString("Entry type: trustedCertEntry\n")); |
|
1633 |
printX509Cert((X509Certificate)cert, out); |
|
1634 |
} else if (rfc) { |
|
1635 |
out.println(rb.getString("Entry type: trustedCertEntry\n")); |
|
1636 |
dumpCert(cert, out); |
|
1637 |
} else if (debug) { |
|
1638 |
out.println(cert.toString()); |
|
1639 |
} else { |
|
1640 |
out.println(rb.getString("trustedCertEntry,")); |
|
909
c7bb1699d1b0
6709758: keytool default cert fingerprint algorithm should be SHA1, not MD5
weijun
parents:
904
diff
changeset
|
1641 |
out.println(rb.getString("Certificate fingerprint (SHA1): ") |
c7bb1699d1b0
6709758: keytool default cert fingerprint algorithm should be SHA1, not MD5
weijun
parents:
904
diff
changeset
|
1642 |
+ getCertFingerPrint("SHA1", cert)); |
2 | 1643 |
} |
1644 |
} else { |
|
1645 |
out.println(rb.getString("Unknown Entry Type")); |
|
1646 |
} |
|
1647 |
} |
|
1648 |
||
1649 |
/** |
|
1650 |
* Load the srckeystore from a stream, used in -importkeystore |
|
1651 |
* @returns the src KeyStore |
|
1652 |
*/ |
|
1653 |
KeyStore loadSourceKeyStore() throws Exception { |
|
1654 |
boolean isPkcs11 = false; |
|
1655 |
||
1656 |
InputStream is = null; |
|
1657 |
||
1658 |
if (P11KEYSTORE.equalsIgnoreCase(srcstoretype) || |
|
1659 |
KeyStoreUtil.isWindowsKeyStore(srcstoretype)) { |
|
1660 |
if (!NONE.equals(srcksfname)) { |
|
1661 |
System.err.println(MessageFormat.format(rb.getString |
|
1662 |
("-keystore must be NONE if -storetype is {0}"), srcstoretype)); |
|
1663 |
System.err.println(); |
|
1664 |
tinyHelp(); |
|
1665 |
} |
|
1666 |
isPkcs11 = true; |
|
1667 |
} else { |
|
1668 |
if (srcksfname != null) { |
|
1669 |
File srcksfile = new File(srcksfname); |
|
1670 |
if (srcksfile.exists() && srcksfile.length() == 0) { |
|
1671 |
throw new Exception(rb.getString |
|
1672 |
("Source keystore file exists, but is empty: ") + |
|
1673 |
srcksfname); |
|
1674 |
} |
|
1675 |
is = new FileInputStream(srcksfile); |
|
1676 |
} else { |
|
1677 |
throw new Exception(rb.getString |
|
1678 |
("Please specify -srckeystore")); |
|
1679 |
} |
|
1680 |
} |
|
1681 |
||
1682 |
KeyStore store; |
|
1683 |
try { |
|
1684 |
if (srcProviderName == null) { |
|
1685 |
store = KeyStore.getInstance(srcstoretype); |
|
1686 |
} else { |
|
1687 |
store = KeyStore.getInstance(srcstoretype, srcProviderName); |
|
1688 |
} |
|
1689 |
||
1690 |
if (srcstorePass == null |
|
1691 |
&& !srcprotectedPath |
|
1692 |
&& !KeyStoreUtil.isWindowsKeyStore(srcstoretype)) { |
|
1693 |
System.err.print(rb.getString("Enter source keystore password: ")); |
|
1694 |
System.err.flush(); |
|
1695 |
srcstorePass = Password.readPassword(System.in); |
|
1696 |
passwords.add(srcstorePass); |
|
1697 |
} |
|
1698 |
||
1699 |
// always let keypass be storepass when using pkcs12 |
|
1700 |
if (P12KEYSTORE.equalsIgnoreCase(srcstoretype)) { |
|
1701 |
if (srckeyPass != null && srcstorePass != null && |
|
1702 |
!Arrays.equals(srcstorePass, srckeyPass)) { |
|
1703 |
MessageFormat form = new MessageFormat(rb.getString( |
|
1704 |
"Warning: Different store and key passwords not supported " + |
|
1705 |
"for PKCS12 KeyStores. Ignoring user-specified <command> value.")); |
|
1706 |
Object[] source = {"-srckeypass"}; |
|
1707 |
System.err.println(form.format(source)); |
|
1708 |
srckeyPass = srcstorePass; |
|
1709 |
} |
|
1710 |
} |
|
1711 |
||
1712 |
store.load(is, srcstorePass); // "is" already null in PKCS11 |
|
1713 |
} finally { |
|
1714 |
if (is != null) { |
|
1715 |
is.close(); |
|
1716 |
} |
|
1717 |
} |
|
1718 |
||
1719 |
if (srcstorePass == null |
|
1720 |
&& !KeyStoreUtil.isWindowsKeyStore(srcstoretype)) { |
|
1721 |
// anti refactoring, copied from printWarning(), |
|
1722 |
// but change 2 lines |
|
1723 |
System.err.println(); |
|
1724 |
System.err.println(rb.getString |
|
1725 |
("***************** WARNING WARNING WARNING *****************")); |
|
1726 |
System.err.println(rb.getString |
|
1727 |
("* The integrity of the information stored in the srckeystore*")); |
|
1728 |
System.err.println(rb.getString |
|
1729 |
("* has NOT been verified! In order to verify its integrity, *")); |
|
1730 |
System.err.println(rb.getString |
|
1731 |
("* you must provide the srckeystore password. *")); |
|
1732 |
System.err.println(rb.getString |
|
1733 |
("***************** WARNING WARNING WARNING *****************")); |
|
1734 |
System.err.println(); |
|
1735 |
} |
|
1736 |
||
1737 |
return store; |
|
1738 |
} |
|
1739 |
||
1740 |
/** |
|
1741 |
* import all keys and certs from importkeystore. |
|
1742 |
* keep alias unchanged if no name conflict, otherwise, prompt. |
|
1743 |
* keep keypass unchanged for keys |
|
1744 |
*/ |
|
1745 |
private void doImportKeyStore() throws Exception { |
|
1746 |
||
1747 |
if (alias != null) { |
|
1748 |
doImportKeyStoreSingle(loadSourceKeyStore(), alias); |
|
1749 |
} else { |
|
1750 |
if (dest != null || srckeyPass != null || destKeyPass != null) { |
|
1751 |
throw new Exception(rb.getString( |
|
1752 |
"if alias not specified, destalias, srckeypass, " + |
|
1753 |
"and destkeypass must not be specified")); |
|
1754 |
} |
|
1755 |
doImportKeyStoreAll(loadSourceKeyStore()); |
|
1756 |
} |
|
1757 |
/* |
|
1758 |
* Information display rule of -importkeystore |
|
1759 |
* 1. inside single, shows failure |
|
1760 |
* 2. inside all, shows sucess |
|
1761 |
* 3. inside all where there is a failure, prompt for continue |
|
1762 |
* 4. at the final of all, shows summary |
|
1763 |
*/ |
|
1764 |
} |
|
1765 |
||
1766 |
/** |
|
1767 |
* Import a single entry named alias from srckeystore |
|
1768 |
* @returns 1 if the import action succeed |
|
1769 |
* 0 if user choose to ignore an alias-dumplicated entry |
|
1770 |
* 2 if setEntry throws Exception |
|
1771 |
*/ |
|
1772 |
private int doImportKeyStoreSingle(KeyStore srckeystore, String alias) |
|
1773 |
throws Exception { |
|
1774 |
||
1775 |
String newAlias = (dest==null) ? alias : dest; |
|
1776 |
||
1777 |
if (keyStore.containsAlias(newAlias)) { |
|
1778 |
Object[] source = {alias}; |
|
1779 |
if (noprompt) { |
|
1780 |
System.err.println(new MessageFormat(rb.getString( |
|
1781 |
"Warning: Overwriting existing alias <alias> in destination keystore")).format(source)); |
|
1782 |
} else { |
|
1783 |
String reply = getYesNoReply(new MessageFormat(rb.getString( |
|
1784 |
"Existing entry alias <alias> exists, overwrite? [no]: ")).format(source)); |
|
1785 |
if ("NO".equals(reply)) { |
|
1786 |
newAlias = inputStringFromStdin(rb.getString |
|
1787 |
("Enter new alias name\t(RETURN to cancel import for this entry): ")); |
|
1788 |
if ("".equals(newAlias)) { |
|
1789 |
System.err.println(new MessageFormat(rb.getString( |
|
1790 |
"Entry for alias <alias> not imported.")).format( |
|
1791 |
source)); |
|
1792 |
return 0; |
|
1793 |
} |
|
1794 |
} |
|
1795 |
} |
|
1796 |
} |
|
1797 |
||
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1798 |
Pair<Entry,char[]> objs = recoverEntry(srckeystore, alias, srcstorePass, srckeyPass); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1799 |
Entry entry = objs.fst; |
2 | 1800 |
|
1801 |
PasswordProtection pp = null; |
|
1802 |
||
1803 |
// According to keytool.html, "The destination entry will be protected |
|
1804 |
// using destkeypass. If destkeypass is not provided, the destination |
|
1805 |
// entry will be protected with the source entry password." |
|
1806 |
// so always try to protect with destKeyPass. |
|
1807 |
if (destKeyPass != null) { |
|
1808 |
pp = new PasswordProtection(destKeyPass); |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1809 |
} else if (objs.snd != null) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1810 |
pp = new PasswordProtection(objs.snd); |
2 | 1811 |
} |
1812 |
||
1813 |
try { |
|
1814 |
keyStore.setEntry(newAlias, entry, pp); |
|
1815 |
return 1; |
|
1816 |
} catch (KeyStoreException kse) { |
|
1817 |
Object[] source2 = {alias, kse.toString()}; |
|
1818 |
MessageFormat form = new MessageFormat(rb.getString( |
|
1819 |
"Problem importing entry for alias <alias>: <exception>.\nEntry for alias <alias> not imported.")); |
|
1820 |
System.err.println(form.format(source2)); |
|
1821 |
return 2; |
|
1822 |
} |
|
1823 |
} |
|
1824 |
||
1825 |
private void doImportKeyStoreAll(KeyStore srckeystore) throws Exception { |
|
1826 |
||
1827 |
int ok = 0; |
|
1828 |
int count = srckeystore.size(); |
|
1829 |
for (Enumeration<String> e = srckeystore.aliases(); |
|
1830 |
e.hasMoreElements(); ) { |
|
1831 |
String alias = e.nextElement(); |
|
1832 |
int result = doImportKeyStoreSingle(srckeystore, alias); |
|
1833 |
if (result == 1) { |
|
1834 |
ok++; |
|
1835 |
Object[] source = {alias}; |
|
1836 |
MessageFormat form = new MessageFormat(rb.getString("Entry for alias <alias> successfully imported.")); |
|
1837 |
System.err.println(form.format(source)); |
|
1838 |
} else if (result == 2) { |
|
1839 |
if (!noprompt) { |
|
1840 |
String reply = getYesNoReply("Do you want to quit the import process? [no]: "); |
|
1841 |
if ("YES".equals(reply)) { |
|
1842 |
break; |
|
1843 |
} |
|
1844 |
} |
|
1845 |
} |
|
1846 |
} |
|
1847 |
Object[] source = {ok, count-ok}; |
|
1848 |
MessageFormat form = new MessageFormat(rb.getString( |
|
1849 |
"Import command completed: <ok> entries successfully imported, <fail> entries failed or cancelled")); |
|
1850 |
System.err.println(form.format(source)); |
|
1851 |
} |
|
1852 |
||
1853 |
/** |
|
1854 |
* Prints all keystore entries. |
|
1855 |
*/ |
|
1856 |
private void doPrintEntries(PrintStream out) |
|
1857 |
throws Exception |
|
1858 |
{ |
|
1859 |
if (storePass == null |
|
1860 |
&& !KeyStoreUtil.isWindowsKeyStore(storetype)) { |
|
1861 |
printWarning(); |
|
1862 |
} else { |
|
1863 |
out.println(); |
|
1864 |
} |
|
1865 |
||
1866 |
out.println(rb.getString("Keystore type: ") + keyStore.getType()); |
|
1867 |
out.println(rb.getString("Keystore provider: ") + |
|
1868 |
keyStore.getProvider().getName()); |
|
1869 |
out.println(); |
|
1870 |
||
1871 |
MessageFormat form; |
|
1872 |
form = (keyStore.size() == 1) ? |
|
1873 |
new MessageFormat(rb.getString |
|
1874 |
("Your keystore contains keyStore.size() entry")) : |
|
1875 |
new MessageFormat(rb.getString |
|
1876 |
("Your keystore contains keyStore.size() entries")); |
|
1877 |
Object[] source = {new Integer(keyStore.size())}; |
|
1878 |
out.println(form.format(source)); |
|
1879 |
out.println(); |
|
1880 |
||
1881 |
for (Enumeration<String> e = keyStore.aliases(); |
|
1882 |
e.hasMoreElements(); ) { |
|
1883 |
String alias = e.nextElement(); |
|
1884 |
doPrintEntry(alias, out, false); |
|
1885 |
if (verbose || rfc) { |
|
1886 |
out.println(rb.getString("\n")); |
|
1887 |
out.println(rb.getString |
|
1888 |
("*******************************************")); |
|
1889 |
out.println(rb.getString |
|
1890 |
("*******************************************\n\n")); |
|
1891 |
} |
|
1892 |
} |
|
1893 |
} |
|
1894 |
||
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1895 |
private void doPrintCertReq(InputStream in, PrintStream out) |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1896 |
throws Exception { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1897 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1898 |
BufferedReader reader = new BufferedReader(new InputStreamReader(in)); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1899 |
StringBuffer sb = new StringBuffer(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1900 |
boolean started = false; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1901 |
while (true) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1902 |
String s = reader.readLine(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1903 |
if (s == null) break; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1904 |
if (!started) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1905 |
if (s.startsWith("-----")) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1906 |
started = true; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1907 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1908 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1909 |
if (s.startsWith("-----")) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1910 |
break; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1911 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1912 |
sb.append(s); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1913 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1914 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1915 |
PKCS10 req = new PKCS10(new BASE64Decoder().decodeBuffer(new String(sb))); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1916 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1917 |
PublicKey pkey = req.getSubjectPublicKeyInfo(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1918 |
out.printf(rb.getString("PKCS #10 Certificate Request (Version 1.0)\n" + |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1919 |
"Subject: %s\nPublic Key: %s format %s key\n"), |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1920 |
req.getSubjectName(), pkey.getFormat(), pkey.getAlgorithm()); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1921 |
for (PKCS10Attribute attr: req.getAttributes().getAttributes()) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1922 |
ObjectIdentifier oid = attr.getAttributeId(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1923 |
if (oid.equals(PKCS9Attribute.EXTENSION_REQUEST_OID)) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1924 |
CertificateExtensions exts = (CertificateExtensions)attr.getAttributeValue(); |
2179
e172c13ca87a
6813402: keytool cannot -printcert entries without extensions
weijun
parents:
2067
diff
changeset
|
1925 |
if (exts != null) { |
e172c13ca87a
6813402: keytool cannot -printcert entries without extensions
weijun
parents:
2067
diff
changeset
|
1926 |
printExtensions(rb.getString("Extension Request:"), exts, out); |
e172c13ca87a
6813402: keytool cannot -printcert entries without extensions
weijun
parents:
2067
diff
changeset
|
1927 |
} |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1928 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1929 |
out.println(attr.getAttributeId()); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1930 |
out.println(attr.getAttributeValue()); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1931 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1932 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1933 |
if (debug) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1934 |
out.println(req); // Just to see more, say, public key length... |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1935 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1936 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1937 |
|
2 | 1938 |
/** |
1939 |
* Reads a certificate (or certificate chain) and prints its contents in |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1940 |
* a human readable format. |
2 | 1941 |
*/ |
904
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
1942 |
private void printCertFromStream(InputStream in, PrintStream out) |
2 | 1943 |
throws Exception |
1944 |
{ |
|
1945 |
Collection<? extends Certificate> c = null; |
|
1946 |
try { |
|
1947 |
c = cf.generateCertificates(in); |
|
1948 |
} catch (CertificateException ce) { |
|
1949 |
