author | weijun |
Fri, 09 Sep 2011 11:18:18 +0800 | |
changeset 10436 | 4288852bdda6 |
parent 10336 | 0bb1999251f8 |
child 10782 | 01689c7b34ac |
permissions | -rw-r--r-- |
2 | 1 |
/* |
8556 | 2 |
* Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
package sun.security.tools; |
|
27 |
||
28 |
import java.io.*; |
|
4169
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
29 |
import java.security.CodeSigner; |
2 | 30 |
import java.security.KeyStore; |
31 |
import java.security.KeyStoreException; |
|
32 |
import java.security.MessageDigest; |
|
33 |
import java.security.Key; |
|
34 |
import java.security.PublicKey; |
|
35 |
import java.security.PrivateKey; |
|
36 |
import java.security.Security; |
|
37 |
import java.security.Signature; |
|
4169
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
38 |
import java.security.Timestamp; |
2 | 39 |
import java.security.UnrecoverableEntryException; |
40 |
import java.security.UnrecoverableKeyException; |
|
41 |
import java.security.Principal; |
|
42 |
import java.security.Provider; |
|
43 |
import java.security.cert.Certificate; |
|
44 |
import java.security.cert.CertificateFactory; |
|
5462
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
45 |
import java.security.cert.CRL; |
2 | 46 |
import java.security.cert.X509Certificate; |
47 |
import java.security.cert.CertificateException; |
|
48 |
import java.text.Collator; |
|
49 |
import java.text.MessageFormat; |
|
50 |
import java.util.*; |
|
4169
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
51 |
import java.util.jar.JarEntry; |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
52 |
import java.util.jar.JarFile; |
2 | 53 |
import java.lang.reflect.Constructor; |
5462
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
54 |
import java.math.BigInteger; |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
55 |
import java.net.URI; |
2 | 56 |
import java.net.URL; |
57 |
import java.net.URLClassLoader; |
|
5462
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
58 |
import java.security.cert.CertStore; |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
59 |
|
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
60 |
import java.security.cert.X509CRL; |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
61 |
import java.security.cert.X509CRLEntry; |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
62 |
import java.security.cert.X509CRLSelector; |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
63 |
import javax.security.auth.x500.X500Principal; |
2 | 64 |
import sun.misc.BASE64Encoder; |
65 |
import sun.security.util.ObjectIdentifier; |
|
66 |
import sun.security.pkcs.PKCS10; |
|
67 |
import sun.security.provider.X509Factory; |
|
68 |
import sun.security.util.Password; |
|
69 |
import sun.security.util.PathList; |
|
70 |
import javax.crypto.KeyGenerator; |
|
71 |
import javax.crypto.SecretKey; |
|
72 |
||
904
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
73 |
import javax.net.ssl.HostnameVerifier; |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
74 |
import javax.net.ssl.HttpsURLConnection; |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
75 |
import javax.net.ssl.SSLContext; |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
76 |
import javax.net.ssl.SSLSession; |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
77 |
import javax.net.ssl.TrustManager; |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
78 |
import javax.net.ssl.X509TrustManager; |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
79 |
import sun.misc.BASE64Decoder; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
80 |
import sun.security.pkcs.PKCS10Attribute; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
81 |
import sun.security.pkcs.PKCS9Attribute; |
5462
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
82 |
import sun.security.provider.certpath.ldap.LDAPCertStoreHelper; |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
83 |
import sun.security.util.DerValue; |
2 | 84 |
import sun.security.x509.*; |
85 |
||
86 |
import static java.security.KeyStore.*; |
|
3948 | 87 |
import static sun.security.tools.KeyTool.Command.*; |
4819
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
88 |
import static sun.security.tools.KeyTool.Option.*; |
2 | 89 |
|
90 |
/** |
|
91 |
* This tool manages keystores. |
|
92 |
* |
|
93 |
* @author Jan Luehe |
|
94 |
* |
|
95 |
* |
|
96 |
* @see java.security.KeyStore |
|
97 |
* @see sun.security.provider.KeyProtector |
|
98 |
* @see sun.security.provider.JavaKeyStore |
|
99 |
* |
|
100 |
* @since 1.2 |
|
101 |
*/ |
|
102 |
public final class KeyTool { |
|
103 |
||
104 |
private boolean debug = false; |
|
3948 | 105 |
private Command command = null; |
2 | 106 |
private String sigAlgName = null; |
107 |
private String keyAlgName = null; |
|
108 |
private boolean verbose = false; |
|
109 |
private int keysize = -1; |
|
110 |
private boolean rfc = false; |
|
111 |
private long validity = (long)90; |
|
112 |
private String alias = null; |
|
113 |
private String dname = null; |
|
114 |
private String dest = null; |
|
115 |
private String filename = null; |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
116 |
private String infilename = null; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
117 |
private String outfilename = null; |
2 | 118 |
private String srcksfname = null; |
119 |
||
120 |
// User-specified providers are added before any command is called. |
|
121 |
// However, they are not removed before the end of the main() method. |
|
122 |
// If you're calling KeyTool.main() directly in your own Java program, |
|
123 |
// please programtically add any providers you need and do not specify |
|
124 |
// them through the command line. |
|
125 |
||
126 |
private Set<Pair <String, String>> providers = null; |
|
127 |
private String storetype = null; |
|
128 |
private String srcProviderName = null; |
|
129 |
private String providerName = null; |
|
130 |
private String pathlist = null; |
|
131 |
private char[] storePass = null; |
|
132 |
private char[] storePassNew = null; |
|
133 |
private char[] keyPass = null; |
|
134 |
private char[] keyPassNew = null; |
|
135 |
private char[] newPass = null; |
|
136 |
private char[] destKeyPass = null; |
|
137 |
private char[] srckeyPass = null; |
|
138 |
private String ksfname = null; |
|
139 |
private File ksfile = null; |
|
140 |
private InputStream ksStream = null; // keystore stream |
|
904
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
141 |
private String sslserver = null; |
4169
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
142 |
private String jarfile = null; |
2 | 143 |
private KeyStore keyStore = null; |
144 |
private boolean token = false; |
|
145 |
private boolean nullStream = false; |
|
146 |
private boolean kssave = false; |
|
147 |
private boolean noprompt = false; |
|
148 |
private boolean trustcacerts = false; |
|
149 |
private boolean protectedPath = false; |
|
150 |
private boolean srcprotectedPath = false; |
|
151 |
private CertificateFactory cf = null; |
|
152 |
private KeyStore caks = null; // "cacerts" keystore |
|
153 |
private char[] srcstorePass = null; |
|
154 |
private String srcstoretype = null; |
|
7977
f47f211cd627
7008713: diamond conversion of kerberos5 and security tools
smarks
parents:
7179
diff
changeset
|
155 |
private Set<char[]> passwords = new HashSet<>(); |
2 | 156 |
private String startDate = null; |
157 |
||
7977
f47f211cd627
7008713: diamond conversion of kerberos5 and security tools
smarks
parents:
7179
diff
changeset
|
158 |
private List<String> ids = new ArrayList<>(); // used in GENCRL |
f47f211cd627
7008713: diamond conversion of kerberos5 and security tools
smarks
parents:
7179
diff
changeset
|
159 |
private List<String> v3ext = new ArrayList<>(); |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
160 |
|
3948 | 161 |
enum Command { |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
162 |
CERTREQ("Generates.a.certificate.request", |
4918
13ed75166139
6925639: keytool -genkeypair -help missing dname option
weijun
parents:
4819
diff
changeset
|
163 |
ALIAS, SIGALG, FILEOUT, KEYPASS, KEYSTORE, DNAME, |
4819
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
164 |
STOREPASS, STORETYPE, PROVIDERNAME, PROVIDERCLASS, |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
165 |
PROVIDERARG, PROVIDERPATH, V, PROTECTED), |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
166 |
CHANGEALIAS("Changes.an.entry.s.alias", |
4819
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
167 |
ALIAS, DESTALIAS, KEYPASS, KEYSTORE, STOREPASS, |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
168 |
STORETYPE, PROVIDERNAME, PROVIDERCLASS, PROVIDERARG, |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
169 |
PROVIDERPATH, V, PROTECTED), |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
170 |
DELETE("Deletes.an.entry", |
4819
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
171 |
ALIAS, KEYSTORE, STOREPASS, STORETYPE, |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
172 |
PROVIDERNAME, PROVIDERCLASS, PROVIDERARG, |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
173 |
PROVIDERPATH, V, PROTECTED), |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
174 |
EXPORTCERT("Exports.certificate", |
4819
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
175 |
RFC, ALIAS, FILEOUT, KEYSTORE, STOREPASS, |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
176 |
STORETYPE, PROVIDERNAME, PROVIDERCLASS, PROVIDERARG, |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
177 |
PROVIDERPATH, V, PROTECTED), |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
178 |
GENKEYPAIR("Generates.a.key.pair", |
4918
13ed75166139
6925639: keytool -genkeypair -help missing dname option
weijun
parents:
4819
diff
changeset
|
179 |
ALIAS, KEYALG, KEYSIZE, SIGALG, DESTALIAS, DNAME, |
4819
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
180 |
STARTDATE, EXT, VALIDITY, KEYPASS, KEYSTORE, |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
181 |
STOREPASS, STORETYPE, PROVIDERNAME, PROVIDERCLASS, |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
182 |
PROVIDERARG, PROVIDERPATH, V, PROTECTED), |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
183 |
GENSECKEY("Generates.a.secret.key", |
4819
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
184 |
ALIAS, KEYPASS, KEYALG, KEYSIZE, KEYSTORE, |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
185 |
STOREPASS, STORETYPE, PROVIDERNAME, PROVIDERCLASS, |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
186 |
PROVIDERARG, PROVIDERPATH, V, PROTECTED), |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
187 |
GENCERT("Generates.certificate.from.a.certificate.request", |
4918
13ed75166139
6925639: keytool -genkeypair -help missing dname option
weijun
parents:
4819
diff
changeset
|
188 |
RFC, INFILE, OUTFILE, ALIAS, SIGALG, DNAME, |
4819
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
189 |
STARTDATE, EXT, VALIDITY, KEYPASS, KEYSTORE, |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
190 |
STOREPASS, STORETYPE, PROVIDERNAME, PROVIDERCLASS, |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
191 |
PROVIDERARG, PROVIDERPATH, V, PROTECTED), |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
192 |
IMPORTCERT("Imports.a.certificate.or.a.certificate.chain", |
4819
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
193 |
NOPROMPT, TRUSTCACERTS, PROTECTED, ALIAS, FILEIN, |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
194 |
KEYPASS, KEYSTORE, STOREPASS, STORETYPE, |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
195 |
PROVIDERNAME, PROVIDERCLASS, PROVIDERARG, |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
196 |
PROVIDERPATH, V), |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
197 |
IMPORTKEYSTORE("Imports.one.or.all.entries.from.another.keystore", |
4819
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
198 |
SRCKEYSTORE, DESTKEYSTORE, SRCSTORETYPE, |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
199 |
DESTSTORETYPE, SRCSTOREPASS, DESTSTOREPASS, |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
200 |
SRCPROTECTED, SRCPROVIDERNAME, DESTPROVIDERNAME, |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
201 |
SRCALIAS, DESTALIAS, SRCKEYPASS, DESTKEYPASS, |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
202 |
NOPROMPT, PROVIDERCLASS, PROVIDERARG, PROVIDERPATH, |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
203 |
V), |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
204 |
KEYPASSWD("Changes.the.key.password.of.an.entry", |
4819
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
205 |
ALIAS, KEYPASS, NEW, KEYSTORE, STOREPASS, |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
206 |
STORETYPE, PROVIDERNAME, PROVIDERCLASS, PROVIDERARG, |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
207 |
PROVIDERPATH, V), |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
208 |
LIST("Lists.entries.in.a.keystore", |
4819
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
209 |
RFC, ALIAS, KEYSTORE, STOREPASS, STORETYPE, |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
210 |
PROVIDERNAME, PROVIDERCLASS, PROVIDERARG, |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
211 |
PROVIDERPATH, V, PROTECTED), |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
212 |
PRINTCERT("Prints.the.content.of.a.certificate", |
4819
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
213 |
RFC, FILEIN, SSLSERVER, JARFILE, V), |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
214 |
PRINTCERTREQ("Prints.the.content.of.a.certificate.request", |
4819
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
215 |
FILEIN, V), |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
216 |
PRINTCRL("Prints.the.content.of.a.CRL.file", |
5462
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
217 |
FILEIN, V), |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
218 |
STOREPASSWD("Changes.the.store.password.of.a.keystore", |
5462
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
219 |
NEW, KEYSTORE, STOREPASS, STORETYPE, PROVIDERNAME, |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
220 |
PROVIDERCLASS, PROVIDERARG, PROVIDERPATH, V), |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
221 |
|
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
222 |
// Undocumented start here, KEYCLONE is used a marker in -help; |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
223 |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
224 |
KEYCLONE("Clones.a.key.entry", |
5462
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
225 |
ALIAS, DESTALIAS, KEYPASS, NEW, STORETYPE, |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
226 |
KEYSTORE, STOREPASS, PROVIDERNAME, PROVIDERCLASS, |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
227 |
PROVIDERARG, PROVIDERPATH, V), |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
228 |
SELFCERT("Generates.a.self.signed.certificate", |
4819
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
229 |
ALIAS, SIGALG, DNAME, STARTDATE, VALIDITY, KEYPASS, |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
230 |
STORETYPE, KEYSTORE, STOREPASS, PROVIDERNAME, |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
231 |
PROVIDERCLASS, PROVIDERARG, PROVIDERPATH, V), |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
232 |
GENCRL("Generates.CRL", |
5462
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
233 |
RFC, FILEOUT, ID, |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
234 |
ALIAS, SIGALG, EXT, KEYPASS, KEYSTORE, |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
235 |
STOREPASS, STORETYPE, PROVIDERNAME, PROVIDERCLASS, |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
236 |
PROVIDERARG, PROVIDERPATH, V, PROTECTED), |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
237 |
IDENTITYDB("Imports.entries.from.a.JDK.1.1.x.style.identity.database", |
5462
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
238 |
FILEIN, STORETYPE, KEYSTORE, STOREPASS, PROVIDERNAME, |
4819
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
239 |
PROVIDERCLASS, PROVIDERARG, PROVIDERPATH, V); |
3948 | 240 |
|
241 |
final String description; |
|
4819
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
242 |
final Option[] options; |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
243 |
Command(String d, Option... o) { |
3948 | 244 |
description = d; |
245 |
options = o; |
|
246 |
} |
|
247 |
@Override |
|
248 |
public String toString() { |
|
249 |
return "-" + name().toLowerCase(Locale.ENGLISH); |
|
250 |
} |
|
251 |
}; |
|
252 |
||
4819
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
253 |
enum Option { |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
254 |
ALIAS("alias", "<alias>", "alias.name.of.the.entry.to.process"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
255 |
DESTALIAS("destalias", "<destalias>", "destination.alias"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
256 |
DESTKEYPASS("destkeypass", "<arg>", "destination.key.password"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
257 |
DESTKEYSTORE("destkeystore", "<destkeystore>", "destination.keystore.name"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
258 |
DESTPROTECTED("destprotected", null, "destination.keystore.password.protected"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
259 |
DESTPROVIDERNAME("destprovidername", "<destprovidername>", "destination.keystore.provider.name"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
260 |
DESTSTOREPASS("deststorepass", "<arg>", "destination.keystore.password"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
261 |
DESTSTORETYPE("deststoretype", "<deststoretype>", "destination.keystore.type"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
262 |
DNAME("dname", "<dname>", "distinguished.name"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
263 |
EXT("ext", "<value>", "X.509.extension"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
264 |
FILEOUT("file", "<filename>", "output.file.name"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
265 |
FILEIN("file", "<filename>", "input.file.name"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
266 |
ID("id", "<id:reason>", "Serial.ID.of.cert.to.revoke"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
267 |
INFILE("infile", "<filename>", "input.file.name"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
268 |
KEYALG("keyalg", "<keyalg>", "key.algorithm.name"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
269 |
KEYPASS("keypass", "<arg>", "key.password"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
270 |
KEYSIZE("keysize", "<keysize>", "key.bit.size"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
271 |
KEYSTORE("keystore", "<keystore>", "keystore.name"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
272 |
NEW("new", "<arg>", "new.password"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
273 |
NOPROMPT("noprompt", null, "do.not.prompt"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
274 |
OUTFILE("outfile", "<filename>", "output.file.name"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
275 |
PROTECTED("protected", null, "password.through.protected.mechanism"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
276 |
PROVIDERARG("providerarg", "<arg>", "provider.argument"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
277 |
PROVIDERCLASS("providerclass", "<providerclass>", "provider.class.name"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
278 |
PROVIDERNAME("providername", "<providername>", "provider.name"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
279 |
PROVIDERPATH("providerpath", "<pathlist>", "provider.classpath"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
280 |
RFC("rfc", null, "output.in.RFC.style"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
281 |
SIGALG("sigalg", "<sigalg>", "signature.algorithm.name"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
282 |
SRCALIAS("srcalias", "<srcalias>", "source.alias"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
283 |
SRCKEYPASS("srckeypass", "<arg>", "source.key.password"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
284 |
SRCKEYSTORE("srckeystore", "<srckeystore>", "source.keystore.name"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
285 |
SRCPROTECTED("srcprotected", null, "source.keystore.password.protected"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
286 |
SRCPROVIDERNAME("srcprovidername", "<srcprovidername>", "source.keystore.provider.name"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
287 |
SRCSTOREPASS("srcstorepass", "<arg>", "source.keystore.password"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
288 |
SRCSTORETYPE("srcstoretype", "<srcstoretype>", "source.keystore.type"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
289 |
SSLSERVER("sslserver", "<server[:port]>", "SSL.server.host.and.port"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
290 |
JARFILE("jarfile", "<filename>", "signed.jar.file"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
291 |
STARTDATE("startdate", "<startdate>", "certificate.validity.start.date.time"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
292 |
STOREPASS("storepass", "<arg>", "keystore.password"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
293 |
STORETYPE("storetype", "<storetype>", "keystore.type"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
294 |
TRUSTCACERTS("trustcacerts", null, "trust.certificates.from.cacerts"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
295 |
V("v", null, "verbose.output"), |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
296 |
VALIDITY("validity", "<valDays>", "validity.number.of.days"); |
4819
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
297 |
|
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
298 |
final String name, arg, description; |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
299 |
Option(String name, String arg, String description) { |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
300 |
this.name = name; |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
301 |
this.arg = arg; |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
302 |
this.description = description; |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
303 |
} |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
304 |
@Override |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
305 |
public String toString() { |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
306 |
return "-" + name; |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
307 |
} |
3948 | 308 |
}; |
2 | 309 |
|
310 |
private static final Class[] PARAM_STRING = { String.class }; |
|
311 |
||
312 |
private static final String JKS = "jks"; |
|
313 |
private static final String NONE = "NONE"; |
|
314 |
private static final String P11KEYSTORE = "PKCS11"; |
|
315 |
private static final String P12KEYSTORE = "PKCS12"; |
|
316 |
private final String keyAlias = "mykey"; |
|
317 |
||
318 |
// for i18n |
|
319 |
private static final java.util.ResourceBundle rb = |
|
320 |
java.util.ResourceBundle.getBundle("sun.security.util.Resources"); |
|
321 |
private static final Collator collator = Collator.getInstance(); |
|
322 |
static { |
|
323 |
// this is for case insensitive string comparisons |
|
324 |
collator.setStrength(Collator.PRIMARY); |
|
325 |
}; |
|
326 |
||
327 |
private KeyTool() { } |
|
328 |
||
329 |
public static void main(String[] args) throws Exception { |
|
330 |
KeyTool kt = new KeyTool(); |
|
331 |
kt.run(args, System.out); |
|
332 |
} |
|
333 |
||
334 |
private void run(String[] args, PrintStream out) throws Exception { |
|
335 |
try { |
|
336 |
parseArgs(args); |
|
3948 | 337 |
if (command != null) { |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
338 |
doCommands(out); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
339 |
} |
2 | 340 |
} catch (Exception e) { |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
341 |
System.out.println(rb.getString("keytool.error.") + e); |
2 | 342 |
if (verbose) { |
343 |
e.printStackTrace(System.out); |
|
344 |
} |
|
345 |
if (!debug) { |
|
346 |
System.exit(1); |
|
347 |
} else { |
|
348 |
throw e; |
|
349 |
} |
|
350 |
} finally { |
|
351 |
for (char[] pass : passwords) { |
|
352 |
if (pass != null) { |
|
353 |
Arrays.fill(pass, ' '); |
|
354 |
pass = null; |
|
355 |
} |
|
356 |
} |
|
357 |
||
358 |
if (ksStream != null) { |
|
359 |
ksStream.close(); |
|
360 |
} |
|
361 |
} |
|
362 |
} |
|
363 |
||
364 |
/** |
|
365 |
* Parse command line arguments. |
|
366 |
*/ |
|
367 |
void parseArgs(String[] args) { |
|
368 |
||
369 |
int i=0; |
|
3948 | 370 |
boolean help = args.length == 0; |
2 | 371 |
|
372 |
for (i=0; (i < args.length) && args[i].startsWith("-"); i++) { |
|
373 |
||
374 |
String flags = args[i]; |
|
3948 | 375 |
|
376 |
// Check if the last option needs an arg |
|
377 |
if (i == args.length - 1) { |
|
4819
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
378 |
for (Option option: Option.values()) { |
3948 | 379 |
// Only options with an arg need to be checked |
4819
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
380 |
if (collator.compare(flags, option.toString()) == 0) { |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
381 |
if (option.arg != null) errorNeedArgument(flags); |
3948 | 382 |
break; |
383 |
} |
|
384 |
} |
|
385 |
} |
|
386 |
||
2 | 387 |
/* |
3951
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
388 |
* Check modifiers |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
389 |
*/ |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
390 |
String modifier = null; |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
391 |
int pos = flags.indexOf(':'); |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
392 |
if (pos > 0) { |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
393 |
modifier = flags.substring(pos+1); |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
394 |
flags = flags.substring(0, pos); |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
395 |
} |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
396 |
/* |
2 | 397 |
* command modes |
398 |
*/ |
|
3948 | 399 |
boolean isCommand = false; |
400 |
for (Command c: Command.values()) { |
|
401 |
if (collator.compare(flags, c.toString()) == 0) { |
|
402 |
command = c; |
|
403 |
isCommand = true; |
|
404 |
break; |
|
405 |
} |
|
406 |
} |
|
407 |
||
408 |
if (isCommand) { |
|
409 |
// already recognized as a command |
|
410 |
} else if (collator.compare(flags, "-export") == 0) { |
|
2 | 411 |
command = EXPORTCERT; |
3948 | 412 |
} else if (collator.compare(flags, "-genkey") == 0) { |
2 | 413 |
command = GENKEYPAIR; |
3948 | 414 |
} else if (collator.compare(flags, "-import") == 0) { |
2 | 415 |
command = IMPORTCERT; |
3948 | 416 |
} |
417 |
/* |
|
418 |
* Help |
|
419 |
*/ |
|
420 |
else if (collator.compare(flags, "-help") == 0) { |
|
421 |
help = true; |
|
2 | 422 |
} |
423 |
||
424 |
/* |
|
425 |
* specifiers |
|
426 |
*/ |
|
427 |
else if (collator.compare(flags, "-keystore") == 0 || |
|
428 |
collator.compare(flags, "-destkeystore") == 0) { |
|
3948 | 429 |
ksfname = args[++i]; |
2 | 430 |
} else if (collator.compare(flags, "-storepass") == 0 || |
431 |
collator.compare(flags, "-deststorepass") == 0) { |
|
3951
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
432 |
storePass = getPass(modifier, args[++i]); |
2 | 433 |
passwords.add(storePass); |
434 |
} else if (collator.compare(flags, "-storetype") == 0 || |
|
435 |
collator.compare(flags, "-deststoretype") == 0) { |
|
3948 | 436 |
storetype = args[++i]; |
2 | 437 |
} else if (collator.compare(flags, "-srcstorepass") == 0) { |
3951
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
438 |
srcstorePass = getPass(modifier, args[++i]); |
2 | 439 |
passwords.add(srcstorePass); |
440 |
} else if (collator.compare(flags, "-srcstoretype") == 0) { |
|
3948 | 441 |
srcstoretype = args[++i]; |
2 | 442 |
} else if (collator.compare(flags, "-srckeypass") == 0) { |
3951
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
443 |
srckeyPass = getPass(modifier, args[++i]); |
2 | 444 |
passwords.add(srckeyPass); |
445 |
} else if (collator.compare(flags, "-srcprovidername") == 0) { |
|
3948 | 446 |
srcProviderName = args[++i]; |
2 | 447 |
} else if (collator.compare(flags, "-providername") == 0 || |
448 |
collator.compare(flags, "-destprovidername") == 0) { |
|
3948 | 449 |
providerName = args[++i]; |
2 | 450 |
} else if (collator.compare(flags, "-providerpath") == 0) { |
3948 | 451 |
pathlist = args[++i]; |
2 | 452 |
} else if (collator.compare(flags, "-keypass") == 0) { |
3951
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
453 |
keyPass = getPass(modifier, args[++i]); |
2 | 454 |
passwords.add(keyPass); |
455 |
} else if (collator.compare(flags, "-new") == 0) { |
|
3951
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
456 |
newPass = getPass(modifier, args[++i]); |
2 | 457 |
passwords.add(newPass); |
458 |
} else if (collator.compare(flags, "-destkeypass") == 0) { |
|
3951
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
459 |
destKeyPass = getPass(modifier, args[++i]); |
2 | 460 |
passwords.add(destKeyPass); |
461 |
} else if (collator.compare(flags, "-alias") == 0 || |
|
462 |
collator.compare(flags, "-srcalias") == 0) { |
|
3948 | 463 |
alias = args[++i]; |
2 | 464 |
} else if (collator.compare(flags, "-dest") == 0 || |
465 |
collator.compare(flags, "-destalias") == 0) { |
|
3948 | 466 |
dest = args[++i]; |
2 | 467 |
} else if (collator.compare(flags, "-dname") == 0) { |
3948 | 468 |
dname = args[++i]; |
2 | 469 |
} else if (collator.compare(flags, "-keysize") == 0) { |
3948 | 470 |
keysize = Integer.parseInt(args[++i]); |
2 | 471 |
} else if (collator.compare(flags, "-keyalg") == 0) { |
3948 | 472 |
keyAlgName = args[++i]; |
2 | 473 |
} else if (collator.compare(flags, "-sigalg") == 0) { |
3948 | 474 |
sigAlgName = args[++i]; |
2 | 475 |
} else if (collator.compare(flags, "-startdate") == 0) { |
3948 | 476 |
startDate = args[++i]; |
2 | 477 |
} else if (collator.compare(flags, "-validity") == 0) { |
3948 | 478 |
validity = Long.parseLong(args[++i]); |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
479 |
} else if (collator.compare(flags, "-ext") == 0) { |
3948 | 480 |
v3ext.add(args[++i]); |
5462
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
481 |
