| author | weijun |
| Wed, 25 Feb 2015 18:30:29 +0800 | |
| changeset 29111 | e9103f166a4a |
| parent 29110 | ea89fdd8a5d5 |
| child 29120 | db85cf043b4f |
| permissions | -rw-r--r-- |
| 2 | 1 |
/* |
|
12871
b583b4c82a82
7174351: test/sun/security/tools/keytool/standard.sh failed after new Hashtable
weijun
parents:
10138
diff
changeset
|
2 |
* Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved. |
| 2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
7 |
* published by the Free Software Foundation. |
|
8 |
* |
|
9 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
10 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
11 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
12 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
13 |
* accompanied this code). |
|
14 |
* |
|
15 |
* You should have received a copy of the GNU General Public License version |
|
16 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
17 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
18 |
* |
|
| 5506 | 19 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
20 |
* or visit www.oracle.com if you need additional information or have any |
|
21 |
* questions. |
|
| 2 | 22 |
*/ |
23 |
||
24 |
/* |
|
25 |
* |
|
26 |
* |
|
27 |
* @summary Testing keytool |
|
28 |
* @author weijun.wang |
|
29 |
* |
|
30 |
* Run through autotest.sh and manualtest.sh |
|
31 |
* |
|
32 |
* Testing non-PKCS11 keystores: |
|
33 |
* echo | java -Dfile KeyToolTest |
|
34 |
* |
|
35 |
* Testing NSS PKCS11 keystores: |
|
36 |
* # testing NSS |
|
37 |
* # make sure the NSS db files are in current directory and writable |
|
38 |
* echo | java -Dnss -Dnss.lib=/path/to/libsoftokn3.so KeyToolTest |
|
39 |
* |
|
40 |
* Testing Solaris Cryptography Framework PKCS11 keystores: |
|
41 |
* # make sure you've already run pktool and set test12 as pin |
|
42 |
* echo | java -Dsolaris KeyToolTest |
|
43 |
* |
|
44 |
* ATTENTION: |
|
45 |
* Exception in thread "main" java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_KEY_SIZE_RANGE |
|
46 |
* at sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:420) |
|
47 |
* ... |
|
48 |
* Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_KEY_SIZE_RANGE |
|
49 |
* at sun.security.pkcs11.wrapper.PKCS11.C_SignFinal(Native Method) |
|
50 |
* at sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:391) |
|
51 |
* ... |
|
52 |
* been observed. Possibly a Solaris bug |
|
53 |
* |
|
54 |
* ATTENTION: |
|
55 |
* NSS PKCS11 config file are changed, DSA not supported now. |
|
56 |
*/ |
|
57 |
||
58 |
import java.security.KeyStore; |
|
59 |
import sun.security.x509.*; |
|
60 |
import java.io.*; |
|
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
61 |
import java.security.KeyPairGenerator; |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
62 |
import java.security.NoSuchAlgorithmException; |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
63 |
import java.util.*; |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
64 |
import java.security.cert.X509Certificate; |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
65 |
import sun.security.util.ObjectIdentifier; |
| 2 | 66 |
|
67 |
public class KeyToolTest {
|
|
68 |
||
69 |
// The stdout and stderr outputs after a keytool run |
|
70 |
String out; |
|
71 |
String err; |
|
72 |
||
73 |
// the output of println() in KeyTool.run |
|
74 |
String ex; |
|
75 |
||
76 |
String lastInput = "", lastCommand = ""; |
|
77 |
private static final boolean debug = |
|
78 |
System.getProperty("debug") != null;
|
|
79 |
||
80 |
static final String NSS_P11_ARG = |
|
81 |
"-keystore NONE -storetype PKCS11 -providerName SunPKCS11-nss -providerClass sun.security.pkcs11.SunPKCS11 -providerArg p11-nss.txt "; |
|
82 |
static final String NSS_SRC_P11_ARG = |
|
83 |
"-srckeystore NONE -srcstoretype PKCS11 -srcproviderName SunPKCS11-nss -providerClass sun.security.pkcs11.SunPKCS11 -providerArg p11-nss.txt "; |
|
84 |
static final String NZZ_P11_ARG = |
|
85 |
"-keystore NONE -storetype PKCS11 -providerName SunPKCS11-nzz -providerClass sun.security.pkcs11.SunPKCS11 -providerArg p11-nzz.txt "; |
|
86 |
static final String NZZ_SRC_P11_ARG = |
|
87 |
"-srckeystore NONE -srcstoretype PKCS11 -srcproviderName SunPKCS11-nzz -providerClass sun.security.pkcs11.SunPKCS11 -providerArg p11-nzz.txt "; |
|
88 |
static final String SUN_P11_ARG = "-keystore NONE -storetype PKCS11 "; |
|
89 |
static final String SUN_SRC_P11_ARG = "-srckeystore NONE -srcstoretype PKCS11 "; |
|
90 |
||
91 |
String p11Arg, srcP11Arg; |
|
92 |
||
93 |
/** Creates a new instance of KeyToolTest */ |
|
94 |
KeyToolTest() {
|
|
95 |
// so that there is "Warning" and not translated into other language |
|
96 |
Locale.setDefault(Locale.US); |
|
97 |
} |
|
98 |
||
99 |
/** |
|
100 |
* Helper, removes a file |
|
101 |
*/ |
|
102 |
void remove(String filename) {
|
|
103 |
if (debug) {
|
|
104 |
System.err.println("Removing " + filename);
|
|
105 |
} |
|
106 |
new File(filename).delete(); |
|
107 |
if (new File(filename).exists()) {
|
|
108 |
throw new RuntimeException("Error deleting " + filename);
|
|
109 |
} |
|
110 |
} |
|
111 |
||
112 |
/** |
|
113 |
* Run a set of keytool command with given terminal input. |
|
114 |
* @param input the terminal inputs, the characters typed by human |
|
115 |
* if <code>cmd</code> is running on a terminal |
|
116 |
* @param cmd the argument of a keytool command line |
|
117 |
* @throws if keytool goes wrong in some place |
|
118 |
*/ |
|
119 |
void test(String input, String cmd) throws Exception {
|
|
120 |
lastInput = input; |
|
121 |
lastCommand = cmd; |
|
122 |
||
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
123 |
// "X" is appended so that we can precisely test how input is consumed |
| 2 | 124 |
HumanInputStream in = new HumanInputStream(input+"X"); |
125 |
test(in, cmd); |
|
126 |
// make sure the input string is no more no less |
|
127 |
if(in.read() != 'X' || in.read() != -1) |
|
128 |
throw new Exception("Input not consumed exactly");
|
|
129 |
} |
|
130 |
||
131 |
void test(InputStream in, String cmd) throws Exception {
|
|
132 |
||
133 |
// save the original 3 streams |
|
134 |
if (debug) {
|
|
135 |
System.err.println(cmd); |
|
136 |
} else {
|
|
137 |
System.err.print(".");
|
|
138 |
} |
|
139 |
PrintStream p1 = System.out; |
|
140 |
PrintStream p2 = System.err; |
|
141 |
InputStream i1 = System.in; |
|
142 |
||
143 |
ByteArrayOutputStream b1 = new ByteArrayOutputStream(); |
|
144 |
ByteArrayOutputStream b2 = new ByteArrayOutputStream(); |
|
145 |
||
146 |
try {
|
|
147 |
System.setIn(in); |
|
148 |
System.setOut(new PrintStream(b1)); |
|
149 |
System.setErr(new PrintStream(b2)); |
|
150 |
||
|
14182
3041082abb40
7194449: String resources for Key Tool and Policy Tool should be in their respective packages
sflores
parents:
12871
diff
changeset
|
151 |
// since System.in is overrided, the |
|
3041082abb40
7194449: String resources for Key Tool and Policy Tool should be in their respective packages
sflores
parents:
12871
diff
changeset
|
152 |
// sun.security.tools.keytool.Main.main() method will |
| 2 | 153 |
// never block at user input |
154 |
||
|
14182
3041082abb40
7194449: String resources for Key Tool and Policy Tool should be in their respective packages
sflores
parents:
12871
diff
changeset
|
155 |
// use -debug so that main() will throw an Exception |
| 2 | 156 |
// instead of calling System.exit() |
|
14182
3041082abb40
7194449: String resources for Key Tool and Policy Tool should be in their respective packages
sflores
parents:
12871
diff
changeset
|
157 |
sun.security.tools.keytool.Main.main(("-debug "+cmd).split("\\s+"));
|
| 2 | 158 |
} finally {
|
159 |
out = b1.toString(); |
|
160 |
err = b2.toString(); |
|
161 |
ex = out; // now it goes to System.out |
|
162 |
System.setIn(i1); |
|
163 |
System.setOut(p1); |
|
164 |
System.setErr(p2); |
|
165 |
} |
|
166 |
} |
|
167 |
||
168 |
/** |
|
169 |
* Call this method if you expect test(input, cmd) should go OK |
|
170 |
*/ |
|
171 |
void testOK(String input, String cmd) throws Exception {
|
|
172 |
try {
|
|
|
27344
890be6336eab
8057810: New defaults for DSA keys in jarsigner and keytool
weijun
parents:
14182
diff
changeset
|
173 |
// Workaround for "8057810: Make SHA256withDSA the default |
|
890be6336eab
8057810: New defaults for DSA keys in jarsigner and keytool
