/*

 * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.

 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

 *

 * This code is free software; you can redistribute it and/or modify it

 * under the terms of the GNU General Public License version 2 only, as

 * published by the Free Software Foundation.  Oracle designates this

 * particular file as subject to the "Classpath" exception as provided

 * by Oracle in the LICENSE file that accompanied this code.

 *

 * This code is distributed in the hope that it will be useful, but WITHOUT

 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

 * version 2 for more details (a copy is included in the LICENSE file that

 * accompanied this code).

 *

 * You should have received a copy of the GNU General Public License version

 * 2 along with this work; if not, write to the Free Software Foundation,

 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

 *

 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

 * or visit www.oracle.com if you need additional information or have any

 * questions.

 */

package sun.security.tools;

import java.io.*;

import java.security.CodeSigner;

import java.security.KeyStore;

import java.security.KeyStoreException;

import java.security.MessageDigest;

import java.security.Key;

import java.security.PublicKey;

import java.security.PrivateKey;

import java.security.Security;

import java.security.Signature;

import java.security.Timestamp;

import java.security.UnrecoverableEntryException;

import java.security.UnrecoverableKeyException;

import java.security.Principal;

import java.security.Provider;

import java.security.cert.Certificate;

import java.security.cert.CertificateFactory;

import java.security.cert.CRL;

import java.security.cert.X509Certificate;

import java.security.cert.CertificateException;

import java.text.Collator;

import java.text.MessageFormat;

import java.util.*;

import java.util.jar.JarEntry;

import java.util.jar.JarFile;

import java.lang.reflect.Constructor;

import java.math.BigInteger;

import java.net.URI;

import java.net.URL;

import java.net.URLClassLoader;

import java.security.cert.CertStore;

import java.security.cert.X509CRL;

import java.security.cert.X509CRLEntry;

import java.security.cert.X509CRLSelector;

import javax.security.auth.x500.X500Principal;

import sun.misc.BASE64Encoder;

import sun.security.util.ObjectIdentifier;

import sun.security.pkcs.PKCS10;

import sun.security.provider.X509Factory;

import sun.security.util.Password;

import sun.security.util.PathList;

import javax.crypto.KeyGenerator;

import javax.crypto.SecretKey;

import javax.net.ssl.HostnameVerifier;

import javax.net.ssl.HttpsURLConnection;

import javax.net.ssl.SSLContext;

import javax.net.ssl.SSLSession;

import javax.net.ssl.TrustManager;

import javax.net.ssl.X509TrustManager;

import sun.misc.BASE64Decoder;

import sun.security.pkcs.PKCS10Attribute;

import sun.security.pkcs.PKCS9Attribute;

import sun.security.provider.certpath.ldap.LDAPCertStoreHelper;

import sun.security.util.DerValue;

import sun.security.x509.*;

import static java.security.KeyStore.*;

import static sun.security.tools.KeyTool.Command.*;

import static sun.security.tools.KeyTool.Option.*;

/**

 * This tool manages keystores.

 *

 * @author Jan Luehe

 *

 *

 * @see java.security.KeyStore

 * @see sun.security.provider.KeyProtector

 * @see sun.security.provider.JavaKeyStore

 *

 * @since 1.2

 */

public final class KeyTool {

    private boolean debug = false;

    private Command command = null;

    private String sigAlgName = null;

    private String keyAlgName = null;

    private boolean verbose = false;

    private int keysize = -1;

    private boolean rfc = false;

    private long validity = (long)90;

    private String alias = null;

    private String dname = null;

    private String dest = null;

    private String filename = null;

    private String infilename = null;

    private String outfilename = null;

    private String srcksfname = null;

    // User-specified providers are added before any command is called.

    // However, they are not removed before the end of the main() method.