} else if (collator.compare(flags, "-id") == 0) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
482 |
ids.add(args[++i]); |
2 | 483 |
} else if (collator.compare(flags, "-file") == 0) { |
3948 | 484 |
filename = args[++i]; |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
485 |
} else if (collator.compare(flags, "-infile") == 0) { |
3948 | 486 |
infilename = args[++i]; |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
487 |
} else if (collator.compare(flags, "-outfile") == 0) { |
3948 | 488 |
outfilename = args[++i]; |
904
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
489 |
} else if (collator.compare(flags, "-sslserver") == 0) { |
3948 | 490 |
sslserver = args[++i]; |
4169
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
491 |
} else if (collator.compare(flags, "-jarfile") == 0) { |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
492 |
jarfile = args[++i]; |
2 | 493 |
} else if (collator.compare(flags, "-srckeystore") == 0) { |
3948 | 494 |
srcksfname = args[++i]; |
2 | 495 |
} else if ((collator.compare(flags, "-provider") == 0) || |
496 |
(collator.compare(flags, "-providerclass") == 0)) { |
|
497 |
if (providers == null) { |
|
498 |
providers = new HashSet<Pair <String, String>> (3); |
|
499 |
} |
|
3948 | 500 |
String providerClass = args[++i]; |
2 | 501 |
String providerArg = null; |
502 |
||
503 |
if (args.length > (i+1)) { |
|
504 |
flags = args[i+1]; |
|
505 |
if (collator.compare(flags, "-providerarg") == 0) { |
|
506 |
if (args.length == (i+2)) errorNeedArgument(flags); |
|
507 |
providerArg = args[i+2]; |
|
508 |
i += 2; |
|
509 |
} |
|
510 |
} |
|
511 |
providers.add( |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
512 |
Pair.of(providerClass, providerArg)); |
2 | 513 |
} |
514 |
||
515 |
/* |
|
516 |
* options |
|
517 |
*/ |
|
518 |
else if (collator.compare(flags, "-v") == 0) { |
|
519 |
verbose = true; |
|
520 |
} else if (collator.compare(flags, "-debug") == 0) { |
|
521 |
debug = true; |
|
522 |
} else if (collator.compare(flags, "-rfc") == 0) { |
|
523 |
rfc = true; |
|
524 |
} else if (collator.compare(flags, "-noprompt") == 0) { |
|
525 |
noprompt = true; |
|
526 |
} else if (collator.compare(flags, "-trustcacerts") == 0) { |
|
527 |
trustcacerts = true; |
|
528 |
} else if (collator.compare(flags, "-protected") == 0 || |
|
529 |
collator.compare(flags, "-destprotected") == 0) { |
|
530 |
protectedPath = true; |
|
531 |
} else if (collator.compare(flags, "-srcprotected") == 0) { |
|
532 |
srcprotectedPath = true; |
|
533 |
} else { |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
534 |
System.err.println(rb.getString("Illegal.option.") + flags); |
2 | 535 |
tinyHelp(); |
536 |
} |
|
537 |
} |
|
538 |
||
539 |
if (i<args.length) { |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
540 |
System.err.println(rb.getString("Illegal.option.") + args[i]); |
2 | 541 |
tinyHelp(); |
542 |
} |
|
3948 | 543 |
|
544 |
if (command == null) { |
|
545 |
if (help) { |
|
546 |
usage(); |
|
547 |
} else { |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
548 |
System.err.println(rb.getString("Usage.error.no.command.provided")); |
3948 | 549 |
tinyHelp(); |
550 |
} |
|
551 |
} else if (help) { |
|
552 |
usage(); |
|
553 |
command = null; |
|
554 |
} |
|
2 | 555 |
} |
556 |
||
3948 | 557 |
boolean isKeyStoreRelated(Command cmd) { |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
558 |
return cmd != PRINTCERT && cmd != PRINTCERTREQ; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
559 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
560 |
|
2 | 561 |
/** |
562 |
* Execute the commands. |
|
563 |
*/ |
|
564 |
void doCommands(PrintStream out) throws Exception { |
|
565 |
||
566 |
if (storetype == null) { |
|
567 |
storetype = KeyStore.getDefaultType(); |
|
568 |
} |
|
569 |
storetype = KeyStoreUtil.niceStoreTypeName(storetype); |
|
570 |
||
571 |
if (srcstoretype == null) { |
|
572 |
srcstoretype = KeyStore.getDefaultType(); |
|
573 |
} |
|
574 |
srcstoretype = KeyStoreUtil.niceStoreTypeName(srcstoretype); |
|
575 |
||
576 |
if (P11KEYSTORE.equalsIgnoreCase(storetype) || |
|
577 |
KeyStoreUtil.isWindowsKeyStore(storetype)) { |
|
578 |
token = true; |
|
579 |
if (ksfname == null) { |
|
580 |
ksfname = NONE; |
|
581 |
} |
|
582 |
} |
|
583 |
if (NONE.equals(ksfname)) { |
|
584 |
nullStream = true; |
|
585 |
} |
|
586 |
||
587 |
if (token && !nullStream) { |
|
588 |
System.err.println(MessageFormat.format(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
589 |
(".keystore.must.be.NONE.if.storetype.is.{0}"), storetype)); |
2 | 590 |
System.err.println(); |
591 |
tinyHelp(); |
|
592 |
} |
|
593 |
||
594 |
if (token && |
|
595 |
(command == KEYPASSWD || command == STOREPASSWD)) { |
|
596 |
throw new UnsupportedOperationException(MessageFormat.format(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
597 |
(".storepasswd.and.keypasswd.commands.not.supported.if.storetype.is.{0}"), storetype)); |
2 | 598 |
} |
599 |
||
600 |
if (P12KEYSTORE.equalsIgnoreCase(storetype) && command == KEYPASSWD) { |
|
601 |
throw new UnsupportedOperationException(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
602 |
(".keypasswd.commands.not.supported.if.storetype.is.PKCS12")); |
2 | 603 |
} |
604 |
||
605 |
if (token && (keyPass != null || newPass != null || destKeyPass != null)) { |
|
606 |
throw new IllegalArgumentException(MessageFormat.format(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
607 |
(".keypass.and.new.can.not.be.specified.if.storetype.is.{0}"), storetype)); |
2 | 608 |
} |
609 |
||
610 |
if (protectedPath) { |
|
611 |
if (storePass != null || keyPass != null || |
|
612 |
newPass != null || destKeyPass != null) { |
|
613 |
throw new IllegalArgumentException(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
614 |
("if.protected.is.specified.then.storepass.keypass.and.new.must.not.be.specified")); |
2 | 615 |
} |
616 |
} |
|
617 |
||
618 |
if (srcprotectedPath) { |
|
619 |
if (srcstorePass != null || srckeyPass != null) { |
|
620 |
throw new IllegalArgumentException(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
621 |
("if.srcprotected.is.specified.then.srcstorepass.and.srckeypass.must.not.be.specified")); |
2 | 622 |
} |
623 |
} |
|
624 |
||
625 |
if (KeyStoreUtil.isWindowsKeyStore(storetype)) { |
|
626 |
if (storePass != null || keyPass != null || |
|
627 |
newPass != null || destKeyPass != null) { |
|
628 |
throw new IllegalArgumentException(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
629 |
("if.keystore.is.not.password.protected.then.storepass.keypass.and.new.must.not.be.specified")); |
2 | 630 |
} |
631 |
} |
|
632 |
||
633 |
if (KeyStoreUtil.isWindowsKeyStore(srcstoretype)) { |
|
634 |
if (srcstorePass != null || srckeyPass != null) { |
|
635 |
throw new IllegalArgumentException(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
636 |
("if.source.keystore.is.not.password.protected.then.srcstorepass.and.srckeypass.must.not.be.specified")); |
2 | 637 |
} |
638 |
} |
|
639 |
||
640 |
if (validity <= (long)0) { |
|
641 |
throw new Exception |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
642 |
(rb.getString("Validity.must.be.greater.than.zero")); |
2 | 643 |
} |
644 |
||
645 |
// Try to load and install specified provider |
|
646 |
if (providers != null) { |
|
647 |
ClassLoader cl = null; |
|
648 |
if (pathlist != null) { |
|
649 |
String path = null; |
|
650 |
path = PathList.appendPath( |
|
651 |
path, System.getProperty("java.class.path")); |
|
652 |
path = PathList.appendPath( |
|
653 |
path, System.getProperty("env.class.path")); |
|
654 |
path = PathList.appendPath(path, pathlist); |
|
655 |
||
656 |
URL[] urls = PathList.pathToURLs(path); |
|
657 |
cl = new URLClassLoader(urls); |
|
658 |
} else { |
|
659 |
cl = ClassLoader.getSystemClassLoader(); |
|
660 |
} |
|
661 |
||
662 |
for (Pair <String, String> provider: providers) { |
|
663 |
String provName = provider.fst; |
|
664 |
Class<?> provClass; |
|
665 |
if (cl != null) { |
|
666 |
provClass = cl.loadClass(provName); |
|
667 |
} else { |
|
668 |
provClass = Class.forName(provName); |
|
669 |
} |
|
670 |
||
671 |
String provArg = provider.snd; |
|
672 |
Object obj; |
|
673 |
if (provArg == null) { |
|
674 |
obj = provClass.newInstance(); |
|
675 |
} else { |
|
676 |
Constructor<?> c = provClass.getConstructor(PARAM_STRING); |
|
677 |
obj = c.newInstance(provArg); |
|
678 |
} |
|
679 |
if (!(obj instanceof Provider)) { |
|
680 |
MessageFormat form = new MessageFormat |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
681 |
(rb.getString("provName.not.a.provider")); |
2 | 682 |
Object[] source = {provName}; |
683 |
throw new Exception(form.format(source)); |
|
684 |
} |
|
685 |
Security.addProvider((Provider)obj); |
|
686 |
} |
|
687 |
} |
|
688 |
||
689 |
if (command == LIST && verbose && rfc) { |
|
690 |
System.err.println(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
691 |
("Must.not.specify.both.v.and.rfc.with.list.command")); |
2 | 692 |
tinyHelp(); |
693 |
} |
|
694 |
||
695 |
// Make sure provided passwords are at least 6 characters long |
|
696 |
if (command == GENKEYPAIR && keyPass!=null && keyPass.length < 6) { |
|
697 |
throw new Exception(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
698 |
("Key.password.must.be.at.least.6.characters")); |
2 | 699 |
} |
700 |
if (newPass != null && newPass.length < 6) { |
|
701 |
throw new Exception(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
702 |
("New.password.must.be.at.least.6.characters")); |
2 | 703 |
} |
704 |
if (destKeyPass != null && destKeyPass.length < 6) { |
|
705 |
throw new Exception(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
706 |
("New.password.must.be.at.least.6.characters")); |
2 | 707 |
} |
708 |
||
709 |
// Check if keystore exists. |
|
710 |
// If no keystore has been specified at the command line, try to use |
|
711 |
// the default, which is located in $HOME/.keystore. |
|
712 |
// If the command is "genkey", "identitydb", "import", or "printcert", |
|
713 |
// it is OK not to have a keystore. |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
714 |
if (isKeyStoreRelated(command)) { |
2 | 715 |
if (ksfname == null) { |
716 |
ksfname = System.getProperty("user.home") + File.separator |
|
717 |
+ ".keystore"; |
|
718 |
} |
|
719 |
||
720 |
if (!nullStream) { |
|
721 |
try { |
|
722 |
ksfile = new File(ksfname); |
|
723 |
// Check if keystore file is empty |
|
724 |
if (ksfile.exists() && ksfile.length() == 0) { |
|
725 |
throw new Exception(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
726 |
("Keystore.file.exists.but.is.empty.") + ksfname); |
2 | 727 |
} |
728 |
ksStream = new FileInputStream(ksfile); |
|
729 |
} catch (FileNotFoundException e) { |
|
730 |
if (command != GENKEYPAIR && |
|
731 |
command != GENSECKEY && |
|
732 |
command != IDENTITYDB && |
|
733 |
command != IMPORTCERT && |
|
5462
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
734 |
command != IMPORTKEYSTORE && |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
735 |
command != PRINTCRL) { |
2 | 736 |
throw new Exception(rb.getString |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
737 |
("Keystore.file.does.not.exist.") + ksfname); |
2 | 738 |
} |
739 |
} |
|
740 |
} |
|
741 |
} |
|
742 |
||
743 |
if ((command == KEYCLONE || command == CHANGEALIAS) |
|
744 |
&& dest == null) { |
|
745 |
dest = getAlias("destination"); |
|
746 |
if ("".equals(dest)) { |
|
747 |
throw new Exception(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
748 |
("Must.specify.destination.alias")); |
2 | 749 |
} |
750 |
} |
|
751 |
||
752 |
if (command == DELETE && alias == null) { |
|
753 |
alias = getAlias(null); |
|
754 |
if ("".equals(alias)) { |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
755 |
throw new Exception(rb.getString("Must.specify.alias")); |
2 | 756 |
} |
757 |
} |
|
758 |
||
759 |
// Create new keystore |
|
760 |
if (providerName == null) { |
|
761 |
keyStore = KeyStore.getInstance(storetype); |
|
762 |
} else { |
|
763 |
keyStore = KeyStore.getInstance(storetype, providerName); |
|
764 |
} |
|
765 |
||
766 |
/* |
|
767 |
* Load the keystore data. |
|
768 |
* |
|
769 |
* At this point, it's OK if no keystore password has been provided. |
|
770 |
* We want to make sure that we can load the keystore data, i.e., |
|
771 |
* the keystore data has the right format. If we cannot load the |
|
772 |
* keystore, why bother asking the user for his or her password? |
|
773 |
* Only if we were able to load the keystore, and no keystore |
|
774 |
* password has been provided, will we prompt the user for the |
|
775 |
* keystore password to verify the keystore integrity. |
|
776 |
* This means that the keystore is loaded twice: first load operation |
|
777 |
* checks the keystore format, second load operation verifies the |
|
778 |
* keystore integrity. |
|
779 |
* |
|
780 |
* If the keystore password has already been provided (at the |
|
781 |
* command line), however, the keystore is loaded only once, and the |
|
782 |
* keystore format and integrity are checked "at the same time". |
|
783 |
* |
|
784 |
* Null stream keystores are loaded later. |
|
785 |
*/ |
|
786 |
if (!nullStream) { |
|
787 |
keyStore.load(ksStream, storePass); |
|
788 |
if (ksStream != null) { |
|
789 |
ksStream.close(); |
|
790 |
} |
|
791 |
} |
|
792 |
||
793 |
// All commands that create or modify the keystore require a keystore |
|
794 |
// password. |
|
795 |
||
796 |
if (nullStream && storePass != null) { |
|
797 |
keyStore.load(null, storePass); |
|
798 |
} else if (!nullStream && storePass != null) { |
|
799 |
// If we are creating a new non nullStream-based keystore, |
|
800 |
// insist that the password be at least 6 characters |
|
801 |
if (ksStream == null && storePass.length < 6) { |
|
802 |
throw new Exception(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
803 |
("Keystore.password.must.be.at.least.6.characters")); |
2 | 804 |
} |
805 |
} else if (storePass == null) { |
|
806 |
||
807 |
// only prompt if (protectedPath == false) |
|
808 |
||
809 |
if (!protectedPath && !KeyStoreUtil.isWindowsKeyStore(storetype) && |
|
810 |
(command == CERTREQ || |
|
811 |
command == DELETE || |
|
812 |
command == GENKEYPAIR || |
|
813 |
command == GENSECKEY || |
|
814 |
command == IMPORTCERT || |
|
815 |
command == IMPORTKEYSTORE || |
|
816 |
command == KEYCLONE || |
|
817 |
command == CHANGEALIAS || |
|
818 |
command == SELFCERT || |
|
819 |
command == STOREPASSWD || |
|
820 |
command == KEYPASSWD || |
|
821 |
command == IDENTITYDB)) { |
|
822 |
int count = 0; |
|
823 |
do { |
|
824 |
if (command == IMPORTKEYSTORE) { |
|
825 |
System.err.print |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
826 |
(rb.getString("Enter.destination.keystore.password.")); |
2 | 827 |
} else { |
828 |
System.err.print |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
829 |
(rb.getString("Enter.keystore.password.")); |
2 | 830 |
} |
831 |
System.err.flush(); |
|
832 |
storePass = Password.readPassword(System.in); |
|
833 |
passwords.add(storePass); |
|
834 |
||
835 |
// If we are creating a new non nullStream-based keystore, |
|
836 |
// insist that the password be at least 6 characters |
|
837 |
if (!nullStream && (storePass == null || storePass.length < 6)) { |
|
838 |
System.err.println(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
839 |
("Keystore.password.is.too.short.must.be.at.least.6.characters")); |
2 | 840 |
storePass = null; |
841 |
} |
|
842 |
||
843 |
// If the keystore file does not exist and needs to be |
|
844 |
// created, the storepass should be prompted twice. |
|
845 |
if (storePass != null && !nullStream && ksStream == null) { |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
846 |
System.err.print(rb.getString("Re.enter.new.password.")); |
2 | 847 |
char[] storePassAgain = Password.readPassword(System.in); |
848 |
passwords.add(storePassAgain); |
|
849 |
if (!Arrays.equals(storePass, storePassAgain)) { |
|
850 |
System.err.println |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
851 |
(rb.getString("They.don.t.match.Try.again")); |
2 | 852 |
storePass = null; |
853 |
} |
|
854 |
} |
|
855 |
||
856 |
count++; |
|
857 |
} while ((storePass == null) && count < 3); |
|
858 |
||
859 |
||
860 |
if (storePass == null) { |
|
861 |
System.err.println |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
862 |
(rb.getString("Too.many.failures.try.later")); |
2 | 863 |
return; |
864 |
} |
|
865 |
} else if (!protectedPath |
|
866 |
&& !KeyStoreUtil.isWindowsKeyStore(storetype) |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
867 |
&& isKeyStoreRelated(command)) { |
2 | 868 |
// here we have EXPORTCERT and LIST (info valid until STOREPASSWD) |
5462
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
869 |
if (command != PRINTCRL) { |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
870 |
System.err.print(rb.getString("Enter.keystore.password.")); |
5462
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
871 |
System.err.flush(); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
872 |
storePass = Password.readPassword(System.in); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
873 |
passwords.add(storePass); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
874 |
} |
2 | 875 |
} |
876 |
||
877 |
// Now load a nullStream-based keystore, |
|
878 |
// or verify the integrity of an input stream-based keystore |
|
879 |
if (nullStream) { |
|
880 |
keyStore.load(null, storePass); |
|
881 |
} else if (ksStream != null) { |
|
882 |
ksStream = new FileInputStream(ksfile); |
|
883 |
keyStore.load(ksStream, storePass); |
|
884 |
ksStream.close(); |
|
885 |
} |
|
886 |
} |
|
887 |
||
888 |
if (storePass != null && P12KEYSTORE.equalsIgnoreCase(storetype)) { |
|
889 |
MessageFormat form = new MessageFormat(rb.getString( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
890 |
"Warning.Different.store.and.key.passwords.not.supported.for.PKCS12.KeyStores.Ignoring.user.specified.command.value.")); |
2 | 891 |
if (keyPass != null && !Arrays.equals(storePass, keyPass)) { |
892 |
Object[] source = {"-keypass"}; |
|
893 |
System.err.println(form.format(source)); |
|
894 |
keyPass = storePass; |
|
895 |
} |
|
896 |
if (newPass != null && !Arrays.equals(storePass, newPass)) { |
|
897 |
Object[] source = {"-new"}; |
|
898 |
System.err.println(form.format(source)); |
|
899 |
newPass = storePass; |
|
900 |
} |
|
901 |
if (destKeyPass != null && !Arrays.equals(storePass, destKeyPass)) { |
|
902 |
Object[] source = {"-destkeypass"}; |
|
903 |
System.err.println(form.format(source)); |
|
904 |
destKeyPass = storePass; |
|
905 |
} |
|
906 |
} |
|
907 |
||
908 |
// Create a certificate factory |
|
909 |
if (command == PRINTCERT || command == IMPORTCERT |
|
5462
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
910 |
|| command == IDENTITYDB || command == PRINTCRL) { |
2 | 911 |
cf = CertificateFactory.getInstance("X509"); |
912 |
} |
|
913 |
||
914 |
if (trustcacerts) { |
|
915 |
caks = getCacertsKeyStore(); |
|
916 |
} |
|
917 |
||
918 |
// Perform the specified command |
|
919 |
if (command == CERTREQ) { |
|
920 |
PrintStream ps = null; |
|
921 |
if (filename != null) { |
|
922 |
ps = new PrintStream(new FileOutputStream |
|
923 |
(filename)); |
|
924 |
out = ps; |
|
925 |
} |
|
926 |
try { |
|
927 |
doCertReq(alias, sigAlgName, out); |
|
928 |
} finally { |
|
929 |
if (ps != null) { |
|
930 |
ps.close(); |
|
931 |
} |
|
932 |
} |
|
933 |
if (verbose && filename != null) { |
|
934 |
MessageFormat form = new MessageFormat(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
935 |
("Certification.request.stored.in.file.filename.")); |
2 | 936 |
Object[] source = {filename}; |
937 |
System.err.println(form.format(source)); |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
938 |
System.err.println(rb.getString("Submit.this.to.your.CA")); |
2 | 939 |
} |
940 |
} else if (command == DELETE) { |
|
941 |
doDeleteEntry(alias); |
|
942 |
kssave = true; |
|
943 |
} else if (command == EXPORTCERT) { |
|
944 |
PrintStream ps = null; |
|
945 |
if (filename != null) { |
|
946 |
ps = new PrintStream(new FileOutputStream |
|
947 |
(filename)); |
|
948 |
out = ps; |
|
949 |
} |
|
950 |
try { |
|
951 |
doExportCert(alias, out); |
|
952 |
} finally { |
|
953 |
if (ps != null) { |
|
954 |
ps.close(); |
|
955 |
} |
|
956 |
} |
|
957 |
if (filename != null) { |
|
958 |
MessageFormat form = new MessageFormat(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
959 |
("Certificate.stored.in.file.filename.")); |
2 | 960 |
Object[] source = {filename}; |
961 |
System.err.println(form.format(source)); |
|
962 |
} |
|
963 |
} else if (command == GENKEYPAIR) { |
|
964 |
if (keyAlgName == null) { |
|
965 |
keyAlgName = "DSA"; |
|
966 |
} |
|
967 |
doGenKeyPair(alias, dname, keyAlgName, keysize, sigAlgName); |
|
968 |
kssave = true; |
|
969 |
} else if (command == GENSECKEY) { |
|
970 |
if (keyAlgName == null) { |
|
971 |
keyAlgName = "DES"; |
|
972 |
} |
|
973 |
doGenSecretKey(alias, keyAlgName, keysize); |
|
974 |
kssave = true; |
|
975 |
} else if (command == IDENTITYDB) { |
|
976 |
InputStream inStream = System.in; |
|
977 |
if (filename != null) { |
|
978 |
inStream = new FileInputStream(filename); |
|
979 |
} |
|
980 |
try { |
|
981 |
doImportIdentityDatabase(inStream); |
|
982 |
} finally { |
|
983 |
if (inStream != System.in) { |
|
984 |
inStream.close(); |
|
985 |
} |
|
986 |
} |
|
987 |
} else if (command == IMPORTCERT) { |
|
988 |
InputStream inStream = System.in; |
|
989 |
if (filename != null) { |
|
990 |
inStream = new FileInputStream(filename); |
|
991 |
} |
|
5164
337ae296b6d6
6813340: X509Factory should not depend on is.available()==0
weijun
parents:
4918
diff
changeset
|
992 |
String importAlias = (alias!=null)?alias:keyAlias; |
2 | 993 |
try { |
5164
337ae296b6d6
6813340: X509Factory should not depend on is.available()==0
weijun
parents:
4918
diff
changeset
|
994 |
if (keyStore.entryInstanceOf( |
337ae296b6d6
6813340: X509Factory should not depend on is.available()==0
weijun
parents:
4918
diff
changeset
|
995 |
importAlias, KeyStore.PrivateKeyEntry.class)) { |
337ae296b6d6
6813340: X509Factory should not depend on is.available()==0
weijun
parents:
4918
diff
changeset
|
996 |
kssave = installReply(importAlias, inStream); |
337ae296b6d6
6813340: X509Factory should not depend on is.available()==0
weijun
parents:
4918
diff
changeset
|
997 |
if (kssave) { |
337ae296b6d6
6813340: X509Factory should not depend on is.available()==0
weijun
parents:
4918
diff
changeset
|
998 |
System.err.println(rb.getString |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
999 |
("Certificate.reply.was.installed.in.keystore")); |
5164
337ae296b6d6
6813340: X509Factory should not depend on is.available()==0
weijun
parents:
4918
diff
changeset
|
1000 |
} else { |
337ae296b6d6
6813340: X509Factory should not depend on is.available()==0
weijun
parents:
4918
diff
changeset
|
1001 |
System.err.println(rb.getString |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1002 |
("Certificate.reply.was.not.installed.in.keystore")); |
5164
337ae296b6d6
6813340: X509Factory should not depend on is.available()==0
weijun
parents:
4918
diff
changeset
|
1003 |
} |
337ae296b6d6
6813340: X509Factory should not depend on is.available()==0
weijun
parents:
4918
diff
changeset
|
1004 |
} else if (!keyStore.containsAlias(importAlias) || |
337ae296b6d6
6813340: X509Factory should not depend on is.available()==0
weijun
parents:
4918
diff
changeset
|
1005 |
keyStore.entryInstanceOf(importAlias, |
337ae296b6d6
6813340: X509Factory should not depend on is.available()==0
weijun
parents:
4918
diff
changeset
|
1006 |
KeyStore.TrustedCertificateEntry.class)) { |
337ae296b6d6
6813340: X509Factory should not depend on is.available()==0
weijun
parents:
4918
diff
changeset
|
1007 |
kssave = addTrustedCert(importAlias, inStream); |
337ae296b6d6
6813340: X509Factory should not depend on is.available()==0
weijun
parents:
4918
diff
changeset
|
1008 |
if (kssave) { |
337ae296b6d6
6813340: X509Factory should not depend on is.available()==0
weijun
parents:
4918
diff
changeset
|
1009 |
System.err.println(rb.getString |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1010 |
("Certificate.was.added.to.keystore")); |
5164
337ae296b6d6
6813340: X509Factory should not depend on is.available()==0
weijun
parents:
4918
diff
changeset
|
1011 |
} else { |
337ae296b6d6
6813340: X509Factory should not depend on is.available()==0
weijun
parents:
4918
diff
changeset
|
1012 |
System.err.println(rb.getString |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1013 |
("Certificate.was.not.added.to.keystore")); |
5164
337ae296b6d6
6813340: X509Factory should not depend on is.available()==0
weijun
parents:
4918
diff
changeset
|
1014 |
} |
2 | 1015 |
} |
1016 |
} finally { |
|
1017 |
if (inStream != System.in) { |
|
1018 |
inStream.close(); |
|
1019 |
} |
|
1020 |
} |
|
1021 |
} else if (command == IMPORTKEYSTORE) { |
|
1022 |
doImportKeyStore(); |
|
1023 |
kssave = true; |
|
1024 |
} else if (command == KEYCLONE) { |
|
1025 |
keyPassNew = newPass; |
|
1026 |
||
1027 |
// added to make sure only key can go thru |
|
1028 |
if (alias == null) { |
|
1029 |
alias = keyAlias; |
|
1030 |
} |
|
1031 |
if (keyStore.containsAlias(alias) == false) { |
|
1032 |
MessageFormat form = new MessageFormat |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1033 |
(rb.getString("Alias.alias.does.not.exist")); |
2 | 1034 |
Object[] source = {alias}; |
1035 |
throw new Exception(form.format(source)); |
|
1036 |
} |
|
1037 |
if (!keyStore.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) { |
|
1038 |
MessageFormat form = new MessageFormat(rb.getString( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1039 |
"Alias.alias.references.an.entry.type.that.is.not.a.private.key.entry.The.keyclone.command.only.supports.cloning.of.private.key")); |
2 | 1040 |
Object[] source = {alias}; |
1041 |
throw new Exception(form.format(source)); |
|
1042 |
} |
|
1043 |
||
1044 |
doCloneEntry(alias, dest, true); // Now everything can be cloned |
|
1045 |
kssave = true; |
|
1046 |
} else if (command == CHANGEALIAS) { |
|
1047 |
if (alias == null) { |
|
1048 |
alias = keyAlias; |
|
1049 |
} |
|
1050 |
doCloneEntry(alias, dest, false); |
|
1051 |
// in PKCS11, clone a PrivateKeyEntry will delete the old one |
|
1052 |
if (keyStore.containsAlias(alias)) { |
|
1053 |
doDeleteEntry(alias); |
|
1054 |
} |
|
1055 |
kssave = true; |
|
1056 |
} else if (command == KEYPASSWD) { |
|
1057 |
keyPassNew = newPass; |
|
1058 |
doChangeKeyPasswd(alias); |
|
1059 |
kssave = true; |
|
1060 |
} else if (command == LIST) { |
|
1061 |
if (alias != null) { |
|
1062 |
doPrintEntry(alias, out, true); |
|
1063 |
} else { |
|
1064 |
doPrintEntries(out); |
|
1065 |
} |
|
1066 |
} else if (command == PRINTCERT) { |
|
904
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
1067 |
doPrintCert(out); |
2 | 1068 |
} else if (command == SELFCERT) { |
1069 |
doSelfCert(alias, dname, sigAlgName); |
|
1070 |
kssave = true; |
|
1071 |
} else if (command == STOREPASSWD) { |
|
1072 |
storePassNew = newPass; |
|
1073 |
if (storePassNew == null) { |
|
1074 |
storePassNew = getNewPasswd("keystore password", storePass); |
|
1075 |
} |
|
1076 |
kssave = true; |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1077 |
} else if (command == GENCERT) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1078 |
if (alias == null) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1079 |
alias = keyAlias; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1080 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1081 |
InputStream inStream = System.in; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1082 |
if (infilename != null) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1083 |
inStream = new FileInputStream(infilename); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1084 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1085 |
PrintStream ps = null; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1086 |
if (outfilename != null) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1087 |
ps = new PrintStream(new FileOutputStream(outfilename)); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1088 |
out = ps; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1089 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1090 |
try { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1091 |
doGenCert(alias, sigAlgName, inStream, out); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1092 |
} finally { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1093 |
if (inStream != System.in) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1094 |
inStream.close(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1095 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1096 |
if (ps != null) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1097 |
ps.close(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1098 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1099 |
} |
5462
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1100 |
} else if (command == GENCRL) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1101 |
if (alias == null) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1102 |
alias = keyAlias; |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1103 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1104 |
PrintStream ps = null; |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1105 |
if (filename != null) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1106 |
ps = new PrintStream(new FileOutputStream(filename)); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1107 |
out = ps; |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1108 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1109 |
try { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1110 |
doGenCRL(out); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1111 |
} finally { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1112 |
if (ps != null) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1113 |
ps.close(); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1114 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1115 |
} |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1116 |
} else if (command == PRINTCERTREQ) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1117 |
InputStream inStream = System.in; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1118 |