weijun
parents:
14182
diff
changeset
|
174 |
// jarsigner and keytool algorithm for DSA keys". Unfortunately |
|
890be6336eab
8057810: New defaults for DSA keys in jarsigner and keytool
weijun
parents:
14182
diff
changeset
|
175 |
// SunPKCS11-NSS does not support SHA256withDSA yet. |
|
890be6336eab
8057810: New defaults for DSA keys in jarsigner and keytool
weijun
parents:
14182
diff
changeset
|
176 |
if (cmd.contains("p11-nss.txt") && cmd.contains("-genkey")
|
|
890be6336eab
8057810: New defaults for DSA keys in jarsigner and keytool
weijun
parents:
14182
diff
changeset
|
177 |
&& !cmd.contains("-keyalg")) {
|
|
890be6336eab
8057810: New defaults for DSA keys in jarsigner and keytool
weijun
parents:
14182
diff
changeset
|
178 |
cmd += " -sigalg SHA1withDSA -keysize 1024"; |
|
890be6336eab
8057810: New defaults for DSA keys in jarsigner and keytool
weijun
parents:
14182
diff
changeset
|
179 |
} |
| 2 | 180 |
test(input, cmd); |
181 |
} catch(Exception e) {
|
|
182 |
afterFail(input, cmd, "OK"); |
|
183 |
throw e; |
|
184 |
} |
|
185 |
} |
|
186 |
||
187 |
/** |
|
188 |
* Call this method if you expect test(input, cmd) should fail and throw |
|
189 |
* an exception |
|
190 |
*/ |
|
191 |
void testFail(String input, String cmd) throws Exception {
|
|
192 |
boolean ok; |
|
193 |
try {
|
|
194 |
test(input, cmd); |
|
195 |
ok = true; |
|
196 |
} catch(Exception e) {
|
|
197 |
if (e instanceof MissingResourceException) {
|
|
198 |
ok = true; |
|
199 |
} else {
|
|
200 |
ok = false; |
|
201 |
} |
|
202 |
} |
|
203 |
if(ok) {
|
|
204 |
afterFail(input, cmd, "FAIL"); |
|
205 |
throw new RuntimeException(); |
|
206 |
} |
|
207 |
} |
|
208 |
||
209 |
/** |
|
210 |
* Call this method if you expect test(input, cmd) should go OK |
|
211 |
*/ |
|
212 |
void testOK(InputStream is, String cmd) throws Exception {
|
|
213 |
try {
|
|
214 |
test(is, cmd); |
|
215 |
} catch(Exception e) {
|
|
216 |
afterFail("", cmd, "OK");
|
|
217 |
throw e; |
|
218 |
} |
|
219 |
} |
|
220 |
||
221 |
/** |
|
222 |
* Call this method if you expect test(input, cmd) should fail and throw |
|
223 |
* an exception |
|
224 |
*/ |
|
225 |
void testFail(InputStream is, String cmd) throws Exception {
|
|
226 |
boolean ok; |
|
227 |
try {
|
|
228 |
test(is, cmd); |
|
229 |
ok = true; |
|
230 |
} catch(Exception e) {
|
|
231 |
ok = false; |
|
232 |
} |
|
233 |
if(ok) {
|
|
234 |
afterFail("", cmd, "FAIL");
|
|
235 |
throw new RuntimeException(); |
|
236 |
} |
|
237 |
} |
|
238 |
||
239 |
/** |
|
240 |
* Call this method if you just want to run the command and does |
|
241 |
* not care if it succeeds or fails. |
|
242 |
*/ |
|
243 |
void testAnyway(String input, String cmd) {
|
|
244 |
try {
|
|
245 |
test(input, cmd); |
|
246 |
} catch(Exception e) {
|
|
247 |
; |
|
248 |
} |
|
249 |
} |
|
250 |
||
251 |
/** |
|
252 |
* Helper method, print some output after a test does not do as expected |
|
253 |
*/ |
|
254 |
void afterFail(String input, String cmd, String should) {
|
|
|
27344
890be6336eab
8057810: New defaults for DSA keys in jarsigner and keytool
weijun
parents:
14182
diff
changeset
|
255 |
if (cmd.contains("p11-nss.txt")) {
|
|
890be6336eab
8057810: New defaults for DSA keys in jarsigner and keytool
weijun
parents:
14182
diff
changeset
|
256 |
cmd = "-J-Dnss.lib=" + System.getProperty("nss.lib") + " " + cmd;
|
|
890be6336eab
8057810: New defaults for DSA keys in jarsigner and keytool
weijun
parents:
14182
diff
changeset
|
257 |
} |
| 2 | 258 |
System.err.println("\nTest fails for the command ---\n" +
|
259 |
"keytool " + cmd + "\nOr its debug version ---\n" + |
|
260 |
"keytool -debug " + cmd); |
|
261 |
||
262 |
System.err.println("The command result should be " + should +
|
|
263 |
", but it's not. Try run the command manually and type" + |
|
264 |
" these input into it: "); |
|
265 |
char[] inputChars = input.toCharArray(); |
|
266 |
||
267 |
for (int i=0; i<inputChars.length; i++) {
|
|
268 |
char ch = inputChars[i]; |
|
269 |
if (ch == '\n') System.err.print("ENTER ");
|
|
270 |
else if (ch == ' ') System.err.print("SPACE ");
|
|
271 |
else System.err.print(ch + " "); |
|
272 |
} |
|
273 |
System.err.println("");
|
|
274 |
||
275 |
System.err.println("ERR is:\n"+err);
|
|
276 |
System.err.println("OUT is:\n"+out);
|
|
277 |
} |
|
278 |
||
279 |
void assertTrue(boolean bool, String msg) {
|
|
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
280 |
if (debug) {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
281 |
System.err.println("If not " + bool + ", " + msg);
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
282 |
} else {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
283 |
System.err.print("v");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
284 |
} |
| 2 | 285 |
if(!bool) {
|
286 |
afterFail(lastInput, lastCommand, "TRUE"); |
|
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
287 |
System.err.println(msg); |
| 2 | 288 |
throw new RuntimeException(msg); |
289 |
} |
|
290 |
} |
|
291 |
||
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
292 |
void assertTrue(boolean bool) {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
293 |
assertTrue(bool, "well..."); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
294 |
} |
| 2 | 295 |
/** |
296 |
* Helper method, load a keystore |
|
297 |
* @param file file for keystore, null or "NONE" for PKCS11 |
|
298 |
* @pass password for the keystore |
|
299 |
* @type keystore type |
|
300 |
* @returns the KeyStore object |
|
301 |
* @exception Exception if anything goes wrong |
|
302 |
*/ |
|
303 |
KeyStore loadStore(String file, String pass, String type) throws Exception {
|
|
304 |
KeyStore ks = KeyStore.getInstance(type); |
|
305 |
FileInputStream is = null; |
|
306 |
if (file != null && !file.equals("NONE")) {
|
|
307 |
is = new FileInputStream(file); |
|
308 |
} |
|
309 |
ks.load(is, pass.toCharArray()); |
|
310 |
is.close(); |
|
311 |
return ks; |
|
312 |
} |
|
313 |
||
314 |
/** |
|
315 |
* The test suite. |
|
316 |
* Maybe it's better to put this outside the KeyToolTest class |
|
317 |
*/ |
|
318 |
void testAll() throws Exception {
|
|
319 |
KeyStore ks; |
|
320 |
||
321 |
remove("x.jks");
|
|
322 |
remove("x.jceks");
|
|
323 |
remove("x.p12");
|
|
324 |
remove("x2.jceks");
|
|
325 |
remove("x2.jks");
|
|
326 |
remove("x.jks.p1.cert");
|
|
327 |
||
328 |
// name changes: genkeypair, importcert, exportcert |
|
329 |
remove("x.jks");
|
|
330 |
remove("x.jks.p1.cert");
|
|
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
331 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -genkeypair -alias p1 -dname CN=olala");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
332 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -exportcert -alias p1 -file x.jks.p1.cert");
|
| 2 | 333 |
ks = loadStore("x.jks", "changeit", "JKS");
|
334 |
assertTrue(ks.getKey("p1", "changeit".toCharArray()) != null,
|
|
335 |
"key not DSA"); |
|
336 |
assertTrue(new File("x.jks.p1.cert").exists(), "p1 export err");
|
|
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
337 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -delete -alias p1");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
338 |
testOK("y\n", "-keystore x.jks -storetype JKS -storepass changeit -importcert -alias c1 -file x.jks.p1.cert"); // importcert, prompt for Yes/No
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
339 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -importcert -alias c2 -file x.jks.p1.cert -noprompt"); // importcert, -noprompt
|
| 2 | 340 |
ks = loadStore("x.jks", "changeit", "JKS");
|
341 |
assertTrue(ks.getCertificate("c1") != null, "import c1 err");
|
|
342 |
||
343 |
// v3 |
|
344 |
byte[] encoded = ks.getCertificate("c1").getEncoded();
|
|
345 |
X509CertImpl certImpl = new X509CertImpl(encoded); |
|
346 |
assertTrue(certImpl.getVersion() == 3, "Version is not 3"); |
|
347 |
||
348 |
// changealias and keyclone |
|
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
349 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -genkeypair -alias p1 -dname CN=olala");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
350 |
testOK("changeit\n", "-keystore x.jks -storetype JKS -changealias -alias p1 -destalias p11");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
351 |