    // If you're calling KeyTool.main() directly in your own Java program,

    // please programtically add any providers you need and do not specify

    // them through the command line.

    private Set<Pair <String, String>> providers = null;

    private String storetype = null;

    private String srcProviderName = null;

    private String providerName = null;

    private String pathlist = null;

    private char[] storePass = null;

    private char[] storePassNew = null;

    private char[] keyPass = null;

    private char[] keyPassNew = null;

    private char[] newPass = null;

    private char[] destKeyPass = null;

    private char[] srckeyPass = null;

    private String ksfname = null;

    private File ksfile = null;

    private InputStream ksStream = null; // keystore stream

    private String sslserver = null;

    private String jarfile = null;

    private KeyStore keyStore = null;

    private boolean token = false;

    private boolean nullStream = false;

    private boolean kssave = false;

    private boolean noprompt = false;

    private boolean trustcacerts = false;

    private boolean protectedPath = false;

    private boolean srcprotectedPath = false;

    private CertificateFactory cf = null;

    private KeyStore caks = null; // "cacerts" keystore

    private char[] srcstorePass = null;

    private String srcstoretype = null;

    private Set<char[]> passwords = new HashSet<>();

    private String startDate = null;

    private List<String> ids = new ArrayList<>();   // used in GENCRL

    private List<String> v3ext = new ArrayList<>();