if (filename != null) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1119 |
inStream = new FileInputStream(filename); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1120 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1121 |
try { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1122 |
doPrintCertReq(inStream, out); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1123 |
} finally { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1124 |
if (inStream != System.in) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1125 |
inStream.close(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1126 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1127 |
} |
5462
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1128 |
} else if (command == PRINTCRL) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1129 |
doPrintCRL(filename, out); |
2 | 1130 |
} |
1131 |
||
1132 |
// If we need to save the keystore, do so. |
|
1133 |
if (kssave) { |
|
1134 |
if (verbose) { |
|
1135 |
MessageFormat form = new MessageFormat |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1136 |
(rb.getString(".Storing.ksfname.")); |
2 | 1137 |
Object[] source = {nullStream ? "keystore" : ksfname}; |
1138 |
System.err.println(form.format(source)); |
|
1139 |
} |
|
1140 |
||
1141 |
if (token) { |
|
1142 |
keyStore.store(null, null); |
|
1143 |
} else { |
|
10436 | 1144 |
char[] pass = (storePassNew!=null) ? storePassNew : storePass; |
1145 |
if (nullStream) { |
|
1146 |
keyStore.store(null, pass); |
|
1147 |
} else { |
|
1148 |
ByteArrayOutputStream bout = new ByteArrayOutputStream(); |
|
1149 |
keyStore.store(bout, pass); |
|
1150 |
try (FileOutputStream fout = new FileOutputStream(ksfname)) { |
|
1151 |
fout.write(bout.toByteArray()); |
|
2 | 1152 |
} |
1153 |
} |
|
1154 |
} |
|
1155 |
} |
|
1156 |
} |
|
1157 |
||
1158 |
/** |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1159 |
* Generate a certificate: Read PKCS10 request from in, and print |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1160 |
* certificate to out. Use alias as CA, sigAlgName as the signature |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1161 |
* type. |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1162 |
*/ |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1163 |
private void doGenCert(String alias, String sigAlgName, InputStream in, PrintStream out) |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1164 |
throws Exception { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1165 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1166 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1167 |
Certificate signerCert = keyStore.getCertificate(alias); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1168 |
byte[] encoded = signerCert.getEncoded(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1169 |
X509CertImpl signerCertImpl = new X509CertImpl(encoded); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1170 |
X509CertInfo signerCertInfo = (X509CertInfo)signerCertImpl.get( |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1171 |
X509CertImpl.NAME + "." + X509CertImpl.INFO); |
3316
32d30c561c5a
6847026: keytool should be able to generate certreq and cert without subject name
weijun
parents:
2437
diff
changeset
|
1172 |
X500Name issuer = (X500Name)signerCertInfo.get(X509CertInfo.SUBJECT + "." + |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1173 |
CertificateSubjectName.DN_NAME); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1174 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1175 |
Date firstDate = getStartDate(startDate); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1176 |
Date lastDate = new Date(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1177 |
lastDate.setTime(firstDate.getTime() + validity*1000L*24L*60L*60L); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1178 |
CertificateValidity interval = new CertificateValidity(firstDate, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1179 |
lastDate); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1180 |
|
5462
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1181 |
PrivateKey privateKey = |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1182 |
(PrivateKey)recoverKey(alias, storePass, keyPass).fst; |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1183 |
if (sigAlgName == null) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1184 |
sigAlgName = getCompatibleSigAlgName(privateKey.getAlgorithm()); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1185 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1186 |
Signature signature = Signature.getInstance(sigAlgName); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1187 |
signature.initSign(privateKey); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1188 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1189 |
X509CertInfo info = new X509CertInfo(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1190 |
info.set(X509CertInfo.VALIDITY, interval); |
2293
cb6d01cb3c3d
6820606: keytool can generate serialno more randomly
weijun
parents:
2289
diff
changeset
|
1191 |
info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber( |
cb6d01cb3c3d
6820606: keytool can generate serialno more randomly
weijun
parents:
2289
diff
changeset
|
1192 |
new java.util.Random().nextInt() & 0x7fffffff)); |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1193 |
info.set(X509CertInfo.VERSION, |
4350
2a593a20d962
6876158: Remove dependencies on Signer, Certificate, Identity, IdentityScope classes from java.security pkg
vinnie
parents:
4169
diff
changeset
|
1194 |
new CertificateVersion(CertificateVersion.V3)); |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1195 |
info.set(X509CertInfo.ALGORITHM_ID, |
4350
2a593a20d962
6876158: Remove dependencies on Signer, Certificate, Identity, IdentityScope classes from java.security pkg
vinnie
parents:
4169
diff
changeset
|
1196 |
new CertificateAlgorithmId( |
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
10051
diff
changeset
|
1197 |
AlgorithmId.get(sigAlgName))); |
4350
2a593a20d962
6876158: Remove dependencies on Signer, Certificate, Identity, IdentityScope classes from java.security pkg
vinnie
parents:
4169
diff
changeset
|
1198 |
info.set(X509CertInfo.ISSUER, new CertificateIssuerName(issuer)); |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1199 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1200 |
BufferedReader reader = new BufferedReader(new InputStreamReader(in)); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1201 |
boolean canRead = false; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1202 |
StringBuffer sb = new StringBuffer(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1203 |
while (true) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1204 |
String s = reader.readLine(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1205 |
if (s == null) break; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1206 |
// OpenSSL does not use NEW |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1207 |
//if (s.startsWith("-----BEGIN NEW CERTIFICATE REQUEST-----")) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1208 |
if (s.startsWith("-----BEGIN") && s.indexOf("REQUEST") >= 0) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1209 |
canRead = true; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1210 |
//} else if (s.startsWith("-----END NEW CERTIFICATE REQUEST-----")) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1211 |
} else if (s.startsWith("-----END") && s.indexOf("REQUEST") >= 0) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1212 |
break; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1213 |
} else if (canRead) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1214 |
sb.append(s); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1215 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1216 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1217 |
byte[] rawReq = new BASE64Decoder().decodeBuffer(new String(sb)); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1218 |
PKCS10 req = new PKCS10(rawReq); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1219 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1220 |
info.set(X509CertInfo.KEY, new CertificateX509Key(req.getSubjectPublicKeyInfo())); |
3316
32d30c561c5a
6847026: keytool should be able to generate certreq and cert without subject name
weijun
parents:
2437
diff
changeset
|
1221 |
info.set(X509CertInfo.SUBJECT, new CertificateSubjectName( |
32d30c561c5a
6847026: keytool should be able to generate certreq and cert without subject name
weijun
parents:
2437
diff
changeset
|
1222 |
dname==null?req.getSubjectName():new X500Name(dname))); |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1223 |
CertificateExtensions reqex = null; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1224 |
Iterator<PKCS10Attribute> attrs = req.getAttributes().getAttributes().iterator(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1225 |
while (attrs.hasNext()) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1226 |
PKCS10Attribute attr = attrs.next(); |
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
10051
diff
changeset
|
1227 |
if (attr.getAttributeId().equals((Object)PKCS9Attribute.EXTENSION_REQUEST_OID)) { |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1228 |
reqex = (CertificateExtensions)attr.getAttributeValue(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1229 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1230 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1231 |
CertificateExtensions ext = createV3Extensions( |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1232 |
reqex, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1233 |
null, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1234 |
v3ext, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1235 |
req.getSubjectPublicKeyInfo(), |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1236 |
signerCert.getPublicKey()); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1237 |
info.set(X509CertInfo.EXTENSIONS, ext); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1238 |
X509CertImpl cert = new X509CertImpl(info); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1239 |
cert.sign(privateKey, sigAlgName); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1240 |
dumpCert(cert, out); |
5296 | 1241 |
for (Certificate ca: keyStore.getCertificateChain(alias)) { |
1242 |
if (ca instanceof X509Certificate) { |
|
1243 |
X509Certificate xca = (X509Certificate)ca; |
|
1244 |
if (!isSelfSigned(xca)) { |
|
1245 |
dumpCert(xca, out); |
|
1246 |
} |
|
1247 |
} |
|
1248 |
} |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1249 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1250 |
|
5462
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1251 |
private void doGenCRL(PrintStream out) |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1252 |
throws Exception { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1253 |
if (ids == null) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1254 |
throw new Exception("Must provide -id when -gencrl"); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1255 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1256 |
Certificate signerCert = keyStore.getCertificate(alias); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1257 |
byte[] encoded = signerCert.getEncoded(); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1258 |
X509CertImpl signerCertImpl = new X509CertImpl(encoded); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1259 |
X509CertInfo signerCertInfo = (X509CertInfo)signerCertImpl.get( |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1260 |
X509CertImpl.NAME + "." + X509CertImpl.INFO); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1261 |
X500Name owner = (X500Name)signerCertInfo.get(X509CertInfo.SUBJECT + "." + |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1262 |
CertificateSubjectName.DN_NAME); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1263 |
|
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1264 |
Date firstDate = getStartDate(startDate); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1265 |
Date lastDate = (Date) firstDate.clone(); |
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
10051
diff
changeset
|
1266 |
lastDate.setTime(lastDate.getTime() + validity*1000*24*60*60); |
5462
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1267 |
CertificateValidity interval = new CertificateValidity(firstDate, |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1268 |
lastDate); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1269 |
|
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1270 |
|
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1271 |
PrivateKey privateKey = |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1272 |
(PrivateKey)recoverKey(alias, storePass, keyPass).fst; |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1273 |
if (sigAlgName == null) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1274 |
sigAlgName = getCompatibleSigAlgName(privateKey.getAlgorithm()); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1275 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1276 |
|
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1277 |
X509CRLEntry[] badCerts = new X509CRLEntry[ids.size()]; |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1278 |
for (int i=0; i<ids.size(); i++) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1279 |
String id = ids.get(i); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1280 |
int d = id.indexOf(':'); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1281 |
if (d >= 0) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1282 |
CRLExtensions ext = new CRLExtensions(); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1283 |
ext.set("Reason", new CRLReasonCodeExtension(Integer.parseInt(id.substring(d+1)))); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1284 |
badCerts[i] = new X509CRLEntryImpl(new BigInteger(id.substring(0, d)), |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1285 |
firstDate, ext); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1286 |
} else { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1287 |
badCerts[i] = new X509CRLEntryImpl(new BigInteger(ids.get(i)), firstDate); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1288 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1289 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1290 |
X509CRLImpl crl = new X509CRLImpl(owner, firstDate, lastDate, badCerts); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1291 |
crl.sign(privateKey, sigAlgName); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1292 |
if (rfc) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1293 |
out.println("-----BEGIN X509 CRL-----"); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1294 |
new BASE64Encoder().encodeBuffer(crl.getEncodedInternal(), out); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1295 |
out.println("-----END X509 CRL-----"); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1296 |
} else { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1297 |
out.write(crl.getEncodedInternal()); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1298 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1299 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
1300 |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1301 |
/** |
2 | 1302 |
* Creates a PKCS#10 cert signing request, corresponding to the |
1303 |
* keys (and name) associated with a given alias. |
|
1304 |
*/ |
|
1305 |
private void doCertReq(String alias, String sigAlgName, PrintStream out) |
|
1306 |
throws Exception |
|
1307 |
{ |
|
1308 |
if (alias == null) { |
|
1309 |
alias = keyAlias; |
|
1310 |
} |
|
1311 |
||
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1312 |
Pair<Key,char[]> objs = recoverKey(alias, storePass, keyPass); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1313 |
PrivateKey privKey = (PrivateKey)objs.fst; |
2 | 1314 |
if (keyPass == null) { |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1315 |
keyPass = objs.snd; |
2 | 1316 |
} |
1317 |
||
1318 |
Certificate cert = keyStore.getCertificate(alias); |
|
1319 |
if (cert == null) { |
|
1320 |
MessageFormat form = new MessageFormat |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1321 |
(rb.getString("alias.has.no.public.key.certificate.")); |
2 | 1322 |
Object[] source = {alias}; |
1323 |
throw new Exception(form.format(source)); |
|
1324 |
} |
|
1325 |
PKCS10 request = new PKCS10(cert.getPublicKey()); |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1326 |
CertificateExtensions ext = createV3Extensions(null, null, v3ext, cert.getPublicKey(), null); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1327 |
// Attribute name is not significant |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1328 |
request.getAttributes().setAttribute(X509CertInfo.EXTENSIONS, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1329 |
new PKCS10Attribute(PKCS9Attribute.EXTENSION_REQUEST_OID, ext)); |
2 | 1330 |
|
4350
2a593a20d962
6876158: Remove dependencies on Signer, Certificate, Identity, IdentityScope classes from java.security pkg
vinnie
parents:
4169
diff
changeset
|
1331 |
// Construct a Signature object, so that we can sign the request |
2 | 1332 |
if (sigAlgName == null) { |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1333 |
sigAlgName = getCompatibleSigAlgName(privKey.getAlgorithm()); |
2 | 1334 |
} |
1335 |
||
1336 |
Signature signature = Signature.getInstance(sigAlgName); |
|
1337 |
signature.initSign(privKey); |
|
3316
32d30c561c5a
6847026: keytool should be able to generate certreq and cert without subject name
weijun
parents:
2437
diff
changeset
|
1338 |
X500Name subject = dname == null? |
32d30c561c5a
6847026: keytool should be able to generate certreq and cert without subject name
weijun
parents:
2437
diff
changeset
|
1339 |
new X500Name(((X509Certificate)cert).getSubjectDN().toString()): |
32d30c561c5a
6847026: keytool should be able to generate certreq and cert without subject name
weijun
parents:
2437
diff
changeset
|
1340 |
new X500Name(dname); |
2 | 1341 |
|
1342 |
// Sign the request and base-64 encode it |
|
4350
2a593a20d962
6876158: Remove dependencies on Signer, Certificate, Identity, IdentityScope classes from java.security pkg
vinnie
parents:
4169
diff
changeset
|
1343 |
request.encodeAndSign(subject, signature); |
2 | 1344 |
request.print(out); |
1345 |
} |
|
1346 |
||
1347 |
/** |
|
1348 |
* Deletes an entry from the keystore. |
|
1349 |
*/ |
|
1350 |
private void doDeleteEntry(String alias) throws Exception { |
|
1351 |
if (keyStore.containsAlias(alias) == false) { |
|
1352 |
MessageFormat form = new MessageFormat |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1353 |
(rb.getString("Alias.alias.does.not.exist")); |
2 | 1354 |
Object[] source = {alias}; |
1355 |
throw new Exception(form.format(source)); |
|
1356 |
} |
|
1357 |
keyStore.deleteEntry(alias); |
|
1358 |
} |
|
1359 |
||
1360 |
/** |
|
1361 |
* Exports a certificate from the keystore. |
|
1362 |
*/ |
|
1363 |
private void doExportCert(String alias, PrintStream out) |
|
1364 |
throws Exception |
|
1365 |
{ |
|
1366 |
if (storePass == null |
|
1367 |
&& !KeyStoreUtil.isWindowsKeyStore(storetype)) { |
|
1368 |
printWarning(); |
|
1369 |
} |
|
1370 |
if (alias == null) { |
|
1371 |
alias = keyAlias; |
|
1372 |
} |
|
1373 |
if (keyStore.containsAlias(alias) == false) { |
|
1374 |
MessageFormat form = new MessageFormat |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1375 |
(rb.getString("Alias.alias.does.not.exist")); |
2 | 1376 |
Object[] source = {alias}; |
1377 |
throw new Exception(form.format(source)); |
|
1378 |
} |
|
1379 |
||
1380 |
X509Certificate cert = (X509Certificate)keyStore.getCertificate(alias); |
|
1381 |
if (cert == null) { |
|
1382 |
MessageFormat form = new MessageFormat |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1383 |
(rb.getString("Alias.alias.has.no.certificate")); |
2 | 1384 |
Object[] source = {alias}; |
1385 |
throw new Exception(form.format(source)); |
|
1386 |
} |
|
1387 |
dumpCert(cert, out); |
|
1388 |
} |
|
1389 |
||
1390 |
/** |
|
1391 |
* Prompt the user for a keypass when generating a key entry. |
|
1392 |
* @param alias the entry we will set password for |
|
1393 |
* @param orig the original entry of doing a dup, null if generate new |
|
1394 |
* @param origPass the password to copy from if user press ENTER |
|
1395 |
*/ |
|
1396 |
private char[] promptForKeyPass(String alias, String orig, char[] origPass) throws Exception{ |
|
1397 |
if (P12KEYSTORE.equalsIgnoreCase(storetype)) { |
|
1398 |
return origPass; |
|
10436 | 1399 |
} else if (!token && !protectedPath) { |
2 | 1400 |
// Prompt for key password |
1401 |
int count; |
|
1402 |
for (count = 0; count < 3; count++) { |
|
1403 |
MessageFormat form = new MessageFormat(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1404 |
("Enter.key.password.for.alias.")); |
2 | 1405 |
Object[] source = {alias}; |
1406 |
System.err.println(form.format(source)); |
|
1407 |
if (orig == null) { |
|
1408 |
System.err.print(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1409 |
(".RETURN.if.same.as.keystore.password.")); |
2 | 1410 |
} else { |
1411 |
form = new MessageFormat(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1412 |
(".RETURN.if.same.as.for.otherAlias.")); |
2 | 1413 |
Object[] src = {orig}; |
1414 |
System.err.print(form.format(src)); |
|
1415 |
} |
|
1416 |
System.err.flush(); |
|
1417 |
char[] entered = Password.readPassword(System.in); |
|
1418 |
passwords.add(entered); |
|
1419 |
if (entered == null) { |
|
1420 |
return origPass; |
|
1421 |
} else if (entered.length >= 6) { |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1422 |
System.err.print(rb.getString("Re.enter.new.password.")); |
2 | 1423 |
char[] passAgain = Password.readPassword(System.in); |
1424 |
passwords.add(passAgain); |
|
1425 |
if (!Arrays.equals(entered, passAgain)) { |
|
1426 |
System.err.println |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1427 |
(rb.getString("They.don.t.match.Try.again")); |
2 | 1428 |
continue; |
1429 |
} |
|
1430 |
return entered; |
|
1431 |
} else { |
|
1432 |
System.err.println(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1433 |
("Key.password.is.too.short.must.be.at.least.6.characters")); |
2 | 1434 |
} |
1435 |
} |
|
1436 |
if (count == 3) { |
|
1437 |
if (command == KEYCLONE) { |
|
1438 |
throw new Exception(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1439 |
("Too.many.failures.Key.entry.not.cloned")); |
2 | 1440 |
} else { |
1441 |
throw new Exception(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1442 |
("Too.many.failures.key.not.added.to.keystore")); |
2 | 1443 |
} |
1444 |
} |
|
1445 |
} |
|
10436 | 1446 |
return null; // PKCS11, MSCAPI, or -protected |
2 | 1447 |
} |
1448 |
/** |
|
1449 |
* Creates a new secret key. |
|
1450 |
*/ |
|
1451 |
private void doGenSecretKey(String alias, String keyAlgName, |
|
1452 |
int keysize) |
|
1453 |
throws Exception |
|
1454 |
{ |
|
1455 |
if (alias == null) { |
|
1456 |
alias = keyAlias; |
|
1457 |
} |
|
1458 |
if (keyStore.containsAlias(alias)) { |
|
1459 |
MessageFormat form = new MessageFormat(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1460 |
("Secret.key.not.generated.alias.alias.already.exists")); |
2 | 1461 |
Object[] source = {alias}; |
1462 |
throw new Exception(form.format(source)); |
|
1463 |
} |
|
1464 |
||
1465 |
SecretKey secKey = null; |
|
1466 |
KeyGenerator keygen = KeyGenerator.getInstance(keyAlgName); |
|
1467 |
if (keysize != -1) { |
|
1468 |
keygen.init(keysize); |
|
1469 |
} else if ("DES".equalsIgnoreCase(keyAlgName)) { |
|
1470 |
keygen.init(56); |
|
1471 |
} else if ("DESede".equalsIgnoreCase(keyAlgName)) { |
|
1472 |
keygen.init(168); |
|
1473 |
} else { |
|
1474 |
throw new Exception(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1475 |
("Please.provide.keysize.for.secret.key.generation")); |
2 | 1476 |
} |
1477 |
||
1478 |
secKey = keygen.generateKey(); |
|
1479 |
if (keyPass == null) { |
|
1480 |
keyPass = promptForKeyPass(alias, null, storePass); |
|
1481 |
} |
|
1482 |
keyStore.setKeyEntry(alias, secKey, keyPass, null); |
|
1483 |
} |
|
1484 |
||
1485 |
/** |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1486 |
* If no signature algorithm was specified at the command line, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1487 |
* we choose one that is compatible with the selected private key |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1488 |
*/ |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1489 |
private static String getCompatibleSigAlgName(String keyAlgName) |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1490 |
throws Exception { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1491 |
if ("DSA".equalsIgnoreCase(keyAlgName)) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1492 |
return "SHA1WithDSA"; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1493 |
} else if ("RSA".equalsIgnoreCase(keyAlgName)) { |
3318
dade78e63c92
6561126: keytool should use larger default keysize for keypairs
weijun
parents:
3316
diff
changeset
|
1494 |
return "SHA256WithRSA"; |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1495 |
} else if ("EC".equalsIgnoreCase(keyAlgName)) { |
4152
bc36a9f01ac6
6870812: enhance security tools to use ECC algorithms
weijun
parents:
3951
diff
changeset
|
1496 |
return "SHA256withECDSA"; |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1497 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1498 |
throw new Exception(rb.getString |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1499 |
("Cannot.derive.signature.algorithm")); |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1500 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1501 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1502 |
/** |
2 | 1503 |
* Creates a new key pair and self-signed certificate. |
1504 |
*/ |
|
1505 |
private void doGenKeyPair(String alias, String dname, String keyAlgName, |
|
1506 |
int keysize, String sigAlgName) |
|
1507 |
throws Exception |
|
1508 |
{ |
|
1509 |
if (keysize == -1) { |
|
1510 |
if ("EC".equalsIgnoreCase(keyAlgName)) { |
|
1511 |
keysize = 256; |
|
3318
dade78e63c92
6561126: keytool should use larger default keysize for keypairs
weijun
parents:
3316
diff
changeset
|
1512 |
} else if ("RSA".equalsIgnoreCase(keyAlgName)) { |
dade78e63c92
6561126: keytool should use larger default keysize for keypairs
weijun
parents:
3316
diff
changeset
|
1513 |
keysize = 2048; |
2 | 1514 |
} else { |
1515 |
keysize = 1024; |
|
1516 |
} |
|
1517 |
} |
|
1518 |
||
1519 |
if (alias == null) { |
|
1520 |
alias = keyAlias; |
|
1521 |
} |
|
1522 |
||
1523 |
if (keyStore.containsAlias(alias)) { |
|
1524 |
MessageFormat form = new MessageFormat(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1525 |
("Key.pair.not.generated.alias.alias.already.exists")); |
2 | 1526 |
Object[] source = {alias}; |
1527 |
throw new Exception(form.format(source)); |
|
1528 |
} |
|
1529 |
||
1530 |
if (sigAlgName == null) { |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1531 |
sigAlgName = getCompatibleSigAlgName(keyAlgName); |
2 | 1532 |
} |
1533 |
CertAndKeyGen keypair = |
|
1534 |
new CertAndKeyGen(keyAlgName, sigAlgName, providerName); |
|
1535 |
||
1536 |
||
1537 |
// If DN is provided, parse it. Otherwise, prompt the user for it. |
|
1538 |
X500Name x500Name; |
|
1539 |
if (dname == null) { |
|
1540 |
x500Name = getX500Name(); |
|
1541 |
} else { |
|
1542 |
x500Name = new X500Name(dname); |
|
1543 |
} |
|
1544 |
||
1545 |
keypair.generate(keysize); |
|
1546 |
PrivateKey privKey = keypair.getPrivateKey(); |
|
1547 |
||
1548 |
X509Certificate[] chain = new X509Certificate[1]; |
|
1549 |
chain[0] = keypair.getSelfCertificate( |
|
1550 |
x500Name, getStartDate(startDate), validity*24L*60L*60L); |
|
1551 |
||
1552 |
if (verbose) { |
|
1553 |
MessageFormat form = new MessageFormat(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1554 |
("Generating.keysize.bit.keyAlgName.key.pair.and.self.signed.certificate.sigAlgName.with.a.validity.of.validality.days.for")); |
2 | 1555 |
Object[] source = {new Integer(keysize), |
1556 |
privKey.getAlgorithm(), |
|
1557 |
chain[0].getSigAlgName(), |
|
1558 |
new Long(validity), |
|
1559 |
x500Name}; |
|
1560 |
System.err.println(form.format(source)); |
|
1561 |
} |
|
1562 |
||
1563 |
if (keyPass == null) { |
|
1564 |
keyPass = promptForKeyPass(alias, null, storePass); |
|
1565 |
} |
|
1566 |
keyStore.setKeyEntry(alias, privKey, keyPass, chain); |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1567 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1568 |
// resign so that -ext are applied. |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1569 |
doSelfCert(alias, null, sigAlgName); |
2 | 1570 |
} |
1571 |
||
1572 |
/** |
|
1573 |
* Clones an entry |
|
1574 |
* @param orig original alias |
|
1575 |
* @param dest destination alias |
|
1576 |
* @changePassword if the password can be changed |
|
1577 |
*/ |
|
1578 |
private void doCloneEntry(String orig, String dest, boolean changePassword) |
|
1579 |
throws Exception |
|
1580 |
{ |
|
1581 |
if (orig == null) { |
|
1582 |
orig = keyAlias; |
|
1583 |
} |
|
1584 |
||
1585 |
if (keyStore.containsAlias(dest)) { |
|
1586 |
MessageFormat form = new MessageFormat |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1587 |
(rb.getString("Destination.alias.dest.already.exists")); |
2 | 1588 |
Object[] source = {dest}; |
1589 |
throw new Exception(form.format(source)); |
|
1590 |
} |
|
1591 |
||
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1592 |
Pair<Entry,char[]> objs = recoverEntry(keyStore, orig, storePass, keyPass); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1593 |
Entry entry = objs.fst; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1594 |
keyPass = objs.snd; |
2 | 1595 |
|
1596 |
PasswordProtection pp = null; |
|
1597 |
||
1598 |
if (keyPass != null) { // protected |
|
1599 |
if (!changePassword || P12KEYSTORE.equalsIgnoreCase(storetype)) { |
|
1600 |
keyPassNew = keyPass; |
|
1601 |
} else { |
|
1602 |
if (keyPassNew == null) { |
|
1603 |
keyPassNew = promptForKeyPass(dest, orig, keyPass); |
|
1604 |
} |
|