testOK("changeit\n", "-keystore x.jks -storetype JKS -changealias -alias c1 -destalias c11");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
352 |
testOK("changeit\n\n", "-keystore x.jks -storetype JKS -keyclone -alias p11 -destalias p111"); // press ENTER when prompt for p111's keypass
|
| 2 | 353 |
ks = loadStore("x.jks", "changeit", "JKS");
|
354 |
assertTrue(!ks.containsAlias("p1"), "there is no p1");
|
|
355 |
assertTrue(!ks.containsAlias("c1"), "there is no c1");
|
|
356 |
assertTrue(ks.containsAlias("p11"), "there is p11");
|
|
357 |
assertTrue(ks.containsAlias("c11"), "there is c11");
|
|
358 |
assertTrue(ks.containsAlias("p111"), "there is p111");
|
|
359 |
||
360 |
// genSecKey |
|
361 |
remove("x.jceks");
|
|
362 |
testOK("changeit\nchangeit\n\n", "-keystore x.jceks -storetype JCEKS -genseckey -alias s1"); // DES, no need keysize
|
|
363 |
testFail("changeit\n\n", "-keystore x.jceks -storetype JCEKS -genseckey -alias s11 -keysize 128"); // DES, keysize cannot be 128
|
|
364 |
testOK("changeit\n\n", "-keystore x.jceks -storetype JCEKS -genseckey -keyalg DESede -alias s2"); // DESede. no need keysize
|
|
365 |
testFail("changeit\n\n", "-keystore x.jceks -storetype AES -genseckey -keyalg Rijndael -alias s3"); // AES, need keysize
|
|
366 |
testOK("changeit\n\n", "-keystore x.jceks -storetype JCEKS -genseckey -keyalg AES -alias s3 -keysize 128");
|
|
367 |
// about keypass |
|
368 |
testOK("\n", "-keystore x.jceks -storetype JCEKS -storepass changeit -genseckey -alias s4"); // can accept storepass
|
|
369 |
testOK("keypass\nkeypass\n", "-keystore x.jceks -storetype JCEKS -storepass changeit -genseckey -alias s5"); // or a new one
|
|
370 |
testOK("bad\n\bad\nkeypass\nkeypass\n", "-keystore x.jceks -storetype JCEKS -storepass changeit -genseckey -alias s6"); // keypass must be valid (prompt 3 times)
|
|
371 |
testFail("bad\n\bad\nbad\n", "-keystore x.jceks -storetype JCEKS -storepass changeit -genseckey -alias s7"); // keypass must be valid (prompt 3 times)
|
|
372 |
testFail("bad\n\bad\nbad\nkeypass\n", "-keystore x.jceks -storetype JCEKS -storepass changeit -genseckey -alias s7"); // keypass must be valid (prompt 3 times)
|
|
373 |
ks = loadStore("x.jceks", "changeit", "JCEKS");
|
|
374 |
assertTrue(ks.getKey("s1", "changeit".toCharArray()).getAlgorithm().equalsIgnoreCase("DES"), "s1 is DES");
|
|
375 |
assertTrue(ks.getKey("s1", "changeit".toCharArray()).getEncoded().length == 8, "DES is 56");
|
|
376 |
assertTrue(ks.getKey("s2", "changeit".toCharArray()).getEncoded().length == 24, "DESede is 168");
|
|
377 |
assertTrue(ks.getKey("s2", "changeit".toCharArray()).getAlgorithm().equalsIgnoreCase("DESede"), "s2 is DESede");
|
|
378 |
assertTrue(ks.getKey("s3", "changeit".toCharArray()).getAlgorithm().equalsIgnoreCase("AES"), "s3 is AES");
|
|
379 |
assertTrue(ks.getKey("s4", "changeit".toCharArray()).getAlgorithm().equalsIgnoreCase("DES"), "s4 is DES");
|
|
380 |
assertTrue(ks.getKey("s5", "keypass".toCharArray()).getAlgorithm().equalsIgnoreCase("DES"), "s5 is DES");
|
|
381 |
assertTrue(ks.getKey("s6", "keypass".toCharArray()).getAlgorithm().equalsIgnoreCase("DES"), "s6 is DES");
|
|
382 |
assertTrue(!ks.containsAlias("s7"), "s7 not created");
|
|
383 |
||
384 |
// maybe we needn't test this, one day JKS will support SecretKey |
|
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
385 |
//testFail("changeit\nchangeit\n", "-keystore x.jks -storetype JKS -genseckey -keyalg AES -alias s3 -keysize 128");
|
| 2 | 386 |
|
387 |
// importKeyStore |
|
388 |
remove("x.jks");
|
|
389 |
remove("x.jceks");
|
|
390 |
testOK("changeit\nchangeit\n\n", "-keystore x.jceks -storetype JCEKS -genkeypair -alias p1 -dname CN=Olala"); // create 2 entries...
|
|
391 |
testOK("", "-keystore x.jceks -storetype JCEKS -storepass changeit -importcert -alias c1 -file x.jks.p1.cert -noprompt"); // ...
|
|
392 |
ks = loadStore("x.jceks", "changeit", "JCEKS");
|
|
393 |
assertTrue(ks.size() == 2, "2 entries in JCEKS"); |
|
394 |
// import, shouldn't mention destalias/srckeypass/destkeypass if srcalias is no given |
|
395 |
testFail("changeit\nchangeit\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS -destalias pp");
|
|
396 |
testFail("changeit\nchangeit\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS -srckeypass changeit");
|
|
397 |
testFail("changeit\nchangeit\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS -destkeypass changeit");
|
|
398 |
// normal import |
|
399 |
testOK("changeit\nchangeit\nchangeit\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS");
|
|
400 |
ks = loadStore("x.jks", "changeit", "JKS");
|
|
401 |
assertTrue(ks.size() == 2, "2 entries in JKS"); |
|
402 |
// import again, type yes to overwrite old entries |
|
403 |
testOK("changeit\nchangeit\ny\ny\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS");
|
|
404 |
ks = loadStore("x.jks", "changeit", "JKS");
|
|
405 |
// import again, specify -nopromt |
|
406 |
testOK("changeit\nchangeit\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS -noprompt");
|
|
407 |
assertTrue(err.indexOf("Warning") != -1, "noprompt will warn");
|
|
408 |
ks = loadStore("x.jks", "changeit", "JKS");
|
|
409 |
assertTrue(ks.size() == 2, "2 entries in JKS"); |
|
410 |
// import again, type into new aliases when prompted |
|
411 |
testOK("changeit\nchangeit\n\ns1\n\ns2\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS");
|
|
412 |
ks = loadStore("x.jks", "changeit", "JKS");
|
|
413 |
assertTrue(ks.size() == 4, "4 entries in JKS"); |
|
414 |
||
415 |
// importkeystore single |
|
416 |
remove("x.jks");
|
|
417 |
testOK("changeit\nchangeit\nchangeit\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS -srcalias p1"); // normal
|
|
418 |
ks = loadStore("x.jks", "changeit", "JKS");
|
|
419 |
assertTrue(ks.size() == 1, "1 entries in JKS"); |
|
420 |
testOK("changeit\nchangeit\ny\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS -srcalias p1"); // overwrite
|
|
421 |
ks = loadStore("x.jks", "changeit", "JKS");
|
|
422 |
assertTrue(ks.size() == 1, "1 entries in JKS"); |
|
423 |
testOK("changeit\nchangeit\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS -srcalias p1 -noprompt"); // noprompt
|
|
424 |
ks = loadStore("x.jks", "changeit", "JKS");
|
|
425 |
assertTrue(ks.size() == 1, "1 entries in JKS"); |
|
426 |
testOK("changeit\nchangeit\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS -srcalias p1 -destalias p2"); // rename
|
|
427 |
ks = loadStore("x.jks", "changeit", "JKS");
|
|
428 |
assertTrue(ks.size() == 2, "2 entries in JKS"); |
|
429 |
testOK("changeit\nchangeit\n\nnewalias\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS -srcalias p1"); // another rename
|
|
430 |
ks = loadStore("x.jks", "changeit", "JKS");
|
|
431 |
assertTrue(ks.size() == 3, "3 entries in JKS"); |
|
432 |
||
433 |
// importkeystore single, different keypass |
|
434 |
remove("x.jks");
|
|
435 |
testOK("changeit\nkeypass\nkeypass\n", "-keystore x.jceks -storetype JCEKS -genkeypair -alias p2 -dname CN=Olala"); // generate entry with different keypass
|
|
436 |
testOK("changeit\nchangeit\nchangeit\nkeypass\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS -srcalias p2"); // prompt
|
|
437 |
ks = loadStore("x.jks", "changeit", "JKS");
|
|
438 |
assertTrue(ks.size() == 1, "1 entries in JKS"); |
|
439 |
testOK("changeit\nchangeit\nkeypass\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS -srcalias p2 -destalias p3 -destkeypass keypass2"); // diff destkeypass
|
|
440 |
ks = loadStore("x.jks", "changeit", "JKS");
|
|
441 |
assertTrue(ks.size() == 2, "2 entries in JKS"); |
|
442 |
assertTrue(ks.getKey("p2", "keypass".toCharArray()) != null, "p2 has old password");
|
|
443 |
assertTrue(ks.getKey("p3", "keypass2".toCharArray()) != null, "p3 has new password");
|
|
444 |
||
445 |
// importkeystore single, cert |
|
446 |
remove("x.jks");
|
|
447 |
testOK("changeit\nchangeit\nchangeit\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS -srcalias c1"); // normal
|
|
448 |
testOK("changeit\n\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS -srcalias c1 -destalias c2"); // in fact srcstorepass can be ignored
|
|
449 |
assertTrue(err.indexOf("WARNING") != -1, "But will warn");
|
|
450 |
testOK("changeit\n\ny\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS -srcalias c1 -destalias c2"); // 2nd import, press y to overwrite ...