throw new Exception(rb.getString("Failed to parse input"), ce); |
|
1950 |
} |
|
1951 |
if (c.isEmpty()) { |
|
1952 |
throw new Exception(rb.getString("Empty input")); |
|
1953 |
} |
|
1954 |
Certificate[] certs = c.toArray(new Certificate[c.size()]); |
|
1955 |
for (int i=0; i<certs.length; i++) { |
|
1956 |
X509Certificate x509Cert = null; |
|
1957 |
try { |
|
1958 |
x509Cert = (X509Certificate)certs[i]; |
|
1959 |
} catch (ClassCastException cce) { |
|
1960 |
throw new Exception(rb.getString("Not X.509 certificate")); |
|
1961 |
} |
|
1962 |
if (certs.length > 1) { |
|
1963 |
MessageFormat form = new MessageFormat |
|
1964 |
(rb.getString("Certificate[(i + 1)]:")); |
|
1965 |
Object[] source = {new Integer(i + 1)}; |
|
1966 |
out.println(form.format(source)); |
|
1967 |
} |
|
904
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
1968 |
if (rfc) dumpCert(x509Cert, out); |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
1969 |
else printX509Cert(x509Cert, out); |
2 | 1970 |
if (i < (certs.length-1)) { |
1971 |
out.println(); |
|
1972 |
} |
|
1973 |
} |
|
1974 |
} |
|
1975 |
||
904
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
1976 |
private void doPrintCert(final PrintStream out) throws Exception { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
1977 |
if (sslserver != null) { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
1978 |
SSLContext sc = SSLContext.getInstance("SSL"); |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
1979 |
final boolean[] certPrinted = new boolean[1]; |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
1980 |
sc.init(null, new TrustManager[] { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
1981 |
new X509TrustManager() { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
1982 |
|
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
1983 |
public java.security.cert.X509Certificate[] getAcceptedIssuers() { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
1984 |
return null; |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
1985 |
} |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
1986 |
|
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
1987 |
public void checkClientTrusted( |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
1988 |
java.security.cert.X509Certificate[] certs, String authType) { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
1989 |
} |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
1990 |
|
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
1991 |
public void checkServerTrusted( |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
1992 |
java.security.cert.X509Certificate[] certs, String authType) { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
1993 |
for (int i=0; i<certs.length; i++) { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
1994 |
X509Certificate cert = certs[i]; |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
1995 |
try { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
1996 |
if (rfc) { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
1997 |
dumpCert(cert, out); |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
1998 |
} else { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
1999 |
out.println("Certificate #" + i); |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2000 |
out.println("===================================="); |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2001 |
printX509Cert(cert, out); |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2002 |
out.println(); |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2003 |
} |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2004 |
} catch (Exception e) { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2005 |
if (debug) { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2006 |
e.printStackTrace(); |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2007 |
} |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2008 |
} |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2009 |
} |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2010 |
|
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2011 |
// Set to true where there's something to print |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2012 |
if (certs.length > 0) { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2013 |
certPrinted[0] = true; |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2014 |
} |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2015 |
} |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2016 |
} |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2017 |
}, null); |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2018 |
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2019 |
HttpsURLConnection.setDefaultHostnameVerifier( |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2020 |
new HostnameVerifier() { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2021 |
public boolean verify(String hostname, SSLSession session) { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2022 |
return true; |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2023 |
} |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2024 |
}); |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2025 |
// HTTPS instead of raw SSL, so that -Dhttps.proxyHost and |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2026 |
// -Dhttps.proxyPort can be used. Since we only go through |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2027 |
// the handshake process, an HTTPS server is not needed. |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2028 |
// This program should be able to deal with any SSL-based |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2029 |
// network service. |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2030 |
Exception ex = null; |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2031 |
try { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2032 |
new URL("https://" + sslserver).openConnection().connect(); |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2033 |
} catch (Exception e) { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2034 |
ex = e; |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2035 |
} |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2036 |
// If the certs are not printed out, we consider it an error even |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2037 |
// if the URL connection is successful. |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2038 |
if (!certPrinted[0]) { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2039 |
Exception e = new Exception( |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2040 |
rb.getString("No certificate from the SSL server")); |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2041 |
if (ex != null) { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2042 |
e.initCause(ex); |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2043 |
} |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2044 |
throw e; |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2045 |
} |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2046 |
} else { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2047 |
InputStream inStream = System.in; |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2048 |
if (filename != null) { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2049 |
inStream = new FileInputStream(filename); |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2050 |
} |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2051 |
try { |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2052 |
// Read the full stream before feeding to X509Factory, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2053 |
// otherwise, keytool -gencert | keytool -printcert |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2054 |
// might not work properly, since -gencert is slow |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2055 |
// and there's no data in the pipe at the beginning. |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2056 |
ByteArrayOutputStream bout = new ByteArrayOutputStream(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2057 |
byte[] b = new byte[4096]; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2058 |
while (true) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2059 |
int len = inStream.read(b); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2060 |
if (len < 0) break; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2061 |
bout.write(b, 0, len); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2062 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2063 |
printCertFromStream(new ByteArrayInputStream(bout.toByteArray()), out); |
904
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2064 |
} finally { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2065 |
if (inStream != System.in) { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2066 |
inStream.close(); |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2067 |
} |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2068 |
} |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2069 |
} |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2070 |
} |
2 | 2071 |
/** |
2072 |
* Creates a self-signed certificate, and stores it as a single-element |
|
2073 |
* certificate chain. |
|
2074 |
*/ |
|
2075 |
private void doSelfCert(String alias, String dname, String sigAlgName) |
|
2076 |
throws Exception |
|
2077 |
{ |
|
2078 |
if (alias == null) { |
|
2079 |
alias = keyAlias; |
|
2080 |
} |
|
2081 |
||
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2082 |
Pair<Key,char[]> objs = recoverKey(alias, storePass, keyPass); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2083 |
PrivateKey privKey = (PrivateKey)objs.fst; |
2 | 2084 |
if (keyPass == null) |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2085 |
keyPass = objs.snd; |
2 | 2086 |
|
2087 |
// Determine the signature algorithm |
|
2088 |
if (sigAlgName == null) { |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2089 |
sigAlgName = getCompatibleSigAlgName(privKey.getAlgorithm()); |
2 | 2090 |
} |
2091 |
||
2092 |
// Get the old certificate |
|
2093 |
Certificate oldCert = keyStore.getCertificate(alias); |
|
2094 |
if (oldCert == null) { |
|
2095 |
MessageFormat form = new MessageFormat |
|
2096 |
(rb.getString("alias has no public key")); |
|
2097 |
Object[] source = {alias}; |
|
2098 |
throw new Exception(form.format(source)); |
|
2099 |
} |
|
2100 |
if (!(oldCert instanceof X509Certificate)) { |
|
2101 |
MessageFormat form = new MessageFormat |
|
2102 |
(rb.getString("alias has no X.509 certificate")); |
|
2103 |
Object[] source = {alias}; |
|
2104 |
throw new Exception(form.format(source)); |
|
2105 |
} |
|
2106 |
||
2107 |
// convert to X509CertImpl, so that we can modify selected fields |
|
2108 |
// (no public APIs available yet) |
|
2109 |
byte[] encoded = oldCert.getEncoded(); |
|
2110 |
X509CertImpl certImpl = new X509CertImpl(encoded); |
|
2111 |
X509CertInfo certInfo = (X509CertInfo)certImpl.get(X509CertImpl.NAME |
|
2112 |
+ "." + |
|
2113 |
X509CertImpl.INFO); |
|
2114 |
||
2115 |
// Extend its validity |
|
2116 |
Date firstDate = getStartDate(startDate); |
|
2117 |
Date lastDate = new Date(); |
|
2118 |
lastDate.setTime(firstDate.getTime() + validity*1000L*24L*60L*60L); |
|
2119 |
CertificateValidity interval = new CertificateValidity(firstDate, |
|
2120 |
lastDate); |
|
2121 |
certInfo.set(X509CertInfo.VALIDITY, interval); |
|
2122 |
||
2123 |
// Make new serial number |
|
2293
cb6d01cb3c3d
6820606: keytool can generate serialno more randomly
weijun
parents:
2289
diff
changeset
|
2124 |
certInfo.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber( |
cb6d01cb3c3d
6820606: keytool can generate serialno more randomly
weijun
parents:
2289
diff
changeset
|
2125 |
new java.util.Random().nextInt() & 0x7fffffff)); |
2 | 2126 |
|
2127 |
// Set owner and issuer fields |
|
2128 |
X500Name owner; |
|
2129 |
if (dname == null) { |
|
2130 |
// Get the owner name from the certificate |
|
2131 |
owner = (X500Name)certInfo.get(X509CertInfo.SUBJECT + "." + |
|
2132 |
CertificateSubjectName.DN_NAME); |
|
2133 |
} else { |
|
2134 |
// Use the owner name specified at the command line |
|
2135 |
owner = new X500Name(dname); |
|
2136 |
certInfo.set(X509CertInfo.SUBJECT + "." + |
|
2137 |
CertificateSubjectName.DN_NAME, owner); |
|
2138 |
} |
|
2139 |
// Make issuer same as owner (self-signed!) |
|
2140 |
certInfo.set(X509CertInfo.ISSUER + "." + |
|
2141 |
CertificateIssuerName.DN_NAME, owner); |
|
2142 |
||
2143 |
// The inner and outer signature algorithms have to match. |
|
2144 |
// The way we achieve that is really ugly, but there seems to be no |
|
2145 |
// other solution: We first sign the cert, then retrieve the |
|
2146 |
// outer sigalg and use it to set the inner sigalg |
|
2147 |
X509CertImpl newCert = new X509CertImpl(certInfo); |
|
2148 |
newCert.sign(privKey, sigAlgName); |
|
2149 |
AlgorithmId sigAlgid = (AlgorithmId)newCert.get(X509CertImpl.SIG_ALG); |
|
2150 |
certInfo.set(CertificateAlgorithmId.NAME + "." + |
|
2151 |
CertificateAlgorithmId.ALGORITHM, sigAlgid); |
|
2152 |
||
2153 |
certInfo.set(X509CertInfo.VERSION, |
|
2154 |
new CertificateVersion(CertificateVersion.V3)); |
|
2155 |
||
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2156 |
CertificateExtensions ext = createV3Extensions( |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2157 |
null, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2158 |
(CertificateExtensions)certInfo.get(X509CertInfo.EXTENSIONS), |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2159 |
v3ext, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2160 |
oldCert.getPublicKey(), |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2161 |
null); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2162 |
certInfo.set(X509CertInfo.EXTENSIONS, ext); |
2 | 2163 |
// Sign the new certificate |
2164 |
newCert = new X509CertImpl(certInfo); |
|
2165 |
newCert.sign(privKey, sigAlgName); |
|
2166 |
||
2167 |
// Store the new certificate as a single-element certificate chain |
|
2168 |
keyStore.setKeyEntry(alias, privKey, |
|
2169 |
(keyPass != null) ? keyPass : storePass, |
|
2170 |
new Certificate[] { newCert } ); |
|
2171 |
||
2172 |
if (verbose) { |
|
2173 |
System.err.println(rb.getString("New certificate (self-signed):")); |
|
2174 |
System.err.print(newCert.toString()); |
|
2175 |
System.err.println(); |
|
2176 |
} |
|
2177 |
} |
|
2178 |
||
2179 |
/** |
|
2180 |
* Processes a certificate reply from a certificate authority. |
|
2181 |
* |
|
2182 |
* <p>Builds a certificate chain on top of the certificate reply, |
|
2183 |
* using trusted certificates from the keystore. The chain is complete |
|
2184 |
* after a self-signed certificate has been encountered. The self-signed |
|
2185 |
* certificate is considered a root certificate authority, and is stored |
|
2186 |
* at the end of the chain. |
|
2187 |
* |
|
2188 |
* <p>The newly generated chain replaces the old chain associated with the |
|
2189 |
* key entry. |
|
2190 |
* |
|
2191 |
* @return true if the certificate reply was installed, otherwise false. |
|
2192 |
*/ |
|
2193 |
private boolean installReply(String alias, InputStream in) |
|
2194 |
throws Exception |
|
2195 |