1605 |
} |
|
1606 |
pp = new PasswordProtection(keyPassNew); |
|
1607 |
} |
|
1608 |
keyStore.setEntry(dest, entry, pp); |
|
1609 |
} |
|
1610 |
||
1611 |
/** |
|
1612 |
* Changes a key password. |
|
1613 |
*/ |
|
1614 |
private void doChangeKeyPasswd(String alias) throws Exception |
|
1615 |
{ |
|
1616 |
||
1617 |
if (alias == null) { |
|
1618 |
alias = keyAlias; |
|
1619 |
} |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1620 |
Pair<Key,char[]> objs = recoverKey(alias, storePass, keyPass); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1621 |
Key privKey = objs.fst; |
2 | 1622 |
if (keyPass == null) { |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1623 |
keyPass = objs.snd; |
2 | 1624 |
} |
1625 |
||
1626 |
if (keyPassNew == null) { |
|
1627 |
MessageFormat form = new MessageFormat |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1628 |
(rb.getString("key.password.for.alias.")); |
2 | 1629 |
Object[] source = {alias}; |
1630 |
keyPassNew = getNewPasswd(form.format(source), keyPass); |
|
1631 |
} |
|
1632 |
keyStore.setKeyEntry(alias, privKey, keyPassNew, |
|
1633 |
keyStore.getCertificateChain(alias)); |
|
1634 |
} |
|
1635 |
||
1636 |
/** |
|
1637 |
* Imports a JDK 1.1-style identity database. We can only store one |
|
1638 |
* certificate per identity, because we use the identity's name as the |
|
1639 |
* alias (which references a keystore entry), and aliases must be unique. |
|
1640 |
*/ |
|
1641 |
private void doImportIdentityDatabase(InputStream in) |
|
1642 |
throws Exception |
|
1643 |
{ |
|
4350
2a593a20d962
6876158: Remove dependencies on Signer, Certificate, Identity, IdentityScope classes from java.security pkg
vinnie
parents:
4169
diff
changeset
|
1644 |
System.err.println(rb.getString |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1645 |
("No.entries.from.identity.database.added")); |
2 | 1646 |
} |
1647 |
||
1648 |
/** |
|
1649 |
* Prints a single keystore entry. |
|
1650 |
*/ |
|
1651 |
private void doPrintEntry(String alias, PrintStream out, |
|
1652 |
boolean printWarning) |
|
1653 |
throws Exception |
|
1654 |
{ |
|
1655 |
if (storePass == null && printWarning |
|
1656 |
&& !KeyStoreUtil.isWindowsKeyStore(storetype)) { |
|
1657 |
printWarning(); |
|
1658 |
} |
|
1659 |
||
1660 |
if (keyStore.containsAlias(alias) == false) { |
|
1661 |
MessageFormat form = new MessageFormat |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1662 |
(rb.getString("Alias.alias.does.not.exist")); |
2 | 1663 |
Object[] source = {alias}; |
1664 |
throw new Exception(form.format(source)); |
|
1665 |
} |
|
1666 |
||
1667 |
if (verbose || rfc || debug) { |
|
1668 |
MessageFormat form = new MessageFormat |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1669 |
(rb.getString("Alias.name.alias")); |
2 | 1670 |
Object[] source = {alias}; |
1671 |
out.println(form.format(source)); |
|
1672 |
||
1673 |
if (!token) { |
|
1674 |
form = new MessageFormat(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1675 |
("Creation.date.keyStore.getCreationDate.alias.")); |
2 | 1676 |
Object[] src = {keyStore.getCreationDate(alias)}; |
1677 |
out.println(form.format(src)); |
|
1678 |
} |
|
1679 |
} else { |
|
1680 |
if (!token) { |
|
1681 |
MessageFormat form = new MessageFormat |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1682 |
(rb.getString("alias.keyStore.getCreationDate.alias.")); |
2 | 1683 |
Object[] source = {alias, keyStore.getCreationDate(alias)}; |
1684 |
out.print(form.format(source)); |
|
1685 |
} else { |
|
1686 |
MessageFormat form = new MessageFormat |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1687 |
(rb.getString("alias.")); |
2 | 1688 |
Object[] source = {alias}; |
1689 |
out.print(form.format(source)); |
|
1690 |
} |
|
1691 |
} |
|
1692 |
||
1693 |
if (keyStore.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) { |
|
1694 |
if (verbose || rfc || debug) { |
|
1695 |
Object[] source = {"SecretKeyEntry"}; |
|
1696 |
out.println(new MessageFormat( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1697 |
rb.getString("Entry.type.type.")).format(source)); |
2 | 1698 |
} else { |
1699 |
out.println("SecretKeyEntry, "); |
|
1700 |
} |
|
1701 |
} else if (keyStore.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) { |
|
1702 |
if (verbose || rfc || debug) { |
|
1703 |
Object[] source = {"PrivateKeyEntry"}; |
|
1704 |
out.println(new MessageFormat( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1705 |
rb.getString("Entry.type.type.")).format(source)); |
2 | 1706 |
} else { |
1707 |
out.println("PrivateKeyEntry, "); |
|
1708 |
} |
|
1709 |
||
1710 |
// Get the chain |
|
1711 |
Certificate[] chain = keyStore.getCertificateChain(alias); |
|
1712 |
if (chain != null) { |
|
1713 |
if (verbose || rfc || debug) { |
|
1714 |
out.println(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1715 |
("Certificate.chain.length.") + chain.length); |
2 | 1716 |
for (int i = 0; i < chain.length; i ++) { |
1717 |
MessageFormat form = new MessageFormat |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1718 |
(rb.getString("Certificate.i.1.")); |
2 | 1719 |
Object[] source = {new Integer((i + 1))}; |
1720 |
out.println(form.format(source)); |
|
1721 |
if (verbose && (chain[i] instanceof X509Certificate)) { |
|
1722 |
printX509Cert((X509Certificate)(chain[i]), out); |
|
1723 |
} else if (debug) { |
|
1724 |
out.println(chain[i].toString()); |
|
1725 |
} else { |
|
1726 |
dumpCert(chain[i], out); |
|
1727 |
} |
|
1728 |
} |
|
1729 |
} else { |
|
1730 |
// Print the digest of the user cert only |
|
1731 |
out.println |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1732 |
(rb.getString("Certificate.fingerprint.SHA1.") + |
909
c7bb1699d1b0
6709758: keytool default cert fingerprint algorithm should be SHA1, not MD5
weijun
parents:
904
diff
changeset
|
1733 |
getCertFingerPrint("SHA1", chain[0])); |
2 | 1734 |
} |
1735 |
} |
|
1736 |
} else if (keyStore.entryInstanceOf(alias, |
|
1737 |
KeyStore.TrustedCertificateEntry.class)) { |
|
1738 |
// We have a trusted certificate entry |
|
1739 |
Certificate cert = keyStore.getCertificate(alias); |
|
9011
c08eb9697ee4
7019937: Translatability bug - Remove Unused String - String ID , read end of file
mullan
parents:
8556
diff
changeset
|
1740 |
Object[] source = {"trustedCertEntry"}; |
c08eb9697ee4
7019937: Translatability bug - Remove Unused String - String ID , read end of file
mullan
parents:
8556
diff
changeset
|
1741 |
String mf = new MessageFormat( |
c08eb9697ee4
7019937: Translatability bug - Remove Unused String - String ID , read end of file
mullan
parents:
8556
diff
changeset
|
1742 |
rb.getString("Entry.type.type.")).format(source) + "\n"; |
2 | 1743 |
if (verbose && (cert instanceof X509Certificate)) { |
9011
c08eb9697ee4
7019937: Translatability bug - Remove Unused String - String ID , read end of file
mullan
parents:
8556
diff
changeset
|
1744 |
out.println(mf); |
2 | 1745 |
printX509Cert((X509Certificate)cert, out); |
1746 |
} else if (rfc) { |
|
9011
c08eb9697ee4
7019937: Translatability bug - Remove Unused String - String ID , read end of file
mullan
parents:
8556
diff
changeset
|
1747 |
out.println(mf); |
2 | 1748 |
dumpCert(cert, out); |
1749 |
} else if (debug) { |
|
1750 |
out.println(cert.toString()); |
|
1751 |
} else { |
|
9011
c08eb9697ee4
7019937: Translatability bug - Remove Unused String - String ID , read end of file
mullan
parents:
8556
diff
changeset
|
1752 |
out.println("trustedCertEntry, "); |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1753 |
out.println(rb.getString("Certificate.fingerprint.SHA1.") |
909
c7bb1699d1b0
6709758: keytool default cert fingerprint algorithm should be SHA1, not MD5
weijun
parents:
904
diff
changeset
|
1754 |
+ getCertFingerPrint("SHA1", cert)); |
2 | 1755 |
} |
1756 |
} else { |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1757 |
out.println(rb.getString("Unknown.Entry.Type")); |
2 | 1758 |
} |
1759 |
} |
|
1760 |
||
1761 |
/** |
|
1762 |
* Load the srckeystore from a stream, used in -importkeystore |
|
1763 |
* @returns the src KeyStore |
|
1764 |
*/ |
|
1765 |
KeyStore loadSourceKeyStore() throws Exception { |
|
1766 |
boolean isPkcs11 = false; |
|
1767 |
||
1768 |
InputStream is = null; |
|
1769 |
||
1770 |
if (P11KEYSTORE.equalsIgnoreCase(srcstoretype) || |
|
1771 |
KeyStoreUtil.isWindowsKeyStore(srcstoretype)) { |
|
1772 |
if (!NONE.equals(srcksfname)) { |
|
1773 |
System.err.println(MessageFormat.format(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1774 |
(".keystore.must.be.NONE.if.storetype.is.{0}"), srcstoretype)); |
2 | 1775 |
System.err.println(); |
1776 |
tinyHelp(); |
|
1777 |
} |
|
1778 |
isPkcs11 = true; |
|
1779 |
} else { |
|
1780 |
if (srcksfname != null) { |
|
1781 |
File srcksfile = new File(srcksfname); |
|
1782 |
if (srcksfile.exists() && srcksfile.length() == 0) { |
|
1783 |
throw new Exception(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1784 |
("Source.keystore.file.exists.but.is.empty.") + |
2 | 1785 |
srcksfname); |
1786 |
} |
|
1787 |
is = new FileInputStream(srcksfile); |
|
1788 |
} else { |
|
1789 |
throw new Exception(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1790 |
("Please.specify.srckeystore")); |
2 | 1791 |
} |
1792 |
} |
|
1793 |
||
1794 |
KeyStore store; |
|
1795 |
try { |
|
1796 |
if (srcProviderName == null) { |
|
1797 |
store = KeyStore.getInstance(srcstoretype); |
|
1798 |
} else { |
|
1799 |
store = KeyStore.getInstance(srcstoretype, srcProviderName); |
|
1800 |
} |
|
1801 |
||
1802 |
if (srcstorePass == null |
|
1803 |
&& !srcprotectedPath |
|
1804 |
&& !KeyStoreUtil.isWindowsKeyStore(srcstoretype)) { |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1805 |
System.err.print(rb.getString("Enter.source.keystore.password.")); |
2 | 1806 |
System.err.flush(); |
1807 |
srcstorePass = Password.readPassword(System.in); |
|
1808 |
passwords.add(srcstorePass); |
|
1809 |
} |
|
1810 |
||
1811 |
// always let keypass be storepass when using pkcs12 |
|
1812 |
if (P12KEYSTORE.equalsIgnoreCase(srcstoretype)) { |
|
1813 |
if (srckeyPass != null && srcstorePass != null && |
|
1814 |
!Arrays.equals(srcstorePass, srckeyPass)) { |
|
1815 |
MessageFormat form = new MessageFormat(rb.getString( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1816 |
"Warning.Different.store.and.key.passwords.not.supported.for.PKCS12.KeyStores.Ignoring.user.specified.command.value.")); |
2 | 1817 |
Object[] source = {"-srckeypass"}; |
1818 |
System.err.println(form.format(source)); |
|
1819 |
srckeyPass = srcstorePass; |
|
1820 |
} |
|
1821 |
} |
|
1822 |
||
1823 |
store.load(is, srcstorePass); // "is" already null in PKCS11 |
|
1824 |
} finally { |
|
1825 |
if (is != null) { |
|
1826 |
is.close(); |
|
1827 |
} |
|
1828 |
} |
|
1829 |
||
1830 |
if (srcstorePass == null |
|
1831 |
&& !KeyStoreUtil.isWindowsKeyStore(srcstoretype)) { |
|
1832 |
// anti refactoring, copied from printWarning(), |
|
1833 |
// but change 2 lines |
|
1834 |
System.err.println(); |
|
1835 |
System.err.println(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1836 |
(".WARNING.WARNING.WARNING.")); |
2 | 1837 |
System.err.println(rb.getString |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1838 |
(".The.integrity.of.the.information.stored.in.the.srckeystore.")); |
2 | 1839 |
System.err.println(rb.getString |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1840 |
(".WARNING.WARNING.WARNING.")); |
2 | 1841 |
System.err.println(); |
1842 |
} |
|
1843 |
||
1844 |
return store; |
|
1845 |
} |
|
1846 |
||
1847 |
/** |
|
1848 |
* import all keys and certs from importkeystore. |
|
1849 |
* keep alias unchanged if no name conflict, otherwise, prompt. |
|
1850 |
* keep keypass unchanged for keys |
|
1851 |
*/ |
|
1852 |
private void doImportKeyStore() throws Exception { |
|
1853 |
||
1854 |
if (alias != null) { |
|
1855 |
doImportKeyStoreSingle(loadSourceKeyStore(), alias); |
|
1856 |
} else { |
|
1857 |
if (dest != null || srckeyPass != null || destKeyPass != null) { |
|
1858 |
throw new Exception(rb.getString( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1859 |
"if.alias.not.specified.destalias.srckeypass.and.destkeypass.must.not.be.specified")); |
2 | 1860 |
} |
1861 |
doImportKeyStoreAll(loadSourceKeyStore()); |
|
1862 |
} |
|
1863 |
/* |
|
1864 |
* Information display rule of -importkeystore |
|
1865 |
* 1. inside single, shows failure |
|
1866 |
* 2. inside all, shows sucess |
|
1867 |
* 3. inside all where there is a failure, prompt for continue |
|
1868 |
* 4. at the final of all, shows summary |
|
1869 |
*/ |
|
1870 |
} |
|
1871 |
||
1872 |
/** |
|
1873 |
* Import a single entry named alias from srckeystore |
|
1874 |
* @returns 1 if the import action succeed |
|
1875 |
* 0 if user choose to ignore an alias-dumplicated entry |
|
1876 |
* 2 if setEntry throws Exception |
|
1877 |
*/ |
|
1878 |
private int doImportKeyStoreSingle(KeyStore srckeystore, String alias) |
|
1879 |
throws Exception { |
|
1880 |
||
1881 |
String newAlias = (dest==null) ? alias : dest; |
|
1882 |
||
1883 |
if (keyStore.containsAlias(newAlias)) { |
|
1884 |
Object[] source = {alias}; |
|
1885 |
if (noprompt) { |
|
1886 |
System.err.println(new MessageFormat(rb.getString( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1887 |
"Warning.Overwriting.existing.alias.alias.in.destination.keystore")).format(source)); |
2 | 1888 |
} else { |
1889 |
String reply = getYesNoReply(new MessageFormat(rb.getString( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1890 |
"Existing.entry.alias.alias.exists.overwrite.no.")).format(source)); |
2 | 1891 |
if ("NO".equals(reply)) { |
1892 |
newAlias = inputStringFromStdin(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1893 |
("Enter.new.alias.name.RETURN.to.cancel.import.for.this.entry.")); |
2 | 1894 |
if ("".equals(newAlias)) { |
1895 |
System.err.println(new MessageFormat(rb.getString( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1896 |
"Entry.for.alias.alias.not.imported.")).format( |
2 | 1897 |
source)); |
1898 |
return 0; |
|
1899 |
} |
|
1900 |
} |
|
1901 |
} |
|
1902 |
} |
|
1903 |
||
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1904 |
Pair<Entry,char[]> objs = recoverEntry(srckeystore, alias, srcstorePass, srckeyPass); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1905 |
Entry entry = objs.fst; |
2 | 1906 |
|
1907 |
PasswordProtection pp = null; |
|
1908 |
||
1909 |
// According to keytool.html, "The destination entry will be protected |
|
1910 |
// using destkeypass. If destkeypass is not provided, the destination |
|
1911 |
// entry will be protected with the source entry password." |
|
1912 |
// so always try to protect with destKeyPass. |
|
1913 |
if (destKeyPass != null) { |
|
1914 |
pp = new PasswordProtection(destKeyPass); |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1915 |
} else if (objs.snd != null) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
1916 |
pp = new PasswordProtection(objs.snd); |
2 | 1917 |
} |
1918 |
||
1919 |
try { |
|
1920 |
keyStore.setEntry(newAlias, entry, pp); |
|
1921 |
return 1; |
|
1922 |
} catch (KeyStoreException kse) { |
|
1923 |
Object[] source2 = {alias, kse.toString()}; |
|
1924 |
MessageFormat form = new MessageFormat(rb.getString( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1925 |
"Problem.importing.entry.for.alias.alias.exception.Entry.for.alias.alias.not.imported.")); |
2 | 1926 |
System.err.println(form.format(source2)); |
1927 |
return 2; |
|
1928 |
} |
|
1929 |
} |
|
1930 |
||
1931 |
private void doImportKeyStoreAll(KeyStore srckeystore) throws Exception { |
|
1932 |
||
1933 |
int ok = 0; |
|
1934 |
int count = srckeystore.size(); |
|
1935 |
for (Enumeration<String> e = srckeystore.aliases(); |
|
1936 |
e.hasMoreElements(); ) { |
|
1937 |
String alias = e.nextElement(); |
|
1938 |
int result = doImportKeyStoreSingle(srckeystore, alias); |
|
1939 |
if (result == 1) { |
|
1940 |
ok++; |
|
1941 |
Object[] source = {alias}; |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1942 |
MessageFormat form = new MessageFormat(rb.getString("Entry.for.alias.alias.successfully.imported.")); |
2 | 1943 |
System.err.println(form.format(source)); |
1944 |
} else if (result == 2) { |
|
1945 |
if (!noprompt) { |
|
1946 |
String reply = getYesNoReply("Do you want to quit the import process? [no]: "); |
|
1947 |
if ("YES".equals(reply)) { |
|
1948 |
break; |
|
1949 |
} |
|
1950 |
} |
|
1951 |
} |
|
1952 |
} |
|
1953 |
Object[] source = {ok, count-ok}; |
|
1954 |
MessageFormat form = new MessageFormat(rb.getString( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1955 |
"Import.command.completed.ok.entries.successfully.imported.fail.entries.failed.or.cancelled")); |
2 | 1956 |
System.err.println(form.format(source)); |
1957 |
} |
|
1958 |
||
1959 |
/** |
|
1960 |
* Prints all keystore entries. |
|
1961 |
*/ |
|
1962 |
private void doPrintEntries(PrintStream out) |
|
1963 |
throws Exception |
|
1964 |
{ |
|
1965 |
if (storePass == null |
|
1966 |
&& !KeyStoreUtil.isWindowsKeyStore(storetype)) { |
|
1967 |
printWarning(); |
|
1968 |
} else { |
|
1969 |
out.println(); |
|
1970 |
} |
|
1971 |
||
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1972 |
out.println(rb.getString("Keystore.type.") + keyStore.getType()); |
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1973 |
out.println(rb.getString("Keystore.provider.") + |
2 | 1974 |
keyStore.getProvider().getName()); |
1975 |
out.println(); |
|
1976 |
||
1977 |
MessageFormat form; |
|
1978 |
form = (keyStore.size() == 1) ? |
|
1979 |
new MessageFormat(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1980 |
("Your.keystore.contains.keyStore.size.entry")) : |
2 | 1981 |
new MessageFormat(rb.getString |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1982 |
("Your.keystore.contains.keyStore.size.entries")); |
2 | 1983 |
Object[] source = {new Integer(keyStore.size())}; |
1984 |
out.println(form.format(source)); |
|
1985 |
out.println(); |
|
1986 |
||
1987 |
for (Enumeration<String> e = keyStore.aliases(); |
|
1988 |
e.hasMoreElements(); ) { |
|
1989 |
String alias = e.nextElement(); |
|
1990 |
doPrintEntry(alias, out, false); |
|
1991 |
if (verbose || rfc) { |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1992 |
out.println(rb.getString("NEWLINE")); |
2 | 1993 |
out.println(rb.getString |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1994 |
("STAR")); |
2 | 1995 |
out.println(rb.getString |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
1996 |
("STARNN")); |
2 | 1997 |
} |
1998 |
} |
|
1999 |
} |
|
2000 |
||
5462
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2001 |
private static <T> Iterable<T> e2i(final Enumeration<T> e) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2002 |
return new Iterable<T>() { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2003 |
@Override |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2004 |
public Iterator<T> iterator() { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2005 |
return new Iterator<T>() { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2006 |
@Override |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2007 |
public boolean hasNext() { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2008 |
return e.hasMoreElements(); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2009 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2010 |
@Override |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2011 |
public T next() { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2012 |
return e.nextElement(); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2013 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2014 |
public void remove() { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2015 |
throw new UnsupportedOperationException("Not supported yet."); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2016 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2017 |
}; |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2018 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2019 |
}; |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2020 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2021 |
|
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2022 |
/** |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2023 |
* Loads CRLs from a source. This method is also called in JarSigner. |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2024 |
* @param src the source, which means System.in if null, or a URI, |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2025 |
* or a bare file path name |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2026 |
*/ |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2027 |
public static Collection<? extends CRL> loadCRLs(String src) throws Exception { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2028 |
InputStream in = null; |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2029 |
URI uri = null; |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2030 |
if (src == null) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2031 |
in = System.in; |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2032 |
} else { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2033 |
try { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2034 |
uri = new URI(src); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2035 |
if (uri.getScheme().equals("ldap")) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2036 |
// No input stream for LDAP |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2037 |
} else { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2038 |
in = uri.toURL().openStream(); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2039 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2040 |
} catch (Exception e) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2041 |
try { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2042 |
in = new FileInputStream(src); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2043 |
} catch (Exception e2) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2044 |
if (uri == null || uri.getScheme() == null) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2045 |
throw e2; // More likely a bare file path |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2046 |
} else { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2047 |
throw e; // More likely a protocol or network problem |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2048 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2049 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2050 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2051 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2052 |
if (in != null) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2053 |
try { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2054 |
// Read the full stream before feeding to X509Factory, |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2055 |
// otherwise, keytool -gencrl | keytool -printcrl |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2056 |
// might not work properly, since -gencrl is slow |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2057 |
// and there's no data in the pipe at the beginning. |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2058 |
ByteArrayOutputStream bout = new ByteArrayOutputStream(); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2059 |
byte[] b = new byte[4096]; |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2060 |
while (true) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2061 |
int len = in.read(b); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2062 |
if (len < 0) break; |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2063 |
bout.write(b, 0, len); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2064 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2065 |
return CertificateFactory.getInstance("X509").generateCRLs( |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2066 |
new ByteArrayInputStream(bout.toByteArray())); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2067 |
} finally { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2068 |
if (in != System.in) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2069 |
in.close(); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2070 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2071 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2072 |
} else { // must be LDAP, and uri is not null |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2073 |
String path = uri.getPath(); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2074 |
if (path.charAt(0) == '/') path = path.substring(1); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2075 |
LDAPCertStoreHelper h = new LDAPCertStoreHelper(); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2076 |
CertStore s = h.getCertStore(uri); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2077 |
X509CRLSelector sel = |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2078 |
h.wrap(new X509CRLSelector(), null, path); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2079 |
return s.getCRLs(sel); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2080 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2081 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2082 |
|
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2083 |
/** |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2084 |
* Returns CRLs described in a X509Certificate's CRLDistributionPoints |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2085 |
* Extension. Only those containing a general name of type URI are read. |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2086 |
*/ |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2087 |
public static List<CRL> readCRLsFromCert(X509Certificate cert) |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2088 |
throws Exception { |
7977
f47f211cd627
7008713: diamond conversion of kerberos5 and security tools
smarks
parents:
7179
diff
changeset
|
2089 |
List<CRL> crls = new ArrayList<>(); |
5462
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2090 |
CRLDistributionPointsExtension ext = |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2091 |
X509CertImpl.toImpl(cert).getCRLDistributionPointsExtension(); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2092 |
if (ext == null) return crls; |
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
10051
diff
changeset
|
2093 |
List<DistributionPoint> distPoints = |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
10051
diff
changeset
|
2094 |
ext.get(CRLDistributionPointsExtension.POINTS); |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
10051
diff
changeset
|
2095 |
for (DistributionPoint o: distPoints) { |
5462
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2096 |
GeneralNames names = o.getFullName(); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2097 |
if (names != null) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2098 |
for (GeneralName name: names.names()) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2099 |
if (name.getType() == GeneralNameInterface.NAME_URI) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2100 |
URIName uriName = (URIName)name.getName(); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2101 |
for (CRL crl: KeyTool.loadCRLs(uriName.getName())) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2102 |
if (crl instanceof X509CRL) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2103 |
crls.add((X509CRL)crl); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2104 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2105 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2106 |
break; // Different name should point to same CRL |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2107 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2108 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2109 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2110 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2111 |
return crls; |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2112 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2113 |
|
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2114 |
private static String verifyCRL(KeyStore ks, CRL crl) |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2115 |
throws Exception { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2116 |
X509CRLImpl xcrl = (X509CRLImpl)crl; |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2117 |
X500Principal issuer = xcrl.getIssuerX500Principal(); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2118 |
for (String s: e2i(ks.aliases())) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2119 |
Certificate cert = ks.getCertificate(s); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2120 |
if (cert instanceof X509Certificate) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2121 |
X509Certificate xcert = (X509Certificate)cert; |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2122 |
if (xcert.getSubjectX500Principal().equals(issuer)) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2123 |
try { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2124 |
((X509CRLImpl)crl).verify(cert.getPublicKey()); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2125 |
return s; |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2126 |
} catch (Exception e) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2127 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2128 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2129 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2130 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2131 |
return null; |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2132 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2133 |
|
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2134 |
private void doPrintCRL(String src, PrintStream out) |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2135 |
throws Exception { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2136 |
for (CRL crl: loadCRLs(src)) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2137 |
printCRL(crl, out); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2138 |
String issuer = null; |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2139 |
if (caks != null) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2140 |
issuer = verifyCRL(caks, crl); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2141 |
