/*

 * Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.

 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

 *

 * This code is free software; you can redistribute it and/or modify it

 * under the terms of the GNU General Public License version 2 only, as

 * published by the Free Software Foundation.

 *

 * This code is distributed in the hope that it will be useful, but WITHOUT

 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

 * version 2 for more details (a copy is included in the LICENSE file that

 * accompanied this code).

 *

 * You should have received a copy of the GNU General Public License version

 * 2 along with this work; if not, write to the Free Software Foundation,

 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

 *

 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

 * or visit www.oracle.com if you need additional information or have any

 * questions.

 */

/*

 *

 *

 * @summary Testing keytool

 * @author weijun.wang

 *

 * Run through autotest.sh and manualtest.sh

 *

 * Testing non-PKCS11 keystores:

 *       echo | java -Dfile KeyToolTest

 *

 * Testing NSS PKCS11 keystores:

 *       # testing NSS

 *       # make sure the NSS db files are in current directory and writable

 *       echo | java -Dnss -Dnss.lib=/path/to/libsoftokn3.so KeyToolTest

 *

 * Testing Solaris Cryptography Framework PKCS11 keystores:

 *       # make sure you've already run pktool and set test12 as pin

 *       echo | java -Dsolaris KeyToolTest

 *

 * ATTENTION:

 * Exception in thread "main" java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_KEY_SIZE_RANGE

 *       at sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:420)

 *       ...

 * Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_KEY_SIZE_RANGE

 *       at sun.security.pkcs11.wrapper.PKCS11.C_SignFinal(Native Method)

 *       at sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:391)

 *       ...

 * been observed. Possibly a Solaris bug

 *

 * ATTENTION:

 * NSS PKCS11 config file are changed, DSA not supported now.

 */

import java.security.KeyStore;

import sun.security.x509.*;

import java.io.*;

import java.security.KeyPairGenerator;

import java.security.NoSuchAlgorithmException;

import java.util.*;

import java.security.cert.X509Certificate;

import sun.security.util.ObjectIdentifier;

public class KeyToolTest {

    // The stdout and stderr outputs after a keytool run

    String out;

    String err;

    // the output of println() in KeyTool.run

    String ex;

    String lastInput = "", lastCommand = "";

    private static final boolean debug =

        System.getProperty("debug") != null;

    static final String NSS_P11_ARG =

            "-keystore NONE -storetype PKCS11 -providerName SunPKCS11-nss -providerClass sun.security.pkcs11.SunPKCS11 -providerArg p11-nss.txt ";

    static final String NSS_SRC_P11_ARG =

            "-srckeystore NONE -srcstoretype PKCS11 -srcproviderName SunPKCS11-nss -providerClass sun.security.pkcs11.SunPKCS11 -providerArg p11-nss.txt ";

    static final String NZZ_P11_ARG =

            "-keystore NONE -storetype PKCS11 -providerName SunPKCS11-nzz -providerClass sun.security.pkcs11.SunPKCS11 -providerArg p11-nzz.txt ";

    static final String NZZ_SRC_P11_ARG =

            "-srckeystore NONE -srcstoretype PKCS11 -srcproviderName SunPKCS11-nzz -providerClass sun.security.pkcs11.SunPKCS11 -providerArg p11-nzz.txt ";

    static final String SUN_P11_ARG = "-keystore NONE -storetype PKCS11 ";

    static final String SUN_SRC_P11_ARG = "-srckeystore NONE -srcstoretype PKCS11 ";

    String p11Arg, srcP11Arg;

    /** Creates a new instance of KeyToolTest */

    KeyToolTest() {

        // so that there is "Warning" and not translated into other language

        Locale.setDefault(Locale.US);

    }

    /**

     * Helper, removes a file

     */

    void remove(String filename) {

        if (debug) {

            System.err.println("Removing " + filename);

        }

        new File(filename).delete();

        if (new File(filename).exists()) {

            throw new RuntimeException("Error deleting " + filename);

        }

    }

    /**

     * Run a set of keytool command with given terminal input.