    enum Command {

        CERTREQ("Generates.a.certificate.request",

            ALIAS, SIGALG, FILEOUT, KEYPASS, KEYSTORE, DNAME,

            STOREPASS, STORETYPE, PROVIDERNAME, PROVIDERCLASS,

            PROVIDERARG, PROVIDERPATH, V, PROTECTED),

        CHANGEALIAS("Changes.an.entry.s.alias",

            ALIAS, DESTALIAS, KEYPASS, KEYSTORE, STOREPASS,

            STORETYPE, PROVIDERNAME, PROVIDERCLASS, PROVIDERARG,

            PROVIDERPATH, V, PROTECTED),

        DELETE("Deletes.an.entry",

            ALIAS, KEYSTORE, STOREPASS, STORETYPE,

            PROVIDERNAME, PROVIDERCLASS, PROVIDERARG,

            PROVIDERPATH, V, PROTECTED),

        EXPORTCERT("Exports.certificate",

            RFC, ALIAS, FILEOUT, KEYSTORE, STOREPASS,

            STORETYPE, PROVIDERNAME, PROVIDERCLASS, PROVIDERARG,

            PROVIDERPATH, V, PROTECTED),

        GENKEYPAIR("Generates.a.key.pair",

            ALIAS, KEYALG, KEYSIZE, SIGALG, DESTALIAS, DNAME,

            STARTDATE, EXT, VALIDITY, KEYPASS, KEYSTORE,

            STOREPASS, STORETYPE, PROVIDERNAME, PROVIDERCLASS,

            PROVIDERARG, PROVIDERPATH, V, PROTECTED),

        GENSECKEY("Generates.a.secret.key",

            ALIAS, KEYPASS, KEYALG, KEYSIZE, KEYSTORE,

            STOREPASS, STORETYPE, PROVIDERNAME, PROVIDERCLASS,

            PROVIDERARG, PROVIDERPATH, V, PROTECTED),

        GENCERT("Generates.certificate.from.a.certificate.request",

            RFC, INFILE, OUTFILE, ALIAS, SIGALG, DNAME,

            STARTDATE, EXT, VALIDITY, KEYPASS, KEYSTORE,

            STOREPASS, STORETYPE, PROVIDERNAME, PROVIDERCLASS,

            PROVIDERARG, PROVIDERPATH, V, PROTECTED),

        IMPORTCERT("Imports.a.certificate.or.a.certificate.chain",

            NOPROMPT, TRUSTCACERTS, PROTECTED, ALIAS, FILEIN,

            KEYPASS, KEYSTORE, STOREPASS, STORETYPE,

            PROVIDERNAME, PROVIDERCLASS, PROVIDERARG,

            PROVIDERPATH, V),

        IMPORTKEYSTORE("Imports.one.or.all.entries.from.another.keystore",

            SRCKEYSTORE, DESTKEYSTORE, SRCSTORETYPE,

            DESTSTORETYPE, SRCSTOREPASS, DESTSTOREPASS,

            SRCPROTECTED, SRCPROVIDERNAME, DESTPROVIDERNAME,

            SRCALIAS, DESTALIAS, SRCKEYPASS, DESTKEYPASS,

            NOPROMPT, PROVIDERCLASS, PROVIDERARG, PROVIDERPATH,

            V),

        KEYPASSWD("Changes.the.key.password.of.an.entry",

            ALIAS, KEYPASS, NEW, KEYSTORE, STOREPASS,

            STORETYPE, PROVIDERNAME, PROVIDERCLASS, PROVIDERARG,

            PROVIDERPATH, V),

        LIST("Lists.entries.in.a.keystore",

            RFC, ALIAS, KEYSTORE, STOREPASS, STORETYPE,

            PROVIDERNAME, PROVIDERCLASS, PROVIDERARG,

            PROVIDERPATH, V, PROTECTED),

        PRINTCERT("Prints.the.content.of.a.certificate",

            RFC, FILEIN, SSLSERVER, JARFILE, V),

        PRINTCERTREQ("Prints.the.content.of.a.certificate.request",

            FILEIN, V),

        PRINTCRL("Prints.the.content.of.a.CRL.file",

            FILEIN, V),

        STOREPASSWD("Changes.the.store.password.of.a.keystore",

            NEW, KEYSTORE, STOREPASS, STORETYPE, PROVIDERNAME,

            PROVIDERCLASS, PROVIDERARG, PROVIDERPATH, V),

        // Undocumented start here, KEYCLONE is used a marker in -help;

        KEYCLONE("Clones.a.key.entry",

            ALIAS, DESTALIAS, KEYPASS, NEW, STORETYPE,

            KEYSTORE, STOREPASS, PROVIDERNAME, PROVIDERCLASS,

            PROVIDERARG, PROVIDERPATH, V),

        SELFCERT("Generates.a.self.signed.certificate",

            ALIAS, SIGALG, DNAME, STARTDATE, VALIDITY, KEYPASS,

            STORETYPE, KEYSTORE, STOREPASS, PROVIDERNAME,

            PROVIDERCLASS, PROVIDERARG, PROVIDERPATH, V),

        GENCRL("Generates.CRL",

            RFC, FILEOUT, ID,

            ALIAS, SIGALG, EXT, KEYPASS, KEYSTORE,

            STOREPASS, STORETYPE, PROVIDERNAME, PROVIDERCLASS,

            PROVIDERARG, PROVIDERPATH, V, PROTECTED),

        IDENTITYDB("Imports.entries.from.a.JDK.1.1.x.style.identity.database",

            FILEIN, STORETYPE, KEYSTORE, STOREPASS, PROVIDERNAME,

            PROVIDERCLASS, PROVIDERARG, PROVIDERPATH, V);

        final String description;

        final Option[] options;

        Command(String d, Option... o) {

            description = d;

            options = o;

        }

        @Override

        public String toString() {

            return "-" + name().toLowerCase(Locale.ENGLISH);

        }

    };

    enum Option {

        ALIAS("alias", "<alias>", "alias.name.of.the.entry.to.process"),

        DESTALIAS("destalias", "<destalias>", "destination.alias"),

        DESTKEYPASS("destkeypass", "<arg>", "destination.key.password"),

        DESTKEYSTORE("destkeystore", "<destkeystore>", "destination.keystore.name"),

        DESTPROTECTED("destprotected", null, "destination.keystore.password.protected"),

        DESTPROVIDERNAME("destprovidername", "<destprovidername>", "destination.keystore.provider.name"),