|
|
451 |
testOK("changeit\n\n\nc3\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS -srcalias c1 -destalias c2"); // ... or rename
|
|
452 |
ks = loadStore("x.jks", "changeit", "JKS");
|
|
453 |
assertTrue(ks.size() == 3, "3 entries in JKS"); // c1, c2, c3 |
|
454 |
||
455 |
// importkeystore, secretkey |
|
456 |
remove("x.jks");
|
|
457 |
testOK("changeit\n\n", "-keystore x.jceks -storetype JCEKS -genseckey -alias s1"); // create SecretKeyEntry
|
|
458 |
testOK("changeit\n\n", "-keystore x.jceks -storetype JCEKS -genseckey -alias s2"); // create SecretKeyEntry
|
|
459 |
testOK("changeit\n", "-keystore x.jceks -storetype JCEKS -delete -alias p2"); // remove the keypass!=storepass one
|
|
460 |
ks = loadStore("x.jceks", "changeit", "JCEKS");
|
|
461 |
assertTrue(ks.size() == 4, "4 entries in JCEKS"); // p1, c1, s1, s2 |
|
462 |
testOK("changeit\nchangeit\nchangeit\n", "-importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS -srcalias s1"); // normal
|
|
463 |
assertTrue(err.indexOf("not imported") != -1, "Not imported");
|
|
464 |
assertTrue(err.indexOf("Cannot store non-PrivateKeys") != -1, "Not imported");
|
|
465 |
||
|
12871
b583b4c82a82
7174351: test/sun/security/tools/keytool/standard.sh failed after new Hashtable
weijun
parents:
10138
diff
changeset
|
466 |
// Importing a JCEKS keystore to a JKS one. Will warn for the 2 SecretKey entries |
|
b583b4c82a82
7174351: test/sun/security/tools/keytool/standard.sh failed after new Hashtable
weijun
parents:
10138
diff
changeset
|
467 |
|
| 2 | 468 |
remove("x.jks");
|
|
12871
b583b4c82a82
7174351: test/sun/security/tools/keytool/standard.sh failed after new Hashtable
weijun
parents:
10138
diff
changeset
|
469 |
// Two "no" answers to bypass warnings |
| 2 | 470 |
testOK("\n\n", "-srcstorepass changeit -deststorepass changeit -importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS"); // normal
|
471 |
assertTrue(err.indexOf("s1 not") != -1, "s1 not");
|
|
472 |
assertTrue(err.indexOf("s2 not") != -1, "s2 not");
|
|
473 |
assertTrue(err.indexOf("c1 success") != -1, "c1 success");
|
|
474 |
assertTrue(err.indexOf("p1 success") != -1, "p1 success");
|
|
|
12871
b583b4c82a82
7174351: test/sun/security/tools/keytool/standard.sh failed after new Hashtable
weijun
parents:
10138
diff
changeset
|
475 |
remove("x.jks");
|
|
b583b4c82a82
7174351: test/sun/security/tools/keytool/standard.sh failed after new Hashtable
weijun
parents:
10138
diff
changeset
|
476 |
// One "yes" to stop |
| 2 | 477 |
testOK("yes\n", "-srcstorepass changeit -deststorepass changeit -importkeystore -srckeystore x.jceks -srcstoretype JCEKS -destkeystore x.jks -deststoretype JKS"); // normal
|
478 |
// maybe c1 or p1 has been imported before s1 or s2 is touched, anyway we know yesNo is only asked once. |
|
479 |
||
480 |
// pkcs12 |
|
481 |
remove("x.jks");
|
|
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
482 |
testFail("changeit\nchangeit\n", "-keystore x.jks -storetype JKS -genkeypair -alias p1 -dname CN=olala"); // JKS prompt for keypass
|
| 2 | 483 |
remove("x.jks");
|
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
484 |
testOK("changeit\nchangeit\n\n", "-keystore x.jks -storetype JKS -genkeypair -alias p1 -dname CN=olala"); // just type ENTER means keypass=storepass
|
| 2 | 485 |
remove("x.p12");
|
486 |
testOK("", "-keystore x.p12 -storetype PKCS12 -storepass changeit -genkeypair -alias p0 -dname CN=olala"); // PKCS12 only need storepass
|
|
487 |
testOK("changeit\n", "-keystore x.p12 -storetype PKCS12 -genkeypair -alias p1 -dname CN=olala");
|
|
488 |
testOK("changeit\n", "-keystore x.p12 -keypass changeit -storetype PKCS12 -genkeypair -alias p3 -dname CN=olala"); // when specify keypass, make sure keypass==storepass...
|
|
489 |
assertTrue(err.indexOf("Warning") == -1, "PKCS12 silent when keypass == storepass");
|
|
490 |
testOK("changeit\n", "-keystore x.p12 -keypass another -storetype PKCS12 -genkeypair -alias p2 -dname CN=olala"); // otherwise, print a warning
|
|
491 |
assertTrue(err.indexOf("Warning") != -1, "PKCS12 warning when keypass != storepass");
|
|
492 |
testFail("", "-keystore x.p12 -storepass changeit -storetype PKCS12 -keypasswd -new changeit -alias p3"); // no -keypasswd for PKCS12
|
|
493 |
testOK("", "-keystore x.p12 -storepass changeit -storetype PKCS12 -changealias -alias p3 -destalias p33");
|
|
494 |
testOK("", "-keystore x.p12 -storepass changeit -storetype PKCS12 -keyclone -alias p33 -destalias p3");
|
|
495 |
||
496 |
// pkcs12 |
|
497 |
remove("x.p12");
|
|
498 |
testOK("", "-keystore x.p12 -storetype PKCS12 -storepass changeit -genkeypair -alias p0 -dname CN=olala"); // PKCS12 only need storepass
|
|
499 |
testOK("", "-storepass changeit -keystore x.p12 -storetype PKCS12 -genkeypair -alias p1 -dname CN=olala");
|
|
500 |
testOK("", "-storepass changeit -keystore x.p12 -keypass changeit -storetype PKCS12 -genkeypair -alias p3 -dname CN=olala"); // when specify keypass, make sure keypass==storepass...