     * @param input the terminal inputs, the characters typed by human

     *        if <code>cmd</code> is running on a terminal

     * @param cmd the argument of a keytool command line

     * @throws if keytool goes wrong in some place

     */

    void test(String input, String cmd) throws Exception {

        lastInput = input;

        lastCommand = cmd;

        // "X" is appended so that we can precisely test how input is consumed

        HumanInputStream in = new HumanInputStream(input+"X");

        test(in, cmd);

        // make sure the input string is no more no less

        if(in.read() != 'X' || in.read() != -1)

            throw new Exception("Input not consumed exactly");

    }

    void test(InputStream in, String cmd) throws Exception {

        // save the original 3 streams

        if (debug) {

            System.err.println(cmd);

        } else {

            System.err.print(".");

        }

        PrintStream p1 = System.out;

        PrintStream p2 = System.err;

        InputStream i1 = System.in;

        ByteArrayOutputStream b1 = new ByteArrayOutputStream();

        ByteArrayOutputStream b2 = new ByteArrayOutputStream();

        try {

            System.setIn(in);

            System.setOut(new PrintStream(b1));

            System.setErr(new PrintStream(b2));

            // never block at user input

            // instead of calling System.exit()

        } finally {

            out = b1.toString();

            err = b2.toString();

            ex = out;   // now it goes to System.out

            System.setIn(i1);

            System.setOut(p1);

            System.setErr(p2);

        }

    }

    /**

     * Call this method if you expect test(input, cmd) should go OK

     */

    void testOK(String input, String cmd) throws Exception {

        try {

            test(input, cmd);

        } catch(Exception e) {

            afterFail(input, cmd, "OK");

            throw e;

        }

    }

    /**

     * Call this method if you expect test(input, cmd) should fail and throw

     * an exception

     */

    void testFail(String input, String cmd) throws Exception {

        boolean ok;

        try {

            test(input, cmd);

            ok = true;

        } catch(Exception e) {

            if (e instanceof MissingResourceException) {

                ok = true;

            } else {

                ok = false;

            }

        }

        if(ok) {

            afterFail(input, cmd, "FAIL");

            throw new RuntimeException();

        }

    }

    /**

     * Call this method if you expect test(input, cmd) should go OK

     */

    void testOK(InputStream is, String cmd) throws Exception {

        try {

            test(is, cmd);

        } catch(Exception e) {

            afterFail("", cmd, "OK");

            throw e;

        }

    }

    /**

     * Call this method if you expect test(input, cmd) should fail and throw

     * an exception

     */

    void testFail(InputStream is, String cmd) throws Exception {

        boolean ok;

        try {

            test(is, cmd);

            ok = true;

        } catch(Exception e) {

            ok = false;

        }

        if(ok) {

            afterFail("", cmd, "FAIL");

            throw new RuntimeException();

        }

    }

    /**

     * Call this method if you just want to run the command and does

     * not care if it succeeds or fails.

     */

    void testAnyway(String input, String cmd) {

        try {

            test(input, cmd);

        } catch(Exception e) {

            ;

        }

    }

    /**

     * Helper method, print some output after a test does not do as expected

     */

    void afterFail(String input, String cmd, String should) {

        System.err.println("\nTest fails for the command ---\n" +

                "keytool " + cmd + "\nOr its debug version ---\n" +

                "keytool -debug " + cmd);

        System.err.println("The command result should be " + should +

                ", but it's not. Try run the command manually and type" +

                " these input into it: ");

        char[] inputChars = input.toCharArray();

        for (int i=0; i<inputChars.length; i++) {

            char ch = inputChars[i];

            if (ch == '\n') System.err.print("ENTER ");

            else if (ch == ' ') System.err.print("SPACE ");

            else System.err.print(ch + " ");

        }

        System.err.println("");

        System.err.println("ERR is:\n"+err);

        System.err.println("OUT is:\n"+out);

    }

    void assertTrue(boolean bool, String msg) {

        if (debug) {

            System.err.println("If not " + bool + ", " + msg);

        } else {

            System.err.print("v");

        }

        if(!bool) {

            afterFail(lastInput, lastCommand, "TRUE");

                System.err.println(msg);

            throw new RuntimeException(msg);

        }

    }

    void assertTrue(boolean bool) {

        assertTrue(bool, "well...");

    }

    /**

     * Helper method, load a keystore

     * @param file file for keystore, null or "NONE" for PKCS11

     * @pass password for the keystore

     * @type keystore type

     * @returns the KeyStore object

     * @exception Exception if anything goes wrong

     */

    KeyStore loadStore(String file, String pass, String type) throws Exception {

        KeyStore ks = KeyStore.getInstance(type);

        FileInputStream is = null;

        if (file != null && !file.equals("NONE")) {

            is = new FileInputStream(file);

        }

        ks.load(is, pass.toCharArray());

        is.close();

        return ks;

    }

    /**

     * The test suite.