        DESTSTOREPASS("deststorepass", "<arg>", "destination.keystore.password"),

        DESTSTORETYPE("deststoretype", "<deststoretype>", "destination.keystore.type"),

        DNAME("dname", "<dname>", "distinguished.name"),

        EXT("ext", "<value>", "X.509.extension"),

        FILEOUT("file", "<filename>", "output.file.name"),

        FILEIN("file", "<filename>", "input.file.name"),

        ID("id", "<id:reason>", "Serial.ID.of.cert.to.revoke"),

        INFILE("infile", "<filename>", "input.file.name"),

        KEYALG("keyalg", "<keyalg>", "key.algorithm.name"),

        KEYPASS("keypass", "<arg>", "key.password"),

        KEYSIZE("keysize", "<keysize>", "key.bit.size"),

        KEYSTORE("keystore", "<keystore>", "keystore.name"),

        NEW("new", "<arg>", "new.password"),

        NOPROMPT("noprompt", null, "do.not.prompt"),

        OUTFILE("outfile", "<filename>", "output.file.name"),

        PROTECTED("protected", null, "password.through.protected.mechanism"),

        PROVIDERARG("providerarg", "<arg>", "provider.argument"),

        PROVIDERCLASS("providerclass", "<providerclass>", "provider.class.name"),

        PROVIDERNAME("providername", "<providername>", "provider.name"),

        PROVIDERPATH("providerpath", "<pathlist>", "provider.classpath"),

        RFC("rfc", null, "output.in.RFC.style"),

        SIGALG("sigalg", "<sigalg>", "signature.algorithm.name"),

        SRCALIAS("srcalias", "<srcalias>", "source.alias"),

        SRCKEYPASS("srckeypass", "<arg>", "source.key.password"),

        SRCKEYSTORE("srckeystore", "<srckeystore>", "source.keystore.name"),

        SRCPROTECTED("srcprotected", null, "source.keystore.password.protected"),

        SRCPROVIDERNAME("srcprovidername", "<srcprovidername>", "source.keystore.provider.name"),

        SRCSTOREPASS("srcstorepass", "<arg>", "source.keystore.password"),

        SRCSTORETYPE("srcstoretype", "<srcstoretype>", "source.keystore.type"),

        SSLSERVER("sslserver", "<server[:port]>", "SSL.server.host.and.port"),

        JARFILE("jarfile", "<filename>", "signed.jar.file"),

        STARTDATE("startdate", "<startdate>", "certificate.validity.start.date.time"),

        STOREPASS("storepass", "<arg>", "keystore.password"),

        STORETYPE("storetype", "<storetype>", "keystore.type"),

        TRUSTCACERTS("trustcacerts", null, "trust.certificates.from.cacerts"),

        V("v", null, "verbose.output"),

        VALIDITY("validity", "<valDays>", "validity.number.of.days");

        final String name, arg, description;

        Option(String name, String arg, String description) {

            this.name = name;

            this.arg = arg;

            this.description = description;

        }

        @Override

        public String toString() {

            return "-" + name;

        }

    };

    private static final Class[] PARAM_STRING = { String.class };

    private static final String JKS = "jks";

    private static final String NONE = "NONE";

    private static final String P11KEYSTORE = "PKCS11";

    private static final String P12KEYSTORE = "PKCS12";

    private final String keyAlias = "mykey";

    // for i18n

    private static final java.util.ResourceBundle rb =

        java.util.ResourceBundle.getBundle("sun.security.util.Resources");

    private static final Collator collator = Collator.getInstance();

    static {

        // this is for case insensitive string comparisons

        collator.setStrength(Collator.PRIMARY);

    };

    private KeyTool() { }

    public static void main(String[] args) throws Exception {

        KeyTool kt = new KeyTool();

        kt.run(args, System.out);

    }

    private void run(String[] args, PrintStream out) throws Exception {

        try {

            parseArgs(args);

            if (command != null) {

                doCommands(out);

            }

        } catch (Exception e) {

            System.out.println(rb.getString("keytool.error.") + e);

            if (verbose) {

                e.printStackTrace(System.out);

            }

            if (!debug) {

                System.exit(1);

            } else {

                throw e;

            }

        } finally {

            for (char[] pass : passwords) {

                if (pass != null) {

                    Arrays.fill(pass, ' ');

                    pass = null;

                }

            }

            if (ksStream != null) {

                ksStream.close();

            }

        }

    }

    /**

     * Parse command line arguments.

     */

    void parseArgs(String[] args) {

        int i=0;

        boolean help = args.length == 0;

        for (i=0; (i < args.length) && args[i].startsWith("-"); i++) {

            String flags = args[i];

            // Check if the last option needs an arg

            if (i == args.length - 1) {

                for (Option option: Option.values()) {

                    // Only options with an arg need to be checked

                    if (collator.compare(flags, option.toString()) == 0) {

                        if (option.arg != null) errorNeedArgument(flags);

                        break;

                    }

                }

            }

            /*

             * Check modifiers

             */

            String modifier = null;

            int pos = flags.indexOf(':');

            if (pos > 0) {

                modifier = flags.substring(pos+1);

                flags = flags.substring(0, pos);

            }

            /*

             * command modes

             */

            boolean isCommand = false;

            for (Command c: Command.values()) {

                if (collator.compare(flags, c.toString()) == 0) {

                    command = c;

                    isCommand = true;

                    break;