{ |
|
2196 |
if (alias == null) { |
|
2197 |
alias = keyAlias; |
|
2198 |
} |
|
2199 |
||
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2200 |
Pair<Key,char[]> objs = recoverKey(alias, storePass, keyPass); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2201 |
PrivateKey privKey = (PrivateKey)objs.fst; |
2 | 2202 |
if (keyPass == null) { |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2203 |
keyPass = objs.snd; |
2 | 2204 |
} |
2205 |
||
2206 |
Certificate userCert = keyStore.getCertificate(alias); |
|
2207 |
if (userCert == null) { |
|
2208 |
MessageFormat form = new MessageFormat |
|
2209 |
(rb.getString("alias has no public key (certificate)")); |
|
2210 |
Object[] source = {alias}; |
|
2211 |
throw new Exception(form.format(source)); |
|
2212 |
} |
|
2213 |
||
2214 |
// Read the certificates in the reply |
|
2215 |
Collection<? extends Certificate> c = cf.generateCertificates(in); |
|
2216 |
if (c.isEmpty()) { |
|
2217 |
throw new Exception(rb.getString("Reply has no certificates")); |
|
2218 |
} |
|
2219 |
Certificate[] replyCerts = c.toArray(new Certificate[c.size()]); |
|
2220 |
Certificate[] newChain; |
|
2221 |
if (replyCerts.length == 1) { |
|
2222 |
// single-cert reply |
|
2223 |
newChain = establishCertChain(userCert, replyCerts[0]); |
|
2224 |
} else { |
|
2225 |
// cert-chain reply (e.g., PKCS#7) |
|
2226 |
newChain = validateReply(alias, userCert, replyCerts); |
|
2227 |
} |
|
2228 |
||
2229 |
// Now store the newly established chain in the keystore. The new |
|
2230 |
// chain replaces the old one. |
|
2231 |
if (newChain != null) { |
|
2232 |
keyStore.setKeyEntry(alias, privKey, |
|
2233 |
(keyPass != null) ? keyPass : storePass, |
|
2234 |
newChain); |
|
2235 |
return true; |
|
2236 |
} else { |
|
2237 |
return false; |
|
2238 |
} |
|
2239 |
} |
|
2240 |
||
2241 |
/** |
|
2242 |
* Imports a certificate and adds it to the list of trusted certificates. |
|
2243 |
* |
|
2244 |
* @return true if the certificate was added, otherwise false. |
|
2245 |
*/ |
|
2246 |
private boolean addTrustedCert(String alias, InputStream in) |
|
2247 |
throws Exception |
|
2248 |
{ |
|
2249 |
if (alias == null) { |
|
2250 |
throw new Exception(rb.getString("Must specify alias")); |
|
2251 |
} |
|
2252 |
if (keyStore.containsAlias(alias)) { |
|
2253 |
MessageFormat form = new MessageFormat(rb.getString |
|
2254 |
("Certificate not imported, alias <alias> already exists")); |
|
2255 |
Object[] source = {alias}; |
|
2256 |
throw new Exception(form.format(source)); |
|
2257 |
} |
|
2258 |
||
2259 |
// Read the certificate |
|
2260 |
X509Certificate cert = null; |
|
2261 |
try { |
|
2262 |
cert = (X509Certificate)cf.generateCertificate(in); |
|
2263 |
} catch (ClassCastException cce) { |
|
2264 |
throw new Exception(rb.getString("Input not an X.509 certificate")); |
|
2265 |
} catch (CertificateException ce) { |
|
2266 |
throw new Exception(rb.getString("Input not an X.509 certificate")); |
|
2267 |
} |
|
2268 |
||
2269 |
// if certificate is self-signed, make sure it verifies |
|
2270 |
boolean selfSigned = false; |
|
2271 |
if (isSelfSigned(cert)) { |
|
2272 |
cert.verify(cert.getPublicKey()); |
|
2273 |
selfSigned = true; |
|
2274 |
} |
|
2275 |
||
2276 |
if (noprompt) { |
|
2277 |
keyStore.setCertificateEntry(alias, cert); |
|
2278 |
return true; |
|
2279 |
} |
|
2280 |
||
2281 |
// check if cert already exists in keystore |
|
2282 |
String reply = null; |
|
2283 |
String trustalias = keyStore.getCertificateAlias(cert); |
|
2284 |
if (trustalias != null) { |
|
2285 |
MessageFormat form = new MessageFormat(rb.getString |
|
2286 |
("Certificate already exists in keystore under alias <trustalias>")); |
|
2287 |
Object[] source = {trustalias}; |
|
2288 |
System.err.println(form.format(source)); |
|
2289 |
reply = getYesNoReply |
|
2290 |
(rb.getString("Do you still want to add it? [no]: ")); |
|
2291 |
} else if (selfSigned) { |
|
2292 |
if (trustcacerts && (caks != null) && |
|
2293 |
((trustalias=caks.getCertificateAlias(cert)) != null)) { |
|
2294 |
MessageFormat form = new MessageFormat(rb.getString |
|
2295 |
("Certificate already exists in system-wide CA keystore under alias <trustalias>")); |
|
2296 |
Object[] source = {trustalias}; |
|
2297 |
System.err.println(form.format(source)); |
|
2298 |
reply = getYesNoReply |
|
2299 |
(rb.getString("Do you still want to add it to your own keystore? [no]: ")); |
|
2300 |
} |
|
2301 |
if (trustalias == null) { |
|
2302 |
// Print the cert and ask user if they really want to add |
|
2303 |
// it to their keystore |
|
2304 |
printX509Cert(cert, System.out); |
|
2305 |
reply = getYesNoReply |
|
2306 |
(rb.getString("Trust this certificate? [no]: ")); |
|
2307 |
} |
|
2308 |
} |
|
2309 |
if (reply != null) { |
|
2310 |
if ("YES".equals(reply)) { |
|
2311 |
keyStore.setCertificateEntry(alias, cert); |
|
2312 |
return true; |
|
2313 |
} else { |
|
2314 |
return false; |
|
2315 |
} |
|
2316 |
} |
|
2317 |
||
2318 |
// Try to establish trust chain |
|
2319 |
try { |
|
2320 |
Certificate[] chain = establishCertChain(null, cert); |
|
2321 |
if (chain != null) { |
|
2322 |
keyStore.setCertificateEntry(alias, cert); |
|
2323 |
return true; |
|
2324 |
} |
|
2325 |
} catch (Exception e) { |
|
2326 |
// Print the cert and ask user if they really want to add it to |
|
2327 |
// their keystore |
|
2328 |
printX509Cert(cert, System.out); |
|
2329 |
reply = getYesNoReply |
|
2330 |
(rb.getString("Trust this certificate? [no]: ")); |
|
2331 |
if ("YES".equals(reply)) { |
|
2332 |
keyStore.setCertificateEntry(alias, cert); |
|
2333 |
return true; |
|
2334 |
} else { |
|
2335 |
return false; |
|
2336 |
} |
|
2337 |
} |
|
2338 |
||
2339 |
return false; |
|
2340 |
} |
|
2341 |
||
2342 |
/** |
|
2343 |
* Prompts user for new password. New password must be different from |
|
2344 |
* old one. |
|
2345 |
* |
|
2346 |
* @param prompt the message that gets prompted on the screen |
|
2347 |
* @param oldPasswd the current (i.e., old) password |
|
2348 |
*/ |
|
2349 |
private char[] getNewPasswd(String prompt, char[] oldPasswd) |
|
2350 |
throws Exception |
|
2351 |
{ |
|
2352 |
char[] entered = null; |
|
2353 |
char[] reentered = null; |
|
2354 |
||
2355 |
for (int count = 0; count < 3; count++) { |
|
2356 |
MessageFormat form = new MessageFormat |
|
2357 |
(rb.getString("New prompt: ")); |
|
2358 |
Object[] source = {prompt}; |
|
2359 |
System.err.print(form.format(source)); |
|
2360 |
entered = Password.readPassword(System.in); |
|
2361 |
passwords.add(entered); |
|
2362 |
if (entered == null || entered.length < 6) { |
|
2363 |
System.err.println(rb.getString |
|
2364 |
("Password is too short - must be at least 6 characters")); |
|
2365 |
} else if (Arrays.equals(entered, oldPasswd)) { |
|
2366 |
System.err.println(rb.getString("Passwords must differ")); |
|
2367 |
} else { |
|
2368 |
form = new MessageFormat |
|
2369 |
(rb.getString("Re-enter new prompt: ")); |
|
2370 |
Object[] src = {prompt}; |
|
2371 |
System.err.print(form.format(src)); |
|
2372 |
reentered = Password.readPassword(System.in); |
|
2373 |
passwords.add(reentered); |
|
2374 |
if (!Arrays.equals(entered, reentered)) { |
|
2375 |
System.err.println |
|
2376 |
(rb.getString("They don't match. Try again")); |
|
2377 |
} else { |
|
2378 |
Arrays.fill(reentered, ' '); |
|
2379 |
return entered; |
|
2380 |
} |
|
2381 |
} |
|
2382 |
if (entered != null) { |
|
2383 |
Arrays.fill(entered, ' '); |
|
2384 |
entered = null; |
|
2385 |
} |
|
2386 |
if (reentered != null) { |
|
2387 |
Arrays.fill(reentered, ' '); |
|
2388 |
reentered = null; |
|
2389 |
} |
|
2390 |
} |
|
2391 |
throw new Exception(rb.getString("Too many failures - try later")); |
|
2392 |
} |
|
2393 |
||
2394 |
/** |
|
2395 |
* Prompts user for alias name. |
|
2396 |
* @param prompt the {0} of "Enter {0} alias name: " in prompt line |
|
2397 |
* @returns the string entered by the user, without the \n at the end |
|
2398 |
*/ |
|
2399 |
private String getAlias(String prompt) throws Exception { |
|
2400 |
if (prompt != null) { |
|
2401 |
MessageFormat form = new MessageFormat |
|
2402 |
(rb.getString("Enter prompt alias name: ")); |
|
2403 |
Object[] source = {prompt}; |
|
2404 |
System.err.print(form.format(source)); |
|
2405 |
} else { |
|
2406 |
System.err.print(rb.getString("Enter alias name: ")); |
|
2407 |
} |
|
2408 |
return (new BufferedReader(new InputStreamReader( |
|
2409 |
System.in))).readLine(); |
|
2410 |
} |
|
2411 |
||
2412 |
/** |
|
2413 |
* Prompts user for an input string from the command line (System.in) |
|
2414 |
* @prompt the prompt string printed |
|
2415 |
* @returns the string entered by the user, without the \n at the end |
|
2416 |
*/ |
|
2417 |
private String inputStringFromStdin(String prompt) throws Exception { |
|
2418 |
System.err.print(prompt); |
|
2419 |
return (new BufferedReader(new InputStreamReader( |
|
2420 |
System.in))).readLine(); |
|
2421 |
} |
|
2422 |
||
2423 |
/** |
|
2424 |
* Prompts user for key password. User may select to choose the same |
|
2425 |
* password (<code>otherKeyPass</code>) as for <code>otherAlias</code>. |
|
2426 |
*/ |
|
2427 |
private char[] getKeyPasswd(String alias, String otherAlias, |
|
2428 |
char[] otherKeyPass) |
|
2429 |
throws Exception |
|
2430 |
{ |
|
2431 |
int count = 0; |
|
2432 |
char[] keyPass = null; |
|
2433 |
||
2434 |
do { |
|
2435 |
if (otherKeyPass != null) { |
|
2436 |
MessageFormat form = new MessageFormat(rb.getString |
|
2437 |
("Enter key password for <alias>")); |
|
2438 |
Object[] source = {alias}; |
|
2439 |
System.err.println(form.format(source)); |
|
2440 |
||
2441 |
form = new MessageFormat(rb.getString |
|
2442 |
("\t(RETURN if same as for <otherAlias>)")); |
|
2443 |
Object[] src = {otherAlias}; |
|
2444 |
System.err.print(form.format(src)); |
|
2445 |
} else { |
|
2446 |
MessageFormat form = new MessageFormat(rb.getString |
|
2447 |
("Enter key password for <alias>")); |
|
2448 |
Object[] source = {alias}; |
|
2449 |
System.err.print(form.format(source)); |
|
2450 |
} |
|
2451 |
System.err.flush(); |
|
2452 |
keyPass = Password.readPassword(System.in); |
|
2453 |
passwords.add(keyPass); |
|
2454 |
if (keyPass == null) { |
|
2455 |
keyPass = otherKeyPass; |
|
2456 |
} |
|
2457 |
count++; |
|
2458 |
} while ((keyPass == null) && count < 3); |
|
2459 |
||
2460 |
if (keyPass == null) { |
|
2461 |
throw new Exception(rb.getString("Too many failures - try later")); |
|
2462 |
} |
|
2463 |
||
2464 |
return keyPass; |
|
2465 |
} |
|
2466 |
||
2467 |
/** |
|
2468 |
* Prints a certificate in a human readable format. |
|
2469 |
*/ |
|
2470 |
private void printX509Cert(X509Certificate cert, PrintStream out) |
|
2471 |
throws Exception |
|
2472 |
{ |
|
2473 |
/* |
|
2474 |
out.println("Owner: " |
|
2475 |
+ cert.getSubjectDN().toString() |
|
2476 |
+ "\n" |
|
2477 |
+ "Issuer: " |
|
2478 |
+ cert.getIssuerDN().toString() |
|
2479 |
+ "\n" |
|
2480 |
+ "Serial number: " + cert.getSerialNumber().toString(16) |
|
2481 |
+ "\n" |
|
2482 |
+ "Valid from: " + cert.getNotBefore().toString() |
|
2483 |
+ " until: " + cert.getNotAfter().toString() |
|
2484 |
+ "\n" |
|
2485 |
+ "Certificate fingerprints:\n" |
|
2486 |
+ "\t MD5: " + getCertFingerPrint("MD5", cert) |
|
2487 |
+ "\n" |
|
2488 |
+ "\t SHA1: " + getCertFingerPrint("SHA1", cert)); |
|
2489 |
*/ |
|
2490 |
||
2491 |
MessageFormat form = new MessageFormat |
|
2492 |
(rb.getString("*PATTERN* printX509Cert")); |
|
2493 |
Object[] source = {cert.getSubjectDN().toString(), |
|
2494 |
cert.getIssuerDN().toString(), |
|
2495 |
cert.getSerialNumber().toString(16), |
|
2496 |
cert.getNotBefore().toString(), |
|
2497 |
cert.getNotAfter().toString(), |
|
2498 |
getCertFingerPrint("MD5", cert), |
|
2499 |
getCertFingerPrint("SHA1", cert), |
|
2500 |
cert.getSigAlgName(), |
|
2501 |
cert.getVersion() |
|
2502 |
}; |
|
2503 |
out.println(form.format(source)); |
|
2504 |
||
2505 |
if (cert instanceof X509CertImpl) { |
|
2506 |
X509CertImpl impl = (X509CertImpl)cert; |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2507 |
X509CertInfo certInfo = (X509CertInfo)impl.get(X509CertImpl.NAME |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2508 |
+ "." + |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2509 |
X509CertImpl.INFO); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2510 |
CertificateExtensions exts = (CertificateExtensions) |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2511 |
certInfo.get(X509CertInfo.EXTENSIONS); |
2179
e172c13ca87a
6813402: keytool cannot -printcert entries without extensions
weijun
parents:
2067
diff
changeset
|
2512 |
if (exts != null) { |
e172c13ca87a
6813402: keytool cannot -printcert entries without extensions
weijun
parents:
2067
diff
changeset
|
2513 |
printExtensions(rb.getString("Extensions: "), exts, out); |
e172c13ca87a
6813402: keytool cannot -printcert entries without extensions
weijun
parents:
2067
diff
changeset
|
2514 |
} |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2515 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2516 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2517 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2518 |
private static void printExtensions(String title, CertificateExtensions exts, PrintStream out) |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2519 |
throws Exception { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2520 |
int extnum = 0; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2521 |
Iterator<Extension> i1 = exts.getAllExtensions().iterator(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2522 |
Iterator<Extension> i2 = exts.getUnparseableExtensions().values().iterator(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2523 |
while (i1.hasNext() || i2.hasNext()) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2524 |
Extension ext = i1.hasNext()?i1.next():i2.next(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2525 |
if (extnum == 0) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2526 |
out.println(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2527 |
out.println(title); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2528 |
out.println(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2529 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2530 |
out.print("#"+(++extnum)+": "+ ext); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2531 |
if (ext.getClass() == Extension.class) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2532 |
byte[] v = ext.getExtensionValue(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2533 |
if (v.length == 0) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2534 |
out.println(rb.getString("(Empty value)")); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2535 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2536 |
new sun.misc.HexDumpEncoder().encode(ext.getExtensionValue(), out); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2537 |
out.println(); |
2 | 2538 |
} |
2539 |
} |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2540 |
out.println(); |
2 | 2541 |
} |
2542 |
} |
|
2543 |
||
2544 |
/** |
|
2545 |
* Returns true if the certificate is self-signed, false otherwise. |
|
2546 |
*/ |
|
2547 |
private boolean isSelfSigned(X509Certificate cert) { |
|
2437
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
2548 |