|
|
501 |
assertTrue(err.indexOf("Warning") == -1, "PKCS12 silent when keypass == storepass");
|
|
502 |
testOK("", "-storepass changeit -keystore x.p12 -keypass another -storetype PKCS12 -genkeypair -alias p2 -dname CN=olala"); // otherwise, print a warning
|
|
503 |
assertTrue(err.indexOf("Warning") != -1, "PKCS12 warning when keypass != storepass");
|
|
504 |
||
505 |
remove("x.jks");
|
|
506 |
remove("x.jceks");
|
|
507 |
remove("x.p12");
|
|
508 |
remove("x2.jceks");
|
|
509 |
remove("x2.jks");
|
|
510 |
remove("x.jks.p1.cert");
|
|
511 |
} |
|
512 |
||
513 |
void testPKCS11() throws Exception {
|
|
514 |
KeyStore ks; |
|
515 |
// pkcs11, the password maybe different and maybe PKCS11 is not supported |
|
516 |
||
517 |
// in case last test is not executed successfully |
|
518 |
testAnyway("", p11Arg + "-storepass test12 -delete -alias p1");
|
|
519 |
testAnyway("", p11Arg + "-storepass test12 -delete -alias p2");
|
|
520 |
testAnyway("", p11Arg + "-storepass test12 -delete -alias p3");
|
|
521 |
testAnyway("", p11Arg + "-storepass test12 -delete -alias nss");
|
|
522 |
||
523 |
testOK("", p11Arg + "-storepass test12 -list");
|
|
524 |
assertTrue(out.indexOf("Your keystore contains 0 entries") != -1, "*** MAKE SURE YOU HAVE NO ENTRIES IN YOUR PKCS11 KEYSTORE BEFORE THIS TEST ***");
|
|
525 |
||
526 |
testOK("", p11Arg + "-storepass test12 -genkeypair -alias p1 -dname CN=olala");
|
|
527 |
testOK("test12\n", p11Arg + "-genkeypair -alias p2 -dname CN=olala2");
|
|
528 |
testFail("test12\n", p11Arg + "-keypass test12 -genkeypair -alias p3 -dname CN=olala3"); // cannot provide keypass for PKCS11
|
|
529 |
testFail("test12\n", p11Arg + "-keypass nonsense -genkeypair -alias p3 -dname CN=olala3"); // cannot provide keypass for PKCS11
|
|
530 |
||
531 |
testOK("", p11Arg + "-storepass test12 -list");
|
|
532 |
assertTrue(out.indexOf("Your keystore contains 2 entries") != -1, "2 entries in p11");
|
|
533 |
||
534 |
testOK("test12\n", p11Arg + "-alias p1 -changealias -destalias p3");
|
|
535 |
testOK("", p11Arg + "-storepass test12 -list -alias p3");
|
|
536 |
testFail("", p11Arg + "-storepass test12 -list -alias p1");
|
|
537 |
||
538 |
testOK("test12\n", p11Arg + "-alias p3 -keyclone -destalias p1");
|
|
539 |
testFail("", p11Arg + "-storepass test12 -list -alias p3"); // in PKCS11, keyclone will delete old
|
|
540 |
testOK("", p11Arg + "-storepass test12 -list -alias p1");
|
|
541 |
||
542 |
testFail("test12\n", p11Arg + "-alias p1 -keypasswd -new another"); // cannot change password for PKCS11
|
|
543 |
||
544 |
testOK("", p11Arg + "-storepass test12 -list");
|
|
545 |
assertTrue(out.indexOf("Your keystore contains 2 entries") != -1, "2 entries in p11");
|
|
546 |
||
547 |
testOK("", p11Arg + "-storepass test12 -delete -alias p1");
|
|
548 |
testOK("", p11Arg + "-storepass test12 -delete -alias p2");
|
|
549 |
||
550 |
testOK("", p11Arg + "-storepass test12 -list");
|
|
551 |
assertTrue(out.indexOf("Your keystore contains 0 entries") != -1, "*** MAKE SURE YOU HAVE NO ENTRIES IN YOUR PKCS11 KEYSTORE BEFORE THIS TEST ***");
|
|
552 |
} |
|
553 |
||
554 |
void testPKCS11ImportKeyStore() throws Exception {
|
|
555 |
||
556 |
KeyStore ks; |
|
557 |
testOK("", p11Arg + "-storepass test12 -genkeypair -alias p1 -dname CN=olala");
|
|
558 |
testOK("test12\n", p11Arg + "-genkeypair -alias p2 -dname CN=olala2");
|
|
559 |
// test importkeystore for pkcs11 |
|
560 |
||
561 |
remove("x.jks");
|
|
562 |
// pkcs11 -> jks |
|
563 |
testOK("changeit\nchangeit\ntest12\n", srcP11Arg + "-importkeystore -destkeystore x.jks -deststoretype JKS -srcalias p1");
|
|
564 |
assertTrue(err.indexOf("not imported") != -1, "cannot import key without destkeypass");
|
|
565 |
ks = loadStore("x.jks", "changeit", "JKS");
|
|
566 |
assertTrue(!ks.containsAlias("p1"), "p1 is not imported");
|
|
567 |
||
568 |
testOK("changeit\ntest12\n", srcP11Arg + "-importkeystore -destkeystore x.jks -deststoretype JKS -srcalias p1 -destkeypass changeit");
|
|
569 |
testOK("changeit\ntest12\n", srcP11Arg + "-importkeystore -destkeystore x.jks -deststoretype JKS -srcalias p2 -destkeypass changeit");
|
|
570 |
ks = loadStore("x.jks", "changeit", "JKS");
|
|
571 |
assertTrue(ks.containsAlias("p1"), "p1 is imported");
|
|
572 |
assertTrue(ks.containsAlias("p2"), "p2 is imported");
|
|
573 |
// jks -> pkcs11 |
|
574 |
testOK("", p11Arg + "-storepass test12 -delete -alias p1");
|
|
575 |
testOK("", p11Arg + "-storepass test12 -delete -alias p2");
|
|
576 |
testOK("test12\nchangeit\n", p11Arg + "-importkeystore -srckeystore x.jks -srcstoretype JKS");
|
|
577 |
testOK("", p11Arg + "-storepass test12 -list -alias p1");
|
|
578 |
testOK("", p11Arg + "-storepass test12 -list -alias p2");
|
|
579 |
testOK("", p11Arg + "-storepass test12 -list");
|
|
580 |
assertTrue(out.indexOf("Your keystore contains 2 entries") != -1, "2 entries in p11");
|
|
581 |
// clean up |
|
582 |
testOK("", p11Arg + "-storepass test12 -delete -alias p1");
|
|
583 |
testOK("", p11Arg + "-storepass test12 -delete -alias p2");
|
|
584 |
testOK("", p11Arg + "-storepass test12 -list");
|
|
585 |
assertTrue(out.indexOf("Your keystore contains 0 entries") != -1, "empty p11");
|
|
586 |
||
587 |
remove("x.jks");
|
|
588 |
} |
|
589 |
||
590 |
// The sqeTest reflects the test suggested by judy.gao and bill.situ at |
|
591 |
// /net/sqesvr-nfs/global/nfs/sec/ws_6.0_int/security/src/SecurityTools/Keytool |
|
592 |
// |
|
593 |
void sqeTest() throws Exception {
|
|
594 |
FileOutputStream fos = new FileOutputStream("badkeystore");
|
|
595 |
for (int i=0; i<100; i++) {
|
|
596 |
fos.write(i); |
|
597 |
} |
|
598 |
fos.close(); |
|
599 |
||
600 |
sqeCsrTest(); |
|
601 |
sqePrintcertTest(); |
|
602 |
sqeDeleteTest(); |
|
603 |
sqeExportTest(); |
|
604 |
sqeGenkeyTest(); |
|
605 |
sqeImportTest(); |
|
606 |
sqeKeyclonetest(); |
|
607 |
sqeKeypasswdTest(); |
|
608 |
sqeListTest(); |
|
609 |
sqeSelfCertTest(); |
|
610 |
sqeStorepassTest(); |
|
611 |
||
612 |
remove("badkeystore");
|
|
613 |
} |
|
614 |
||
615 |
// Import: cacert, prompt, trusted, non-trusted, bad chain, not match |
|
616 |
void sqeImportTest() throws Exception {
|
|
617 |
KeyStore ks; |
|
618 |
remove("x.jks");
|
|
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
619 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -genkeypair -dname CN=olala");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
620 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -exportcert -file x.jks.p1.cert");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
621 |
/* deleted */ testOK("", "-keystore x.jks -storetype JKS -storepass changeit -delete -alias mykey");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
622 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -importcert -file x.jks.p1.cert -noprompt");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
623 |
/* deleted */ testOK("", "-keystore x.jks -storetype JKS -storepass changeit -delete -alias mykey");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
624 |
testOK("yes\n", "-keystore x.jks -storetype JKS -storepass changeit -importcert -file x.jks.p1.cert");
|
| 2 | 625 |
ks = loadStore("x.jks", "changeit", "JKS");
|
626 |
assertTrue(ks.containsAlias("mykey"), "imported");
|
|
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
627 |
/* deleted */ testOK("", "-keystore x.jks -storetype JKS -storepass changeit -delete -alias mykey");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
628 |
testOK("\n", "-keystore x.jks -storetype JKS -storepass changeit -importcert -file x.jks.p1.cert");
|
| 2 | 629 |
ks = loadStore("x.jks", "changeit", "JKS");
|
630 |
assertTrue(!ks.containsAlias("mykey"), "imported");
|
|
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
631 |
testOK("no\n", "-keystore x.jks -storetype JKS -storepass changeit -importcert -file x.jks.p1.cert");
|
| 2 | 632 |
ks = loadStore("x.jks", "changeit", "JKS");
|
633 |
assertTrue(!ks.containsAlias("mykey"), "imported");
|
|
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
634 |
testFail("no\n", "-keystore x.jks -storetype JKS -storepass changeit -importcert -file nonexist");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
635 |
testFail("no\n", "-keystore x.jks -storetype JKS -storepass changeit -importcert -file x.jks");
|
| 2 | 636 |
remove("x.jks");
|
637 |
} |
|
638 |
// keyclone: exist. nonexist err, cert err, dest exist, misc |
|
639 |
void sqeKeyclonetest() throws Exception {
|
|
640 |
remove("x.jks");
|
|
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
641 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -genkeypair -dname CN=olala");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
642 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -new newpass -keyclone -dest p0"); // new pass
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
643 |
testOK("\n", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -keyclone -dest p1"); // new pass
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
644 |
testOK("\n", "-keystore x.jks -storetype JKS -storepass changeit -keyclone -dest p2");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
645 |
testFail("\n", "-keystore x.jks -storetype JKS -storepass changeit -keyclone -dest p2");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
646 |
testFail("\n", "-keystore x.jks -storetype JKS -storepass changeit -keyclone -dest p3 -alias noexist");
|
| 2 | 647 |
// no cert |
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
648 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -exportcert -file x.jks.p1.cert");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
649 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -delete -alias mykey");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
650 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -importcert -file x.jks.p1.cert -noprompt");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
651 |
testFail("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -new newpass -keyclone -dest p0"); // new pass
|
| 2 | 652 |
remove("x.jks");
|
653 |
} |
|
654 |
// keypasswd: exist, short, nonexist err, cert err, misc |
|
655 |
void sqeKeypasswdTest() throws Exception {
|
|
656 |
remove("x.jks");
|
|
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
657 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -genkeypair -dname CN=olala");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
658 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -keypasswd -new newpass");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
659 |
/*change back*/ testOK("", "-keystore x.jks -storetype JKS -storepass changeit -keypass newpass -keypasswd -new changeit");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
660 |
testOK("newpass\nnewpass\n", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -keypasswd");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
661 |
/*change back*/ testOK("", "-keystore x.jks -storetype JKS -storepass changeit -keypass newpass -keypasswd -new changeit");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
662 |
testOK("new\nnew\nnewpass\nnewpass\n", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -keypasswd");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
663 |
/*change back*/ testOK("", "-keystore x.jks -storetype JKS -storepass changeit -keypass newpass -keypasswd -new changeit");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
664 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -keypasswd -new newpass");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
665 |
/*change back*/ testOK("", "-keystore x.jks -storetype JKS -storepass changeit -keypass newpass -keypasswd -new changeit");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
666 |
testOK("changeit\n", "-keystore x.jks -storetype JKS -keypasswd -new newpass");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
667 |
/*change back*/ testOK("", "-keystore x.jks -storetype JKS -storepass changeit -keypass newpass -keypasswd -new changeit");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
668 |
testFail("", "-keystore x.jks -storetype JKS -storepass badpass -keypass changeit -keypasswd -new newpass");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
669 |
testFail("", "-keystore x.jks -storetype JKS -storepass changeit -keypass bad -keypasswd -new newpass");
|
| 2 | 670 |
// no cert |
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
671 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -exportcert -file x.jks.p1.cert");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
672 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -delete -alias mykey");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