if (issuer != null) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2142 |
System.out.println("Verified by " + issuer + " in cacerts"); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2143 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2144 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2145 |
if (issuer == null && keyStore != null) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2146 |
issuer = verifyCRL(keyStore, crl); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2147 |
if (issuer != null) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2148 |
System.out.println("Verified by " + issuer + " in keystore"); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2149 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2150 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2151 |
if (issuer == null) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2152 |
out.println(rb.getString |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2153 |
("STAR")); |
5462
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2154 |
out.println("WARNING: not verified. Make sure -keystore and -alias are correct."); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2155 |
out.println(rb.getString |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2156 |
("STARNN")); |
5462
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2157 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2158 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2159 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2160 |
|
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2161 |
private void printCRL(CRL crl, PrintStream out) |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2162 |
throws Exception { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2163 |
if (rfc) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2164 |
X509CRL xcrl = (X509CRL)crl; |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2165 |
out.println("-----BEGIN X509 CRL-----"); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2166 |
new BASE64Encoder().encodeBuffer(xcrl.getEncoded(), out); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2167 |
out.println("-----END X509 CRL-----"); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2168 |
} else { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2169 |
out.println(crl.toString()); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2170 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2171 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
2172 |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2173 |
private void doPrintCertReq(InputStream in, PrintStream out) |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2174 |
throws Exception { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2175 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2176 |
BufferedReader reader = new BufferedReader(new InputStreamReader(in)); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2177 |
StringBuffer sb = new StringBuffer(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2178 |
boolean started = false; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2179 |
while (true) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2180 |
String s = reader.readLine(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2181 |
if (s == null) break; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2182 |
if (!started) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2183 |
if (s.startsWith("-----")) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2184 |
started = true; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2185 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2186 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2187 |
if (s.startsWith("-----")) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2188 |
break; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2189 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2190 |
sb.append(s); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2191 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2192 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2193 |
PKCS10 req = new PKCS10(new BASE64Decoder().decodeBuffer(new String(sb))); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2194 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2195 |
PublicKey pkey = req.getSubjectPublicKeyInfo(); |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2196 |
out.printf(rb.getString("PKCS.10.Certificate.Request.Version.1.0.Subject.s.Public.Key.s.format.s.key."), |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2197 |
req.getSubjectName(), pkey.getFormat(), pkey.getAlgorithm()); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2198 |
for (PKCS10Attribute attr: req.getAttributes().getAttributes()) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2199 |
ObjectIdentifier oid = attr.getAttributeId(); |
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
10051
diff
changeset
|
2200 |
if (oid.equals((Object)PKCS9Attribute.EXTENSION_REQUEST_OID)) { |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2201 |
CertificateExtensions exts = (CertificateExtensions)attr.getAttributeValue(); |
2179
e172c13ca87a
6813402: keytool cannot -printcert entries without extensions
weijun
parents:
2067
diff
changeset
|
2202 |
if (exts != null) { |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2203 |
printExtensions(rb.getString("Extension.Request."), exts, out); |
2179
e172c13ca87a
6813402: keytool cannot -printcert entries without extensions
weijun
parents:
2067
diff
changeset
|
2204 |
} |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2205 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2206 |
out.println(attr.getAttributeId()); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2207 |
out.println(attr.getAttributeValue()); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2208 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2209 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2210 |
if (debug) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2211 |
out.println(req); // Just to see more, say, public key length... |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2212 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2213 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2214 |
|
2 | 2215 |
/** |
2216 |
* Reads a certificate (or certificate chain) and prints its contents in |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2217 |
* a human readable format. |
2 | 2218 |
*/ |
904
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2219 |
private void printCertFromStream(InputStream in, PrintStream out) |
2 | 2220 |
throws Exception |
2221 |
{ |
|
2222 |
Collection<? extends Certificate> c = null; |
|
2223 |
try { |
|
2224 |
c = cf.generateCertificates(in); |
|
2225 |
} catch (CertificateException ce) { |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2226 |
throw new Exception(rb.getString("Failed.to.parse.input"), ce); |
2 | 2227 |
} |
2228 |
if (c.isEmpty()) { |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2229 |
throw new Exception(rb.getString("Empty.input")); |
2 | 2230 |
} |
2231 |
Certificate[] certs = c.toArray(new Certificate[c.size()]); |
|
2232 |
for (int i=0; i<certs.length; i++) { |
|
2233 |
X509Certificate x509Cert = null; |
|
2234 |
try { |
|
2235 |
x509Cert = (X509Certificate)certs[i]; |
|
2236 |
} catch (ClassCastException cce) { |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2237 |
throw new Exception(rb.getString("Not.X.509.certificate")); |
2 | 2238 |
} |
2239 |
if (certs.length > 1) { |
|
2240 |
MessageFormat form = new MessageFormat |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2241 |
(rb.getString("Certificate.i.1.")); |
2 | 2242 |
Object[] source = {new Integer(i + 1)}; |
2243 |
out.println(form.format(source)); |
|
2244 |
} |
|
904
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2245 |
if (rfc) dumpCert(x509Cert, out); |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2246 |
else printX509Cert(x509Cert, out); |
2 | 2247 |
if (i < (certs.length-1)) { |
2248 |
out.println(); |
|
2249 |
} |
|
2250 |
} |
|
2251 |
} |
|
2252 |
||
904
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2253 |
private void doPrintCert(final PrintStream out) throws Exception { |
4169
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2254 |
if (jarfile != null) { |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2255 |
JarFile jf = new JarFile(jarfile, true); |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2256 |
Enumeration<JarEntry> entries = jf.entries(); |
7977
f47f211cd627
7008713: diamond conversion of kerberos5 and security tools
smarks
parents:
7179
diff
changeset
|
2257 |
Set<CodeSigner> ss = new HashSet<>(); |
4169
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2258 |
byte[] buffer = new byte[8192]; |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2259 |
int pos = 0; |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2260 |
while (entries.hasMoreElements()) { |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2261 |
JarEntry je = entries.nextElement(); |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2262 |
InputStream is = null; |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2263 |
try { |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2264 |
is = jf.getInputStream(je); |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2265 |
while (is.read(buffer) != -1) { |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2266 |
// we just read. this will throw a SecurityException |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2267 |
// if a signature/digest check fails. This also |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2268 |
// populate the signers |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2269 |
} |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2270 |
} finally { |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2271 |
if (is != null) { |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2272 |
is.close(); |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2273 |
} |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2274 |
} |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2275 |
CodeSigner[] signers = je.getCodeSigners(); |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2276 |
if (signers != null) { |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2277 |
for (CodeSigner signer: signers) { |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2278 |
if (!ss.contains(signer)) { |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2279 |
ss.add(signer); |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2280 |
out.printf(rb.getString("Signer.d."), ++pos); |
4169
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2281 |
out.println(); |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2282 |
out.println(); |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2283 |
out.println(rb.getString("Signature.")); |
4169
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2284 |
out.println(); |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2285 |
for (Certificate cert: signer.getSignerCertPath().getCertificates()) { |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2286 |
X509Certificate x = (X509Certificate)cert; |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2287 |
if (rfc) { |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2288 |
out.println(rb.getString("Certificate.owner.") + x.getSubjectDN() + "\n"); |
4169
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2289 |
dumpCert(x, out); |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2290 |
} else { |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2291 |
printX509Cert(x, out); |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2292 |
} |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2293 |
out.println(); |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2294 |
} |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2295 |
Timestamp ts = signer.getTimestamp(); |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2296 |
if (ts != null) { |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2297 |
out.println(rb.getString("Timestamp.")); |
4169
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2298 |
out.println(); |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2299 |
for (Certificate cert: ts.getSignerCertPath().getCertificates()) { |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2300 |
X509Certificate x = (X509Certificate)cert; |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2301 |
if (rfc) { |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2302 |
out.println(rb.getString("Certificate.owner.") + x.getSubjectDN() + "\n"); |
4169
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2303 |
dumpCert(x, out); |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2304 |
} else { |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2305 |
printX509Cert(x, out); |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2306 |
} |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2307 |
out.println(); |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2308 |
} |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2309 |
} |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2310 |
} |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2311 |
} |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2312 |
} |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2313 |
} |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2314 |
jf.close(); |
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
10051
diff
changeset
|
2315 |
if (ss.isEmpty()) { |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2316 |
out.println(rb.getString("Not.a.signed.jar.file")); |
4169
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2317 |
} |
0ca7e3e74ba4
6890872: keytool -printcert to recognize signed jar files
weijun
parents:
4152
diff
changeset
|
2318 |
} else if (sslserver != null) { |
904
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2319 |
SSLContext sc = SSLContext.getInstance("SSL"); |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2320 |
final boolean[] certPrinted = new boolean[1]; |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2321 |
sc.init(null, new TrustManager[] { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2322 |
new X509TrustManager() { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2323 |
|
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2324 |
public java.security.cert.X509Certificate[] getAcceptedIssuers() { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2325 |
return null; |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2326 |
} |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2327 |
|
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2328 |
public void checkClientTrusted( |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2329 |
java.security.cert.X509Certificate[] certs, String authType) { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2330 |
} |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2331 |
|
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2332 |
public void checkServerTrusted( |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2333 |
java.security.cert.X509Certificate[] certs, String authType) { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2334 |
for (int i=0; i<certs.length; i++) { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2335 |
X509Certificate cert = certs[i]; |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2336 |
try { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2337 |
if (rfc) { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2338 |
dumpCert(cert, out); |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2339 |
} else { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2340 |
out.println("Certificate #" + i); |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2341 |
out.println("===================================="); |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2342 |
printX509Cert(cert, out); |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2343 |
out.println(); |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2344 |
} |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2345 |
} catch (Exception e) { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2346 |
if (debug) { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2347 |
e.printStackTrace(); |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2348 |
} |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2349 |
} |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2350 |
} |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2351 |
|
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2352 |
// Set to true where there's something to print |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2353 |
if (certs.length > 0) { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2354 |
certPrinted[0] = true; |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2355 |
} |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2356 |
} |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2357 |
} |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2358 |
}, null); |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2359 |
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2360 |
HttpsURLConnection.setDefaultHostnameVerifier( |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2361 |
new HostnameVerifier() { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2362 |
public boolean verify(String hostname, SSLSession session) { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2363 |
return true; |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2364 |
} |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2365 |
}); |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2366 |
// HTTPS instead of raw SSL, so that -Dhttps.proxyHost and |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2367 |
// -Dhttps.proxyPort can be used. Since we only go through |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2368 |
// the handshake process, an HTTPS server is not needed. |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2369 |
// This program should be able to deal with any SSL-based |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2370 |
// network service. |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2371 |
Exception ex = null; |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2372 |
try { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2373 |
new URL("https://" + sslserver).openConnection().connect(); |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2374 |
} catch (Exception e) { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2375 |
ex = e; |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2376 |
} |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2377 |
// If the certs are not printed out, we consider it an error even |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2378 |
// if the URL connection is successful. |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2379 |
if (!certPrinted[0]) { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2380 |
Exception e = new Exception( |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2381 |
rb.getString("No.certificate.from.the.SSL.server")); |
904
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2382 |
if (ex != null) { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2383 |
e.initCause(ex); |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2384 |
} |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2385 |
throw e; |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2386 |
} |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2387 |
} else { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2388 |
InputStream inStream = System.in; |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2389 |
if (filename != null) { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2390 |
inStream = new FileInputStream(filename); |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2391 |
} |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2392 |
try { |
5164
337ae296b6d6
6813340: X509Factory should not depend on is.available()==0
weijun
parents:
4918
diff
changeset
|
2393 |
printCertFromStream(inStream, out); |
904
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2394 |
} finally { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2395 |
if (inStream != System.in) { |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2396 |
inStream.close(); |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2397 |
} |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2398 |
} |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2399 |
} |
eadc9fa4b700
6480981: keytool should be able to import certificates from remote SSL servers
weijun
parents:
2
diff
changeset
|
2400 |
} |
2 | 2401 |
/** |
2402 |
* Creates a self-signed certificate, and stores it as a single-element |
|
2403 |
* certificate chain. |
|
2404 |
*/ |
|
2405 |
private void doSelfCert(String alias, String dname, String sigAlgName) |
|
2406 |
throws Exception |
|
2407 |
{ |
|
2408 |
if (alias == null) { |
|
2409 |
alias = keyAlias; |
|
2410 |
} |
|
2411 |
||
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2412 |
Pair<Key,char[]> objs = recoverKey(alias, storePass, keyPass); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2413 |
PrivateKey privKey = (PrivateKey)objs.fst; |
2 | 2414 |
if (keyPass == null) |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2415 |
keyPass = objs.snd; |
2 | 2416 |
|
2417 |
// Determine the signature algorithm |
|
2418 |
if (sigAlgName == null) { |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2419 |
sigAlgName = getCompatibleSigAlgName(privKey.getAlgorithm()); |
2 | 2420 |
} |
2421 |
||
2422 |
// Get the old certificate |
|
2423 |
Certificate oldCert = keyStore.getCertificate(alias); |
|
2424 |
if (oldCert == null) { |
|
2425 |
MessageFormat form = new MessageFormat |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2426 |
(rb.getString("alias.has.no.public.key")); |
2 | 2427 |
Object[] source = {alias}; |
2428 |
throw new Exception(form.format(source)); |
|
2429 |
} |
|
2430 |
if (!(oldCert instanceof X509Certificate)) { |
|
2431 |
MessageFormat form = new MessageFormat |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2432 |
(rb.getString("alias.has.no.X.509.certificate")); |
2 | 2433 |
Object[] source = {alias}; |
2434 |
throw new Exception(form.format(source)); |
|
2435 |
} |
|
2436 |
||
2437 |
// convert to X509CertImpl, so that we can modify selected fields |
|
2438 |
// (no public APIs available yet) |
|
2439 |
byte[] encoded = oldCert.getEncoded(); |
|
2440 |
X509CertImpl certImpl = new X509CertImpl(encoded); |
|
2441 |
X509CertInfo certInfo = (X509CertInfo)certImpl.get(X509CertImpl.NAME |
|
2442 |
+ "." + |
|
2443 |
X509CertImpl.INFO); |
|
2444 |
||
2445 |
// Extend its validity |
|
2446 |
Date firstDate = getStartDate(startDate); |
|
2447 |
Date lastDate = new Date(); |
|
2448 |
lastDate.setTime(firstDate.getTime() + validity*1000L*24L*60L*60L); |
|
2449 |
CertificateValidity interval = new CertificateValidity(firstDate, |
|
2450 |
lastDate); |
|
2451 |
certInfo.set(X509CertInfo.VALIDITY, interval); |
|
2452 |
||
2453 |
// Make new serial number |
|
2293
cb6d01cb3c3d
6820606: keytool can generate serialno more randomly
weijun
parents:
2289
diff
changeset
|
2454 |
certInfo.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber( |
cb6d01cb3c3d
6820606: keytool can generate serialno more randomly
weijun
parents:
2289
diff
changeset
|
2455 |
new java.util.Random().nextInt() & 0x7fffffff)); |
2 | 2456 |
|
2457 |
// Set owner and issuer fields |
|
2458 |
X500Name owner; |
|
2459 |
if (dname == null) { |
|
2460 |
// Get the owner name from the certificate |
|
2461 |
owner = (X500Name)certInfo.get(X509CertInfo.SUBJECT + "." + |
|
2462 |
CertificateSubjectName.DN_NAME); |
|
2463 |
} else { |
|
2464 |
// Use the owner name specified at the command line |
|
2465 |
owner = new X500Name(dname); |
|
2466 |
certInfo.set(X509CertInfo.SUBJECT + "." + |
|
2467 |
CertificateSubjectName.DN_NAME, owner); |
|
2468 |
} |
|
2469 |
// Make issuer same as owner (self-signed!) |
|
2470 |
certInfo.set(X509CertInfo.ISSUER + "." + |
|
2471 |
CertificateIssuerName.DN_NAME, owner); |
|
2472 |
||
2473 |
// The inner and outer signature algorithms have to match. |
|
2474 |
// The way we achieve that is really ugly, but there seems to be no |
|
2475 |
// other solution: We first sign the cert, then retrieve the |
|
2476 |
// outer sigalg and use it to set the inner sigalg |
|
2477 |
X509CertImpl newCert = new X509CertImpl(certInfo); |
|
2478 |
newCert.sign(privKey, sigAlgName); |
|
2479 |
AlgorithmId sigAlgid = (AlgorithmId)newCert.get(X509CertImpl.SIG_ALG); |
|
2480 |
certInfo.set(CertificateAlgorithmId.NAME + "." + |
|
2481 |
CertificateAlgorithmId.ALGORITHM, sigAlgid); |
|
2482 |
||
2483 |
certInfo.set(X509CertInfo.VERSION, |
|
2484 |
new CertificateVersion(CertificateVersion.V3)); |
|
2485 |
||
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2486 |
CertificateExtensions ext = createV3Extensions( |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2487 |
null, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2488 |
(CertificateExtensions)certInfo.get(X509CertInfo.EXTENSIONS), |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2489 |
v3ext, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2490 |
oldCert.getPublicKey(), |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2491 |
null); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2492 |
certInfo.set(X509CertInfo.EXTENSIONS, ext); |
2 | 2493 |
// Sign the new certificate |
2494 |
newCert = new X509CertImpl(certInfo); |
|
2495 |
newCert.sign(privKey, sigAlgName); |
|
2496 |
||
2497 |
// Store the new certificate as a single-element certificate chain |
|
2498 |
keyStore.setKeyEntry(alias, privKey, |
|
2499 |
(keyPass != null) ? keyPass : storePass, |
|
2500 |
new Certificate[] { newCert } ); |
|
2501 |
||
2502 |
if (verbose) { |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2503 |
System.err.println(rb.getString("New.certificate.self.signed.")); |
2 | 2504 |
System.err.print(newCert.toString()); |
2505 |
System.err.println(); |
|
2506 |
} |
|
2507 |
} |
|
2508 |
||
2509 |
/** |
|
2510 |
* Processes a certificate reply from a certificate authority. |
|
2511 |
* |
|
2512 |
* <p>Builds a certificate chain on top of the certificate reply, |
|
2513 |
* using trusted certificates from the keystore. The chain is complete |
|
2514 |
* after a self-signed certificate has been encountered. The self-signed |
|
2515 |
* certificate is considered a root certificate authority, and is stored |
|
2516 |
* at the end of the chain. |
|
2517 |
* |
|
2518 |
* <p>The newly generated chain replaces the old chain associated with the |
|
2519 |
* key entry. |
|
2520 |
* |
|
2521 |
* @return true if the certificate reply was installed, otherwise false. |
|
2522 |
*/ |
|
2523 |
private boolean installReply(String alias, InputStream in) |
|
2524 |
throws Exception |
|
2525 |
{ |
|
2526 |
if (alias == null) { |
|
2527 |
alias = keyAlias; |
|
2528 |
} |
|
2529 |
||
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2530 |
Pair<Key,char[]> objs = recoverKey(alias, storePass, keyPass); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2531 |
PrivateKey privKey = (PrivateKey)objs.fst; |
2 | 2532 |
if (keyPass == null) { |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2533 |
keyPass = objs.snd; |
2 | 2534 |
} |
2535 |
||
2536 |
Certificate userCert = keyStore.getCertificate(alias); |
|
2537 |
if (userCert == null) { |
|
2538 |
MessageFormat form = new MessageFormat |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2539 |
(rb.getString("alias.has.no.public.key.certificate.")); |
2 | 2540 |
Object[] source = {alias}; |
2541 |
throw new Exception(form.format(source)); |
|
2542 |
} |
|
2543 |
||
2544 |
// Read the certificates in the reply |
|
2545 |
Collection<? extends Certificate> c = cf.generateCertificates(in); |
|
2546 |
if (c.isEmpty()) { |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2547 |
throw new Exception(rb.getString("Reply.has.no.certificates")); |
2 | 2548 |
} |
2549 |
Certificate[] replyCerts = c.toArray(new Certificate[c.size()]); |
|
2550 |
Certificate[] newChain; |
|
2551 |
if (replyCerts.length == 1) { |
|
2552 |
// single-cert reply |
|
2553 |
newChain = establishCertChain(userCert, replyCerts[0]); |
|
2554 |
} else { |
|
2555 |
// cert-chain reply (e.g., PKCS#7) |
|
2556 |
newChain = validateReply(alias, userCert, replyCerts); |
|
2557 |
} |
|
2558 |
||
2559 |
// Now store the newly established chain in the keystore. The new |
|
2560 |
// chain replaces the old one. |
|
2561 |
if (newChain != null) { |
|
2562 |
keyStore.setKeyEntry(alias, privKey, |
|
2563 |
(keyPass != null) ? keyPass : storePass, |
|
2564 |
newChain); |
|
2565 |
return true; |
|
2566 |
} else { |
|
2567 |
return false; |
|
2568 |
} |
|
2569 |
} |
|
2570 |
||
2571 |
/** |
|
2572 |
* Imports a certificate and adds it to the list of trusted certificates. |
|
2573 |
* |
|
2574 |
* @return true if the certificate was added, otherwise false. |
|
2575 |
*/ |
|
2576 |
private boolean addTrustedCert(String alias, InputStream in) |
|
2577 |
throws Exception |
|
2578 |
{ |
|
2579 |
if (alias == null) { |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2580 |
throw new Exception(rb.getString("Must.specify.alias")); |
2 | 2581 |
} |
2582 |
if (keyStore.containsAlias(alias)) { |
|
2583 |
MessageFormat form = new MessageFormat(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2584 |
("Certificate.not.imported.alias.alias.already.exists")); |
2 | 2585 |
Object[] source = {alias}; |
2586 |
throw new Exception(form.format(source)); |
|
2587 |
} |
|
2588 |
||
2589 |
// Read the certificate |
|
2590 |
X509Certificate cert = null; |
|
2591 |
try { |
|
2592 |
cert = (X509Certificate)cf.generateCertificate(in); |
|
2593 |
} catch (ClassCastException cce) { |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2594 |
throw new Exception(rb.getString("Input.not.an.X.509.certificate")); |
2 | 2595 |
} catch (CertificateException ce) { |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2596 |