return signedBy(cert, cert); |
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
2549 |
} |
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
2550 |
|
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
2551 |
private boolean signedBy(X509Certificate end, X509Certificate ca) { |
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
2552 |
if (!ca.getSubjectDN().equals(end.getIssuerDN())) { |
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
2553 |
return false; |
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
2554 |
} |
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
2555 |
try { |
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
2556 |
end.verify(ca.getPublicKey()); |
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
2557 |
return true; |
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
2558 |
} catch (Exception e) { |
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
2559 |
return false; |
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
2560 |
} |
2 | 2561 |
} |
2562 |
||
2563 |
/** |
|
2564 |
* Returns true if the given certificate is trusted, false otherwise. |
|
2565 |
*/ |
|
2566 |
private boolean isTrusted(Certificate cert) |
|
2567 |
throws Exception |
|
2568 |
{ |
|
2569 |
if (keyStore.getCertificateAlias(cert) != null) { |
|
2570 |
return true; // found in own keystore |
|
2571 |
} |
|
2572 |
if (trustcacerts && (caks != null) && |
|
2573 |
(caks.getCertificateAlias(cert) != null)) { |
|
2574 |
return true; // found in CA keystore |
|
2575 |
} |
|
2576 |
return false; |
|
2577 |
} |
|
2578 |
||
2579 |
/** |
|
2580 |
* Gets an X.500 name suitable for inclusion in a certification request. |
|
2581 |
*/ |
|
2582 |
private X500Name getX500Name() throws IOException { |
|
2583 |
BufferedReader in; |
|
2584 |
in = new BufferedReader(new InputStreamReader(System.in)); |
|
2585 |
String commonName = "Unknown"; |
|
2586 |
String organizationalUnit = "Unknown"; |
|
2587 |
String organization = "Unknown"; |
|
2588 |
String city = "Unknown"; |
|
2589 |
String state = "Unknown"; |
|
2590 |
String country = "Unknown"; |
|
2591 |
X500Name name; |
|
2592 |
String userInput = null; |
|
2593 |
||
2594 |
int maxRetry = 20; |
|
2595 |
do { |
|
2596 |
if (maxRetry-- < 0) { |
|
2597 |
throw new RuntimeException(rb.getString( |
|
2598 |
"Too may retries, program terminated")); |
|
2599 |
} |
|
2600 |
commonName = inputString(in, |
|
2601 |
rb.getString("What is your first and last name?"), |
|
2602 |
commonName); |
|
2603 |
organizationalUnit = inputString(in, |
|
2604 |
rb.getString |
|
2605 |
("What is the name of your organizational unit?"), |
|
2606 |
organizationalUnit); |
|
2607 |
organization = inputString(in, |
|
2608 |
rb.getString("What is the name of your organization?"), |
|
2609 |
organization); |
|
2610 |
city = inputString(in, |
|
2611 |
rb.getString("What is the name of your City or Locality?"), |
|
2612 |
city); |
|
2613 |
state = inputString(in, |
|
2614 |
rb.getString("What is the name of your State or Province?"), |
|
2615 |
state); |
|
2616 |
country = inputString(in, |
|
2617 |
rb.getString |
|
2618 |
("What is the two-letter country code for this unit?"), |
|
2619 |
country); |
|
2620 |
name = new X500Name(commonName, organizationalUnit, organization, |
|
2621 |
city, state, country); |
|
2622 |
MessageFormat form = new MessageFormat |
|
2623 |
(rb.getString("Is <name> correct?")); |
|
2624 |
Object[] source = {name}; |
|
2625 |
userInput = inputString |
|
2626 |
(in, form.format(source), rb.getString("no")); |
|
2627 |
} while (collator.compare(userInput, rb.getString("yes")) != 0 && |
|
2628 |
collator.compare(userInput, rb.getString("y")) != 0); |
|
2629 |
||
2630 |
System.err.println(); |
|
2631 |
return name; |
|
2632 |
} |
|
2633 |
||
2634 |
private String inputString(BufferedReader in, String prompt, |
|
2635 |
String defaultValue) |
|
2636 |
throws IOException |
|
2637 |
{ |
|
2638 |
System.err.println(prompt); |
|
2639 |
MessageFormat form = new MessageFormat |
|
2640 |
(rb.getString(" [defaultValue]: ")); |
|
2641 |
Object[] source = {defaultValue}; |
|
2642 |
System.err.print(form.format(source)); |
|
2643 |
System.err.flush(); |
|
2644 |
||
2645 |
String value = in.readLine(); |
|
2646 |
if (value == null || collator.compare(value, "") == 0) { |
|
2647 |
value = defaultValue; |
|
2648 |
} |
|
2649 |
return value; |
|
2650 |
} |
|
2651 |
||
2652 |
/** |
|
2653 |
* Writes an X.509 certificate in base64 or binary encoding to an output |
|
2654 |
* stream. |
|
2655 |
*/ |
|
2656 |
private void dumpCert(Certificate cert, PrintStream out) |
|
2657 |
throws IOException, CertificateException |
|
2658 |
{ |
|
2659 |
if (rfc) { |
|
2660 |
BASE64Encoder encoder = new BASE64Encoder(); |
|
2661 |
out.println(X509Factory.BEGIN_CERT); |
|
2662 |
encoder.encodeBuffer(cert.getEncoded(), out); |
|
2663 |
out.println(X509Factory.END_CERT); |
|
2664 |
} else { |
|
2665 |
out.write(cert.getEncoded()); // binary |
|
2666 |
} |
|
2667 |
} |
|
2668 |
||
2669 |
/** |
|
2670 |
* Converts a byte to hex digit and writes to the supplied buffer |
|
2671 |
*/ |
|
2672 |
private void byte2hex(byte b, StringBuffer buf) { |
|
2673 |
char[] hexChars = { '0', '1', '2', '3', '4', '5', '6', '7', '8', |
|
2674 |
'9', 'A', 'B', 'C', 'D', 'E', 'F' }; |
|
2675 |
int high = ((b & 0xf0) >> 4); |
|
2676 |
int low = (b & 0x0f); |
|
2677 |
buf.append(hexChars[high]); |
|
2678 |
buf.append(hexChars[low]); |
|
2679 |
} |
|
2680 |
||
2681 |
/** |
|
2682 |
* Converts a byte array to hex string |
|
2683 |
*/ |
|
2684 |
private String toHexString(byte[] block) { |
|
2685 |
StringBuffer buf = new StringBuffer(); |
|
2686 |
int len = block.length; |
|
2687 |
for (int i = 0; i < len; i++) { |
|
2688 |
byte2hex(block[i], buf); |
|
2689 |
if (i < len-1) { |
|
2690 |
buf.append(":"); |
|
2691 |
} |
|
2692 |
} |
|
2693 |
return buf.toString(); |
|
2694 |
} |
|
2695 |
||
2696 |
/** |
|
2697 |
* Recovers (private) key associated with given alias. |
|
2698 |
* |
|
2699 |
* @return an array of objects, where the 1st element in the array is the |
|
2700 |
* recovered private key, and the 2nd element is the password used to |
|
2701 |
* recover it. |
|
2702 |
*/ |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2703 |
private Pair<Key,char[]> recoverKey(String alias, char[] storePass, |
2 | 2704 |
char[] keyPass) |
2705 |
throws Exception |
|
2706 |
{ |
|
2707 |
Key key = null; |
|
2708 |
||
2709 |
if (keyStore.containsAlias(alias) == false) { |
|
2710 |
MessageFormat form = new MessageFormat |
|
2711 |
(rb.getString("Alias <alias> does not exist")); |
|
2712 |
Object[] source = {alias}; |
|
2713 |
throw new Exception(form.format(source)); |
|
2714 |
} |
|
2715 |
if (!keyStore.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class) && |
|
2716 |
!keyStore.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) { |
|
2717 |
MessageFormat form = new MessageFormat |
|
2718 |
(rb.getString("Alias <alias> has no key")); |
|
2719 |
Object[] source = {alias}; |
|
2720 |
throw new Exception(form.format(source)); |
|
2721 |
} |
|
2722 |
||
2723 |
if (keyPass == null) { |
|
2724 |
// Try to recover the key using the keystore password |
|
2725 |
try { |
|
2726 |
key = keyStore.getKey(alias, storePass); |
|
2727 |
||
2728 |
keyPass = storePass; |
|
2729 |
passwords.add(keyPass); |
|
2730 |
} catch (UnrecoverableKeyException e) { |
|
2731 |
// Did not work out, so prompt user for key password |
|
2732 |
if (!token) { |
|
2733 |
keyPass = getKeyPasswd(alias, null, null); |
|
2734 |
key = keyStore.getKey(alias, keyPass); |
|
2735 |
} else { |
|
2736 |
throw e; |
|
2737 |
} |
|
2738 |
} |
|
2739 |
} else { |
|
2740 |
key = keyStore.getKey(alias, keyPass); |
|
2741 |
} |
|
2742 |
||
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2743 |
return Pair.of(key, keyPass); |
2 | 2744 |
} |
2745 |
||
2746 |
/** |
|
2747 |
* Recovers entry associated with given alias. |
|
2748 |
* |
|
2749 |
* @return an array of objects, where the 1st element in the array is the |
|
2750 |
* recovered entry, and the 2nd element is the password used to |
|
2751 |
* recover it (null if no password). |
|
2752 |
*/ |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2753 |
private Pair<Entry,char[]> recoverEntry(KeyStore ks, |
2 | 2754 |
String alias, |
2755 |
char[] pstore, |
|
2756 |
char[] pkey) throws Exception { |
|
2757 |
||
2758 |
if (ks.containsAlias(alias) == false) { |
|
2759 |
MessageFormat form = new MessageFormat |
|
2760 |
(rb.getString("Alias <alias> does not exist")); |
|
2761 |
Object[] source = {alias}; |
|
2762 |
throw new Exception(form.format(source)); |
|
2763 |
} |
|
2764 |
||
2765 |
PasswordProtection pp = null; |
|
2766 |
Entry entry; |
|
2767 |
||
2768 |
try { |
|
2769 |
// First attempt to access entry without key password |
|
2770 |
// (PKCS11 entry or trusted certificate entry, for example) |
|
2771 |
||
2772 |
entry = ks.getEntry(alias, pp); |
|
2773 |
pkey = null; |
|
2774 |
} catch (UnrecoverableEntryException une) { |
|
2775 |
||
2776 |
if(P11KEYSTORE.equalsIgnoreCase(ks.getType()) || |
|
2777 |
KeyStoreUtil.isWindowsKeyStore(ks.getType())) { |
|
2778 |
// should not happen, but a possibility |
|
2779 |
throw une; |
|
2780 |
} |
|
2781 |
||
2782 |
// entry is protected |
|
2783 |
||
2784 |
if (pkey != null) { |
|
2785 |
||
2786 |
// try provided key password |
|
2787 |
||
2788 |
pp = new PasswordProtection(pkey); |
|
2789 |
entry = ks.getEntry(alias, pp); |
|
2790 |
||
2791 |
} else { |
|
2792 |
||
2793 |
// try store pass |
|
2794 |
||
2795 |
try { |
|
2796 |
pp = new PasswordProtection(pstore); |
|
2797 |
entry = ks.getEntry(alias, pp); |
|
2798 |
pkey = pstore; |
|
2799 |
} catch (UnrecoverableEntryException une2) { |
|
2800 |
if (P12KEYSTORE.equalsIgnoreCase(ks.getType())) { |
|
2801 |
||
2802 |
// P12 keystore currently does not support separate |
|
2803 |
// store and entry passwords |
|
2804 |
||
2805 |
throw une2; |
|
2806 |
} else { |
|
2807 |
||
2808 |
// prompt for entry password |
|
2809 |
||
2810 |
pkey = getKeyPasswd(alias, null, null); |
|
2811 |
pp = new PasswordProtection(pkey); |
|
2812 |
entry = ks.getEntry(alias, pp); |
|
2813 |
} |
|
2814 |
} |
|
2815 |
} |
|
2816 |
} |
|
2817 |
||
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2818 |
return Pair.of(entry, pkey); |
2 | 2819 |
} |
2820 |
/** |
|
2821 |
* Gets the requested finger print of the certificate. |
|
2822 |
*/ |
|
2823 |
private String getCertFingerPrint(String mdAlg, Certificate cert) |
|
2824 |
throws Exception |
|
2825 |
{ |
|
2826 |
byte[] encCertInfo = cert.getEncoded(); |
|
2827 |
MessageDigest md = MessageDigest.getInstance(mdAlg); |
|
2828 |
byte[] digest = md.digest(encCertInfo); |
|
2829 |
return toHexString(digest); |
|
2830 |
} |
|
2831 |
||
2832 |
/** |
|
2833 |
* Prints warning about missing integrity check. |
|
2834 |
*/ |
|
2835 |
private void printWarning() { |
|
2836 |
System.err.println(); |
|
2837 |
System.err.println(rb.getString |
|
2838 |
("***************** WARNING WARNING WARNING *****************")); |
|
2839 |
System.err.println(rb.getString |
|
2840 |
("* The integrity of the information stored in your keystore *")); |
|
2841 |
System.err.println(rb.getString |
|
2842 |
("* has NOT been verified! In order to verify its integrity, *")); |
|
2843 |
System.err.println(rb.getString |
|
2844 |
("* you must provide your keystore password. *")); |
|
2845 |
System.err.println(rb.getString |
|
2846 |
("***************** WARNING WARNING WARNING *****************")); |
|
2847 |
System.err.println(); |
|
2848 |
} |
|
2849 |
||
2850 |
/** |
|
2851 |
* Validates chain in certification reply, and returns the ordered |
|
2852 |
* elements of the chain (with user certificate first, and root |
|
2853 |
* certificate last in the array). |
|
2854 |
* |
|
2855 |
* @param alias the alias name |
|
2856 |
* @param userCert the user certificate of the alias |
|
2857 |
* @param replyCerts the chain provided in the reply |
|
2858 |
*/ |
|
2859 |
private Certificate[] validateReply(String alias, |
|
2860 |
Certificate userCert, |
|
2861 |
Certificate[] replyCerts) |
|
2862 |
throws Exception |
|
2863 |
{ |
|
2864 |
// order the certs in the reply (bottom-up). |
|
2865 |
// we know that all certs in the reply are of type X.509, because |
|
2866 |
// we parsed them using an X.509 certificate factory |
|
2867 |
int i; |
|
2868 |
PublicKey userPubKey = userCert.getPublicKey(); |
|
2869 |
for (i=0; i<replyCerts.length; i++) { |
|
2870 |
if (userPubKey.equals(replyCerts[i].getPublicKey())) { |
|
2871 |
break; |
|
2872 |
} |
|
2873 |
} |
|
2874 |
if (i == replyCerts.length) { |
|
2875 |
MessageFormat form = new MessageFormat(rb.getString |
|
2876 |
("Certificate reply does not contain public key for <alias>")); |
|
2877 |
Object[] source = {alias}; |
|
2878 |
throw new Exception(form.format(source)); |
|
2879 |
} |
|
2880 |
||
2881 |
Certificate tmpCert = replyCerts[0]; |
|
2882 |
replyCerts[0] = replyCerts[i]; |
|
2883 |
replyCerts[i] = tmpCert; |
|
2437
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
2884 |
|
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
2885 |
X509Certificate thisCert = (X509Certificate)replyCerts[0]; |
2 | 2886 |
|
2887 |
for (i=1; i < replyCerts.length-1; i++) { |
|
2437
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
2888 |
// find a cert in the reply who signs thisCert |
2 | 2889 |
int j; |
2890 |
for (j=i; j<replyCerts.length; j++) { |
|
2437
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
2891 |
if (signedBy(thisCert, (X509Certificate)replyCerts[j])) { |
2 | 2892 |
tmpCert = replyCerts[i]; |
2893 |
replyCerts[i] = replyCerts[j]; |
|
2894 |
replyCerts[j] = tmpCert; |
|
2437
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
2895 |
thisCert = (X509Certificate)replyCerts[i]; |
2 | 2896 |
break; |
2897 |
} |
|
2898 |
} |
|
2899 |
if (j == replyCerts.length) { |
|
2900 |
throw new Exception |
|
2901 |
(rb.getString("Incomplete certificate chain in reply")); |
|
2902 |
} |
|
2903 |
} |
|
2904 |
||
2905 |
if (noprompt) { |
|
2906 |
return replyCerts; |
|
2907 |
} |
|
2908 |
||
2909 |
// do we trust the (root) cert at the top? |
|
2910 |
Certificate topCert = replyCerts[replyCerts.length-1]; |
|
2911 |
if (!isTrusted(topCert)) { |
|
2912 |
boolean verified = false; |
|
2913 |
Certificate rootCert = null; |
|
2914 |
if (trustcacerts && (caks!= null)) { |
|
2915 |
for (Enumeration<String> aliases = caks.aliases(); |
|
2916 |
aliases.hasMoreElements(); ) { |
|
2917 |
String name = aliases.nextElement(); |
|
2918 |
rootCert = caks.getCertificate(name); |
|
2919 |
if (rootCert != null) { |
|
2920 |
try { |
|
2921 |
topCert.verify(rootCert.getPublicKey()); |
|
2922 |
verified = true; |
|
2923 |
break; |
|
2924 |
} catch (Exception e) { |
|
2925 |
} |
|
2926 |
} |
|
2927 |
} |
|
2928 |
} |
|
2929 |
if (!verified) { |
|
2930 |
System.err.println(); |
|
2931 |
System.err.println |
|
2932 |
(rb.getString("Top-level certificate in reply:\n")); |
|
2933 |
printX509Cert((X509Certificate)topCert, System.out); |
|
2934 |
System.err.println(); |
|
2935 |
System.err.print(rb.getString("... is not trusted. ")); |
|
2936 |
String reply = getYesNoReply |
|
2937 |
(rb.getString("Install reply anyway? [no]: ")); |
|
2938 |
if ("NO".equals(reply)) { |
|
2939 |
return null; |
|
2940 |
} |
|
2941 |
} else { |
|
2942 |