673 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -importcert -file x.jks.p1.cert -noprompt");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
674 |
testFail("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -keypasswd -new newpass");
|
| 2 | 675 |
// diff pass |
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
676 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -delete -alias mykey");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
677 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -keypass keypass -genkeypair -dname CN=olala");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
678 |
testFail("", "-keystore x.jks -storetype JKS -storepass changeit -keypasswd -new newpass");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
679 |
testOK("keypass\n", "-keystore x.jks -storetype JKS -storepass changeit -keypasswd -new newpass");
|
| 2 | 680 |
// i hate those misc test |
681 |
remove("x.jks");
|
|
682 |
} |
|
683 |
// list: -f -alias, exist, nonexist err; otherwise, check all shows, -rfc shows more, and misc |
|
684 |
void sqeListTest() throws Exception {
|
|
685 |
remove("x.jks");
|
|
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
686 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -genkeypair -dname CN=olala");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
687 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -list");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
688 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -list -alias mykey");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
689 |
testFail("", "-keystore x.jks -storetype JKS -storepass changeit -list -alias notexist");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
690 |
testFail("", "-keystore x.jks -storetype JKS -storepass badpass -list -alias mykey");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
691 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -keypass badpass -list -alias mykey"); // keypass ignore
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
692 |
testOK("\n", "-keystore x.jks -storetype JKS -list");
|
| 2 | 693 |
assertTrue(err.indexOf("WARNING") != -1, "no storepass");
|
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
694 |
testOK("changeit\n", "-keystore x.jks -storetype JKS -list");
|
| 2 | 695 |
assertTrue(err.indexOf("WARNING") == -1, "has storepass");
|
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
696 |
testFail("badpass\n", "-keystore x.jks -storetype JKS -list");
|
| 2 | 697 |
// misc |
698 |
testFail("", "-keystore aa\\bb//cc -storepass changeit -list");
|
|
699 |
testFail("", "-keystore nonexisting -storepass changeit -list");
|
|
700 |
testFail("", "-keystore badkeystore -storepass changeit -list");
|
|
701 |
remove("x.jks");
|
|
702 |
} |
|
703 |
// selfcert: exist, non-exist err, cert err, sig..., dname, wrong keypass, misc |
|
704 |
void sqeSelfCertTest() throws Exception {
|
|
705 |
remove("x.jks");
|
|
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
706 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -genkeypair -dname CN=olala");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
707 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -selfcert");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
708 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -selfcert");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
709 |
testFail("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -selfcert -alias nonexisting"); // not exist
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
710 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -selfcert -dname CN=NewName");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
711 |
testFail("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -selfcert -sigalg MD5withRSA"); // sig not compatible
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
712 |
testFail("", "-keystore x.jks -storetype JKS -storepass wrong -keypass changeit -selfcert"); // bad pass
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
713 |
testFail("", "-keystore x.jks -storetype JKS -storepass changeit -keypass wrong -selfcert"); // bad pass
|
| 2 | 714 |
//misc |
715 |
testFail("", "-keystore nonexist -storepass changeit -keypass changeit -selfcert");
|
|
716 |
testFail("", "-keystore aa//dd\\gg -storepass changeit -keypass changeit -selfcert");
|
|
717 |
// diff pass |
|
718 |
remove("x.jks");
|
|
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
719 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -keypass keypass -genkeypair -dname CN=olala");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
720 |
testFail("", "-keystore x.jks -storetype JKS -storepass changeit -selfcert");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
721 |
testOK("keypass\n", "-keystore x.jks -storetype JKS -storepass changeit -selfcert");
|
| 2 | 722 |
|
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
723 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -exportcert -file x.jks.p1.cert");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
724 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -delete -alias mykey");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
725 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -importcert -file x.jks.p1.cert -noprompt");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
726 |
testFail("", "-keystore x.jks -storetype JKS -storepass changeit -selfcert"); // certentry cannot do selfcert
|
| 2 | 727 |
remove("x.jks");
|
728 |
} |
|
729 |
// storepass: bad old, short new, misc |
|
730 |
void sqeStorepassTest() throws Exception {
|
|
731 |
remove("x.jks");
|
|
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
732 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -genkeypair -dname CN=olala");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
733 |
testOK("", "-storepasswd -keystore x.jks -storetype JKS -storepass changeit -new newstore"); // all in arg
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
734 |
/* Change back */ testOK("", "-storepasswd -keystore x.jks -storetype JKS -storepass newstore -new changeit");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
735 |
testOK("changeit\nnewstore\nnewstore\n", "-storepasswd -keystore x.jks -storetype JKS"); // all not in arg, new twice
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
736 |
/* Change back */ testOK("", "-storepasswd -keystore x.jks -storetype JKS -storepass newstore -new changeit");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
737 |
testOK("changeit\n", "-storepasswd -keystore x.jks -storetype JKS -new newstore"); // new in arg
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
738 |
/* Change back */ testOK("", "-storepasswd -keystore x.jks -storetype JKS -storepass newstore -new changeit");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
739 |
testOK("newstore\nnewstore\n", "-storepasswd -keystore x.jks -storetype JKS -storepass changeit"); // old in arg
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
740 |
/* Change back */ testOK("", "-storepasswd -keystore x.jks -storetype JKS -storepass newstore -new changeit");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
741 |
testOK("new\nnew\nnewstore\nnewstore\n", "-storepasswd -keystore x.jks -storetype JKS -storepass changeit"); // old in arg
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
742 |
/* Change back */ testOK("", "-storepasswd -keystore x.jks -storetype JKS -storepass newstore -new changeit");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
743 |
testFail("", "-storepasswd -keystore x.jks -storetype JKS -storepass badold -new newstore"); // bad old
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
744 |
testFail("", "-storepasswd -keystore x.jks -storetype JKS -storepass changeit -new new"); // short new
|
| 2 | 745 |
// misc |
746 |
testFail("", "-storepasswd -keystore nonexist -storepass changeit -new newstore"); // non exist
|
|
747 |
testFail("", "-storepasswd -keystore badkeystore -storepass changeit -new newstore"); // bad file
|
|
748 |
testFail("", "-storepasswd -keystore aa\\bb//cc//dd -storepass changeit -new newstore"); // bad file
|
|
749 |
remove("x.jks");
|
|
750 |
} |
|
751 |
||
752 |
void sqeGenkeyTest() throws Exception {
|
|
753 |
||
754 |
remove("x.jks");
|
|
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
755 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -genkeypair -dname CN=olala");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
756 |
testFail("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -genkeypair -dname CN=olala");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
757 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -genkeypair -dname CN=olala -alias newentry");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
758 |
testFail("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -genkeypair -dname CN=olala -alias newentry");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
759 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -genkeypair -dname CN=olala -keyalg DSA -alias n1");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
760 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -genkeypair -dname CN=olala -keyalg RSA -alias n2");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
761 |
testFail("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -genkeypair -dname CN=olala -keyalg NoSuchAlg -alias n3");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
762 |
testFail("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -genkeypair -dname CN=olala -keysize 56 -alias n4");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
763 |
testFail("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -genkeypair -dname CN=olala -keysize 999 -alias n5");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
764 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -genkeypair -dname CN=olala -keysize 512 -alias n6");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
765 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -genkeypair -dname CN=olala -keysize 1024 -alias n7");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
766 |
testFail("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -genkeypair -dname CN=olala -sigalg NoSuchAlg -alias n8");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
767 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -genkeypair -dname CN=olala -keyalg RSA -sigalg MD2withRSA -alias n9");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
768 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -genkeypair -dname CN=olala -keyalg RSA -sigalg MD5withRSA -alias n10");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
769 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -genkeypair -dname CN=olala -keyalg RSA -sigalg SHA1withRSA -alias n11");
|
| 2 | 770 |
testFail("", "-keystore aa\\bb//cc\\dd -storepass changeit -keypass changeit -genkeypair -dname CN=olala -keyalg RSA -sigalg NoSuchAlg -alias n12");
|
771 |
testFail("", "-keystore badkeystore -storepass changeit -keypass changeit -genkeypair -dname CN=olala -alias n14");
|
|
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
772 |
testFail("", "-keystore x.jks -storetype JKS -storepass badpass -keypass changeit -genkeypair -dname CN=olala -alias n16");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
773 |
testFail("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -genkeypair -dname CNN=olala -alias n17");
|
| 2 | 774 |
remove("x.jks");
|
775 |
} |
|
776 |
||
777 |
void sqeExportTest() throws Exception {
|
|
778 |
remove("x.jks");
|
|
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
779 |
testFail("", "-keystore x.jks -storetype JKS -storepass changeit -export -file mykey.cert -alias mykey"); // nonexist
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
780 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -genkeypair -dname CN=olala");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
781 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -export -file mykey.cert -alias mykey");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
782 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -delete -alias mykey");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
783 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -import -file mykey.cert -noprompt -alias c1");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
784 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -export -file mykey.cert2 -alias c1");
|
| 2 | 785 |
testFail("", "-keystore aa\\bb//cc\\dd -storepass changeit -export -file mykey.cert2 -alias c1");
|
786 |
testFail("", "-keystore nonexistkeystore -storepass changeit -export -file mykey.cert2 -alias c1");
|
|
787 |
testFail("", "-keystore badkeystore -storepass changeit -export -file mykey.cert2 -alias c1");
