author | erikj |
Tue, 12 Sep 2017 19:03:39 +0200 | |
changeset 47216 | 71c04702a3d5 |
parent 45839 | jdk/test/sun/security/tools/keytool/WeakAlg.java@6df5e24443fc |
child 47420 | a2bf68a0365f |
permissions | -rw-r--r-- |
/* |
* Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
* |
* This code is free software; you can redistribute it and/or modify it |
* under the terms of the GNU General Public License version 2 only, as |
* published by the Free Software Foundation. |
* |
* This code is distributed in the hope that it will be useful, but WITHOUT |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
* version 2 for more details (a copy is included in the LICENSE file that |
* accompanied this code). |
* |
* You should have received a copy of the GNU General Public License version |
* 2 along with this work; if not, write to the Free Software Foundation, |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
* |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
* or visit www.oracle.com if you need additional information or have any |
* questions. |
*/ |
|
/* |
* @test |
* @bug 8171319 8177569 |
* @summary keytool should print out warnings when reading or generating |
* cert/cert req using weak algorithms |
* @library /test/lib |
* @modules java.base/sun.security.tools.keytool |
* java.base/sun.security.tools |
* java.base/sun.security.util |
* @build jdk.test.lib.SecurityTools |
* jdk.test.lib.Utils |
* jdk.test.lib.Asserts |
* jdk.test.lib.JDKToolFinder |
* jdk.test.lib.JDKToolLauncher |
* jdk.test.lib.Platform |
* jdk.test.lib.process.* |
* @run main/othervm/timeout=600 -Duser.language=en -Duser.country=US WeakAlg |
*/ |
|
import jdk.test.lib.SecurityTools; |
import jdk.test.lib.process.OutputAnalyzer; |
import sun.security.tools.KeyStoreUtil; |
import sun.security.util.DisabledAlgorithmConstraints; |
|
import java.io.ByteArrayInputStream; |
import java.io.ByteArrayOutputStream; |
import java.io.IOException; |
import java.io.InputStream; |
import java.io.PrintStream; |
import java.nio.file.Files; |
import java.nio.file.Paths; |
import java.nio.file.StandardCopyOption; |
import java.security.CryptoPrimitive; |
import java.security.KeyStore; |
import java.security.cert.X509Certificate; |
import java.util.Collections; |
import java.util.EnumSet; |
import java.util.Set; |
import java.util.stream.Collectors; |
import java.util.stream.Stream; |
|
public class WeakAlg { |
|
/**
 * Entry point of the test: runs a sequence of keytool commands and checks
 * which of them print a weak-algorithm warning.
 *
 * Three entries are generated first: "a" with -sigalg MD5withRSA, "b" with
 * a 512-bit RSA key, and "c" with only -keyalg RSA. The later checks reuse
 * those aliases, so the statement order below matters.
 *
 * NOTE(review): the last argument of the check* helpers looks like the weak
 * item expected in the warning, with null meaning that no warning is
 * expected; the helpers are outside this view, so confirm against them.
 *
 * @param args not used
 * @throws Throwable propagated from the helpers and from the output checks
 */
public static void main(String[] args) throws Throwable {

    // Text shared by several checks, spelled once so the expected warnings
    // stay consistent across commands.
    final String warningHeader = "Warning:";
    final String md5Sig = "MD5withRSA";
    final String shortRsaKey = "512-bit RSA key";
    final String md2Option = "-sigalg MD2withRSA";
    final String entryAWeakSig = "<a>.*MD5withRSA.*risk";
    final String entryBWeakKey = "<b>.*512-bit RSA key.*risk";
    final String requestWeakSig = "The certificate request.*MD5withRSA.*risk";
    final String generatedMd2 = "The generated certificate.*MD2withRSA.*risk";

    // Start without a leftover "ks" (presumably the keystore that kt()
    // operates on; confirm against kt()).
    rm("ks");

    // -genkeypair, then -printcert, -list -alias and -exportcert in their
    // different output formats.
    checkGenKeyPair("a", "-keyalg RSA -sigalg MD5withRSA", md5Sig);
    checkGenKeyPair("b", "-keyalg RSA -keysize 512", shortRsaKey);
    checkGenKeyPair("c", "-keyalg RSA", null);

    // A plain listing must name both weak entries in its warning block.
    kt("-list")
            .shouldContain(warningHeader)
            .shouldMatch(entryAWeakSig)
            .shouldMatch(entryBWeakKey);

    // The verbose listing must additionally tag the weak values inline
    // with "(weak)".
    kt("-list -v")
            .shouldContain(warningHeader)
            .shouldMatch(entryAWeakSig)
            .shouldContain("MD5withRSA (weak)")
            .shouldMatch(entryBWeakKey)
            .shouldContain("512-bit RSA key (weak)");

    // Multiple warnings for multiple certs in -printcert, -list or
    // -exportcert (no statements follow this note in the visible code).

    // -certreq, -printcertreq, -gencert
    // NOTE(review): gencert("x-y", ...) appears to mean "x issues a cert
    // for y's request", judging by the warnings asserted; confirm.
    checkCertReq("a", "", null);
    gencert("c-a", "")
            .shouldNotContain("Warning"); // the new sigalg is not weak
    gencert("c-a", md2Option)
            .shouldContain(warningHeader)
            .shouldMatch(generatedMd2);

    // A request signed with MD5withRSA must be reported whatever
    // algorithm signs the resulting certificate.
    checkCertReq("a", "-sigalg MD5withRSA", md5Sig);
    gencert("c-a", "")
            .shouldContain(warningHeader)
            .shouldMatch(requestWeakSig);
    gencert("c-a", md2Option)
            .shouldContain(warningHeader)
            .shouldMatch(requestWeakSig)
            .shouldMatch(generatedMd2);

    // The 512-bit key is reported for the request and for the generated
    // certificate.
    checkCertReq("b", "", shortRsaKey);
    gencert("c-b", "")
            .shouldContain(warningHeader)
            .shouldMatch("The certificate request.*512-bit RSA key.*risk")
            .shouldMatch("The generated certificate.*512-bit RSA key.*risk");

    // A weak issuer is reported at generation time ...
    checkCertReq("c", "", null);
    gencert("a-c", "")
            .shouldContain(warningHeader)
            .shouldMatch("The issuer.*MD5withRSA.*risk");

    // ... but the certificate it issued is not weak itself.
    kt("-printcert -file a-c.cert")
            .shouldNotContain("Warning")
            .shouldNotContain("weak");

    gencert("b-c", "")
            .shouldContain(warningHeader)
            .shouldMatch("The issuer.*512-bit RSA key.*risk");

    // -importcert
    checkImport();

    // -importkeystore
    checkImportKeyStore();

    // -gencrl, -printcrl
    checkGenCRL("a", "", null);
    checkGenCRL("a", "-sigalg MD5withRSA", md5Sig);
    checkGenCRL("b", "", shortRsaKey);
    checkGenCRL("c", "", null);

    // With alias "b" deleted, printing b.crl must say the CRL was not
    // verified.
    kt("-delete -alias b");
    kt("-printcrl -file b.crl")
            .shouldContain("WARNING: not verified");
}
|
/**
 * Checks that -importkeystore reports the weak entries it copies.
 *
 * The store is saved first and restored at the end, with "ks" removed
 * before each import.
 * NOTE(review): saveStore() presumably leaves a copy named "ks2", which
 * is the source store read here; confirm against saveStore()/reStore().
 *
 * @throws Exception propagated from the helpers and from the output checks
 */
static void checkImportKeyStore() throws Exception {

    // "changeit" is a fixed password for the test's own source store.
    final String importFromSaved =
            "-importkeystore -srckeystore ks2 -srcstorepass changeit";
    final String entryAWeakSig = "<a>.*MD5withRSA.*risk";

    saveStore();

    // Importing everything: all three entries arrive and both weak ones
    // are named in the warning.
    rm("ks");
    kt(importFromSaved)
            .shouldContain("3 entries successfully imported")
            .shouldContain("Warning")
            .shouldMatch("<b>.*512-bit RSA key.*risk")
            .shouldMatch(entryAWeakSig);

    // Importing alias "a" alone still warns about its MD5withRSA signature.
    rm("ks");
    kt(importFromSaved + " -srcalias a")
            .shouldContain("Warning")
            .shouldMatch(entryAWeakSig);

    reStore();
}
|
static void checkImport() throws Exception { |
|
saveStore(); |
|
// add trusted cert |
|
// cert already in |
kt("-importcert -alias d -file a.cert", "no") |
.shouldContain("Certificate already exists in keystore") |
.shouldContain("Warning") |
.shouldMatch("The input.*MD5withRSA.*risk") |
.shouldContain("Do you still want to add it?"); |
kt("-importcert -alias d -file a.cert -noprompt") |
.shouldContain("Warning") |
.shouldMatch("The input.*MD5withRSA.*risk") |
.shouldNotContain("[no]"); |
|
// cert is self-signed |
kt("-delete -alias a"); |
kt("-delete -alias d"); |
kt("-importcert -alias d -file a.cert", "no") |
.shouldContain("Warning") |
.shouldContain("MD5withRSA (weak)") |
.shouldMatch("The input.*MD5withRSA.*risk") |
.shouldContain("Trust this certificate?"); |
kt("-importcert -alias d -file a.cert -noprompt") |
.shouldContain("Warning") |
.shouldMatch("The input.*MD5withRSA.*risk") |
.shouldNotContain("[no]"); |
|
// JDK-8177569: no warning for sigalg of trusted cert |
String weakSigAlgCA = null; |
KeyStore ks = KeyStoreUtil.getCacertsKeyStore(); |
if (ks != null) { |
DisabledAlgorithmConstraints disabledCheck = |
new DisabledAlgorithmConstraints( |
DisabledAlgorithmConstraints.PROPERTY_CERTPATH_DISABLED_ALGS); |
Set<CryptoPrimitive> sigPrimitiveSet = Collections |
.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE)); |
|
for (String s : Collections.list(ks.aliases())) { |
if (ks.isCertificateEntry(s)) { |
X509Certificate c = (X509Certificate)ks.getCertificate(s); |
String sigAlg = c.getSigAlgName(); |
if (!disabledCheck.permits(sigPrimitiveSet, sigAlg, null)) { |
weakSigAlgCA = sigAlg; |
Files.write(Paths.get("ca.cert"), |
ks.getCertificate(s).getEncoded()); |
break; |
} |
} |
} |
} |
if (weakSigAlgCA != null) { |
// The following 2 commands still have a warning on why not using |
// the -cacerts option directly. |
kt("-list -keystore " + KeyStoreUtil.getCacerts()) |
.shouldNotContain("risk"); |
kt("-list -v -keystore " + KeyStoreUtil.getCacerts()) |
.shouldNotContain("risk"); |
|
// -printcert will always show warnings |
kt("-printcert -file ca.cert") |
.shouldContain("name: " + weakSigAlgCA + " (weak)") |
.shouldContain("Warning") |
.shouldMatch("The certificate.*" + weakSigAlgCA + ".*risk"); |
kt("-printcert -file ca.cert -trustcacerts") // -trustcacerts useless |
.shouldContain("name: " + weakSigAlgCA + " (weak)") |
.shouldContain("Warning") |
.shouldMatch("The certificate.*" + weakSigAlgCA + ".*risk"); |
|
// Importing with -trustcacerts ignore CA cert's sig alg |
kt("-delete -alias d"); |
kt("-importcert -alias d -trustcacerts -file ca.cert", "no") |
.shouldContain("Certificate already exists in system-wide CA") |
.shouldNotContain("risk") |
.shouldContain("Do you still want to add it to your own keystore?"); |
kt("-importcert -alias d -trustcacerts -file ca.cert -noprompt") |
.shouldNotContain("risk") |
.shouldNotContain("[no]"); |
|
// but not without -trustcacerts |
kt("-delete -alias d"); |
kt("-importcert -alias d -file ca.cert", "no") |
.shouldContain("name: " + weakSigAlgCA + " (weak)") |
.shouldContain("Warning") |
.shouldMatch("The input.*" + weakSigAlgCA + ".*risk") |
.shouldContain("Trust this certificate?"); |
kt("-importcert -alias d -file ca.cert -noprompt") |
.shouldContain("Warning") |
.shouldMatch("The input.*" + weakSigAlgCA + ".*risk") |
.shouldNotContain("[no]"); |
} |
|
// a non self-signed weak cert |
reStore(); |
certreq("b", ""); |
gencert("c-b", ""); |
kt("-importcert -alias d -file c-b.cert") // weak only, no prompt |
.shouldContain("Warning") |
.shouldNotContain("512-bit RSA key (weak)") |
.shouldMatch("The input.*512-bit RSA key.*risk") |
.shouldNotContain("[no]"); |
|
kt("-delete -alias b"); |
kt("-delete -alias c"); |
kt("-delete -alias d"); |
|
kt("-importcert -alias d -file c-b.cert", "no") // weak and not trusted |
.shouldContain("Warning") |
.shouldContain("512-bit RSA key (weak)") |
.shouldMatch("The input.*512-bit RSA key.*risk") |
.shouldContain("Trust this certificate?"); |
kt("-importcert -alias d -file c-b.cert -noprompt") |
.shouldContain("Warning") |
.shouldMatch("The input.*512-bit RSA key.*risk") |
.shouldNotContain("[no]"); |
|
// a non self-signed strong cert |
reStore(); |
certreq("a", ""); |
gencert("c-a", ""); |
kt("-importcert -alias d -file c-a.cert") // trusted |
.shouldNotContain("Warning") |
.shouldNotContain("[no]"); |
|
kt("-delete -alias a"); |
kt("-delete -alias c"); |
kt("-delete -alias d"); |
|
kt("-importcert -alias d -file c-a.cert", "no") // not trusted |
.shouldNotContain("Warning") |
.shouldContain("Trust this certificate?"); |
kt("-importcert -alias d -file c-a.cert -noprompt") |
.shouldNotContain("Warning") |
.shouldNotContain("[no]"); |
|
// install reply |
|
reStore(); |
certreq("c", ""); |
gencert("a-c", ""); |
kt("-importcert -alias c -file a-c.cert") |
.shouldContain("Warning") |
.shouldMatch("Issuer <a>.*MD5withRSA.*risk"); |
|
// JDK-8177569: no warning for sigalg of trusted cert |
reStore(); |
// Change a into a TrustedCertEntry |
kt("-exportcert -alias a -file a.cert"); |
kt("-delete -alias a"); |
kt("-importcert -alias a -file a.cert -noprompt"); |
kt("-list -alias a -v") |
.shouldNotContain("weak") |
.shouldNotContain("Warning"); |
// This time a is trusted and no warning on its weak sig alg |
kt("-importcert -alias c -file a-c.cert") |
.shouldNotContain("Warning"); |
|
reStore(); |
|
gencert("a-b", ""); |
gencert("b-c", ""); |
|
// Full chain with root |
cat("a-a-b-c.cert", "b-c.cert", "a-b.cert", "a.cert"); |
kt("-importcert -alias c -file a-a-b-c.cert") // only weak |
.shouldContain("Warning") |
.shouldMatch("Reply #2 of 3.*512-bit RSA key.*risk") |
.shouldMatch("Reply #3 of 3.*MD5withRSA.*risk") |
.shouldNotContain("[no]"); |
|
// Without root |
cat("a-b-c.cert", "b-c.cert", "a-b.cert"); |
kt("-importcert -alias c -file a-b-c.cert") // only weak |
.shouldContain("Warning") |
.shouldMatch("Reply #2 of 2.*512-bit RSA key.*risk") |
.shouldMatch("Issuer <a>.*MD5withRSA.*risk") |
.shouldNotContain("[no]"); |
|
reStore(); |
gencert("b-a", ""); |
|
kt("-importcert -alias a -file b-a.cert") |
.shouldContain("Warning") |
.shouldMatch("Issuer <b>.*512-bit RSA key.*risk") |
.shouldNotContain("[no]"); |
|
kt("-importcert -alias a -file c-a.cert") |
.shouldNotContain("Warning"); |
|
kt("-importcert -alias b -file c-b.cert") |
.shouldContain("Warning") |
.shouldMatch("The input.*512-bit RSA key.*risk") |
.shouldNotContain("[no]"); |
|
reStore(); |
gencert("b-a", ""); |
|
cat("c-b-a.cert", "b-a.cert", "c-b.cert"); |
|
kt("-printcert -file c-b-a.cert") |
.shouldContain("Warning") |
.shouldMatch("The certificate #2 of 2.*512-bit RSA key.*risk"); |
|
kt("-delete -alias b"); |
|
kt("-importcert -alias a -file c-b-a.cert") |
.shouldContain("Warning") |
.shouldMatch("Reply #2 of 2.*512-bit RSA key.*risk") |
.shouldNotContain("[no]"); |
|
kt("-delete -alias c"); |
kt("-importcert -alias a -file c-b-a.cert", "no") |
.shouldContain("Top-level certificate in reply:") |
.shouldContain("512-bit RSA key (weak)") |
.shouldContain("Warning") |
.shouldMatch("Reply #2 of 2.*512-bit RSA key.*risk") |
.shouldContain("Install reply anyway?"); |
kt("-importcert -alias a -file c-b-a.cert -noprompt") |
.shouldContain("Warning") |
.shouldMatch("Reply #2 of 2.*512-bit RSA key.*risk") |
.shouldNotContain("[no]"); |
|
reStore(); |
} |
|
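/**
 * Concatenates the files named in {@code src}, in the order given, into
 * {@code dest}, and echoes a shell-style {@code $ cat ... > dest} line to
 * standard output so the test log shows how the file was assembled.
 *
 * @param dest path of the file to write; created, or truncated if it exists
 * @param src  paths of the files whose bytes are appended in order
 * @throws IOException if any source cannot be read or {@code dest} cannot
 *         be written
 */
private static void cat(String dest, String... src) throws IOException {
    System.out.println("---------------------------------------------");
    System.out.print("$ cat ");

    ByteArrayOutputStream bout = new ByteArrayOutputStream();
    for (String s : src) {
        // Print the name as data, not as a printf format string: a '%' in a
        // file name would otherwise be parsed as a format specifier.
        System.out.print(s + " ");
        bout.write(Files.readAllBytes(Paths.get(s)));
    }
    Files.write(Paths.get(dest), bout.toByteArray());
    System.out.println("> " + dest);
}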
|
/**
 * Generates a CRL for {@code alias} with {@code -gencrl}, prints it back with
 * {@code -printcrl}, and checks the weak-algorithm warning on both outputs.
 *
 * @param alias   keystore alias used for {@code -gencrl}; the CRL is written
 *                to {@code <alias>.crl}
 * @param options extra command-line options appended to the {@code -gencrl}
 *                command
 * @param bad     text expected to be reported as weak, or {@code null} when
 *                no warning is expected. It is spliced unquoted into the
 *                patterns given to {@code shouldMatch}, so it is presumably
 *                expected to be free of regex metacharacters.
 */
static void checkGenCRL(String alias, String options, String bad) {

    final boolean expectWeak = bad != null;
    final String crlFile = alias + ".crl";

    // Step 1: generating the CRL must warn exactly when a weak algorithm
    // is expected.
    OutputAnalyzer generated = kt("-gencrl -alias " + alias
            + " -id 1 -file " + crlFile + " " + options);
    if (expectWeak) {
        generated.shouldContain("Warning")
                .shouldMatch("The generated CRL.*" + bad + ".*risk");
    } else {
        generated.shouldNotContain("Warning");
    }

    // Step 2: printing the CRL must repeat the verdict and still report
    // which keystore entry verified it.
    OutputAnalyzer printed = kt("-printcrl -file " + crlFile);
    final String verifiedBy = "Verified by " + alias + " in keystore";
    if (expectWeak) {
        printed.shouldContain("Warning:")
                .shouldMatch("The CRL.*" + bad + ".*risk")
                .shouldContain(verifiedBy)
                .shouldContain(bad + " (weak)");
    } else {
        printed.shouldNotContain("Warning")
                .shouldContain(verifiedBy)
                .shouldNotContain("(weak");
    }
}
|
/**
 * Creates a certificate request for {@code alias} through the
 * {@code certreq} helper, prints {@code <alias>.req} back with
 * {@code -printcertreq}, and checks the weak-algorithm warning on both
 * outputs.
 *
 * @param alias   keystore alias the request is made for
 * @param options extra options passed to the {@code certreq} helper
 * @param bad     text expected to be reported as weak, or {@code null} when
 *                no warning is expected. It is spliced unquoted into the
 *                patterns given to {@code shouldMatch}, so it is presumably
 *                expected to be free of regex metacharacters.
 */
static void checkCertReq(
        String alias, String options, String bad) {

    final boolean expectWeak = bad != null;

    // Step 1: generating the request.
    OutputAnalyzer generated = certreq(alias, options);
    if (expectWeak) {
        generated.shouldContain("Warning")
                .shouldMatch("The generated certificate request.*" + bad + ".*risk");
    } else {
        generated.shouldNotContain("Warning");
    }

    // Step 2: reading the request back; the printed details must also tag
    // the algorithm as "(weak)" only when one is expected.
    OutputAnalyzer printed = kt("-printcertreq -file " + alias + ".req");
    if (expectWeak) {
        printed.shouldContain("Warning")
                .shouldMatch("The certificate request.*" + bad + ".*risk")
                .shouldContain(bad + " (weak)");
    } else {
        printed.shouldNotContain("Warning")
                .shouldNotContain("(weak)");
    }
}
|
/**
 * Generates a key pair for {@code alias} through the {@code genkeypair}
 * helper, then runs a fixed sequence of keytool commands that export, print
 * or list the resulting certificate, checking the weak-algorithm warning on
 * the output of every command.
 *
 * @param alias   keystore alias to generate and inspect; exported
 *                certificates go to {@code <alias>.cert}
 * @param options extra options passed to the {@code genkeypair} helper
 * @param bad     text expected to be reported as weak, or {@code null} when
 *                no warning is expected. It is spliced unquoted into the
 *                patterns given to {@code shouldMatch}, so it is presumably
 *                expected to be free of regex metacharacters.
 */
static void checkGenKeyPair(
        String alias, String options, String bad) {

    final boolean expectWeak = bad != null;
    final String certFile = alias + ".cert";

    // Generation has its own warning wording ("The generated certificate").
    OutputAnalyzer generated = genkeypair(alias, options);
    if (expectWeak) {
        generated.shouldContain("Warning")
                .shouldMatch("The generated certificate.*" + bad + ".*risk");
    } else {
        generated.shouldNotContain("Warning");
    }

    // Commands that are only checked for the warning itself. They run in
    // this order; the second export overwrites the file with -rfc output.
    String[] warningOnly = {
        "-exportcert -alias " + alias + " -file " + certFile,
        "-exportcert -rfc -alias " + alias + " -file " + certFile,
        "-printcert -rfc -file " + certFile,
        "-list -alias " + alias,
    };
    for (String command : warningOnly) {
        OutputAnalyzer out = kt(command);
        if (expectWeak) {
            out.shouldContain("Warning")
                    .shouldMatch("The certificate.*" + bad + ".*risk");
        } else {
            out.shouldNotContain("Warning");
        }
    }

    // With cert content: these outputs must additionally tag the algorithm
    // as "(weak)".
    String[] withContent = {
        "-printcert -file " + certFile,
        "-list -v -alias " + alias,
    };
    for (String command : withContent) {
        OutputAnalyzer out = kt(command);
        if (expectWeak) {
            out.shouldContain("Warning")
                    .shouldContain(bad + " (weak)")
                    .shouldMatch("The certificate.*" + bad + ".*risk");
        } else {
            out.shouldNotContain("Warning");
        }
    }
}
|
// This is slow, but real keytool process is launched. |
/**
 * Runs keytool through {@code SecurityTools.keytool} with the shared test
 * keystore options placed in front of the caller's arguments.
 *
 * <p>The keystore name {@code ks} and the password {@code changeit} are fixed
 * fixture values that travel on the command line, so this helper is only
 * suitable for the throwaway keystore this test creates.
 *
 * @param cmd keytool arguments appended after the fixed keystore options
 * @param input values handed to {@code SecurityTools.setResponse} before the
 *        run (presumably answers to keytool prompts; confirm in SecurityTools)
 * @return whatever {@code SecurityTools.keytool} returns for the command
 * @throws RuntimeException wrapping any {@code Throwable} raised while
 *         setting the response or running keytool
 */
static OutputAnalyzer kt1(String cmd, String... input) {
    final String fixedOptions = "-keystore ks -storepass changeit "
            + "-keypass changeit ";
    cmd = fixedOptions + cmd;
    // Separator line so consecutive invocations are easy to tell apart in the log.
    System.out.println("---------------------------------------------");
    try {
        SecurityTools.setResponse(input);
        OutputAnalyzer result = SecurityTools.keytool(cmd);
        return result;
    } catch (Throwable failure) {
        // Everything, including Errors, is surfaced as an unchecked exception
        // with the original kept as the cause.
        throw new RuntimeException(failure);
    }
}
|
// Fast keytool execution by directly calling its main() method |
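/**
 * Runs keytool inside the current JVM by calling its {@code main()} method
 * while stdin, stdout and stderr are temporarily replaced, and returns the
 * captured output.
 *
 * <p>The fixed options {@code -keystore ks -storepass changeit -keypass changeit}
 * are prepended to {@code cmd}. The command line, including those fixture
 * passwords, is echoed to the test log. {@code System.setIn/setOut/setErr}
 * affect the whole JVM, so other code that prints while keytool runs ends up
 * in the captured buffers too.
 *
 * @param cmd keytool arguments; the final command is split on whitespace, so
 *        no single argument may contain spaces
 * @param input lines fed to keytool's standard input, each followed by a newline
 * @return an analyzer over the captured stdout and stderr
 * @throws RuntimeException if keytool's {@code main()} threw an
 *         {@code Exception}; the original exception is attached as the cause
 */
static OutputAnalyzer kt(String cmd, String... input) {
    // Remember the real streams so they can be restored in the finally block.
    PrintStream out = System.out;
    PrintStream err = System.err;
    InputStream ins = System.in;
    ByteArrayOutputStream bout = new ByteArrayOutputStream();
    ByteArrayOutputStream berr = new ByteArrayOutputStream();
    // Kept so the failure can be reported with its cause instead of a bare
    // RuntimeException that hides what went wrong.
    Exception failure = null;
    try {
        cmd = "-keystore ks -storepass changeit " +
                "-keypass changeit " + cmd;
        System.out.println("---------------------------------------------");
        System.out.println("$ keytool " + cmd);
        System.out.println();
        String feed = "";
        if (input.length > 0) {
            feed = String.join("\n", input) + "\n";
        }
        // Platform default charset on both the feed and the capture, as before.
        System.setIn(new ByteArrayInputStream(feed.getBytes()));
        System.setOut(new PrintStream(bout));
        System.setErr(new PrintStream(berr));
        sun.security.tools.keytool.Main.main(
                cmd.trim().split("\\s+"));
    } catch (Exception e) {
        // Might be a normal exception when -debug is on or
        // SecurityException (thrown by jtreg) when System.exit() is called
        if (!(e instanceof SecurityException)) {
            // System.err is still redirected here, so the trace lands in berr.
            e.printStackTrace();
        }
        failure = e;
    } finally {
        System.setOut(out);
        System.setErr(err);
        System.setIn(ins);
    }
    String sout = new String(bout.toByteArray());
    String serr = new String(berr.toByteArray());
    // Dump the captured output before failing so the log shows keytool's messages.
    System.out.println("STDOUT:\n" + sout + "\nSTDERR:\n" + serr);
    if (failure != null) {
        throw new RuntimeException("keytool command failed", failure);
    }
    return new OutputAnalyzer(sout, serr);
}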
|
/**
 * Generates a key pair in the JKS test keystore via {@link #kt}.
 *
 * <p>The alias is also used as the subject's common name
 * ({@code -dname CN=<alias>}).
 *
 * @param alias keystore alias and CN of the new entry
 * @param options extra keytool options appended to the command, such as the
 *        key or signature algorithm under test
 * @return the analyzer returned by {@code kt} for the command
 */
static OutputAnalyzer genkeypair(String alias, String options) {
    String command = "-genkeypair -alias " + alias
            + " -dname CN=" + alias
            + " -storetype JKS " + options;
    return kt(command);
}
|
/**
 * Creates a certificate request for {@code alias} via {@link #kt}, written to
 * the file {@code <alias>.req} in the working directory.
 *
 * @param alias keystore alias whose key signs the request
 * @param options extra keytool options appended to the command
 * @return the analyzer returned by {@code kt} for the command
 */
static OutputAnalyzer certreq(String alias, String options) {
    String requestFile = alias + ".req ";
    String command = "-certreq -alias " + alias + " -file " + requestFile + options;
    return kt(command);
}
|
/**
 * Exports the certificate stored under {@code alias} via {@link #kt} into the
 * file {@code <alias>.cert} in the working directory.
 *
 * @param alias keystore alias of the certificate to export
 * @return the analyzer returned by {@code kt} for the command
 */
static OutputAnalyzer exportcert(String alias) {
    String certFile = alias + ".cert";
    String command = "-exportcert -alias " + alias + " -file " + certFile;
    return kt(command);
}
|
/**
 * Issues a certificate via {@link #kt} from a request file.
 *
 * <p>{@code relation} has the form {@code issuer-subject}: the part before the
 * first {@code '-'} is the signing alias, the rest names the request file
 * {@code <subject>.req}. The result is written to {@code <relation>.cert}.
 * A relation without {@code '-'} makes {@code substring} throw.
 *
 * @param relation issuer and subject aliases joined by {@code '-'}
 * @param options extra keytool options appended to the command
 * @return the analyzer returned by {@code kt} for the command
 */
static OutputAnalyzer gencert(String relation, String options) {
    int dash = relation.indexOf('-');
    String signer = relation.substring(0, dash);
    String requester = relation.substring(dash + 1);
    String command = " -gencert -alias " + signer
            + " -infile " + requester + ".req"
            + " -outfile " + relation + ".cert " + options;
    return kt(command);
}
|
/**
 * Copies the keystore file {@code ks} to {@code ks2}, overwriting any existing
 * copy, and logs the equivalent shell command.
 *
 * @throws IOException if the copy fails
 */
static void saveStore() throws IOException {
    final String source = "ks";
    final String backup = "ks2";
    System.out.println("---------------------------------------------");
    System.out.println("$ cp " + source + " " + backup);
    Files.copy(
            Paths.get(source),
            Paths.get(backup),
            StandardCopyOption.REPLACE_EXISTING);
}
|
/**
 * Copies {@code ks2} back over the keystore file {@code ks}, replacing its
 * current contents, and logs the equivalent shell command.
 *
 * @throws IOException if the copy fails, for example when {@code ks2} is missing
 */
static void reStore() throws IOException {
    final String backup = "ks2";
    final String target = "ks";
    System.out.println("---------------------------------------------");
    System.out.println("$ cp " + backup + " " + target);
    Files.copy(
            Paths.get(backup),
            Paths.get(target),
            StandardCopyOption.REPLACE_EXISTING);
}
|
/**
 * Deletes the file at path {@code s} if it exists and logs the equivalent
 * shell command. A missing file is not an error.
 *
 * @param s path of the file to delete
 * @throws IOException if the file exists but cannot be deleted
 */
static void rm(String s) throws IOException {
    System.out.println("---------------------------------------------");
    String echoed = "$ rm " + s;
    System.out.println(echoed);
    // The boolean result (whether a file was actually removed) is not needed.
    Files.deleteIfExists(Paths.get(s));
}
} |