if (!isSelfSigned((X509Certificate)topCert)) { |
|
2943 |
// append the (self-signed) root CA cert to the chain |
|
2944 |
Certificate[] tmpCerts = |
|
2945 |
new Certificate[replyCerts.length+1]; |
|
2946 |
System.arraycopy(replyCerts, 0, tmpCerts, 0, |
|
2947 |
replyCerts.length); |
|
2948 |
tmpCerts[tmpCerts.length-1] = rootCert; |
|
2949 |
replyCerts = tmpCerts; |
|
2950 |
} |
|
2951 |
} |
|
2952 |
} |
|
2953 |
||
2954 |
return replyCerts; |
|
2955 |
} |
|
2956 |
||
2957 |
/** |
|
2958 |
* Establishes a certificate chain (using trusted certificates in the |
|
2959 |
* keystore), starting with the user certificate |
|
2960 |
* and ending at a self-signed certificate found in the keystore. |
|
2961 |
* |
|
2962 |
* @param userCert the user certificate of the alias |
|
2963 |
* @param certToVerify the single certificate provided in the reply |
|
2964 |
*/ |
|
2965 |
private Certificate[] establishCertChain(Certificate userCert, |
|
2966 |
Certificate certToVerify) |
|
2967 |
throws Exception |
|
2968 |
{ |
|
2969 |
if (userCert != null) { |
|
2970 |
// Make sure that the public key of the certificate reply matches |
|
2971 |
// the original public key in the keystore |
|
2972 |
PublicKey origPubKey = userCert.getPublicKey(); |
|
2973 |
PublicKey replyPubKey = certToVerify.getPublicKey(); |
|
2974 |
if (!origPubKey.equals(replyPubKey)) { |
|
2975 |
throw new Exception(rb.getString |
|
2976 |
("Public keys in reply and keystore don't match")); |
|
2977 |
} |
|
2978 |
||
2979 |
// If the two certs are identical, we're done: no need to import |
|
2980 |
// anything |
|
2981 |
if (certToVerify.equals(userCert)) { |
|
2982 |
throw new Exception(rb.getString |
|
2983 |
("Certificate reply and certificate in keystore are identical")); |
|
2984 |
} |
|
2985 |
} |
|
2986 |
||
2987 |
// Build a hash table of all certificates in the keystore. |
|
2988 |
// Use the subject distinguished name as the key into the hash table. |
|
2989 |
// All certificates associated with the same subject distinguished |
|
2990 |
// name are stored in the same hash table entry as a vector. |
|
2991 |
Hashtable<Principal, Vector<Certificate>> certs = null; |
|
2992 |
if (keyStore.size() > 0) { |
|
2993 |
certs = new Hashtable<Principal, Vector<Certificate>>(11); |
|
2994 |
keystorecerts2Hashtable(keyStore, certs); |
|
2995 |
} |
|
2996 |
if (trustcacerts) { |
|
2997 |
if (caks!=null && caks.size()>0) { |
|
2998 |
if (certs == null) { |
|
2999 |
certs = new Hashtable<Principal, Vector<Certificate>>(11); |
|
3000 |
} |
|
3001 |
keystorecerts2Hashtable(caks, certs); |
|
3002 |
} |
|
3003 |
} |
|
3004 |
||
3005 |
// start building chain |
|
3006 |
Vector<Certificate> chain = new Vector<Certificate>(2); |
|
3007 |
if (buildChain((X509Certificate)certToVerify, chain, certs)) { |
|
3008 |
Certificate[] newChain = new Certificate[chain.size()]; |
|
3009 |
// buildChain() returns chain with self-signed root-cert first and |
|
3010 |
// user-cert last, so we need to invert the chain before we store |
|
3011 |
// it |
|
3012 |
int j=0; |
|
3013 |
for (int i=chain.size()-1; i>=0; i--) { |
|
3014 |
newChain[j] = chain.elementAt(i); |
|
3015 |
j++; |
|
3016 |
} |
|
3017 |
return newChain; |
|
3018 |
} else { |
|
3019 |
throw new Exception |
|
3020 |
(rb.getString("Failed to establish chain from reply")); |
|
3021 |
} |
|
3022 |
} |
|
3023 |
||
3024 |
/** |
|
3025 |
* Recursively tries to establish chain from pool of trusted certs. |
|
3026 |
* |
|
3027 |
* @param certToVerify the cert that needs to be verified. |
|
3028 |
* @param chain the chain that's being built. |
|
3029 |
* @param certs the pool of trusted certs |
|
3030 |
* |
|
3031 |
* @return true if successful, false otherwise. |
|
3032 |
*/ |
|
3033 |
private boolean buildChain(X509Certificate certToVerify, |
|
3034 |
Vector<Certificate> chain, |
|
3035 |
Hashtable<Principal, Vector<Certificate>> certs) { |
|
3036 |
Principal issuer = certToVerify.getIssuerDN(); |
|
2437
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
3037 |
if (isSelfSigned(certToVerify)) { |
2 | 3038 |
// reached self-signed root cert; |
3039 |
// no verification needed because it's trusted. |
|
3040 |
chain.addElement(certToVerify); |
|
3041 |
return true; |
|
3042 |
} |
|
3043 |
||
3044 |
// Get the issuer's certificate(s) |
|
3045 |
Vector<Certificate> vec = certs.get(issuer); |
|
3046 |
if (vec == null) { |
|
3047 |
return false; |
|
3048 |
} |
|
3049 |
||
3050 |
// Try out each certificate in the vector, until we find one |
|
3051 |
// whose public key verifies the signature of the certificate |
|
3052 |
// in question. |
|
3053 |
for (Enumeration<Certificate> issuerCerts = vec.elements(); |
|
3054 |
issuerCerts.hasMoreElements(); ) { |
|
3055 |
X509Certificate issuerCert |
|
3056 |
= (X509Certificate)issuerCerts.nextElement(); |
|
3057 |
PublicKey issuerPubKey = issuerCert.getPublicKey(); |
|
3058 |
try { |
|
3059 |
certToVerify.verify(issuerPubKey); |
|
3060 |
} catch (Exception e) { |
|
3061 |
continue; |
|
3062 |
} |
|
3063 |
if (buildChain(issuerCert, chain, certs)) { |
|
3064 |
chain.addElement(certToVerify); |
|
3065 |
return true; |
|
3066 |
} |
|
3067 |
} |
|
3068 |
return false; |
|
3069 |
} |
|
3070 |
||
3071 |
/** |
|
3072 |
* Prompts user for yes/no decision. |
|
3073 |
* |
|
3074 |
* @return the user's decision, can only be "YES" or "NO" |
|
3075 |
*/ |
|
3076 |
private String getYesNoReply(String prompt) |
|
3077 |
throws IOException |
|
3078 |
{ |
|
3079 |
String reply = null; |
|
3080 |
int maxRetry = 20; |
|
3081 |
do { |
|
3082 |
if (maxRetry-- < 0) { |
|
3083 |
throw new RuntimeException(rb.getString( |
|
3084 |
"Too may retries, program terminated")); |
|
3085 |
} |
|
3086 |
System.err.print(prompt); |
|
3087 |
System.err.flush(); |
|
3088 |
reply = (new BufferedReader(new InputStreamReader |
|
3089 |
(System.in))).readLine(); |
|
3090 |
if (collator.compare(reply, "") == 0 || |
|
3091 |
collator.compare(reply, rb.getString("n")) == 0 || |
|
3092 |
collator.compare(reply, rb.getString("no")) == 0) { |
|
3093 |
reply = "NO"; |
|
3094 |
} else if (collator.compare(reply, rb.getString("y")) == 0 || |
|
3095 |
collator.compare(reply, rb.getString("yes")) == 0) { |
|
3096 |
reply = "YES"; |
|
3097 |
} else { |
|
3098 |
System.err.println(rb.getString("Wrong answer, try again")); |
|
3099 |
reply = null; |
|
3100 |
} |
|
3101 |
} while (reply == null); |
|
3102 |
return reply; |
|
3103 |
} |
|
3104 |
||
3105 |
/** |
|
3106 |
* Returns the keystore with the configured CA certificates. |
|
3107 |
*/ |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2293
diff
changeset
|
3108 |
public static KeyStore getCacertsKeyStore() |
2 | 3109 |
throws Exception |
3110 |
{ |
|
3111 |
String sep = File.separator; |
|
3112 |
File file = new File(System.getProperty("java.home") + sep |
|
3113 |
+ "lib" + sep + "security" + sep |
|
3114 |
+ "cacerts"); |
|
3115 |
if (!file.exists()) { |
|
3116 |
return null; |
|
3117 |
} |
|
3118 |
FileInputStream fis = null; |
|
3119 |
KeyStore caks = null; |
|
3120 |
try { |
|
3121 |
fis = new FileInputStream(file); |
|
3122 |
caks = KeyStore.getInstance(JKS); |
|
3123 |
caks.load(fis, null); |
|
3124 |
} finally { |
|
3125 |
if (fis != null) { |
|
3126 |
fis.close(); |
|
3127 |
} |
|
3128 |
} |
|
3129 |
return caks; |
|
3130 |
} |
|
3131 |
||
3132 |
/** |
|
3133 |
* Stores the (leaf) certificates of a keystore in a hashtable. |
|
3134 |
* All certs belonging to the same CA are stored in a vector that |
|
3135 |
* in turn is stored in the hashtable, keyed by the CA's subject DN |
|
3136 |
*/ |
|
3137 |
private void keystorecerts2Hashtable(KeyStore ks, |
|
3138 |
Hashtable<Principal, Vector<Certificate>> hash) |
|
3139 |
throws Exception { |
|
3140 |
||
3141 |
for (Enumeration<String> aliases = ks.aliases(); |
|
3142 |
aliases.hasMoreElements(); ) { |
|
3143 |
String alias = aliases.nextElement(); |
|
3144 |
Certificate cert = ks.getCertificate(alias); |
|
3145 |
if (cert != null) { |
|
3146 |
Principal subjectDN = ((X509Certificate)cert).getSubjectDN(); |
|
3147 |
Vector<Certificate> vec = hash.get(subjectDN); |
|
3148 |
if (vec == null) { |
|
3149 |
vec = new Vector<Certificate>(); |
|
3150 |
vec.addElement(cert); |
|
3151 |
} else { |
|
3152 |
if (!vec.contains(cert)) { |
|
3153 |
vec.addElement(cert); |
|
3154 |
} |
|
3155 |
} |
|
3156 |
hash.put(subjectDN, vec); |
|
3157 |
} |
|
3158 |
} |
|
3159 |
} |
|
3160 |
||
3161 |
/** |
|
3162 |
* Returns the issue time that's specified the -startdate option |
|
3163 |
* @param s the value of -startdate option |
|
3164 |
*/ |
|
3165 |
private static Date getStartDate(String s) throws IOException { |
|
3166 |
Calendar c = new GregorianCalendar(); |
|
3167 |
if (s != null) { |
|
3168 |
IOException ioe = new IOException( |
|
3169 |
rb.getString("Illegal startdate value")); |
|
3170 |
int len = s.length(); |
|
3171 |
if (len == 0) { |
|
3172 |
throw ioe; |
|
3173 |
} |
|
3174 |
if (s.charAt(0) == '-' || s.charAt(0) == '+') { |
|
3175 |
// Form 1: ([+-]nnn[ymdHMS])+ |
|
3176 |
int start = 0; |
|
3177 |
while (start < len) { |
|
3178 |
int sign = 0; |
|
3179 |
switch (s.charAt(start)) { |
|
3180 |
case '+': sign = 1; break; |
|
3181 |
case '-': sign = -1; break; |
|
3182 |
default: throw ioe; |
|
3183 |
} |
|
3184 |
int i = start+1; |
|
3185 |
for (; i<len; i++) { |
|
3186 |
char ch = s.charAt(i); |
|
3187 |
if (ch < '0' || ch > '9') break; |
|
3188 |
} |
|
3189 |
if (i == start+1) throw ioe; |
|
3190 |
int number = Integer.parseInt(s.substring(start+1, i)); |
|
3191 |
if (i >= len) throw ioe; |
|
3192 |
int unit = 0; |
|
3193 |
switch (s.charAt(i)) { |
|
3194 |
case 'y': unit = Calendar.YEAR; break; |
|
3195 |
case 'm': unit = Calendar.MONTH; break; |
|
3196 |
case 'd': unit = Calendar.DATE; break; |
|
3197 |
case 'H': unit = Calendar.HOUR; break; |
|
3198 |
case 'M': unit = Calendar.MINUTE; break; |
|
3199 |
case 'S': unit = Calendar.SECOND; break; |
|
3200 |
default: throw ioe; |
|
3201 |
} |
|
3202 |
c.add(unit, sign * number); |
|
3203 |
start = i + 1; |
|
3204 |
} |
|
3205 |
} else { |
|
3206 |
// Form 2: [yyyy/mm/dd] [HH:MM:SS] |
|
3207 |
String date = null, time = null; |
|
3208 |
if (len == 19) { |
|
3209 |
date = s.substring(0, 10); |
|
3210 |
time = s.substring(11); |
|
3211 |
if (s.charAt(10) != ' ') |
|
3212 |
throw ioe; |
|
3213 |
} else if (len == 10) { |
|
3214 |
date = s; |
|
3215 |
} else if (len == 8) { |
|
3216 |
time = s; |
|
3217 |
} else { |
|
3218 |
throw ioe; |
|
3219 |
} |
|
3220 |
if (date != null) { |
|
3221 |
if (date.matches("\\d\\d\\d\\d\\/\\d\\d\\/\\d\\d")) { |
|
3222 |
c.set(Integer.valueOf(date.substring(0, 4)), |
|
3223 |
Integer.valueOf(date.substring(5, 7))-1, |
|
3224 |
Integer.valueOf(date.substring(8, 10))); |
|
3225 |
} else { |
|
3226 |
throw ioe; |
|
3227 |
} |
|
3228 |
} |
|
3229 |
if (time != null) { |
|
3230 |
if (time.matches("\\d\\d:\\d\\d:\\d\\d")) { |
|
3231 |
c.set(Calendar.HOUR_OF_DAY, Integer.valueOf(time.substring(0, 2))); |
|
3232 |
c.set(Calendar.MINUTE, Integer.valueOf(time.substring(0, 2))); |
|
3233 |
c.set(Calendar.SECOND, Integer.valueOf(time.substring(0, 2))); |
|
3234 |
c.set(Calendar.MILLISECOND, 0); |
|
3235 |
} else { |
|
3236 |
throw ioe; |
|
3237 |
} |
|
3238 |
} |
|
3239 |
} |
|
3240 |
} |
|
3241 |
return c.getTime(); |
|
3242 |
} |
|
3243 |
||
3244 |
/** |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3245 |
* Match a command (may be abbreviated) with a command set. |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3246 |
* @param s the command provided |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3247 |
* @param list the legal command set |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3248 |
* @return the position of a single match, or -1 if none matched |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3249 |
* @throws Exception if s is ambiguous |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3250 |
*/ |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3251 |
private static int oneOf(String s, String... list) throws Exception { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3252 |
int[] match = new int[list.length]; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3253 |
int nmatch = 0; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3254 |
for (int i = 0; i<list.length; i++) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3255 |
String one = list[i]; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3256 |
if (one.toLowerCase().startsWith(s.toLowerCase())) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3257 |
match[nmatch++] = i; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3258 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3259 |
StringBuffer sb = new StringBuffer(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3260 |
boolean first = true; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3261 |
for (char c: one.toCharArray()) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3262 |
if (first) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3263 |
sb.append(c); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3264 |
first = false; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3265 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3266 |
if (!Character.isLowerCase(c)) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3267 |
sb.append(c); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3268 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3269 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3270 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3271 |
if (sb.toString().equalsIgnoreCase(s)) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3272 |
match[nmatch++] = i; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3273 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3274 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3275 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3276 |
if (nmatch == 0) return -1; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3277 |
if (nmatch == 1) return match[0]; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3278 |
StringBuffer sb = new StringBuffer(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3279 |
MessageFormat form = new MessageFormat(rb.getString |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3280 |
("command {0} is ambiguous:")); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3281 |
Object[] source = {s}; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3282 |
sb.append(form.format(source) +"\n "); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3283 |
for (int i=0; i<nmatch; i++) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3284 |
sb.append(" " + list[match[i]]); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3285 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3286 |
throw new Exception(sb.toString()); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3287 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3288 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3289 |
/** |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3290 |
* Create a GeneralName object from known types |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3291 |
* @param t one of 5 known types |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3292 |
* @param v value |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3293 |