|
|
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
788 |
testFail("", "-keystore x.jks -storetype JKS -storepass badpass -export -file mykey.cert2 -alias c1");
|
| 2 | 789 |
remove("mykey.cert");
|
790 |
remove("mykey.cert2");
|
|
791 |
remove("x.jks");
|
|
792 |
} |
|
793 |
||
794 |
void sqeDeleteTest() throws Exception {
|
|
795 |
remove("x.jks");
|
|
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
796 |
testFail("", "-keystore x.jks -storetype JKS -storepass changeit -delete -alias mykey"); // nonexist
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
797 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -genkeypair -dname CN=olala");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
798 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -delete -alias mykey");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
799 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -genkeypair -dname CN=olala");
|
| 2 | 800 |
testFail("", "-keystore aa\\bb//cc\\dd -storepass changeit -delete -alias mykey"); // keystore name illegal
|
801 |
testFail("", "-keystore nonexistkeystore -storepass changeit -delete -alias mykey"); // keystore not exist
|
|
802 |
testFail("", "-keystore badkeystore -storepass changeit -delete -alias mykey"); // keystore invalid
|
|
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
803 |
testFail("", "-keystore x.jks -storetype JKS -storepass xxxxxxxx -delete -alias mykey"); // wrong pass
|
| 2 | 804 |
remove("x.jks");
|
805 |
} |
|
806 |
||
807 |
void sqeCsrTest() throws Exception {
|
|
808 |
remove("x.jks");
|
|
809 |
remove("x.jks.p1.cert");
|
|
810 |
remove("csr1");
|
|
811 |
// PrivateKeyEntry can do certreq |
|
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
812 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -genkeypair -dname CN=olala -keysize 1024");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
813 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -certreq -file csr1 -alias mykey");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
814 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -certreq -file csr1");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
815 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -certreq -file csr1 -sigalg SHA1withDSA");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
816 |
testFail("", "-keystore x.jks -storetype JKS -storepass changeit -certreq -file csr1 -sigalg MD5withRSA"); // unmatched sigalg
|
| 2 | 817 |
// misc test |
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
818 |
testFail("", "-keystore x.jks -storetype JKS -storepass badstorepass -certreq -file csr1"); // bad storepass
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
819 |
testOK("changeit\n", "-keystore x.jks -storetype JKS -certreq -file csr1"); // storepass from terminal
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
820 |
testFail("\n", "-keystore x.jks -storetype JKS -certreq -file csr1"); // must provide storepass
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
821 |
testFail("", "-keystore x.jks -storetype JKS -storepass changeit -keypass badkeypass -certreq -file csr1"); // bad keypass
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
822 |
testFail("", "-keystore x.jks -storetype JKS -storepass changeit -certreq -file aa\\bb//cc\\dd"); // bad filepath
|
| 2 | 823 |
testFail("", "-keystore noexistks -storepass changeit -certreq -file csr1"); // non-existing keystore
|
824 |
// Try the RSA private key |
|
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
825 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -delete -alias mykey");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
826 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -genkeypair -dname CN=olala -keyalg RSA");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
827 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -certreq -file csr1 -alias mykey");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
828 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -certreq -file csr1");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
829 |
testFail("", "-keystore x.jks -storetype JKS -storepass changeit -certreq -file csr1 -sigalg SHA1withDSA"); // unmatched sigalg
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
830 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -certreq -file csr1 -sigalg MD5withRSA");
|
| 2 | 831 |
// TrustedCertificateEntry cannot do certreq |
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
832 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -exportcert -file x.jks.p1.cert");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
833 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -delete -alias mykey");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
834 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -importcert -file x.jks.p1.cert -noprompt");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
835 |
testFail("", "-keystore x.jks -storetype JKS -storepass changeit -certreq -file csr1 -alias mykey");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
836 |
testFail("", "-keystore x.jks -storetype JKS -storepass changeit -certreq -file csr1");
|
| 2 | 837 |
remove("x.jks");
|
838 |
remove("x.jks.p1.cert");
|
|
839 |
remove("csr1");
|
|
840 |
} |
|
841 |
||
842 |
void sqePrintcertTest() throws Exception {
|
|
843 |
remove("x.jks");
|
|
844 |
remove("mykey.cert");
|
|
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
845 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -genkeypair -dname CN=olala");
|
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
846 |
testOK("", "-keystore x.jks -storetype JKS -storepass changeit -export -file mykey.cert -alias mykey");
|
| 2 | 847 |
testFail("", "-printcert -file badkeystore");
|
848 |
testFail("", "-printcert -file a/b/c/d");
|
|
849 |
testOK("", "-printcert -file mykey.cert");
|
|
850 |
FileInputStream fin = new FileInputStream("mykey.cert");
|
|
851 |
testOK(fin, "-printcert"); |
|
852 |
fin.close(); |
|
853 |
remove("x.jks");
|
|
854 |
remove("mykey.cert");
|
|
855 |
} |
|
856 |
||
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
857 |
void v3extTest(String keyAlg) throws Exception {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
858 |
KeyStore ks; |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
859 |
remove("x.jks");
|
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
860 |
String simple = "-keystore x.jks -storetype JKS -storepass changeit -keypass changeit -noprompt -keyalg " + keyAlg + " "; |
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
861 |
String pre = simple + "-genkeypair -dname CN=Olala -alias "; |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
862 |
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
863 |
// Version and SKID |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
864 |
testOK("", pre + "o1");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
865 |
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
866 |
ks = loadStore("x.jks", "changeit", "JKS");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
867 |
assertTrue(((X509Certificate)ks.getCertificate("o1")).getVersion() == 3);
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
868 |
assertTrue(((X509CertImpl)ks.getCertificate("o1")).getSubjectKeyIdentifierExtension() != null);
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
869 |
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
870 |
// BC |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
871 |
testOK("", pre + "b1 -ext BC:critical");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
872 |
testOK("", pre + "b2 -ext BC");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
873 |
testOK("", pre + "b3 -ext bc");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
874 |
testOK("", pre + "b4 -ext BasicConstraints");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
875 |
testOK("", pre + "b5 -ext basicconstraints");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
876 |
testOK("", pre + "b6 -ext BC=ca:true,pathlen:12");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
877 |
testOK("", pre + "b7 -ext BC=ca:false");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
878 |
testOK("", pre + "b8 -ext BC:critical=ca:false");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
879 |
testOK("", pre + "b9 -ext BC=12");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
880 |
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
881 |
ks = loadStore("x.jks", "changeit", "JKS");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
882 |
assertTrue(((X509CertImpl)ks.getCertificate("b1")).getBasicConstraintsExtension().isCritical());
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
883 |
assertTrue(!((X509CertImpl)ks.getCertificate("b2")).getBasicConstraintsExtension().isCritical());
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
884 |
assertTrue(((X509CertImpl)ks.getCertificate("b8")).getBasicConstraintsExtension().isCritical());
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
885 |
assertTrue(((X509Certificate)ks.getCertificate("b1")).getBasicConstraints() == Integer.MAX_VALUE);
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
886 |
assertTrue(((X509Certificate)ks.getCertificate("b2")).getBasicConstraints() == Integer.MAX_VALUE);
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
887 |
assertTrue(((X509Certificate)ks.getCertificate("b3")).getBasicConstraints() == Integer.MAX_VALUE);
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
888 |
assertTrue(((X509Certificate)ks.getCertificate("b4")).getBasicConstraints() == Integer.MAX_VALUE);
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
889 |
assertTrue(((X509Certificate)ks.getCertificate("b5")).getBasicConstraints() == Integer.MAX_VALUE);
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
890 |
assertTrue(((X509Certificate)ks.getCertificate("b6")).getBasicConstraints() == 12);
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
891 |
assertTrue(((X509Certificate)ks.getCertificate("b7")).getBasicConstraints() == -1);
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
892 |
assertTrue(((X509Certificate)ks.getCertificate("b9")).getBasicConstraints() == 12);
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
893 |
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
894 |
// KU |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
895 |
testOK("", pre + "ku1 -ext KeyUsage:critical=digitalsignature");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
896 |
testOK("", pre + "ku2 -ext KU=digitalSignature");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
897 |
testOK("", pre + "ku3 -ext KU=ds");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
898 |
testOK("", pre + "ku4 -ext KU=dig");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
899 |
testFail("", pre + "ku5 -ext KU=d"); // ambigous value
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
900 |
testFail("", pre + "ku6 -ext KU=cs"); // cRLSign cannot be cs
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
901 |
testOK("", pre + "ku11 -ext KU=nr");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
902 |
testFail("", pre + "ku12 -ext KU=ke"); // ke also means keyAgreement
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
903 |
testOK("", pre + "ku12 -ext KU=keyE");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
904 |
testFail("", pre + "ku13 -ext KU=de"); // de also means decipherOnly
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
905 |
testOK("", pre + "ku13 -ext KU=dataE");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
906 |
testOK("", pre + "ku14 -ext KU=ka");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
907 |
testOK("", pre + "ku15 -ext KU=kcs");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
908 |
testOK("", pre + "ku16 -ext KU=crls");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
909 |
testOK("", pre + "ku17 -ext KU=eo");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
910 |
testOK("", pre + "ku18 -ext KU=do");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
911 |
testOK("", pre + "ku19 -ext KU=cc");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
912 |
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
913 |
testOK("", pre + "ku017 -ext KU=ds,cc,eo");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
914 |
testOK("", pre + "ku135 -ext KU=nr,dataEncipherment,keyCertSign");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
915 |
testOK("", pre + "ku246 -ext KU=keyEnc,cRL,keyA");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
916 |
testOK("", pre + "ku1234 -ext KU=ka,da,keyE,nonR");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