throw new Exception(rb.getString("Input.not.an.X.509.certificate")); |
2 | 2597 |
} |
2598 |
||
2599 |
// if certificate is self-signed, make sure it verifies |
|
2600 |
boolean selfSigned = false; |
|
2601 |
if (isSelfSigned(cert)) { |
|
2602 |
cert.verify(cert.getPublicKey()); |
|
2603 |
selfSigned = true; |
|
2604 |
} |
|
2605 |
||
2606 |
if (noprompt) { |
|
2607 |
keyStore.setCertificateEntry(alias, cert); |
|
2608 |
return true; |
|
2609 |
} |
|
2610 |
||
2611 |
// check if cert already exists in keystore |
|
2612 |
String reply = null; |
|
2613 |
String trustalias = keyStore.getCertificateAlias(cert); |
|
2614 |
if (trustalias != null) { |
|
2615 |
MessageFormat form = new MessageFormat(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2616 |
("Certificate.already.exists.in.keystore.under.alias.trustalias.")); |
2 | 2617 |
Object[] source = {trustalias}; |
2618 |
System.err.println(form.format(source)); |
|
2619 |
reply = getYesNoReply |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2620 |
(rb.getString("Do.you.still.want.to.add.it.no.")); |
2 | 2621 |
} else if (selfSigned) { |
2622 |
if (trustcacerts && (caks != null) && |
|
2623 |
((trustalias=caks.getCertificateAlias(cert)) != null)) { |
|
2624 |
MessageFormat form = new MessageFormat(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2625 |
("Certificate.already.exists.in.system.wide.CA.keystore.under.alias.trustalias.")); |
2 | 2626 |
Object[] source = {trustalias}; |
2627 |
System.err.println(form.format(source)); |
|
2628 |
reply = getYesNoReply |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2629 |
(rb.getString("Do.you.still.want.to.add.it.to.your.own.keystore.no.")); |
2 | 2630 |
} |
2631 |
if (trustalias == null) { |
|
2632 |
// Print the cert and ask user if they really want to add |
|
2633 |
// it to their keystore |
|
2634 |
printX509Cert(cert, System.out); |
|
2635 |
reply = getYesNoReply |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2636 |
(rb.getString("Trust.this.certificate.no.")); |
2 | 2637 |
} |
2638 |
} |
|
2639 |
if (reply != null) { |
|
2640 |
if ("YES".equals(reply)) { |
|
2641 |
keyStore.setCertificateEntry(alias, cert); |
|
2642 |
return true; |
|
2643 |
} else { |
|
2644 |
return false; |
|
2645 |
} |
|
2646 |
} |
|
2647 |
||
2648 |
// Try to establish trust chain |
|
2649 |
try { |
|
2650 |
Certificate[] chain = establishCertChain(null, cert); |
|
2651 |
if (chain != null) { |
|
2652 |
keyStore.setCertificateEntry(alias, cert); |
|
2653 |
return true; |
|
2654 |
} |
|
2655 |
} catch (Exception e) { |
|
2656 |
// Print the cert and ask user if they really want to add it to |
|
2657 |
// their keystore |
|
2658 |
printX509Cert(cert, System.out); |
|
2659 |
reply = getYesNoReply |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2660 |
(rb.getString("Trust.this.certificate.no.")); |
2 | 2661 |
if ("YES".equals(reply)) { |
2662 |
keyStore.setCertificateEntry(alias, cert); |
|
2663 |
return true; |
|
2664 |
} else { |
|
2665 |
return false; |
|
2666 |
} |
|
2667 |
} |
|
2668 |
||
2669 |
return false; |
|
2670 |
} |
|
2671 |
||
2672 |
/** |
|
2673 |
* Prompts user for new password. New password must be different from |
|
2674 |
* old one. |
|
2675 |
* |
|
2676 |
* @param prompt the message that gets prompted on the screen |
|
2677 |
* @param oldPasswd the current (i.e., old) password |
|
2678 |
*/ |
|
2679 |
private char[] getNewPasswd(String prompt, char[] oldPasswd) |
|
2680 |
throws Exception |
|
2681 |
{ |
|
2682 |
char[] entered = null; |
|
2683 |
char[] reentered = null; |
|
2684 |
||
2685 |
for (int count = 0; count < 3; count++) { |
|
2686 |
MessageFormat form = new MessageFormat |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2687 |
(rb.getString("New.prompt.")); |
2 | 2688 |
Object[] source = {prompt}; |
2689 |
System.err.print(form.format(source)); |
|
2690 |
entered = Password.readPassword(System.in); |
|
2691 |
passwords.add(entered); |
|
2692 |
if (entered == null || entered.length < 6) { |
|
2693 |
System.err.println(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2694 |
("Password.is.too.short.must.be.at.least.6.characters")); |
2 | 2695 |
} else if (Arrays.equals(entered, oldPasswd)) { |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2696 |
System.err.println(rb.getString("Passwords.must.differ")); |
2 | 2697 |
} else { |
2698 |
form = new MessageFormat |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2699 |
(rb.getString("Re.enter.new.prompt.")); |
2 | 2700 |
Object[] src = {prompt}; |
2701 |
System.err.print(form.format(src)); |
|
2702 |
reentered = Password.readPassword(System.in); |
|
2703 |
passwords.add(reentered); |
|
2704 |
if (!Arrays.equals(entered, reentered)) { |
|
2705 |
System.err.println |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2706 |
(rb.getString("They.don.t.match.Try.again")); |
2 | 2707 |
} else { |
2708 |
Arrays.fill(reentered, ' '); |
|
2709 |
return entered; |
|
2710 |
} |
|
2711 |
} |
|
2712 |
if (entered != null) { |
|
2713 |
Arrays.fill(entered, ' '); |
|
2714 |
entered = null; |
|
2715 |
} |
|
2716 |
if (reentered != null) { |
|
2717 |
Arrays.fill(reentered, ' '); |
|
2718 |
reentered = null; |
|
2719 |
} |
|
2720 |
} |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2721 |
throw new Exception(rb.getString("Too.many.failures.try.later")); |
2 | 2722 |
} |
2723 |
||
2724 |
/** |
|
2725 |
* Prompts user for alias name. |
|
2726 |
* @param prompt the {0} of "Enter {0} alias name: " in prompt line |
|
2727 |
* @returns the string entered by the user, without the \n at the end |
|
2728 |
*/ |
|
2729 |
private String getAlias(String prompt) throws Exception { |
|
2730 |
if (prompt != null) { |
|
2731 |
MessageFormat form = new MessageFormat |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2732 |
(rb.getString("Enter.prompt.alias.name.")); |
2 | 2733 |
Object[] source = {prompt}; |
2734 |
System.err.print(form.format(source)); |
|
2735 |
} else { |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2736 |
System.err.print(rb.getString("Enter.alias.name.")); |
2 | 2737 |
} |
2738 |
return (new BufferedReader(new InputStreamReader( |
|
2739 |
System.in))).readLine(); |
|
2740 |
} |
|
2741 |
||
2742 |
/** |
|
2743 |
* Prompts user for an input string from the command line (System.in) |
|
2744 |
* @prompt the prompt string printed |
|
2745 |
* @returns the string entered by the user, without the \n at the end |
|
2746 |
*/ |
|
2747 |
private String inputStringFromStdin(String prompt) throws Exception { |
|
2748 |
System.err.print(prompt); |
|
2749 |
return (new BufferedReader(new InputStreamReader( |
|
2750 |
System.in))).readLine(); |
|
2751 |
} |
|
2752 |
||
2753 |
/** |
|
2754 |
* Prompts user for key password. User may select to choose the same |
|
2755 |
* password (<code>otherKeyPass</code>) as for <code>otherAlias</code>. |
|
2756 |
*/ |
|
2757 |
private char[] getKeyPasswd(String alias, String otherAlias, |
|
2758 |
char[] otherKeyPass) |
|
2759 |
throws Exception |
|
2760 |
{ |
|
2761 |
int count = 0; |
|
2762 |
char[] keyPass = null; |
|
2763 |
||
2764 |
do { |
|
2765 |
if (otherKeyPass != null) { |
|
2766 |
MessageFormat form = new MessageFormat(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2767 |
("Enter.key.password.for.alias.")); |
2 | 2768 |
Object[] source = {alias}; |
2769 |
System.err.println(form.format(source)); |
|
2770 |
||
2771 |
form = new MessageFormat(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2772 |
(".RETURN.if.same.as.for.otherAlias.")); |
2 | 2773 |
Object[] src = {otherAlias}; |
2774 |
System.err.print(form.format(src)); |
|
2775 |
} else { |
|
2776 |
MessageFormat form = new MessageFormat(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2777 |
("Enter.key.password.for.alias.")); |
2 | 2778 |
Object[] source = {alias}; |
2779 |
System.err.print(form.format(source)); |
|
2780 |
} |
|
2781 |
System.err.flush(); |
|
2782 |
keyPass = Password.readPassword(System.in); |
|
2783 |
passwords.add(keyPass); |
|
2784 |
if (keyPass == null) { |
|
2785 |
keyPass = otherKeyPass; |
|
2786 |
} |
|
2787 |
count++; |
|
2788 |
} while ((keyPass == null) && count < 3); |
|
2789 |
||
2790 |
if (keyPass == null) { |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2791 |
throw new Exception(rb.getString("Too.many.failures.try.later")); |
2 | 2792 |
} |
2793 |
||
2794 |
return keyPass; |
|
2795 |
} |
|
2796 |
||
2797 |
/** |
|
2798 |
* Prints a certificate in a human readable format. |
|
2799 |
*/ |
|
2800 |
private void printX509Cert(X509Certificate cert, PrintStream out) |
|
2801 |
throws Exception |
|
2802 |
{ |
|
2803 |
/* |
|
2804 |
out.println("Owner: " |
|
2805 |
+ cert.getSubjectDN().toString() |
|
2806 |
+ "\n" |
|
2807 |
+ "Issuer: " |
|
2808 |
+ cert.getIssuerDN().toString() |
|
2809 |
+ "\n" |
|
2810 |
+ "Serial number: " + cert.getSerialNumber().toString(16) |
|
2811 |
+ "\n" |
|
2812 |
+ "Valid from: " + cert.getNotBefore().toString() |
|
2813 |
+ " until: " + cert.getNotAfter().toString() |
|
2814 |
+ "\n" |
|
2815 |
+ "Certificate fingerprints:\n" |
|
2816 |
+ "\t MD5: " + getCertFingerPrint("MD5", cert) |
|
2817 |
+ "\n" |
|
2818 |
+ "\t SHA1: " + getCertFingerPrint("SHA1", cert)); |
|
2819 |
*/ |
|
2820 |
||
2821 |
MessageFormat form = new MessageFormat |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2822 |
(rb.getString(".PATTERN.printX509Cert")); |
2 | 2823 |
Object[] source = {cert.getSubjectDN().toString(), |
2824 |
cert.getIssuerDN().toString(), |
|
2825 |
cert.getSerialNumber().toString(16), |
|
2826 |
cert.getNotBefore().toString(), |
|
2827 |
cert.getNotAfter().toString(), |
|
2828 |
getCertFingerPrint("MD5", cert), |
|
2829 |
getCertFingerPrint("SHA1", cert), |
|
3318
dade78e63c92
6561126: keytool should use larger default keysize for keypairs
weijun
parents:
3316
diff
changeset
|
2830 |
getCertFingerPrint("SHA-256", cert), |
2 | 2831 |
cert.getSigAlgName(), |
2832 |
cert.getVersion() |
|
2833 |
}; |
|
2834 |
out.println(form.format(source)); |
|
2835 |
||
2836 |
if (cert instanceof X509CertImpl) { |
|
2837 |
X509CertImpl impl = (X509CertImpl)cert; |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2838 |
X509CertInfo certInfo = (X509CertInfo)impl.get(X509CertImpl.NAME |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2839 |
+ "." + |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2840 |
X509CertImpl.INFO); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2841 |
CertificateExtensions exts = (CertificateExtensions) |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2842 |
certInfo.get(X509CertInfo.EXTENSIONS); |
2179
e172c13ca87a
6813402: keytool cannot -printcert entries without extensions
weijun
parents:
2067
diff
changeset
|
2843 |
if (exts != null) { |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2844 |
printExtensions(rb.getString("Extensions."), exts, out); |
2179
e172c13ca87a
6813402: keytool cannot -printcert entries without extensions
weijun
parents:
2067
diff
changeset
|
2845 |
} |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2846 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2847 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2848 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2849 |
private static void printExtensions(String title, CertificateExtensions exts, PrintStream out) |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2850 |
throws Exception { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2851 |
int extnum = 0; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2852 |
Iterator<Extension> i1 = exts.getAllExtensions().iterator(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2853 |
Iterator<Extension> i2 = exts.getUnparseableExtensions().values().iterator(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2854 |
while (i1.hasNext() || i2.hasNext()) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2855 |
Extension ext = i1.hasNext()?i1.next():i2.next(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2856 |
if (extnum == 0) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2857 |
out.println(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2858 |
out.println(title); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2859 |
out.println(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2860 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2861 |
out.print("#"+(++extnum)+": "+ ext); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2862 |
if (ext.getClass() == Extension.class) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2863 |
byte[] v = ext.getExtensionValue(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2864 |
if (v.length == 0) { |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2865 |
out.println(rb.getString(".Empty.value.")); |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2866 |
} else { |
5457 | 2867 |
new sun.misc.HexDumpEncoder().encodeBuffer(ext.getExtensionValue(), out); |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2868 |
out.println(); |
2 | 2869 |
} |
2870 |
} |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
2871 |
out.println(); |
2 | 2872 |
} |
2873 |
} |
|
2874 |
||
2875 |
/** |
|
2876 |
* Returns true if the certificate is self-signed, false otherwise. |
|
2877 |
*/ |
|
2878 |
private boolean isSelfSigned(X509Certificate cert) { |
|
2437
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
2879 |
return signedBy(cert, cert); |
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
2880 |
} |
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
2881 |
|
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
2882 |
private boolean signedBy(X509Certificate end, X509Certificate ca) { |
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
2883 |
if (!ca.getSubjectDN().equals(end.getIssuerDN())) { |
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
2884 |
return false; |
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
2885 |
} |
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
2886 |
try { |
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
2887 |
end.verify(ca.getPublicKey()); |
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
2888 |
return true; |
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
2889 |
} catch (Exception e) { |
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
2890 |
return false; |
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
2891 |
} |
2 | 2892 |
} |
2893 |
||
2894 |
/** |
|
5296 | 2895 |
* Locates a signer for a given certificate from a given keystore and |
2896 |
* returns the signer's certificate. |
|
2897 |
* @param cert the certificate whose signer is searched, not null |
|
2898 |
* @param ks the keystore to search with, not null |
|
2899 |
* @return <code>cert</code> itself if it's already inside <code>ks</code>, |
|
2900 |
* or a certificate inside <code>ks</code> who signs <code>cert</code>, |
|
2901 |
* or null otherwise. |
|
2 | 2902 |
*/ |
5296 | 2903 |
private static Certificate getTrustedSigner(Certificate cert, KeyStore ks) |
2904 |
throws Exception { |
|
2905 |
if (ks.getCertificateAlias(cert) != null) { |
|
2906 |
return cert; |
|
2 | 2907 |
} |
5296 | 2908 |
for (Enumeration<String> aliases = ks.aliases(); |
2909 |
aliases.hasMoreElements(); ) { |
|
2910 |
String name = aliases.nextElement(); |
|
2911 |
Certificate trustedCert = ks.getCertificate(name); |
|
2912 |
if (trustedCert != null) { |
|
2913 |
try { |
|
2914 |
cert.verify(trustedCert.getPublicKey()); |
|
2915 |
return trustedCert; |
|
2916 |
} catch (Exception e) { |
|
2917 |
// Not verified, skip to the next one |
|
2918 |
} |
|
2919 |
} |
|
2 | 2920 |
} |
5296 | 2921 |
return null; |
2 | 2922 |
} |
2923 |
||
2924 |
/** |
|
2925 |
* Gets an X.500 name suitable for inclusion in a certification request. |
|
2926 |
*/ |
|
2927 |
private X500Name getX500Name() throws IOException { |
|
2928 |
BufferedReader in; |
|
2929 |
in = new BufferedReader(new InputStreamReader(System.in)); |
|
2930 |
String commonName = "Unknown"; |
|
2931 |
String organizationalUnit = "Unknown"; |
|
2932 |
String organization = "Unknown"; |
|
2933 |
String city = "Unknown"; |
|
2934 |
String state = "Unknown"; |
|
2935 |
String country = "Unknown"; |
|
2936 |
X500Name name; |
|
2937 |
String userInput = null; |
|
2938 |
||
2939 |
int maxRetry = 20; |
|
2940 |
do { |
|
2941 |
if (maxRetry-- < 0) { |
|
2942 |
throw new RuntimeException(rb.getString( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2943 |
"Too.many.retries.program.terminated")); |
2 | 2944 |
} |
2945 |
commonName = inputString(in, |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2946 |
rb.getString("What.is.your.first.and.last.name."), |
2 | 2947 |
commonName); |
2948 |
organizationalUnit = inputString(in, |
|
2949 |
rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2950 |
("What.is.the.name.of.your.organizational.unit."), |
2 | 2951 |
organizationalUnit); |
2952 |
organization = inputString(in, |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2953 |
rb.getString("What.is.the.name.of.your.organization."), |
2 | 2954 |
organization); |
2955 |
city = inputString(in, |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2956 |
rb.getString("What.is.the.name.of.your.City.or.Locality."), |
2 | 2957 |
city); |
2958 |
state = inputString(in, |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2959 |
rb.getString("What.is.the.name.of.your.State.or.Province."), |
2 | 2960 |
state); |
2961 |
country = inputString(in, |
|
2962 |
rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2963 |
("What.is.the.two.letter.country.code.for.this.unit."), |
2 | 2964 |
country); |
2965 |
name = new X500Name(commonName, organizationalUnit, organization, |
|
2966 |
city, state, country); |
|
2967 |
MessageFormat form = new MessageFormat |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2968 |
(rb.getString("Is.name.correct.")); |
2 | 2969 |
Object[] source = {name}; |
2970 |
userInput = inputString |
|
2971 |
(in, form.format(source), rb.getString("no")); |
|
2972 |
} while (collator.compare(userInput, rb.getString("yes")) != 0 && |
|
2973 |
collator.compare(userInput, rb.getString("y")) != 0); |
|
2974 |
||
2975 |
System.err.println(); |
|
2976 |
return name; |
|
2977 |
} |
|
2978 |
||
2979 |
private String inputString(BufferedReader in, String prompt, |
|
2980 |
String defaultValue) |
|
2981 |
throws IOException |
|
2982 |
{ |
|
2983 |
System.err.println(prompt); |
|
2984 |
MessageFormat form = new MessageFormat |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
2985 |
(rb.getString(".defaultValue.")); |
2 | 2986 |
Object[] source = {defaultValue}; |
2987 |
System.err.print(form.format(source)); |
|
2988 |
System.err.flush(); |
|
2989 |
||
2990 |
String value = in.readLine(); |
|
2991 |
if (value == null || collator.compare(value, "") == 0) { |
|
2992 |
value = defaultValue; |
|
2993 |
} |
|
2994 |
return value; |
|
2995 |
} |
|
2996 |
||
2997 |
/** |
|
2998 |
* Writes an X.509 certificate in base64 or binary encoding to an output |
|
2999 |
* stream. |
|
3000 |
*/ |
|
3001 |
private void dumpCert(Certificate cert, PrintStream out) |
|
3002 |
throws IOException, CertificateException |
|
3003 |
{ |
|
3004 |
if (rfc) { |
|
3005 |
BASE64Encoder encoder = new BASE64Encoder(); |
|
3006 |
out.println(X509Factory.BEGIN_CERT); |
|
3007 |
encoder.encodeBuffer(cert.getEncoded(), out); |
|
3008 |
out.println(X509Factory.END_CERT); |
|
3009 |
} else { |
|
3010 |
out.write(cert.getEncoded()); // binary |
|
3011 |
} |
|
3012 |
} |
|
3013 |
||
3014 |
/** |
|
3015 |
* Converts a byte to hex digit and writes to the supplied buffer |
|
3016 |
*/ |
|
3017 |
private void byte2hex(byte b, StringBuffer buf) { |
|
3018 |
char[] hexChars = { '0', '1', '2', '3', '4', '5', '6', '7', '8', |
|
3019 |
'9', 'A', 'B', 'C', 'D', 'E', 'F' }; |
|
3020 |
int high = ((b & 0xf0) >> 4); |
|
3021 |
int low = (b & 0x0f); |
|
3022 |
buf.append(hexChars[high]); |
|
3023 |
buf.append(hexChars[low]); |
|
3024 |
} |
|
3025 |
||
3026 |
/** |
|
3027 |
* Converts a byte array to hex string |
|
3028 |
*/ |
|
3029 |
private String toHexString(byte[] block) { |
|
3030 |
StringBuffer buf = new StringBuffer(); |
|
3031 |
int len = block.length; |
|
3032 |
for (int i = 0; i < len; i++) { |
|
3033 |
byte2hex(block[i], buf); |
|
3034 |
if (i < len-1) { |
|
3035 |
buf.append(":"); |
|
3036 |
} |
|
3037 |
} |
|
3038 |
return buf.toString(); |
|
3039 |
} |
|
3040 |
||
3041 |
/** |
|
3042 |
* Recovers (private) key associated with given alias. |
|
3043 |
* |
|
3044 |
* @return an array of objects, where the 1st element in the array is the |
|
3045 |
* recovered private key, and the 2nd element is the password used to |
|
3046 |
* recover it. |
|
3047 |
*/ |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3048 |
private Pair<Key,char[]> recoverKey(String alias, char[] storePass, |
2 | 3049 |
char[] keyPass) |
3050 |
throws Exception |
|
3051 |
{ |
|
3052 |
Key key = null; |
|
3053 |
||
3054 |
if (keyStore.containsAlias(alias) == false) { |
|
3055 |
MessageFormat form = new MessageFormat |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
3056 |
(rb.getString("Alias.alias.does.not.exist")); |
2 | 3057 |
Object[] source = {alias}; |
3058 |
throw new Exception(form.format(source)); |
|
3059 |
} |
|
3060 |
if (!keyStore.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class) && |
|
3061 |
!keyStore.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) { |
|
3062 |
MessageFormat form = new MessageFormat |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
3063 |
(rb.getString("Alias.alias.has.no.key")); |
2 | 3064 |
Object[] source = {alias}; |
3065 |
throw new Exception(form.format(source)); |
|
3066 |
} |
|
3067 |
||
3068 |
if (keyPass == null) { |
|
3069 |
// Try to recover the key using the keystore password |
|
3070 |
try { |
|
3071 |
key = keyStore.getKey(alias, storePass); |
|
3072 |
||
3073 |
keyPass = storePass; |
|
3074 |
passwords.add(keyPass); |
|
3075 |
} catch (UnrecoverableKeyException e) { |
|
3076 |
// Did not work out, so prompt user for key password |
|
3077 |
if (!token) { |
|
3078 |
keyPass = getKeyPasswd(alias, null, null); |
|
3079 |
key = keyStore.getKey(alias, keyPass); |
|
3080 |
} else { |
|
3081 |
throw e; |
|
3082 |
} |
|
3083 |
} |
|
3084 |
} else { |
|
3085 |
key = keyStore.getKey(alias, keyPass); |
|
3086 |
} |
|
3087 |
||
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3088 |
return Pair.of(key, keyPass); |
2 | 3089 |
} |
3090 |
||
3091 |
/** |
|
3092 |
* Recovers entry associated with given alias. |
|
3093 |
* |
|
3094 |
* @return an array of objects, where the 1st element in the array is the |
|
3095 |
* recovered entry, and the 2nd element is the password used to |
|
3096 |
* recover it (null if no password). |
|
3097 |
*/ |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3098 |
private Pair<Entry,char[]> recoverEntry(KeyStore ks, |
2 | 3099 |
String alias, |
3100 |
char[] pstore, |
|
3101 |
char[] pkey) throws Exception { |
|
3102 |
||
3103 |
if (ks.containsAlias(alias) == false) { |
|
3104 |
MessageFormat form = new MessageFormat |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
3105 |
(rb.getString("Alias.alias.does.not.exist")); |
2 | 3106 |
Object[] source = {alias}; |
3107 |
throw new Exception(form.format(source)); |
|
3108 |
} |
|
3109 |
||
3110 |
PasswordProtection pp = null; |
|
3111 |
Entry entry; |
|
3112 |
||
3113 |
try { |
|
3114 |
// First attempt to access entry without key password |
|
3115 |
// (PKCS11 entry or trusted certificate entry, for example) |
|
3116 |
||
3117 |
entry = ks.getEntry(alias, pp); |
|
3118 |
pkey = null; |
|
3119 |
} catch (UnrecoverableEntryException une) { |
|
3120 |
||
3121 |
if(P11KEYSTORE.equalsIgnoreCase(ks.getType()) || |
|
3122 |
KeyStoreUtil.isWindowsKeyStore(ks.getType())) { |
|
3123 |
// should not happen, but a possibility |
|
3124 |
throw une; |
|
3125 |
} |
|
3126 |
||
3127 |
// entry is protected |
|
3128 |
||
3129 |
if (pkey != null) { |
|
3130 |
||
3131 |
// try provided key password |
|
3132 |
||
3133 |
pp = new PasswordProtection(pkey); |
|
3134 |
entry = ks.getEntry(alias, pp); |
|
3135 |
||
3136 |
} else { |
|
3137 |
||
3138 |
// try store pass |
|
3139 |
||
3140 |
try { |
|
3141 |
pp = new PasswordProtection(pstore); |
|
3142 |
entry = ks.getEntry(alias, pp); |
|
3143 |
pkey = pstore; |
|
3144 |
} catch (UnrecoverableEntryException une2) { |
|
3145 |
if (P12KEYSTORE.equalsIgnoreCase(ks.getType())) { |
|
3146 |
||
3147 |
// P12 keystore currently does not support separate |
|
3148 |
// store and entry passwords |
|
3149 |
||
3150 |
throw une2; |
|
3151 |
} else { |
|
3152 |
||
3153 |
// prompt for entry password |
|
3154 |
||
3155 |
pkey = getKeyPasswd(alias, null, null); |
|
3156 |
pp = new PasswordProtection(pkey); |
|
3157 |
entry = ks.getEntry(alias, pp); |
|
3158 |
} |
|
3159 |
} |
|
3160 |
} |
|
3161 |
} |
|
3162 |
||
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3163 |
return Pair.of(entry, pkey); |
2 | 3164 |
} |
3165 |
/** |
|
3166 |
* Gets the requested finger print of the certificate. |
|
3167 |
*/ |
|
3168 |
private String getCertFingerPrint(String mdAlg, Certificate cert) |
|
3169 |
throws Exception |
|
3170 |
{ |
|
3171 |
byte[] encCertInfo = cert.getEncoded(); |
|
3172 |
MessageDigest md = MessageDigest.getInstance(mdAlg); |
|
3173 |
byte[] digest = md.digest(encCertInfo); |
|
3174 |
return toHexString(digest); |
|
3175 |
} |
|
3176 |
||
3177 |
/** |
|
3178 |
* Prints warning about missing integrity check. |
|
3179 |
*/ |
|
3180 |
private void printWarning() { |
|
3181 |
System.err.println(); |
|
3182 |
System.err.println(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
3183 |
(".WARNING.WARNING.WARNING.")); |
2 | 3184 |
System.err.println(rb.getString |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
3185 |
(".The.integrity.of.the.information.stored.in.your.keystore.")); |
2 | 3186 |
System.err.println(rb.getString |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
3187 |
(".WARNING.WARNING.WARNING.")); |
2 | 3188 |
System.err.println(); |
3189 |
} |
|
3190 |
||
3191 |
/** |
|
3192 |
* Validates chain in certification reply, and returns the ordered |
|
3193 |
* elements of the chain (with user certificate first, and root |
|
3194 |
* certificate last in the array). |
|
3195 |
* |
|
3196 |
* @param alias the alias name |
|
3197 |
* @param userCert the user certificate of the alias |
|
3198 |
* @param replyCerts the chain provided in the reply |
|
3199 |
*/ |
|
3200 |
private Certificate[] validateReply(String alias, |
|
3201 |
Certificate userCert, |
|
3202 |
Certificate[] replyCerts) |
|
3203 |
throws Exception |
|
3204 |
{ |
|
3205 |
// order the certs in the reply (bottom-up). |
|
3206 |
// we know that all certs in the reply are of type X.509, because |
|
3207 |
// we parsed them using an X.509 certificate factory |
|
3208 |
int i; |
|
3209 |
PublicKey userPubKey = userCert.getPublicKey(); |
|
3210 |
for (i=0; i<replyCerts.length; i++) { |
|
3211 |
if (userPubKey.equals(replyCerts[i].getPublicKey())) { |
|
3212 |
break; |
|
3213 |
} |
|
3214 |
} |
|
3215 |
if (i == replyCerts.length) { |
|
3216 |
MessageFormat form = new MessageFormat(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
3217 |
("Certificate.reply.does.not.contain.public.key.for.alias.")); |
2 | 3218 |
Object[] source = {alias}; |
3219 |
throw new Exception(form.format(source)); |
|
3220 |
} |
|
3221 |
||
3222 |
Certificate tmpCert = replyCerts[0]; |
|
3223 |
replyCerts[0] = replyCerts[i]; |
|
3224 |
replyCerts[i] = tmpCert; |
|
2437
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
3225 |
|
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
3226 |
X509Certificate thisCert = (X509Certificate)replyCerts[0]; |
2 | 3227 |
|
3228 |
for (i=1; i < replyCerts.length-1; i++) { |
|
2437
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
3229 |
// find a cert in the reply who signs thisCert |
2 | 3230 |
int j; |
3231 |
for (j=i; j<replyCerts.length; j++) { |
|
2437
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
3232 |
if (signedBy(thisCert, (X509Certificate)replyCerts[j])) { |
2 | 3233 |
tmpCert = replyCerts[i]; |
3234 |
replyCerts[i] = replyCerts[j]; |
|
3235 |
replyCerts[j] = tmpCert; |
|
2437
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
3236 |
thisCert = (X509Certificate)replyCerts[i]; |
2 | 3237 |
break; |
3238 |
} |
|
3239 |
} |
|
3240 |
if (j == replyCerts.length) { |
|
3241 |
throw new Exception |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
3242 |
(rb.getString("Incomplete.certificate.chain.in.reply")); |
2 | 3243 |
} |
3244 |
} |
|
3245 |
||
3246 |
if (noprompt) { |
|
3247 |
return replyCerts; |
|
3248 |
} |
|
3249 |
||
5296 | 3250 |
// do we trust the cert at the top? |
2 | 3251 |
Certificate topCert = replyCerts[replyCerts.length-1]; |
5296 | 3252 |
Certificate root = getTrustedSigner(topCert, keyStore); |
3253 |
if (root == null && trustcacerts && caks != null) { |
|
3254 |
root = getTrustedSigner(topCert, caks); |
|
3255 |
} |
|
3256 |
if (root == null) { |
|
3257 |
System.err.println(); |
|
3258 |
System.err.println |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
3259 |
(rb.getString("Top.level.certificate.in.reply.")); |
5296 | 3260 |
printX509Cert((X509Certificate)topCert, System.out); |
3261 |
System.err.println(); |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
3262 |
System.err.print(rb.getString(".is.not.trusted.")); |
5296 | 3263 |
String reply = getYesNoReply |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
3264 |
(rb.getString("Install.reply.anyway.no.")); |
5296 | 3265 |
if ("NO".equals(reply)) { |
3266 |
return null; |
|
2 | 3267 |
} |
5296 | 3268 |
} else { |
3269 |
if (root != topCert) { |
|
3270 |
// append the root CA cert to the chain |
|
3271 |
Certificate[] tmpCerts = |
|
3272 |
new Certificate[replyCerts.length+1]; |
|
3273 |
System.arraycopy(replyCerts, 0, tmpCerts, 0, |
|
3274 |
replyCerts.length); |
|
3275 |
tmpCerts[tmpCerts.length-1] = root; |
|
3276 |
replyCerts = tmpCerts; |
|
2 | 3277 |
} |
3278 |
} |
|
3279 |
||
3280 |
return replyCerts; |
|
3281 |
} |
|
3282 |
||
3283 |
/** |
|
3284 |
* Establishes a certificate chain (using trusted certificates in the |
|
3285 |
* keystore), starting with the user certificate |
|
3286 |
* and ending at a self-signed certificate found in the keystore. |
|
3287 |
* |
|
3288 |
* @param userCert the user certificate of the alias |
|
3289 |
* @param certToVerify the single certificate provided in the reply |