* @return which one |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3294 |
*/ |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3295 |
private GeneralName createGeneralName(String t, String v) |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3296 |
throws Exception { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3297 |
GeneralNameInterface gn; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3298 |
int p = oneOf(t, "EMAIL", "URI", "DNS", "IP", "OID"); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3299 |
if (p < 0) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3300 |
throw new Exception(rb.getString( |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3301 |
"Unrecognized GeneralName type: ") + t); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3302 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3303 |
switch (p) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3304 |
case 0: gn = new RFC822Name(v); break; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3305 |
case 1: gn = new URIName(v); break; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3306 |
case 2: gn = new DNSName(v); break; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3307 |
case 3: gn = new IPAddressName(v); break; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3308 |
default: gn = new OIDName(v); break; //4 |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3309 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3310 |
return new GeneralName(gn); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3311 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3312 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3313 |
private static final String[] extSupported = { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3314 |
"BasicConstraints", |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3315 |
"KeyUsage", |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3316 |
"ExtendedKeyUsage", |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3317 |
"SubjectAlternativeName", |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3318 |
"IssuerAlternativeName", |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3319 |
"SubjectInfoAccess", |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3320 |
"AuthorityInfoAccess", |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3321 |
}; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3322 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3323 |
private ObjectIdentifier findOidForExtName(String type) |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3324 |
throws Exception { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3325 |
switch (oneOf(type, extSupported)) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3326 |
case 0: return PKIXExtensions.BasicConstraints_Id; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3327 |
case 1: return PKIXExtensions.KeyUsage_Id; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3328 |
case 2: return PKIXExtensions.ExtendedKeyUsage_Id; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3329 |
case 3: return PKIXExtensions.SubjectAlternativeName_Id; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3330 |
case 4: return PKIXExtensions.IssuerAlternativeName_Id; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3331 |
case 5: return PKIXExtensions.SubjectInfoAccess_Id; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3332 |
case 6: return PKIXExtensions.AuthInfoAccess_Id; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3333 |
default: return new ObjectIdentifier(type); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3334 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3335 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3336 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3337 |
/** |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3338 |
* Create X509v3 extensions from a string representation. Note that the |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3339 |
* SubjectKeyIdentifierExtension will always be created non-critical besides |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3340 |
* the extension requested in the <code>extstr</code> argument. |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3341 |
* |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3342 |
* @param reqex the requested extensions, can be null, used for -gencert |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3343 |
* @param ext the original extensions, can be null, used for -selfcert |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3344 |
* @param extstrs -ext values, Read keytool doc |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3345 |
* @param pkey the public key for the certificate |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3346 |
* @param akey the public key for the authority (issuer) |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3347 |
* @return the created CertificateExtensions |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3348 |
*/ |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3349 |
private CertificateExtensions createV3Extensions( |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3350 |
CertificateExtensions reqex, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3351 |
CertificateExtensions ext, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3352 |
List <String> extstrs, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3353 |
PublicKey pkey, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3354 |
PublicKey akey) throws Exception { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3355 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3356 |
if (ext != null && reqex != null) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3357 |
// This should not happen |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3358 |
throw new Exception("One of request and original should be null."); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3359 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3360 |
if (ext == null) ext = new CertificateExtensions(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3361 |
try { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3362 |
// name{:critical}{=value} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3363 |
// Honoring requested extensions |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3364 |
if (reqex != null) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3365 |
for(String extstr: extstrs) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3366 |
if (extstr.toLowerCase().startsWith("honored=")) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3367 |
List<String> list = Arrays.asList( |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3368 |
extstr.toLowerCase().substring(8).split(",")); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3369 |
// First check existence of "all" |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3370 |
if (list.contains("all")) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3371 |
ext = reqex; // we know ext was null |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3372 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3373 |
// one by one for others |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3374 |
for (String item: list) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3375 |
if (item.equals("all")) continue; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3376 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3377 |
// add or remove |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3378 |
boolean add = true; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3379 |
// -1, unchanged, 0 crtical, 1 non-critical |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3380 |
int action = -1; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3381 |
String type = null; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3382 |
if (item.startsWith("-")) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3383 |
add = false; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3384 |
type = item.substring(1); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3385 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3386 |
int colonpos = item.indexOf(':'); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3387 |
if (colonpos >= 0) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3388 |
type = item.substring(0, colonpos); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3389 |
action = oneOf(item.substring(colonpos+1), |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3390 |
"critical", "non-critical"); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3391 |
if (action == -1) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3392 |
throw new Exception(rb.getString |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3393 |
("Illegal value: ") + item); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3394 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3395 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3396 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3397 |
String n = reqex.getNameByOid(findOidForExtName(type)); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3398 |
if (add) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3399 |
Extension e = (Extension)reqex.get(n); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3400 |
if (!e.isCritical() && action == 0 |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3401 |
|| e.isCritical() && action == 1) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3402 |
e = Extension.newExtension( |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3403 |
e.getExtensionId(), |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3404 |
!e.isCritical(), |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3405 |
e.getExtensionValue()); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3406 |
ext.set(n, e); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3407 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3408 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3409 |
ext.delete(n); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3410 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3411 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3412 |
break; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3413 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3414 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3415 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3416 |
for(String extstr: extstrs) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3417 |
String name, value; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3418 |
boolean isCritical = false; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3419 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3420 |
int eqpos = extstr.indexOf('='); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3421 |
if (eqpos >= 0) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3422 |
name = extstr.substring(0, eqpos); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3423 |
value = extstr.substring(eqpos+1); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3424 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3425 |
name = extstr; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3426 |
value = null; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3427 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3428 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3429 |
int colonpos = name.indexOf(':'); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3430 |
if (colonpos >= 0) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3431 |
if (name.substring(colonpos+1).equalsIgnoreCase("critical")) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3432 |
isCritical = true; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3433 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3434 |
name = name.substring(0, colonpos); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3435 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3436 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3437 |
if (name.equalsIgnoreCase("honored")) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3438 |
continue; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3439 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3440 |
int exttype = oneOf(name, extSupported); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3441 |
switch (exttype) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3442 |
case 0: // BC |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3443 |
int pathLen = -1; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3444 |
boolean isCA = false; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3445 |
if (value == null) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3446 |
isCA = true; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3447 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3448 |
try { // the abbr format |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3449 |
pathLen = Integer.parseInt(value); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3450 |
isCA = true; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3451 |
} catch (NumberFormatException ufe) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3452 |
// ca:true,pathlen:1 |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3453 |
for (String part: value.split(",")) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3454 |
String[] nv = part.split(":"); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3455 |
if (nv.length != 2) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3456 |
throw new Exception(rb.getString |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3457 |
("Illegal value: ") + extstr); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3458 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3459 |
if (nv[0].equalsIgnoreCase("ca")) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3460 |
isCA = Boolean.parseBoolean(nv[1]); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3461 |
} else if (nv[0].equalsIgnoreCase("pathlen")) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3462 |
pathLen = Integer.parseInt(nv[1]); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3463 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3464 |
throw new Exception(rb.getString |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3465 |
("Illegal value: ") + extstr); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3466 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3467 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3468 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3469 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3470 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3471 |
ext.set(BasicConstraintsExtension.NAME, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3472 |
new BasicConstraintsExtension(isCritical, isCA, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3473 |
pathLen)); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3474 |
break; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3475 |
case 1: // KU |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3476 |