     * Maybe it's better to put this outside the KeyToolTest class

     */

    void testAll() throws Exception {

        KeyStore ks;

        remove("x.jks");

        remove("x.jceks");

        remove("x.p12");

        remove("x2.jceks");

        remove("x2.jks");

        remove("x.jks.p1.cert");

        // name changes: genkeypair, importcert, exportcert

        remove("x.jks");

        remove("x.jks.p1.cert");

        testOK("", "-keystore x.jks -storepass changeit -keypass changeit -genkeypair -alias p1 -dname CN=olala");

        testOK("", "-keystore x.jks -storepass changeit -exportcert -alias p1 -file x.jks.p1.cert");

        ks = loadStore("x.jks", "changeit", "JKS");

        assertTrue(ks.getKey("p1", "changeit".toCharArray()) != null,

            "key not DSA");

        assertTrue(new File("x.jks.p1.cert").exists(), "p1 export err");

        testOK("", "-keystore x.jks -storepass changeit -delete -alias p1");

        testOK("y\n", "-keystore x.jks -storepass changeit -importcert -alias c1 -file x.jks.p1.cert");  // importcert, prompt for Yes/No

        testOK("", "-keystore x.jks -storepass changeit -importcert -alias c2 -file x.jks.p1.cert -noprompt"); // importcert, -noprompt

        ks = loadStore("x.jks", "changeit", "JKS");

        assertTrue(ks.getCertificate("c1") != null, "import c1 err");

        // v3

        byte[] encoded = ks.getCertificate("c1").getEncoded();

        X509CertImpl certImpl = new X509CertImpl(encoded);

        assertTrue(certImpl.getVersion() == 3, "Version is not 3");

        // changealias and keyclone

        testOK("", "-keystore x.jks -storepass changeit -keypass changeit -genkeypair -alias p1 -dname CN=olala");

        testOK("changeit\n", "-keystore x.jks -changealias -alias p1 -destalias p11");

        testOK("changeit\n", "-keystore x.jks -changealias -alias c1 -destalias c11");

        testOK("changeit\n\n", "-keystore x.jks -keyclone -alias p11 -destalias p111"); // press ENTER when prompt for p111's keypass

        ks = loadStore("x.jks", "changeit", "JKS");

        assertTrue(!ks.containsAlias("p1"), "there is no p1");

        assertTrue(!ks.containsAlias("c1"), "there is no c1");

        assertTrue(ks.containsAlias("p11"), "there is p11");

        assertTrue(ks.containsAlias("c11"), "there is c11");

        assertTrue(ks.containsAlias("p111"), "there is p111");

        // genSecKey

        remove("x.jceks");

        testOK("changeit\nchangeit\n\n", "-keystore x.jceks -storetype JCEKS -genseckey -alias s1"); // DES, no need keysize

        testFail("changeit\n\n", "-keystore x.jceks -storetype JCEKS -genseckey -alias s11 -keysize 128"); // DES, keysize cannot be 128

        testOK("changeit\n\n", "-keystore x.jceks -storetype JCEKS -genseckey -keyalg DESede -alias s2"); // DESede. no need keysize

        testFail("changeit\n\n", "-keystore x.jceks -storetype AES -genseckey -keyalg Rijndael -alias s3"); // AES, need keysize

        testOK("changeit\n\n", "-keystore x.jceks -storetype JCEKS -genseckey -keyalg AES -alias s3 -keysize 128");