                }

            }

            if (isCommand) {

                // already recognized as a command

            } else if (collator.compare(flags, "-export") == 0) {

                command = EXPORTCERT;

            } else if (collator.compare(flags, "-genkey") == 0) {

                command = GENKEYPAIR;

            } else if (collator.compare(flags, "-import") == 0) {

                command = IMPORTCERT;

            }

            /*

             * Help

             */

            else if (collator.compare(flags, "-help") == 0) {

                help = true;

            }

            /*

             * specifiers

             */

            else if (collator.compare(flags, "-keystore") == 0 ||

                    collator.compare(flags, "-destkeystore") == 0) {

                ksfname = args[++i];

            } else if (collator.compare(flags, "-storepass") == 0 ||

                    collator.compare(flags, "-deststorepass") == 0) {

                storePass = getPass(modifier, args[++i]);

                passwords.add(storePass);

            } else if (collator.compare(flags, "-storetype") == 0 ||

                    collator.compare(flags, "-deststoretype") == 0) {

                storetype = args[++i];

            } else if (collator.compare(flags, "-srcstorepass") == 0) {

                srcstorePass = getPass(modifier, args[++i]);

                passwords.add(srcstorePass);

            } else if (collator.compare(flags, "-srcstoretype") == 0) {

                srcstoretype = args[++i];

            } else if (collator.compare(flags, "-srckeypass") == 0) {

                srckeyPass = getPass(modifier, args[++i]);

                passwords.add(srckeyPass);

            } else if (collator.compare(flags, "-srcprovidername") == 0) {

                srcProviderName = args[++i];

            } else if (collator.compare(flags, "-providername") == 0 ||

                    collator.compare(flags, "-destprovidername") == 0) {

                providerName = args[++i];

            } else if (collator.compare(flags, "-providerpath") == 0) {

                pathlist = args[++i];

            } else if (collator.compare(flags, "-keypass") == 0) {

                keyPass = getPass(modifier, args[++i]);

                passwords.add(keyPass);

            } else if (collator.compare(flags, "-new") == 0) {

                newPass = getPass(modifier, args[++i]);

                passwords.add(newPass);

            } else if (collator.compare(flags, "-destkeypass") == 0) {

                destKeyPass = getPass(modifier, args[++i]);

                passwords.add(destKeyPass);

            } else if (collator.compare(flags, "-alias") == 0 ||

                    collator.compare(flags, "-srcalias") == 0) {

                alias = args[++i];

            } else if (collator.compare(flags, "-dest") == 0 ||

                    collator.compare(flags, "-destalias") == 0) {

                dest = args[++i];

            } else if (collator.compare(flags, "-dname") == 0) {

                dname = args[++i];

            } else if (collator.compare(flags, "-keysize") == 0) {

                keysize = Integer.parseInt(args[++i]);

            } else if (collator.compare(flags, "-keyalg") == 0) {

                keyAlgName = args[++i];

            } else if (collator.compare(flags, "-sigalg") == 0) {

                sigAlgName = args[++i];

            } else if (collator.compare(flags, "-startdate") == 0) {

                startDate = args[++i];

            } else if (collator.compare(flags, "-validity") == 0) {

                validity = Long.parseLong(args[++i]);

            } else if (collator.compare(flags, "-ext") == 0) {

                v3ext.add(args[++i]);

            } else if (collator.compare(flags, "-id") == 0) {

                ids.add(args[++i]);

            } else if (collator.compare(flags, "-file") == 0) {

                filename = args[++i];

            } else if (collator.compare(flags, "-infile") == 0) {

                infilename = args[++i];

            } else if (collator.compare(flags, "-outfile") == 0) {

                outfilename = args[++i];

            } else if (collator.compare(flags, "-sslserver") == 0) {

                sslserver = args[++i];

            } else if (collator.compare(flags, "-jarfile") == 0) {

                jarfile = args[++i];

            } else if (collator.compare(flags, "-srckeystore") == 0) {

                srcksfname = args[++i];

            } else if ((collator.compare(flags, "-provider") == 0) ||

                        (collator.compare(flags, "-providerclass") == 0)) {

                if (providers == null) {

                    providers = new HashSet<Pair <String, String>> (3);

                }