if(value != null) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3477 |
boolean[] ok = new boolean[9]; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3478 |
for (String s: value.split(",")) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3479 |
int p = oneOf(s, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3480 |
"digitalSignature", // (0), |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3481 |
"nonRepudiation", // (1) |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3482 |
"keyEncipherment", // (2), |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3483 |
"dataEncipherment", // (3), |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3484 |
"keyAgreement", // (4), |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3485 |
"keyCertSign", // (5), |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3486 |
"cRLSign", // (6), |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3487 |
"encipherOnly", // (7), |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3488 |
"decipherOnly", // (8) |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3489 |
"contentCommitment" // also (1) |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3490 |
); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3491 |
if (p < 0) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3492 |
throw new Exception(rb.getString("Unknown keyUsage type: ") + s); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3493 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3494 |
if (p == 9) p = 1; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3495 |
ok[p] = true; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3496 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3497 |
KeyUsageExtension kue = new KeyUsageExtension(ok); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3498 |
// The above KeyUsageExtension constructor does not |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3499 |
// allow isCritical value, so... |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3500 |
ext.set(KeyUsageExtension.NAME, Extension.newExtension( |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3501 |
kue.getExtensionId(), |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3502 |
isCritical, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3503 |
kue.getExtensionValue())); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3504 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3505 |
throw new Exception(rb.getString |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3506 |
("Illegal value: ") + extstr); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3507 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3508 |
break; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3509 |
case 2: // EKU |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3510 |
if(value != null) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3511 |
Vector <ObjectIdentifier> v = |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3512 |
new Vector <ObjectIdentifier>(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3513 |
for (String s: value.split(",")) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3514 |
int p = oneOf(s, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3515 |
"anyExtendedKeyUsage", |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3516 |
"serverAuth", //1 |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3517 |
"clientAuth", //2 |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3518 |
"codeSigning", //3 |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3519 |
"emailProtection", //4 |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3520 |
"", //5 |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3521 |
"", //6 |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3522 |
"", //7 |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3523 |
"timeStamping", //8 |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3524 |
"OCSPSigning" //9 |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3525 |
); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3526 |
if (p < 0) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3527 |
try { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3528 |
v.add(new ObjectIdentifier(s)); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3529 |
} catch (Exception e) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3530 |
throw new Exception(rb.getString( |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3531 |
"Unknown extendedkeyUsage type: ") + s); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3532 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3533 |
} else if (p == 0) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3534 |
v.add(new ObjectIdentifier("2.5.29.37.0")); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3535 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3536 |
v.add(new ObjectIdentifier("1.3.6.1.5.5.7.3." + p)); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3537 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3538 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3539 |
ext.set(ExtendedKeyUsageExtension.NAME, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3540 |
new ExtendedKeyUsageExtension(isCritical, v)); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3541 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3542 |
throw new Exception(rb.getString |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3543 |
("Illegal value: ") + extstr); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3544 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3545 |
break; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3546 |
case 3: // SAN |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3547 |
case 4: // IAN |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3548 |
if(value != null) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3549 |
String[] ps = value.split(","); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3550 |
GeneralNames gnames = new GeneralNames(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3551 |
for(String item: ps) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3552 |
colonpos = item.indexOf(':'); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3553 |
if (colonpos < 0) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3554 |
throw new Exception("Illegal item " + item + " in " + extstr); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3555 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3556 |
String t = item.substring(0, colonpos); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3557 |
String v = item.substring(colonpos+1); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3558 |
gnames.add(createGeneralName(t, v)); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3559 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3560 |
if (exttype == 3) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3561 |
ext.set(SubjectAlternativeNameExtension.NAME, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3562 |
new SubjectAlternativeNameExtension( |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3563 |
isCritical, gnames)); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3564 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3565 |
ext.set(IssuerAlternativeNameExtension.NAME, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3566 |
new IssuerAlternativeNameExtension( |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3567 |
isCritical, gnames)); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3568 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3569 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3570 |
throw new Exception(rb.getString |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3571 |
("Illegal value: ") + extstr); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3572 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3573 |
break; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3574 |
case 5: // SIA, always non-critical |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3575 |
case 6: // AIA, always non-critical |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3576 |
if (isCritical) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3577 |
throw new Exception(rb.getString( |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3578 |
"This extension cannot be marked as critical. ") + extstr); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3579 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3580 |
if(value != null) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3581 |
List<AccessDescription> accessDescriptions = |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3582 |
new ArrayList<AccessDescription>(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3583 |
String[] ps = value.split(","); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3584 |
for(String item: ps) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3585 |
colonpos = item.indexOf(':'); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3586 |
int colonpos2 = item.indexOf(':', colonpos+1); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3587 |
if (colonpos < 0 || colonpos2 < 0) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3588 |
throw new Exception(rb.getString |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3589 |
("Illegal value: ") + extstr); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3590 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3591 |
String m = item.substring(0, colonpos); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3592 |
String t = item.substring(colonpos+1, colonpos2); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3593 |
String v = item.substring(colonpos2+1); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3594 |
int p = oneOf(m, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3595 |
"", |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3596 |
"ocsp", //1 |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3597 |
"caIssuers", //2 |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3598 |
"timeStamping", //3 |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3599 |
"", |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3600 |
"caRepository" //5 |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3601 |
); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3602 |
ObjectIdentifier oid; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3603 |
if (p < 0) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3604 |
try { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3605 |
oid = new ObjectIdentifier(m); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3606 |
} catch (Exception e) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3607 |
throw new Exception(rb.getString( |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3608 |
"Unknown AccessDescription type: ") + m); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3609 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3610 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3611 |
oid = new ObjectIdentifier("1.3.6.1.5.5.7.48." + p); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3612 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3613 |
accessDescriptions.add(new AccessDescription( |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3614 |
oid, createGeneralName(t, v))); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3615 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3616 |
if (exttype == 5) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3617 |
ext.set(SubjectInfoAccessExtension.NAME, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3618 |
new SubjectInfoAccessExtension(accessDescriptions)); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3619 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3620 |
ext.set(AuthorityInfoAccessExtension.NAME, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3621 |
new AuthorityInfoAccessExtension(accessDescriptions)); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3622 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3623 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3624 |
throw new Exception(rb.getString |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3625 |
("Illegal value: ") + extstr); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3626 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3627 |
break; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3628 |
case -1: |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3629 |
ObjectIdentifier oid = new ObjectIdentifier(name); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3630 |
byte[] data = null; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3631 |
if (value != null) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3632 |
data = new byte[value.length() / 2 + 1]; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3633 |
int pos = 0; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3634 |
for (char c: value.toCharArray()) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3635 |
int hex; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3636 |
if (c >= '0' && c <= '9') { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3637 |
hex = c - '0' ; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3638 |
} else if (c >= 'A' && c <= 'F') { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3639 |
hex = c - 'A' + 10; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3640 |
} else if (c >= 'a' && c <= 'f') { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3641 |
hex = c - 'a' + 10; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3642 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3643 |
continue; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3644 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3645 |
if (pos % 2 == 0) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3646 |
data[pos/2] = (byte)(hex << 4); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3647 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3648 |
data[pos/2] += hex; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3649 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3650 |
pos++; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3651 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3652 |
if (pos % 2 != 0) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3653 |
throw new Exception(rb.getString( |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3654 |
"Odd number of hex digits found: ") + extstr); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3655 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3656 |
data = Arrays.copyOf(data, pos/2); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3657 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3658 |
data = new byte[0]; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3659 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3660 |
ext.set(oid.toString(), new Extension(oid, isCritical, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3661 |
new DerValue(DerValue.tag_OctetString, data) |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3662 |
.toByteArray())); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3663 |
break; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3664 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3665 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3666 |
// always non-critical |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3667 |
ext.set(SubjectKeyIdentifierExtension.NAME, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3668 |
new SubjectKeyIdentifierExtension( |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3669 |
new KeyIdentifier(pkey).getIdentifier())); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3670 |
if (akey != null && !pkey.equals(akey)) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3671 |
ext.set(AuthorityKeyIdentifierExtension.NAME, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3672 |
new AuthorityKeyIdentifierExtension( |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3673 |
new KeyIdentifier(akey), null, null)); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3674 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3675 |
} catch(IOException e) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3676 |
throw new RuntimeException(e); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3677 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3678 |
return ext; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3679 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3680 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3681 |
/** |
2 | 3682 |
* Prints the usage of this tool. |
3683 |
*/ |
|
3684 |
private void usage() { |
|
3685 |
System.err.println(rb.getString("keytool usage:\n")); |
|
3686 |
||
3687 |
System.err.println(rb.getString |
|
3688 |
("-certreq [-v] [-protected]")); |
|
3689 |
System.err.println(rb.getString |
|
3690 |
("\t [-alias <alias>] [-sigalg <sigalg>]")); |
|
3691 |
System.err.println(rb.getString |
|
3692 |
("\t [-file <csr_file>] [-keypass <keypass>]")); |
|
3693 |
System.err.println(rb.getString |
|
3694 |
("\t [-keystore <keystore>] [-storepass <storepass>]")); |
|
3695 |
System.err.println(rb.getString |
|
3696 |
("\t [-storetype <storetype>] [-providername <name>]")); |
|
3697 |
System.err.println(rb.getString |
|
3698 |
("\t [-providerclass <provider_class_name> [-providerarg <arg>]] ...")); |
|
3699 |
System.err.println(rb.getString |
|
3700 |
("\t [-providerpath <pathlist>]")); |
|
3701 |
System.err.println(); |
|
3702 |
||
3703 |
System.err.println(rb.getString |
|
3704 |
("-changealias [-v] [-protected] -alias <alias> -destalias <destalias>")); |
|
3705 |
System.err.println(rb.getString |
|
3706 |
("\t [-keypass <keypass>]")); |
|
3707 |
System.err.println(rb.getString |
|
3708 |
("\t [-keystore <keystore>] [-storepass <storepass>]")); |
|
3709 |
System.err.println(rb.getString |
|
3710 |
("\t [-storetype <storetype>] [-providername <name>]")); |
|
3711 |
System.err.println(rb.getString |
|
3712 |
("\t [-providerclass <provider_class_name> [-providerarg <arg>]] ...")); |
|
3713 |
System.err.println(rb.getString |
|
3714 |
("\t [-providerpath <pathlist>]")); |
|
3715 |
System.err.println(); |
|
3716 |
||
3717 |
System.err.println(rb.getString |
|
3718 |
("-delete [-v] [-protected] -alias <alias>")); |
|
3719 |
System.err.println(rb.getString |
|
3720 |
("\t [-keystore <keystore>] [-storepass <storepass>]")); |
|
3721 |
System.err.println(rb.getString |
|
3722 |
("\t [-storetype <storetype>] [-providername <name>]")); |
|
3723 |
System.err.println(rb.getString |
|
3724 |
("\t [-providerclass <provider_class_name> [-providerarg <arg>]] ...")); |
|
3725 |
System.err.println(rb.getString |
|
3726 |
("\t [-providerpath <pathlist>]")); |
|
3727 |
System.err.println(); |
|
3728 |
||
3729 |
System.err.println(rb.getString |
|
3730 |
("-exportcert [-v] [-rfc] [-protected]")); |
|
3731 |
System.err.println(rb.getString |
|
3732 |
("\t [-alias <alias>] [-file <cert_file>]")); |
|
3733 |
System.err.println(rb.getString |
|
3734 |
("\t [-keystore <keystore>] [-storepass <storepass>]")); |
|
3735 |
System.err.println(rb.getString |
|
3736 |
("\t [-storetype <storetype>] [-providername <name>]")); |
|
3737 |
System.err.println(rb.getString |
|
3738 |
("\t [-providerclass <provider_class_name> [-providerarg <arg>]] ...")); |
|
3739 |
System.err.println(rb.getString |
|
3740 |
("\t [-providerpath <pathlist>]")); |
|
3741 |
System.err.println(); |
|
3742 |
||
3743 |
System.err.println(rb.getString |
|
3744 |
("-genkeypair [-v] [-protected]")); |
|
3745 |
System.err.println(rb.getString |
|
3746 |
("\t [-alias <alias>]")); |
|
3747 |
System.err.println(rb.getString |
|
3748 |
("\t [-keyalg <keyalg>] [-keysize <keysize>]")); |
|
3749 |
System.err.println(rb.getString |
|
3750 |
("\t [-sigalg <sigalg>] [-dname <dname>]")); |
|
3751 |
System.err.println(rb.getString |
|
3752 |
("\t [-startdate <startdate>]")); |
|
3753 |
System.err.println(rb.getString |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3754 |
("\t [-ext <key>[:critical][=<value>]]...")); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3755 |
System.err.println(rb.getString |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3756 |
("\t [-validity <valDays>] [-keypass <keypass>]")); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3757 |
System.err.println(rb.getString |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3758 |
("\t [-keystore <keystore>] [-storepass <storepass>]")); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3759 |
System.err.println(rb.getString |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3760 |
("\t [-storetype <storetype>] [-providername <name>]")); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3761 |
System.err.println(rb.getString |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3762 |
("\t [-providerclass <provider_class_name> [-providerarg <arg>]] ...")); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3763 |
System.err.println(rb.getString |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3764 |
("\t [-providerpath <pathlist>]")); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3765 |
System.err.println(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3766 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3767 |
System.err.println(rb.getString |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3768 |
("-gencert [-v] [-rfc] [-protected]")); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3769 |
System.err.println(rb.getString |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3770 |
("\t [-infile <infile>] [-outfile <outfile>]")); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3771 |
System.err.println(rb.getString |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3772 |
("\t [-alias <alias>]")); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3773 |
System.err.println(rb.getString |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3774 |
("\t [-sigalg <sigalg>]")); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3775 |
System.err.println(rb.getString |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3776 |
("\t [-startdate <startdate>]")); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3777 |
System.err.println(rb.getString |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3778 |
("\t [-ext <key>[:critical][=<value>]]...")); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3779 |
System.err.println(rb.getString |
2 | 3780 |
("\t [-validity <valDays>] [-keypass <keypass>]")); |
3781 |
System.err.println(rb.getString |
|
3782 |
("\t [-keystore <keystore>] [-storepass <storepass>]")); |
|
3783 |
System.err.println(rb.getString |
|
3784 |
("\t [-storetype <storetype>] [-providername <name>]")); |
|
3785 |
System.err.println(rb.getString |
|
3786 |
("\t [-providerclass <provider_class_name> [-providerarg <arg>]] ...")); |
|
3787 |
System.err.println(rb.getString |
|
3788 |
("\t [-providerpath <pathlist>]")); |
|
3789 |
System.err.println(); |
|
3790 |
||
3791 |
System.err.println(rb.getString |
|
3792 |
("-genseckey [-v] [-protected]")); |
|
3793 |
System.err.println(rb.getString |
|
3794 |
("\t [-alias <alias>] [-keypass <keypass>]")); |
|
3795 |
System.err.println(rb.getString |
|
3796 |
("\t [-keyalg <keyalg>] [-keysize <keysize>]")); |
|
3797 |
System.err.println(rb.getString |
|
3798 |
("\t [-keystore <keystore>] [-storepass <storepass>]")); |
|
3799 |
System.err.println(rb.getString |
|
3800 |
("\t [-storetype <storetype>] [-providername <name>]")); |
|
3801 |
System.err.println(rb.getString |
|
3802 |
("\t [-providerclass <provider_class_name> [-providerarg <arg>]] ...")); |
|
3803 |
System.err.println(rb.getString |
|
3804 |
("\t [-providerpath <pathlist>]")); |
|
3805 |
System.err.println(); |
|
3806 |
||
3807 |
System.err.println(rb.getString("-help")); |
|
3808 |
System.err.println(); |
|
3809 |
||
3810 |
System.err.println(rb.getString |
|
3811 |
("-importcert [-v] [-noprompt] [-trustcacerts] [-protected]")); |
|
3812 |
System.err.println(rb.getString |
|
3813 |
("\t [-alias <alias>]")); |
|
3814 |
System.err.println(rb.getString |
|
3815 |
("\t [-file <cert_file>] [-keypass <keypass>]")); |
|
3816 |
System.err.println(rb.getString |
|
3817 |
("\t [-keystore <keystore>] [-storepass <storepass>]")); |
|
3818 |
System.err.println(rb.getString |
|
3819 |
("\t [-storetype <storetype>] [-providername <name>]")); |
|
3820 |
System.err.println(rb.getString |
|
3821 |
("\t [-providerclass <provider_class_name> [-providerarg <arg>]] ...")); |
|
3822 |
System.err.println(rb.getString |
|
3823 |
("\t [-providerpath <pathlist>]")); |
|
3824 |
System.err.println(); |
|
3825 |
||
3826 |
System.err.println(rb.getString |
|
3827 |
("-importkeystore [-v] ")); |
|
3828 |
System.err.println(rb.getString |
|
3829 |
("\t [-srckeystore <srckeystore>] [-destkeystore <destkeystore>]")); |
|
3830 |
System.err.println(rb.getString |
|
3831 |
("\t [-srcstoretype <srcstoretype>] [-deststoretype <deststoretype>]")); |
|
3832 |
System.err.println(rb.getString |
|
3833 |
("\t [-srcstorepass <srcstorepass>] [-deststorepass <deststorepass>]")); |
|
3834 |
System.err.println(rb.getString |
|
3835 |
("\t [-srcprotected] [-destprotected]")); |
|
3836 |
System.err.println(rb.getString |
|
3837 |
("\t [-srcprovidername <srcprovidername>]\n\t [-destprovidername <destprovidername>]")); |
|
3838 |
System.err.println(rb.getString |
|
3839 |
("\t [-srcalias <srcalias> [-destalias <destalias>]")); |
|
3840 |
System.err.println(rb.getString |
|
3841 |
("\t [-srckeypass <srckeypass>] [-destkeypass <destkeypass>]]")); |
|
3842 |
System.err.println(rb.getString |
|
3843 |
("\t [-noprompt]")); |
|
3844 |
System.err.println(rb.getString |
|
3845 |
("\t [-providerclass <provider_class_name> [-providerarg <arg>]] ...")); |
|
3846 |
System.err.println(rb.getString |
|
3847 |
("\t [-providerpath <pathlist>]")); |
|
3848 |
System.err.println(); |
|
3849 |
||
3850 |
System.err.println(rb.getString |
|
3851 |
("-keypasswd [-v] [-alias <alias>]")); |
|
3852 |
System.err.println(rb.getString |
|
3853 |
("\t [-keypass <old_keypass>] [-new <new_keypass>]")); |
|
3854 |
System.err.println(rb.getString |
|
3855 |
("\t [-keystore <keystore>] [-storepass <storepass>]")); |
|
3856 |
System.err.println(rb.getString |
|
3857 |
("\t [-storetype <storetype>] [-providername <name>]")); |
|
3858 |
System.err.println(rb.getString |
|
3859 |
("\t [-providerclass <provider_class_name> [-providerarg <arg>]] ...")); |
|
3860 |
System.err.println(rb.getString |
|
3861 |
("\t [-providerpath <pathlist>]")); |
|
3862 |
System.err.println(); |
|
3863 |
||
3864 |
System.err.println(rb.getString |
|
3865 |
("-list [-v | -rfc] [-protected]")); |
|
3866 |
System.err.println(rb.getString |
|
3867 |
("\t [-alias <alias>]")); |
|
3868 |
System.err.println(rb.getString |
|
3869 |
("\t [-keystore <keystore>] [-storepass <storepass>]")); |
|
3870 |
System.err.println(rb.getString |
|
3871 |
("\t [-storetype <storetype>] [-providername <name>]")); |
|
3872 |
System.err.println(rb.getString |
|
3873 |
("\t [-providerclass <provider_class_name> [-providerarg <arg>]] ...")); |
|
3874 |
System.err.println(rb.getString |
|
3875 |
("\t [-providerpath <pathlist>]")); |
|
3876 |
System.err.println(); |
|
3877 |
||
3878 |
System.err.println(rb.getString |
|
904
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
3879 |
("-printcert [-v] [-rfc] [-file <cert_file> | -sslserver <host[:port]>]")); |
2 | 3880 |
System.err.println(); |
3881 |
||
3882 |
System.err.println(rb.getString |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3883 |
("-printcertreq [-v] [-file <cert_file>]")); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3884 |
System.err.println(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3885 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3886 |
System.err.println(rb.getString |
2 | 3887 |
("-storepasswd [-v] [-new <new_storepass>]")); |
3888 |
System.err.println(rb.getString |
|
3889 |
("\t [-keystore <keystore>] [-storepass <storepass>]")); |
|
3890 |
System.err.println(rb.getString |
|
3891 |
("\t [-storetype <storetype>] [-providername <name>]")); |
|
3892 |
System.err.println(rb.getString |
|
3893 |
("\t [-providerclass <provider_class_name> [-providerarg <arg>]] ...")); |
|
3894 |
System.err.println(rb.getString |
|
3895 |
("\t [-providerpath <pathlist>]")); |
|
3896 |
} |
|
3897 |
||
3898 |
private void tinyHelp() { |
|
3899 |
System.err.println(rb.getString("Try keytool -help")); |
|
3900 |
||
3901 |
// do not drown user with the help lines. |
|
3902 |
if (debug) { |
|
3903 |
throw new RuntimeException("NO BIG ERROR, SORRY"); |
|
3904 |
} else { |
|
3905 |
System.exit(1); |
|
3906 |
} |
|
3907 |
} |
|
3908 |
||
3909 |
private void errorNeedArgument(String flag) { |
|
3910 |
Object[] source = {flag}; |
|
3911 |
System.err.println(new MessageFormat( |
|
3912 |
rb.getString("Command option <flag> needs an argument.")).format(source)); |
|
3913 |
tinyHelp(); |
|
3914 |
} |
|
3915 |
} |
|
3916 |
||
3917 |
// This class is exactly the same as com.sun.tools.javac.util.Pair, |
|
3918 |
// it's copied here since the original one is not included in JRE. |
|
3919 |
class Pair<A, B> { |
|
3920 |
||
3921 |
public final A fst; |
|
3922 |
public final B snd; |
|
3923 |
||
3924 |
public Pair(A fst, B snd) { |
|
3925 |
this.fst = fst; |
|
3926 |
this.snd = snd; |
|
3927 |
} |
|
3928 |
||
3929 |
public String toString() { |
|
3930 |
return "Pair[" + fst + "," + snd + "]"; |
|
3931 |
} |
|
3932 |
||
3933 |
private static boolean equals(Object x, Object y) { |
|
3934 |
return (x == null && y == null) || (x != null && x.equals(y)); |
|
3935 |
} |
|
3936 |
||
3937 |
public boolean equals(Object other) { |
|
3938 |
return |
|
3939 |
other instanceof Pair && |
|
3940 |
equals(fst, ((Pair)other).fst) && |
|
3941 |
equals(snd, ((Pair)other).snd); |
|
3942 |
} |
|
3943 |
||
3944 |
public int hashCode() { |
|
3945 |
if (fst == null) return (snd == null) ? 0 : snd.hashCode() + 1; |
|
3946 |
else if (snd == null) return fst.hashCode() + 2; |
|
3947 |
else return fst.hashCode() * 17 + snd.hashCode(); |
|
3948 |
} |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3949 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3950 |
public static <A,B> Pair<A,B> of(A a, B b) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3951 |
return new Pair<A,B>(a,b); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3952 |
} |
2 | 3953 |
} |