                // about keypass

        testOK("\n", "-keystore x.jceks -storetype JCEKS -storepass changeit -genseckey -alias s4"); // can accept storepass

        testOK("keypass\nkeypass\n", "-keystore x.jceks -storetype JCEKS -storepass changeit -genseckey -alias s5"); // or a new one

        testOK("bad\n\bad\nkeypass\nkeypass\n", "-keystore x.jceks -storetype JCEKS -storepass changeit -genseckey -alias s6"); // keypass must be valid (prompt 3 times)

        testFail("bad\n\bad\nbad\n", "-keystore x.jceks -storetype JCEKS -storepass changeit -genseckey -alias s7"); // keypass must be valid (prompt 3 times)

        testFail("bad\n\bad\nbad\nkeypass\n", "-keystore x.jceks -storetype JCEKS -storepass changeit -genseckey -alias s7"); // keypass must be valid (prompt 3 times)

        ks = loadStore("x.jceks", "changeit", "JCEKS");

        assertTrue(ks.getKey("s1", "changeit".toCharArray()).getAlgorithm().equalsIgnoreCase("DES"), "s1 is DES");

        assertTrue(ks.getKey("s1", "changeit".toCharArray()).getEncoded().length == 8,  "DES is 56");

        assertTrue(ks.getKey("s2", "changeit".toCharArray()).getEncoded().length == 24,  "DESede is 168");

        assertTrue(ks.getKey("s2", "changeit".toCharArray()).getAlgorithm().equalsIgnoreCase("DESede"), "s2 is DESede");

        assertTrue(ks.getKey("s3", "changeit".toCharArray()).getAlgorithm().equalsIgnoreCase("AES"), "s3 is AES");

        assertTrue(ks.getKey("s4", "changeit".toCharArray()).getAlgorithm().equalsIgnoreCase("DES"), "s4 is DES");

        assertTrue(ks.getKey("s5", "keypass".toCharArray()).getAlgorithm().equalsIgnoreCase("DES"), "s5 is DES");

        assertTrue(ks.getKey("s6", "keypass".toCharArray()).getAlgorithm().equalsIgnoreCase("DES"), "s6 is DES");

        assertTrue(!ks.containsAlias("s7"), "s7 not created");

        // maybe we needn't test this, one day JKS will support SecretKey

        //testFail("changeit\nchangeit\n", "-keystore x.jks -genseckey -keyalg AES -alias s3 -keysize 128");

        // importKeyStore

        remove("x.jks");

        remove("x.jceks");

        testOK("changeit\nchangeit\n\n", "-keystore x.jceks -storetype JCEKS -genkeypair -alias p1 -dname CN=Olala"); // create 2 entries...

        testOK("", "-keystore x.jceks -storetype JCEKS -storepass changeit -importcert -alias c1 -file x.jks.p1.cert -noprompt"); // ...

        ks = loadStore("x.jceks", "changeit", "JCEKS");

        assertTrue(ks.size() == 2, "2 entries in JCEKS");

        // import, shouldn't mention destalias/srckeypass/destkeypass if srcalias is no given

        testFail("changeit\nchangeit\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS -destalias pp");

        testFail("changeit\nchangeit\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS -srckeypass changeit");

        testFail("changeit\nchangeit\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS -destkeypass changeit");

        // normal import

        testOK("changeit\nchangeit\nchangeit\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS");

        ks = loadStore("x.jks", "changeit", "JKS");

        assertTrue(ks.size() == 2, "2 entries in JKS");

        // import again, type yes to overwrite old entries

        testOK("changeit\nchangeit\ny\ny\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS");

        ks = loadStore("x.jks", "changeit", "JKS");

        // import again, specify -nopromt

        testOK("changeit\nchangeit\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS -noprompt");

        assertTrue(err.indexOf("Warning") != -1, "noprompt will warn");

        ks = loadStore("x.jks", "changeit", "JKS");

        assertTrue(ks.size() == 2, "2 entries in JKS");

        // import again, type into new aliases when prompted

        testOK("changeit\nchangeit\n\ns1\n\ns2\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS");

        ks = loadStore("x.jks", "changeit", "JKS");

        assertTrue(ks.size() == 4, "4 entries in JKS");