|
3290 |
*/ |
|
3291 |
private Certificate[] establishCertChain(Certificate userCert, |
|
3292 |
Certificate certToVerify) |
|
3293 |
throws Exception |
|
3294 |
{ |
|
3295 |
if (userCert != null) { |
|
3296 |
// Make sure that the public key of the certificate reply matches |
|
3297 |
// the original public key in the keystore |
|
3298 |
PublicKey origPubKey = userCert.getPublicKey(); |
|
3299 |
PublicKey replyPubKey = certToVerify.getPublicKey(); |
|
3300 |
if (!origPubKey.equals(replyPubKey)) { |
|
3301 |
throw new Exception(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
3302 |
("Public.keys.in.reply.and.keystore.don.t.match")); |
2 | 3303 |
} |
3304 |
||
3305 |
// If the two certs are identical, we're done: no need to import |
|
3306 |
// anything |
|
3307 |
if (certToVerify.equals(userCert)) { |
|
3308 |
throw new Exception(rb.getString |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
3309 |
("Certificate.reply.and.certificate.in.keystore.are.identical")); |
2 | 3310 |
} |
3311 |
} |
|
3312 |
||
3313 |
// Build a hash table of all certificates in the keystore. |
|
3314 |
// Use the subject distinguished name as the key into the hash table. |
|
3315 |
// All certificates associated with the same subject distinguished |
|
3316 |
// name are stored in the same hash table entry as a vector. |
|
3317 |
Hashtable<Principal, Vector<Certificate>> certs = null; |
|
3318 |
if (keyStore.size() > 0) { |
|
3319 |
certs = new Hashtable<Principal, Vector<Certificate>>(11); |
|
3320 |
keystorecerts2Hashtable(keyStore, certs); |
|
3321 |
} |
|
3322 |
if (trustcacerts) { |
|
3323 |
if (caks!=null && caks.size()>0) { |
|
3324 |
if (certs == null) { |
|
3325 |
certs = new Hashtable<Principal, Vector<Certificate>>(11); |
|
3326 |
} |
|
3327 |
keystorecerts2Hashtable(caks, certs); |
|
3328 |
} |
|
3329 |
} |
|
3330 |
||
3331 |
// start building chain |
|
7977
f47f211cd627
7008713: diamond conversion of kerberos5 and security tools
smarks
parents:
7179
diff
changeset
|
3332 |
Vector<Certificate> chain = new Vector<>(2); |
2 | 3333 |
if (buildChain((X509Certificate)certToVerify, chain, certs)) { |
3334 |
Certificate[] newChain = new Certificate[chain.size()]; |
|
3335 |
// buildChain() returns chain with self-signed root-cert first and |
|
3336 |
// user-cert last, so we need to invert the chain before we store |
|
3337 |
// it |
|
3338 |
int j=0; |
|
3339 |
for (int i=chain.size()-1; i>=0; i--) { |
|
3340 |
newChain[j] = chain.elementAt(i); |
|
3341 |
j++; |
|
3342 |
} |
|
3343 |
return newChain; |
|
3344 |
} else { |
|
3345 |
throw new Exception |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
3346 |
(rb.getString("Failed.to.establish.chain.from.reply")); |
2 | 3347 |
} |
3348 |
} |
|
3349 |
||
3350 |
/** |
|
3351 |
* Recursively tries to establish chain from pool of trusted certs. |
|
3352 |
* |
|
3353 |
* @param certToVerify the cert that needs to be verified. |
|
3354 |
* @param chain the chain that's being built. |
|
3355 |
* @param certs the pool of trusted certs |
|
3356 |
* |
|
3357 |
* @return true if successful, false otherwise. |
|
3358 |
*/ |
|
3359 |
private boolean buildChain(X509Certificate certToVerify, |
|
3360 |
Vector<Certificate> chain, |
|
3361 |
Hashtable<Principal, Vector<Certificate>> certs) { |
|
3362 |
Principal issuer = certToVerify.getIssuerDN(); |
|
2437
098db6faaf66
6825352: support self-issued certificate in keytool
weijun
parents:
2432
diff
changeset
|
3363 |
if (isSelfSigned(certToVerify)) { |
2 | 3364 |
// reached self-signed root cert; |
3365 |
// no verification needed because it's trusted. |
|
3366 |
chain.addElement(certToVerify); |
|
3367 |
return true; |
|
3368 |
} |
|
3369 |
||
3370 |
// Get the issuer's certificate(s) |
|
3371 |
Vector<Certificate> vec = certs.get(issuer); |
|
3372 |
if (vec == null) { |
|
3373 |
return false; |
|
3374 |
} |
|
3375 |
||
3376 |
// Try out each certificate in the vector, until we find one |
|
3377 |
// whose public key verifies the signature of the certificate |
|
3378 |
// in question. |
|
3379 |
for (Enumeration<Certificate> issuerCerts = vec.elements(); |
|
3380 |
issuerCerts.hasMoreElements(); ) { |
|
3381 |
X509Certificate issuerCert |
|
3382 |
= (X509Certificate)issuerCerts.nextElement(); |
|
3383 |
PublicKey issuerPubKey = issuerCert.getPublicKey(); |
|
3384 |
try { |
|
3385 |
certToVerify.verify(issuerPubKey); |
|
3386 |
} catch (Exception e) { |
|
3387 |
continue; |
|
3388 |
} |
|
3389 |
if (buildChain(issuerCert, chain, certs)) { |
|
3390 |
chain.addElement(certToVerify); |
|
3391 |
return true; |
|
3392 |
} |
|
3393 |
} |
|
3394 |
return false; |
|
3395 |
} |
|
3396 |
||
3397 |
/** |
|
3398 |
* Prompts user for yes/no decision. |
|
3399 |
* |
|
3400 |
* @return the user's decision, can only be "YES" or "NO" |
|
3401 |
*/ |
|
3402 |
private String getYesNoReply(String prompt) |
|
3403 |
throws IOException |
|
3404 |
{ |
|
3405 |
String reply = null; |
|
3406 |
int maxRetry = 20; |
|
3407 |
do { |
|
3408 |
if (maxRetry-- < 0) { |
|
3409 |
throw new RuntimeException(rb.getString( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
3410 |
"Too.many.retries.program.terminated")); |
2 | 3411 |
} |
3412 |
System.err.print(prompt); |
|
3413 |
System.err.flush(); |
|
3414 |
reply = (new BufferedReader(new InputStreamReader |
|
3415 |
(System.in))).readLine(); |
|
3416 |
if (collator.compare(reply, "") == 0 || |
|
3417 |
collator.compare(reply, rb.getString("n")) == 0 || |
|
3418 |
collator.compare(reply, rb.getString("no")) == 0) { |
|
3419 |
reply = "NO"; |
|
3420 |
} else if (collator.compare(reply, rb.getString("y")) == 0 || |
|
3421 |
collator.compare(reply, rb.getString("yes")) == 0) { |
|
3422 |
reply = "YES"; |
|
3423 |
} else { |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
3424 |
System.err.println(rb.getString("Wrong.answer.try.again")); |
2 | 3425 |
reply = null; |
3426 |
} |
|
3427 |
} while (reply == null); |
|
3428 |
return reply; |
|
3429 |
} |
|
3430 |
||
3431 |
/** |
|
3432 |
* Returns the keystore with the configured CA certificates. |
|
3433 |
*/ |
|
2432
dc17f417ef85
6802846: jarsigner needs enhanced cert validation(options)
weijun
parents:
2293
diff
changeset
|
3434 |
public static KeyStore getCacertsKeyStore() |
2 | 3435 |
throws Exception |
3436 |
{ |
|
3437 |
String sep = File.separator; |
|
3438 |
File file = new File(System.getProperty("java.home") + sep |
|
3439 |
+ "lib" + sep + "security" + sep |
|
3440 |
+ "cacerts"); |
|
3441 |
if (!file.exists()) { |
|
3442 |
return null; |
|
3443 |
} |
|
3444 |
FileInputStream fis = null; |
|
3445 |
KeyStore caks = null; |
|
3446 |
try { |
|
3447 |
fis = new FileInputStream(file); |
|
3448 |
caks = KeyStore.getInstance(JKS); |
|
3449 |
caks.load(fis, null); |
|
3450 |
} finally { |
|
3451 |
if (fis != null) { |
|
3452 |
fis.close(); |
|
3453 |
} |
|
3454 |
} |
|
3455 |
return caks; |
|
3456 |
} |
|
3457 |
||
3458 |
/** |
|
3459 |
* Stores the (leaf) certificates of a keystore in a hashtable. |
|
3460 |
* All certs belonging to the same CA are stored in a vector that |
|
3461 |
* in turn is stored in the hashtable, keyed by the CA's subject DN |
|
3462 |
*/ |
|
3463 |
private void keystorecerts2Hashtable(KeyStore ks, |
|
3464 |
Hashtable<Principal, Vector<Certificate>> hash) |
|
3465 |
throws Exception { |
|
3466 |
||
3467 |
for (Enumeration<String> aliases = ks.aliases(); |
|
3468 |
aliases.hasMoreElements(); ) { |
|
3469 |
String alias = aliases.nextElement(); |
|
3470 |
Certificate cert = ks.getCertificate(alias); |
|
3471 |
if (cert != null) { |
|
3472 |
Principal subjectDN = ((X509Certificate)cert).getSubjectDN(); |
|
3473 |
Vector<Certificate> vec = hash.get(subjectDN); |
|
3474 |
if (vec == null) { |
|
3475 |
vec = new Vector<Certificate>(); |
|
3476 |
vec.addElement(cert); |
|
3477 |
} else { |
|
3478 |
if (!vec.contains(cert)) { |
|
3479 |
vec.addElement(cert); |
|
3480 |
} |
|
3481 |
} |
|
3482 |
hash.put(subjectDN, vec); |
|
3483 |
} |
|
3484 |
} |
|
3485 |
} |
|
3486 |
||
3487 |
/** |
|
3488 |
* Returns the issue time that's specified the -startdate option |
|
3489 |
* @param s the value of -startdate option |
|
3490 |
*/ |
|
3491 |
private static Date getStartDate(String s) throws IOException { |
|
3492 |
Calendar c = new GregorianCalendar(); |
|
3493 |
if (s != null) { |
|
3494 |
IOException ioe = new IOException( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
3495 |
rb.getString("Illegal.startdate.value")); |
2 | 3496 |
int len = s.length(); |
3497 |
if (len == 0) { |
|
3498 |
throw ioe; |
|
3499 |
} |
|
3500 |
if (s.charAt(0) == '-' || s.charAt(0) == '+') { |
|
3501 |
// Form 1: ([+-]nnn[ymdHMS])+ |
|
3502 |
int start = 0; |
|
3503 |
while (start < len) { |
|
3504 |
int sign = 0; |
|
3505 |
switch (s.charAt(start)) { |
|
3506 |
case '+': sign = 1; break; |
|
3507 |
case '-': sign = -1; break; |
|
3508 |
default: throw ioe; |
|
3509 |
} |
|
3510 |
int i = start+1; |
|
3511 |
for (; i<len; i++) { |
|
3512 |
char ch = s.charAt(i); |
|
3513 |
if (ch < '0' || ch > '9') break; |
|
3514 |
} |
|
3515 |
if (i == start+1) throw ioe; |
|
3516 |
int number = Integer.parseInt(s.substring(start+1, i)); |
|
3517 |
if (i >= len) throw ioe; |
|
3518 |
int unit = 0; |
|
3519 |
switch (s.charAt(i)) { |
|
3520 |
case 'y': unit = Calendar.YEAR; break; |
|
3521 |
case 'm': unit = Calendar.MONTH; break; |
|
3522 |
case 'd': unit = Calendar.DATE; break; |
|
3523 |
case 'H': unit = Calendar.HOUR; break; |
|
3524 |
case 'M': unit = Calendar.MINUTE; break; |
|
3525 |
case 'S': unit = Calendar.SECOND; break; |
|
3526 |
default: throw ioe; |
|
3527 |
} |
|
3528 |
c.add(unit, sign * number); |
|
3529 |
start = i + 1; |
|
3530 |
} |
|
3531 |
} else { |
|
3532 |
// Form 2: [yyyy/mm/dd] [HH:MM:SS] |
|
3533 |
String date = null, time = null; |
|
3534 |
if (len == 19) { |
|
3535 |
date = s.substring(0, 10); |
|
3536 |
time = s.substring(11); |
|
3537 |
if (s.charAt(10) != ' ') |
|
3538 |
throw ioe; |
|
3539 |
} else if (len == 10) { |
|
3540 |
date = s; |
|
3541 |
} else if (len == 8) { |
|
3542 |
time = s; |
|
3543 |
} else { |
|
3544 |
throw ioe; |
|
3545 |
} |
|
3546 |
if (date != null) { |
|
3547 |
if (date.matches("\\d\\d\\d\\d\\/\\d\\d\\/\\d\\d")) { |
|
3548 |
c.set(Integer.valueOf(date.substring(0, 4)), |
|
3549 |
Integer.valueOf(date.substring(5, 7))-1, |
|
3550 |
Integer.valueOf(date.substring(8, 10))); |
|
3551 |
} else { |
|
3552 |
throw ioe; |
|
3553 |
} |
|
3554 |
} |
|
3555 |
if (time != null) { |
|
3556 |
if (time.matches("\\d\\d:\\d\\d:\\d\\d")) { |
|
3557 |
c.set(Calendar.HOUR_OF_DAY, Integer.valueOf(time.substring(0, 2))); |
|
3558 |
c.set(Calendar.MINUTE, Integer.valueOf(time.substring(0, 2))); |
|
3559 |
c.set(Calendar.SECOND, Integer.valueOf(time.substring(0, 2))); |
|
3560 |
c.set(Calendar.MILLISECOND, 0); |
|
3561 |
} else { |
|
3562 |
throw ioe; |
|
3563 |
} |
|
3564 |
} |
|
3565 |
} |
|
3566 |
} |
|
3567 |
return c.getTime(); |
|
3568 |
} |
|
3569 |
||
3570 |
/** |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3571 |
* Match a command (may be abbreviated) with a command set. |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3572 |
* @param s the command provided |
5462
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3573 |
* @param list the legal command set. If there is a null, commands after it |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3574 |
* are regarded experimental, which means they are supported but their |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3575 |
* existence should not be revealed to user. |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3576 |
* @return the position of a single match, or -1 if none matched |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3577 |
* @throws Exception if s is ambiguous |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3578 |
*/ |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3579 |
private static int oneOf(String s, String... list) throws Exception { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3580 |
int[] match = new int[list.length]; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3581 |
int nmatch = 0; |
5462
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3582 |
int experiment = Integer.MAX_VALUE; |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3583 |
for (int i = 0; i<list.length; i++) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3584 |
String one = list[i]; |
5462
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3585 |
if (one == null) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3586 |
experiment = i; |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3587 |
continue; |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3588 |
} |
3948 | 3589 |
if (one.toLowerCase(Locale.ENGLISH) |
3590 |
.startsWith(s.toLowerCase(Locale.ENGLISH))) { |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3591 |
match[nmatch++] = i; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3592 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3593 |
StringBuffer sb = new StringBuffer(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3594 |
boolean first = true; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3595 |
for (char c: one.toCharArray()) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3596 |
if (first) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3597 |
sb.append(c); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3598 |
first = false; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3599 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3600 |
if (!Character.isLowerCase(c)) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3601 |
sb.append(c); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3602 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3603 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3604 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3605 |
if (sb.toString().equalsIgnoreCase(s)) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3606 |
match[nmatch++] = i; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3607 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3608 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3609 |
} |
5462
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3610 |
if (nmatch == 0) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3611 |
return -1; |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3612 |
} else if (nmatch == 1) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3613 |
return match[0]; |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3614 |
} else { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3615 |
// If multiple matches is in experimental commands, ignore them |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3616 |
if (match[1] > experiment) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3617 |
return match[0]; |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3618 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3619 |
StringBuffer sb = new StringBuffer(); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3620 |
MessageFormat form = new MessageFormat(rb.getString |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
3621 |
("command.{0}.is.ambiguous.")); |
5462
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3622 |
Object[] source = {s}; |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3623 |
sb.append(form.format(source)); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3624 |
sb.append("\n "); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3625 |
for (int i=0; i<nmatch && match[i]<experiment; i++) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3626 |
sb.append(' '); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3627 |
sb.append(list[match[i]]); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3628 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3629 |
throw new Exception(sb.toString()); |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3630 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3631 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3632 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3633 |
/** |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3634 |
* Create a GeneralName object from known types |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3635 |
* @param t one of 5 known types |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3636 |
* @param v value |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3637 |
* @return which one |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3638 |
*/ |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3639 |
private GeneralName createGeneralName(String t, String v) |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3640 |
throws Exception { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3641 |
GeneralNameInterface gn; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3642 |
int p = oneOf(t, "EMAIL", "URI", "DNS", "IP", "OID"); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3643 |
if (p < 0) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3644 |
throw new Exception(rb.getString( |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
3645 |
"Unrecognized.GeneralName.type.") + t); |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3646 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3647 |
switch (p) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3648 |
case 0: gn = new RFC822Name(v); break; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3649 |
case 1: gn = new URIName(v); break; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3650 |
case 2: gn = new DNSName(v); break; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3651 |
case 3: gn = new IPAddressName(v); break; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3652 |
default: gn = new OIDName(v); break; //4 |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3653 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3654 |
return new GeneralName(gn); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3655 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3656 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3657 |
private static final String[] extSupported = { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3658 |
"BasicConstraints", |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3659 |
"KeyUsage", |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3660 |
"ExtendedKeyUsage", |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3661 |
"SubjectAlternativeName", |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3662 |
"IssuerAlternativeName", |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3663 |
"SubjectInfoAccess", |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3664 |
"AuthorityInfoAccess", |
5462
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3665 |
null, |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3666 |
"CRLDistributionPoints", |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3667 |
}; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3668 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3669 |
private ObjectIdentifier findOidForExtName(String type) |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3670 |
throws Exception { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3671 |
switch (oneOf(type, extSupported)) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3672 |
case 0: return PKIXExtensions.BasicConstraints_Id; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3673 |
case 1: return PKIXExtensions.KeyUsage_Id; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3674 |
case 2: return PKIXExtensions.ExtendedKeyUsage_Id; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3675 |
case 3: return PKIXExtensions.SubjectAlternativeName_Id; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3676 |
case 4: return PKIXExtensions.IssuerAlternativeName_Id; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3677 |
case 5: return PKIXExtensions.SubjectInfoAccess_Id; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3678 |
case 6: return PKIXExtensions.AuthInfoAccess_Id; |
5462
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3679 |
case 8: return PKIXExtensions.CRLDistributionPoints_Id; |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3680 |
default: return new ObjectIdentifier(type); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3681 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3682 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3683 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3684 |
/** |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3685 |
* Create X509v3 extensions from a string representation. Note that the |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3686 |
* SubjectKeyIdentifierExtension will always be created non-critical besides |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3687 |
* the extension requested in the <code>extstr</code> argument. |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3688 |
* |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3689 |
* @param reqex the requested extensions, can be null, used for -gencert |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3690 |
* @param ext the original extensions, can be null, used for -selfcert |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3691 |
* @param extstrs -ext values, Read keytool doc |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3692 |
* @param pkey the public key for the certificate |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3693 |
* @param akey the public key for the authority (issuer) |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3694 |
* @return the created CertificateExtensions |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3695 |
*/ |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3696 |
private CertificateExtensions createV3Extensions( |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3697 |
CertificateExtensions reqex, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3698 |
CertificateExtensions ext, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3699 |
List <String> extstrs, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3700 |
PublicKey pkey, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3701 |
PublicKey akey) throws Exception { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3702 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3703 |
if (ext != null && reqex != null) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3704 |
// This should not happen |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3705 |
throw new Exception("One of request and original should be null."); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3706 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3707 |
if (ext == null) ext = new CertificateExtensions(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3708 |
try { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3709 |
// name{:critical}{=value} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3710 |
// Honoring requested extensions |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3711 |
if (reqex != null) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3712 |
for(String extstr: extstrs) { |
3948 | 3713 |
if (extstr.toLowerCase(Locale.ENGLISH).startsWith("honored=")) { |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3714 |
List<String> list = Arrays.asList( |
3948 | 3715 |
extstr.toLowerCase(Locale.ENGLISH).substring(8).split(",")); |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3716 |
// First check existence of "all" |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3717 |
if (list.contains("all")) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3718 |
ext = reqex; // we know ext was null |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3719 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3720 |
// one by one for others |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3721 |
for (String item: list) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3722 |
if (item.equals("all")) continue; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3723 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3724 |
// add or remove |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3725 |
boolean add = true; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3726 |
// -1, unchanged, 0 crtical, 1 non-critical |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3727 |
int action = -1; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3728 |
String type = null; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3729 |
if (item.startsWith("-")) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3730 |
add = false; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3731 |
type = item.substring(1); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3732 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3733 |
int colonpos = item.indexOf(':'); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3734 |
if (colonpos >= 0) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3735 |
type = item.substring(0, colonpos); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3736 |
action = oneOf(item.substring(colonpos+1), |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3737 |
"critical", "non-critical"); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3738 |
if (action == -1) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3739 |
throw new Exception(rb.getString |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
3740 |
("Illegal.value.") + item); |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3741 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3742 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3743 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3744 |
String n = reqex.getNameByOid(findOidForExtName(type)); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3745 |
if (add) { |
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
10051
diff
changeset
|
3746 |
Extension e = reqex.get(n); |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3747 |
if (!e.isCritical() && action == 0 |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3748 |
|| e.isCritical() && action == 1) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3749 |
e = Extension.newExtension( |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3750 |
e.getExtensionId(), |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3751 |
!e.isCritical(), |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3752 |
e.getExtensionValue()); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3753 |
ext.set(n, e); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3754 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3755 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3756 |
ext.delete(n); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3757 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3758 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3759 |
break; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3760 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3761 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3762 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3763 |
for(String extstr: extstrs) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3764 |
String name, value; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3765 |
boolean isCritical = false; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3766 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3767 |
int eqpos = extstr.indexOf('='); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3768 |
if (eqpos >= 0) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3769 |
name = extstr.substring(0, eqpos); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3770 |
value = extstr.substring(eqpos+1); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3771 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3772 |
name = extstr; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3773 |
value = null; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3774 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3775 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3776 |
int colonpos = name.indexOf(':'); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3777 |
if (colonpos >= 0) { |
3316
32d30c561c5a
6847026: keytool should be able to generate certreq and cert without subject name
weijun
parents:
2437
diff
changeset
|
3778 |
if (oneOf(name.substring(colonpos+1), "critical") == 0) { |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3779 |
isCritical = true; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3780 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3781 |
name = name.substring(0, colonpos); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3782 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3783 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3784 |
if (name.equalsIgnoreCase("honored")) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3785 |
continue; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3786 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3787 |
int exttype = oneOf(name, extSupported); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3788 |
switch (exttype) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3789 |
case 0: // BC |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3790 |
int pathLen = -1; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3791 |
boolean isCA = false; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3792 |
if (value == null) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3793 |
isCA = true; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3794 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3795 |
try { // the abbr format |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3796 |
pathLen = Integer.parseInt(value); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3797 |
isCA = true; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3798 |
} catch (NumberFormatException ufe) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3799 |
// ca:true,pathlen:1 |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3800 |
for (String part: value.split(",")) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3801 |
String[] nv = part.split(":"); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3802 |