        // importkeystore single

        remove("x.jks");

        testOK("changeit\nchangeit\nchangeit\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS -srcalias p1"); // normal

        ks = loadStore("x.jks", "changeit", "JKS");

        assertTrue(ks.size() == 1, "1 entries in JKS");

        testOK("changeit\nchangeit\ny\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS -srcalias p1"); // overwrite

        ks = loadStore("x.jks", "changeit", "JKS");

        assertTrue(ks.size() == 1, "1 entries in JKS");

        testOK("changeit\nchangeit\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS -srcalias p1 -noprompt"); // noprompt

        ks = loadStore("x.jks", "changeit", "JKS");

        assertTrue(ks.size() == 1, "1 entries in JKS");

        testOK("changeit\nchangeit\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS -srcalias p1 -destalias p2"); // rename

        ks = loadStore("x.jks", "changeit", "JKS");

        assertTrue(ks.size() == 2, "2 entries in JKS");

        testOK("changeit\nchangeit\n\nnewalias\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS -srcalias p1"); // another rename

        ks = loadStore("x.jks", "changeit", "JKS");

        assertTrue(ks.size() == 3, "3 entries in JKS");

        // importkeystore single, different keypass

        remove("x.jks");

        testOK("changeit\nkeypass\nkeypass\n", "-keystore x.jceks -storetype JCEKS -genkeypair -alias p2 -dname CN=Olala"); // generate entry with different keypass

        testOK("changeit\nchangeit\nchangeit\nkeypass\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS -srcalias p2"); // prompt

        ks = loadStore("x.jks", "changeit", "JKS");

        assertTrue(ks.size() == 1, "1 entries in JKS");

        testOK("changeit\nchangeit\nkeypass\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS -srcalias p2 -destalias p3 -destkeypass keypass2"); // diff destkeypass

        ks = loadStore("x.jks", "changeit", "JKS");

        assertTrue(ks.size() == 2, "2 entries in JKS");

        assertTrue(ks.getKey("p2", "keypass".toCharArray()) != null, "p2 has old password");

        assertTrue(ks.getKey("p3", "keypass2".toCharArray()) != null, "p3 has new password");

        // importkeystore single, cert

        remove("x.jks");

        testOK("changeit\nchangeit\nchangeit\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS -srcalias c1"); // normal

        testOK("changeit\n\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS -srcalias c1 -destalias c2");   // in fact srcstorepass can be ignored

        assertTrue(err.indexOf("WARNING") != -1, "But will warn");

        testOK("changeit\n\ny\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS -srcalias c1 -destalias c2");   // 2nd import, press y to overwrite ...

        testOK("changeit\n\n\nc3\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS -srcalias c1 -destalias c2");   // ... or rename

        ks = loadStore("x.jks", "changeit", "JKS");

        assertTrue(ks.size() == 3, "3 entries in JKS"); // c1, c2, c3

        // importkeystore, secretkey

        remove("x.jks");

        testOK("changeit\n\n", "-keystore x.jceks -storetype JCEKS -genseckey -alias s1"); // create SecretKeyEntry

        testOK("changeit\n\n", "-keystore x.jceks -storetype JCEKS -genseckey -alias s2"); // create SecretKeyEntry

        testOK("changeit\n", "-keystore x.jceks -storetype JCEKS -delete -alias p2"); // remove the keypass!=storepass one

        ks = loadStore("x.jceks", "changeit", "JCEKS");

        assertTrue(ks.size() == 4, "4 entries in JCEKS");       // p1, c1, s1, s2

        testOK("changeit\nchangeit\nchangeit\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS -srcalias s1"); // normal

        assertTrue(err.indexOf("not imported") != -1, "Not imported");

        assertTrue(err.indexOf("Cannot store non-PrivateKeys") != -1, "Not imported");

        // Importing a JCEKS keystore to a JKS one. Will warn for the 2 SecretKey entries

        remove("x.jks");

        // Two "no" answers to bypass warnings

        testOK("\n\n", "-srcstorepass changeit -deststorepass changeit -importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS"); // normal

        assertTrue(err.indexOf("s1 not") != -1, "s1 not");

        assertTrue(err.indexOf("s2 not") != -1, "s2 not");

        assertTrue(err.indexOf("c1 success") != -1, "c1 success");

        assertTrue(err.indexOf("p1 success") != -1, "p1 success");

        remove("x.jks");

        // One "yes" to stop

        testOK("yes\n", "-srcstorepass changeit -deststorepass changeit -importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS"); // normal

        // maybe c1 or p1 has been imported before s1 or s2 is touched, anyway we know yesNo is only asked once.

        // pkcs12

        remove("x.jks");

        testFail("changeit\nchangeit\n", "-keystore x.jks -genkeypair -alias p1 -dname CN=olala"); // JKS prompt for keypass

        remove("x.jks");

        testOK("changeit\nchangeit\n\n", "-keystore x.jks -genkeypair -alias p1 -dname CN=olala"); // just type ENTER means keypass=storepass

        remove("x.p12");

        testOK("", "-keystore x.p12 -storetype PKCS12 -storepass changeit -genkeypair -alias p0 -dname CN=olala"); // PKCS12 only need storepass

        testOK("changeit\n", "-keystore x.p12 -storetype PKCS12 -genkeypair -alias p1 -dname CN=olala");

        testOK("changeit\n", "-keystore x.p12 -keypass changeit -storetype PKCS12 -genkeypair -alias p3 -dname CN=olala"); // when specify keypass, make sure keypass==storepass...

        assertTrue(err.indexOf("Warning") == -1, "PKCS12 silent when keypass == storepass");

        testOK("changeit\n", "-keystore x.p12 -keypass another -storetype PKCS12 -genkeypair -alias p2 -dname CN=olala"); // otherwise, print a warning

        assertTrue(err.indexOf("Warning") != -1, "PKCS12 warning when keypass != storepass");

        testFail("", "-keystore x.p12 -storepass changeit -storetype PKCS12 -keypasswd -new changeit -alias p3"); // no -keypasswd for PKCS12

        testOK("", "-keystore x.p12 -storepass changeit -storetype PKCS12 -changealias -alias p3 -destalias p33");

        testOK("", "-keystore x.p12 -storepass changeit -storetype PKCS12 -keyclone -alias p33 -destalias p3");

        // pkcs12

        remove("x.p12");

        testOK("", "-keystore x.p12 -storetype PKCS12 -storepass changeit -genkeypair -alias p0 -dname CN=olala"); // PKCS12 only need storepass

        testOK("", "-storepass changeit -keystore x.p12 -storetype PKCS12 -genkeypair -alias p1 -dname CN=olala");

        testOK("", "-storepass changeit -keystore x.p12 -keypass changeit -storetype PKCS12 -genkeypair -alias p3 -dname CN=olala"); // when specify keypass, make sure keypass==storepass...

        assertTrue(err.indexOf("Warning") == -1, "PKCS12 silent when keypass == storepass");

        testOK("", "-storepass changeit -keystore x.p12 -keypass another -storetype PKCS12 -genkeypair -alias p2 -dname CN=olala"); // otherwise, print a warning

        assertTrue(err.indexOf("Warning") != -1, "PKCS12 warning when keypass != storepass");

        remove("x.jks");

        remove("x.jceks");

        remove("x.p12");

        remove("x2.jceks");

        remove("x2.jks");

        remove("x.jks.p1.cert");

    }

    void testPKCS11() throws Exception {

        KeyStore ks;

        // pkcs11, the password maybe different and maybe PKCS11 is not supported

        // in case last test is not executed successfully

        testAnyway("", p11Arg + "-storepass test12 -delete -alias p1");

        testAnyway("", p11Arg + "-storepass test12 -delete -alias p2");

        testAnyway("", p11Arg + "-storepass test12 -delete -alias p3");

        testAnyway("", p11Arg + "-storepass test12 -delete -alias nss");

        testOK("", p11Arg + "-storepass test12 -list");

        assertTrue(out.indexOf("Your keystore contains 0 entries") != -1, "*** MAKE SURE YOU HAVE NO ENTRIES IN YOUR PKCS11 KEYSTORE BEFORE THIS TEST ***");

        testOK("", p11Arg + "-storepass test12 -genkeypair -alias p1 -dname CN=olala");

        testOK("test12\n", p11Arg + "-genkeypair -alias p2 -dname CN=olala2");

        testFail("test12\n", p11Arg + "-keypass test12 -genkeypair -alias p3 -dname CN=olala3"); // cannot provide keypass for PKCS11

        testFail("test12\n", p11Arg + "-keypass nonsense -genkeypair -alias p3 -dname CN=olala3"); // cannot provide keypass for PKCS11

        testOK("", p11Arg + "-storepass test12 -list");

        assertTrue(out.indexOf("Your keystore contains 2 entries") != -1, "2 entries in p11");

        testOK("test12\n", p11Arg + "-alias p1 -changealias -destalias p3");

        testOK("", p11Arg + "-storepass test12 -list -alias p3");