if (nv.length != 2) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3803 |
throw new Exception(rb.getString |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
3804 |
("Illegal.value.") + extstr); |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3805 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3806 |
if (nv[0].equalsIgnoreCase("ca")) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3807 |
isCA = Boolean.parseBoolean(nv[1]); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3808 |
} else if (nv[0].equalsIgnoreCase("pathlen")) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3809 |
pathLen = Integer.parseInt(nv[1]); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3810 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3811 |
throw new Exception(rb.getString |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
3812 |
("Illegal.value.") + extstr); |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3813 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3814 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3815 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3816 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3817 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3818 |
ext.set(BasicConstraintsExtension.NAME, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3819 |
new BasicConstraintsExtension(isCritical, isCA, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3820 |
pathLen)); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3821 |
break; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3822 |
case 1: // KU |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3823 |
if(value != null) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3824 |
boolean[] ok = new boolean[9]; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3825 |
for (String s: value.split(",")) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3826 |
int p = oneOf(s, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3827 |
"digitalSignature", // (0), |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3828 |
"nonRepudiation", // (1) |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3829 |
"keyEncipherment", // (2), |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3830 |
"dataEncipherment", // (3), |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3831 |
"keyAgreement", // (4), |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3832 |
"keyCertSign", // (5), |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3833 |
"cRLSign", // (6), |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3834 |
"encipherOnly", // (7), |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3835 |
"decipherOnly", // (8) |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3836 |
"contentCommitment" // also (1) |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3837 |
); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3838 |
if (p < 0) { |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
3839 |
throw new Exception(rb.getString("Unknown.keyUsage.type.") + s); |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3840 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3841 |
if (p == 9) p = 1; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3842 |
ok[p] = true; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3843 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3844 |
KeyUsageExtension kue = new KeyUsageExtension(ok); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3845 |
// The above KeyUsageExtension constructor does not |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3846 |
// allow isCritical value, so... |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3847 |
ext.set(KeyUsageExtension.NAME, Extension.newExtension( |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3848 |
kue.getExtensionId(), |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3849 |
isCritical, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3850 |
kue.getExtensionValue())); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3851 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3852 |
throw new Exception(rb.getString |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
3853 |
("Illegal.value.") + extstr); |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3854 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3855 |
break; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3856 |
case 2: // EKU |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3857 |
if(value != null) { |
7977
f47f211cd627
7008713: diamond conversion of kerberos5 and security tools
smarks
parents:
7179
diff
changeset
|
3858 |
Vector<ObjectIdentifier> v = new Vector<>(); |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3859 |
for (String s: value.split(",")) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3860 |
int p = oneOf(s, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3861 |
"anyExtendedKeyUsage", |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3862 |
"serverAuth", //1 |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3863 |
"clientAuth", //2 |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3864 |
"codeSigning", //3 |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3865 |
"emailProtection", //4 |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3866 |
"", //5 |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3867 |
"", //6 |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3868 |
"", //7 |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3869 |
"timeStamping", //8 |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3870 |
"OCSPSigning" //9 |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3871 |
); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3872 |
if (p < 0) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3873 |
try { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3874 |
v.add(new ObjectIdentifier(s)); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3875 |
} catch (Exception e) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3876 |
throw new Exception(rb.getString( |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
3877 |
"Unknown.extendedkeyUsage.type.") + s); |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3878 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3879 |
} else if (p == 0) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3880 |
v.add(new ObjectIdentifier("2.5.29.37.0")); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3881 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3882 |
v.add(new ObjectIdentifier("1.3.6.1.5.5.7.3." + p)); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3883 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3884 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3885 |
ext.set(ExtendedKeyUsageExtension.NAME, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3886 |
new ExtendedKeyUsageExtension(isCritical, v)); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3887 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3888 |
throw new Exception(rb.getString |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
3889 |
("Illegal.value.") + extstr); |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3890 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3891 |
break; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3892 |
case 3: // SAN |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3893 |
case 4: // IAN |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3894 |
if(value != null) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3895 |
String[] ps = value.split(","); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3896 |
GeneralNames gnames = new GeneralNames(); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3897 |
for(String item: ps) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3898 |
colonpos = item.indexOf(':'); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3899 |
if (colonpos < 0) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3900 |
throw new Exception("Illegal item " + item + " in " + extstr); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3901 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3902 |
String t = item.substring(0, colonpos); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3903 |
String v = item.substring(colonpos+1); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3904 |
gnames.add(createGeneralName(t, v)); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3905 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3906 |
if (exttype == 3) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3907 |
ext.set(SubjectAlternativeNameExtension.NAME, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3908 |
new SubjectAlternativeNameExtension( |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3909 |
isCritical, gnames)); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3910 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3911 |
ext.set(IssuerAlternativeNameExtension.NAME, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3912 |
new IssuerAlternativeNameExtension( |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3913 |
isCritical, gnames)); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3914 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3915 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3916 |
throw new Exception(rb.getString |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
3917 |
("Illegal.value.") + extstr); |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3918 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3919 |
break; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3920 |
case 5: // SIA, always non-critical |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3921 |
case 6: // AIA, always non-critical |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3922 |
if (isCritical) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3923 |
throw new Exception(rb.getString( |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
3924 |
"This.extension.cannot.be.marked.as.critical.") + extstr); |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3925 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3926 |
if(value != null) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3927 |
List<AccessDescription> accessDescriptions = |
7977
f47f211cd627
7008713: diamond conversion of kerberos5 and security tools
smarks
parents:
7179
diff
changeset
|
3928 |
new ArrayList<>(); |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3929 |
String[] ps = value.split(","); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3930 |
for(String item: ps) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3931 |
colonpos = item.indexOf(':'); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3932 |
int colonpos2 = item.indexOf(':', colonpos+1); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3933 |
if (colonpos < 0 || colonpos2 < 0) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3934 |
throw new Exception(rb.getString |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
3935 |
("Illegal.value.") + extstr); |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3936 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3937 |
String m = item.substring(0, colonpos); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3938 |
String t = item.substring(colonpos+1, colonpos2); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3939 |
String v = item.substring(colonpos2+1); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3940 |
int p = oneOf(m, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3941 |
"", |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3942 |
"ocsp", //1 |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3943 |
"caIssuers", //2 |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3944 |
"timeStamping", //3 |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3945 |
"", |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3946 |
"caRepository" //5 |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3947 |
); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3948 |
ObjectIdentifier oid; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3949 |
if (p < 0) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3950 |
try { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3951 |
oid = new ObjectIdentifier(m); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3952 |
} catch (Exception e) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3953 |
throw new Exception(rb.getString( |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
3954 |
"Unknown.AccessDescription.type.") + m); |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3955 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3956 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3957 |
oid = new ObjectIdentifier("1.3.6.1.5.5.7.48." + p); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3958 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3959 |
accessDescriptions.add(new AccessDescription( |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3960 |
oid, createGeneralName(t, v))); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3961 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3962 |
if (exttype == 5) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3963 |
ext.set(SubjectInfoAccessExtension.NAME, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3964 |
new SubjectInfoAccessExtension(accessDescriptions)); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3965 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3966 |
ext.set(AuthorityInfoAccessExtension.NAME, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3967 |
new AuthorityInfoAccessExtension(accessDescriptions)); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3968 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3969 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3970 |
throw new Exception(rb.getString |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
3971 |
("Illegal.value.") + extstr); |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3972 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3973 |
break; |
5462
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3974 |
case 8: // CRL, experimental, only support 1 distributionpoint |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3975 |
if(value != null) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3976 |
String[] ps = value.split(","); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3977 |
GeneralNames gnames = new GeneralNames(); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3978 |
for(String item: ps) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3979 |
colonpos = item.indexOf(':'); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3980 |
if (colonpos < 0) { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3981 |
throw new Exception("Illegal item " + item + " in " + extstr); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3982 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3983 |
String t = item.substring(0, colonpos); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3984 |
String v = item.substring(colonpos+1); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3985 |
gnames.add(createGeneralName(t, v)); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3986 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3987 |
ext.set(CRLDistributionPointsExtension.NAME, |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3988 |
new CRLDistributionPointsExtension( |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3989 |
isCritical, Collections.singletonList( |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3990 |
new DistributionPoint(gnames, null, null)))); |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3991 |
} else { |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3992 |
throw new Exception(rb.getString |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
3993 |
("Illegal.value.") + extstr); |
5462
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3994 |
} |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
3995 |
break; |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3996 |
case -1: |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3997 |
ObjectIdentifier oid = new ObjectIdentifier(name); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3998 |
byte[] data = null; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
3999 |
if (value != null) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4000 |
data = new byte[value.length() / 2 + 1]; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4001 |
int pos = 0; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4002 |
for (char c: value.toCharArray()) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4003 |
int hex; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4004 |
if (c >= '0' && c <= '9') { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4005 |
hex = c - '0' ; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4006 |
} else if (c >= 'A' && c <= 'F') { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4007 |
hex = c - 'A' + 10; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4008 |
} else if (c >= 'a' && c <= 'f') { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4009 |
hex = c - 'a' + 10; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4010 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4011 |
continue; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4012 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4013 |
if (pos % 2 == 0) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4014 |
data[pos/2] = (byte)(hex << 4); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4015 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4016 |
data[pos/2] += hex; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4017 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4018 |
pos++; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4019 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4020 |
if (pos % 2 != 0) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4021 |
throw new Exception(rb.getString( |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
4022 |
"Odd.number.of.hex.digits.found.") + extstr); |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4023 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4024 |
data = Arrays.copyOf(data, pos/2); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4025 |
} else { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4026 |
data = new byte[0]; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4027 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4028 |
ext.set(oid.toString(), new Extension(oid, isCritical, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4029 |
new DerValue(DerValue.tag_OctetString, data) |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4030 |
.toByteArray())); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4031 |
break; |
5462
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
4032 |
default: |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
4033 |
throw new Exception(rb.getString( |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
4034 |
"Unknown.extension.type.") + extstr); |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4035 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4036 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4037 |
// always non-critical |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4038 |
ext.set(SubjectKeyIdentifierExtension.NAME, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4039 |
new SubjectKeyIdentifierExtension( |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4040 |
new KeyIdentifier(pkey).getIdentifier())); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4041 |
if (akey != null && !pkey.equals(akey)) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4042 |
ext.set(AuthorityKeyIdentifierExtension.NAME, |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4043 |
new AuthorityKeyIdentifierExtension( |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4044 |
new KeyIdentifier(akey), null, null)); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4045 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4046 |
} catch(IOException e) { |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4047 |
throw new RuntimeException(e); |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4048 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4049 |
return ext; |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4050 |
} |
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4051 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4052 |
/** |
2 | 4053 |
* Prints the usage of this tool. |
4054 |
*/ |
|
4055 |
private void usage() { |
|
3948 | 4056 |
if (command != null) { |
4057 |
System.err.println("keytool " + command + |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
4058 |
rb.getString(".OPTION.")); |
3948 | 4059 |
System.err.println(); |
4060 |
System.err.println(rb.getString(command.description)); |
|
4061 |
System.err.println(); |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
4062 |
System.err.println(rb.getString("Options.")); |
3948 | 4063 |
System.err.println(); |
4064 |
||
4065 |
// Left and right sides of the options list |
|
4066 |
String[] left = new String[command.options.length]; |
|
4067 |
String[] right = new String[command.options.length]; |
|
4068 |
||
4069 |
// Check if there's an unknown option |
|
4070 |
boolean found = false; |
|
4071 |
||
4072 |
// Length of left side of options list |
|
4073 |
int lenLeft = 0; |
|
4074 |
for (int j=0; j<left.length; j++) { |
|
4819
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
4075 |
Option opt = command.options[j]; |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
4076 |
left[j] = opt.toString(); |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
4077 |
if (opt.arg != null) left[j] += " " + opt.arg; |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
4078 |
if (left[j].length() > lenLeft) { |
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
4079 |
lenLeft = left[j].length(); |
3948 | 4080 |
} |
4819
c1661a223e19
6922482: keytool's help on -file always shows 'output file'
weijun
parents:
4350
diff
changeset
|
4081 |
right[j] = rb.getString(opt.description); |
3948 | 4082 |
} |
4083 |
for (int j=0; j<left.length; j++) { |
|
4084 |
System.err.printf(" %-" + lenLeft + "s %s\n", |
|
4085 |
left[j], right[j]); |
|
4086 |
} |
|
4087 |
System.err.println(); |
|
4088 |
System.err.println(rb.getString( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
4089 |
"Use.keytool.help.for.all.available.commands")); |
3948 | 4090 |
} else { |
4091 |
System.err.println(rb.getString( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
4092 |
"Key.and.Certificate.Management.Tool")); |
3948 | 4093 |
System.err.println(); |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
4094 |
System.err.println(rb.getString("Commands.")); |
3948 | 4095 |
System.err.println(); |
4096 |
for (Command c: Command.values()) { |
|
5462
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
4097 |
if (c == KEYCLONE) break; |
cb614e59f7f9
6890876: jarsigner can add CRL info into signed jar
weijun
parents:
5457
diff
changeset
|
4098 |
System.err.printf(" %-20s%s\n", c, rb.getString(c.description)); |
3948 | 4099 |
} |
4100 |
System.err.println(); |
|
4101 |
System.err.println(rb.getString( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
4102 |
"Use.keytool.command.name.help.for.usage.of.command.name")); |
3948 | 4103 |
} |
2 | 4104 |
} |
4105 |
||
4106 |
private void tinyHelp() { |
|
3948 | 4107 |
usage(); |
2 | 4108 |
if (debug) { |
4109 |
throw new RuntimeException("NO BIG ERROR, SORRY"); |
|
4110 |
} else { |
|
4111 |
System.exit(1); |
|
4112 |
} |
|
4113 |
} |
|
4114 |
||
4115 |
private void errorNeedArgument(String flag) { |
|
4116 |
Object[] source = {flag}; |
|
4117 |
System.err.println(new MessageFormat( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
4118 |
rb.getString("Command.option.flag.needs.an.argument.")).format(source)); |
2 | 4119 |
tinyHelp(); |
4120 |
} |
|
3951
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4121 |
|
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4122 |
private char[] getPass(String modifier, String arg) { |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4123 |
char[] output = getPassWithModifier(modifier, arg); |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4124 |
if (output != null) return output; |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4125 |
tinyHelp(); |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4126 |
return null; // Useless, tinyHelp() already exits. |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4127 |
} |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4128 |
|
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4129 |
// This method also used by JarSigner |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4130 |
public static char[] getPassWithModifier(String modifier, String arg) { |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4131 |
if (modifier == null) { |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4132 |
return arg.toCharArray(); |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4133 |
} else if (collator.compare(modifier, "env") == 0) { |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4134 |
String value = System.getenv(arg); |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4135 |
if (value == null) { |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4136 |
System.err.println(rb.getString( |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
4137 |
"Cannot.find.environment.variable.") + arg); |
3951
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4138 |
return null; |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4139 |
} else { |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4140 |
return value.toCharArray(); |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4141 |
} |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4142 |
} else if (collator.compare(modifier, "file") == 0) { |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4143 |
try { |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4144 |
URL url = null; |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4145 |
try { |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4146 |
url = new URL(arg); |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4147 |
} catch (java.net.MalformedURLException mue) { |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4148 |
File f = new File(arg); |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4149 |
if (f.exists()) { |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4150 |
url = f.toURI().toURL(); |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4151 |
} else { |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4152 |
System.err.println(rb.getString( |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
4153 |
"Cannot.find.file.") + arg); |
3951
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4154 |
return null; |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4155 |
} |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4156 |
} |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4157 |
BufferedReader br = new BufferedReader(new InputStreamReader( |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4158 |
url.openStream())); |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4159 |
String value = br.readLine(); |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4160 |
br.close(); |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4161 |
if (value == null) { |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4162 |
return new char[0]; |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4163 |
} else { |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4164 |
return value.toCharArray(); |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4165 |
} |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4166 |
} catch (IOException ioe) { |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4167 |
System.err.println(ioe); |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4168 |
return null; |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4169 |
} |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4170 |
} else { |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
6688
diff
changeset
|
4171 |
System.err.println(rb.getString("Unknown.password.type.") + |
3951
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4172 |
modifier); |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4173 |
return null; |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4174 |
} |
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4175 |
} |
2 | 4176 |
} |
4177 |
||
4178 |
// This class is exactly the same as com.sun.tools.javac.util.Pair, |
|
4179 |
// it's copied here since the original one is not included in JRE. |
|
4180 |
class Pair<A, B> { |
|
4181 |
||
4182 |
public final A fst; |
|
4183 |
public final B snd; |
|
4184 |
||
4185 |
public Pair(A fst, B snd) { |
|
4186 |
this.fst = fst; |
|
4187 |
this.snd = snd; |
|
4188 |
} |
|
4189 |
||
4190 |
public String toString() { |
|
4191 |
return "Pair[" + fst + "," + snd + "]"; |
|
4192 |
} |
|
4193 |
||
4194 |
public boolean equals(Object other) { |
|
4195 |
return |
|
4196 |
other instanceof Pair && |
|
10051 | 4197 |
Objects.equals(fst, ((Pair)other).fst) && |
4198 |
Objects.equals(snd, ((Pair)other).snd); |
|
2 | 4199 |
} |
4200 |
||
4201 |
public int hashCode() { |
|
4202 |
if (fst == null) return (snd == null) ? 0 : snd.hashCode() + 1; |
|
4203 |
else if (snd == null) return fst.hashCode() + 2; |
|
4204 |
else return fst.hashCode() * 17 + snd.hashCode(); |
|
4205 |
} |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4206 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4207 |
public static <A,B> Pair<A,B> of(A a, B b) { |
7977
f47f211cd627
7008713: diamond conversion of kerberos5 and security tools
smarks
parents:
7179
diff
changeset
|
4208 |
return new Pair<>(a,b); |
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
909
diff
changeset
|
4209 |
} |
2 | 4210 |
} |
3951
e821908c953e
6868579: RFE: jarsigner to support reading password from environment variable
weijun
parents:
3948
diff
changeset
|
4211 |