917 |
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
918 |
ks = loadStore("x.jks", "changeit", "JKS");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
919 |
class CheckKU {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
920 |
void check(KeyStore ks, String alias, int... pos) throws Exception {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
921 |
System.err.print("x");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
922 |
boolean[] bs = ((X509Certificate)ks.getCertificate(alias)).getKeyUsage(); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
923 |
bs = Arrays.copyOf(bs, 9); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
924 |
for (int i=0; i<bs.length; i++) {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
925 |
boolean found = false; |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
926 |
for (int p: pos) {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
927 |
if (p == i) found = true; |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
928 |
} |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
929 |
if (!found ^ bs[i]) {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
930 |
// OK |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
931 |
} else {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
932 |
throw new RuntimeException("KU not match at " + i +
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
933 |
": " + found + " vs " + bs[i]); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
934 |
} |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
935 |
} |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
936 |
} |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
937 |
} |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
938 |
CheckKU c = new CheckKU(); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
939 |
assertTrue(((X509CertImpl)ks.getCertificate("ku1")).getExtension(PKIXExtensions.KeyUsage_Id).isCritical());
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
940 |
assertTrue(!((X509CertImpl)ks.getCertificate("ku2")).getExtension(PKIXExtensions.KeyUsage_Id).isCritical());
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
941 |
c.check(ks, "ku1", 0); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
942 |
c.check(ks, "ku2", 0); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
943 |
c.check(ks, "ku3", 0); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
944 |
c.check(ks, "ku4", 0); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
945 |
c.check(ks, "ku11", 1); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
946 |
c.check(ks, "ku12", 2); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
947 |
c.check(ks, "ku13", 3); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
948 |
c.check(ks, "ku14", 4); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
949 |
c.check(ks, "ku15", 5); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
950 |
c.check(ks, "ku16", 6); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
951 |
c.check(ks, "ku17", 7); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
952 |
c.check(ks, "ku18", 8); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
953 |
c.check(ks, "ku19", 1); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
954 |
c.check(ks, "ku11", 1); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
955 |
c.check(ks, "ku11", 1); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
956 |
c.check(ks, "ku11", 1); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
957 |
c.check(ks, "ku017", 0, 1, 7); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
958 |
c.check(ks, "ku135", 1, 3, 5); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
959 |
c.check(ks, "ku246", 6, 2, 4); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
960 |
c.check(ks, "ku1234", 1, 2, 3, 4); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
961 |
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
962 |
// EKU |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
963 |
testOK("", pre + "eku1 -ext EKU:critical=sa");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
964 |
testOK("", pre + "eku2 -ext ExtendedKeyUsage=ca");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
965 |
testOK("", pre + "eku3 -ext EKU=cs");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
966 |
testOK("", pre + "eku4 -ext EKU=ep");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
967 |
testOK("", pre + "eku8 -ext EKU=ts");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
968 |
testFail("", pre + "eku9 -ext EKU=os");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
969 |
testOK("", pre + "eku9 -ext EKU=ocsps");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
970 |
testOK("", pre + "eku10 -ext EKU=any");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
971 |
testOK("", pre + "eku11 -ext EKU=1.2.3.4,1.3.5.7,ep");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
972 |
testFail("", pre + "eku12 -ext EKU=c");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
973 |
testFail("", pre + "eku12 -ext EKU=nothing");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
974 |
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
975 |
ks = loadStore("x.jks", "changeit", "JKS");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
976 |
class CheckEKU {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
977 |
void check(KeyStore ks, String alias, String... pos) throws Exception {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
978 |
System.err.print("x");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
979 |
List<String> bs = ((X509Certificate)ks.getCertificate(alias)).getExtendedKeyUsage(); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
980 |
int found = 0; |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
981 |
for (String p: pos) {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
982 |
if (bs.contains(p)) {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
983 |
found++; |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
984 |
} else {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
985 |
throw new RuntimeException("EKU: not included " + p);
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
986 |
} |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
987 |
} |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
988 |
if (found != bs.size()) {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
989 |
throw new RuntimeException("EKU: more items than expected");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
990 |
} |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
991 |
} |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
992 |
} |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
993 |
CheckEKU cx = new CheckEKU(); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
994 |
assertTrue(((X509CertImpl)ks.getCertificate("eku1")).getExtension(PKIXExtensions.ExtendedKeyUsage_Id).isCritical());
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
995 |
assertTrue(!((X509CertImpl)ks.getCertificate("eku2")).getExtension(PKIXExtensions.ExtendedKeyUsage_Id).isCritical());
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
996 |
cx.check(ks, "eku1", "1.3.6.1.5.5.7.3.1"); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
997 |
cx.check(ks, "eku2", "1.3.6.1.5.5.7.3.2"); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
998 |
cx.check(ks, "eku3", "1.3.6.1.5.5.7.3.3"); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
999 |
cx.check(ks, "eku4", "1.3.6.1.5.5.7.3.4"); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1000 |
cx.check(ks, "eku8", "1.3.6.1.5.5.7.3.8"); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1001 |
cx.check(ks, "eku9", "1.3.6.1.5.5.7.3.9"); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1002 |
cx.check(ks, "eku10", "2.5.29.37.0"); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1003 |
cx.check(ks, "eku11", "1.3.6.1.5.5.7.3.4", "1.2.3.4", "1.3.5.7"); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1004 |
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1005 |
// SAN |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1006 |
testOK("", pre+"san1 -ext san:critical=email:me@me.org");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1007 |
testOK("", pre+"san2 -ext san=uri:http://me.org");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1008 |
testOK("", pre+"san3 -ext san=dns:me.org");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1009 |
testOK("", pre+"san4 -ext san=ip:192.168.0.1");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1010 |
testOK("", pre+"san5 -ext san=oid:1.2.3.4");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1011 |
testOK("", pre+"san235 -ext san=uri:http://me.org,dns:me.org,oid:1.2.3.4");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1012 |
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1013 |
ks = loadStore("x.jks", "changeit", "JKS");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1014 |
class CheckSAN {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1015 |
// Please sort items with name type |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1016 |
void check(KeyStore ks, String alias, int type, Object... items) throws Exception {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1017 |
int pos = 0; |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1018 |
System.err.print("x");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1019 |
Object[] names = null; |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1020 |
if (type == 0) names = ((X509Certificate)ks.getCertificate(alias)).getSubjectAlternativeNames().toArray(); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1021 |
else names = ((X509Certificate)ks.getCertificate(alias)).getIssuerAlternativeNames().toArray(); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1022 |
Arrays.sort(names, new Comparator() {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1023 |
public int compare(Object o1, Object o2) {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1024 |
int i1 = (Integer)((List)o1).get(0); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1025 |
int i2 = (Integer)((List)o2).get(0); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1026 |
return i1 - i2; |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1027 |
} |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1028 |
}); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1029 |
for (Object o: names) {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1030 |
List l = (List)o; |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1031 |
for (Object o2: l) {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1032 |
if (!items[pos++].equals(o2)) {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1033 |
throw new RuntimeException("Not equals at " + pos
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1034 |
+ ": " + items[pos-1] + " vs " + o2); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1035 |
} |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1036 |
} |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1037 |
} |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1038 |
if (pos != items.length) {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1039 |
throw new RuntimeException("Extra items, pos is " + pos);
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1040 |
} |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1041 |
} |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1042 |
} |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1043 |
CheckSAN csan = new CheckSAN(); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1044 |
assertTrue(((X509CertImpl)ks.getCertificate("san1")).getSubjectAlternativeNameExtension().isCritical());
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1045 |
assertTrue(!((X509CertImpl)ks.getCertificate("san2")).getSubjectAlternativeNameExtension().isCritical());
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1046 |
csan.check(ks, "san1", 0, 1, "me@me.org"); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1047 |
csan.check(ks, "san2", 0, 6, "http://me.org"); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1048 |
csan.check(ks, "san3", 0, 2, "me.org"); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1049 |
csan.check(ks, "san4", 0, 7, "192.168.0.1"); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1050 |
csan.check(ks, "san5", 0, 8, "1.2.3.4"); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1051 |
csan.check(ks, "san235", 0, 2, "me.org", 6, "http://me.org", 8, "1.2.3.4"); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1052 |
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1053 |
// IAN |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1054 |
testOK("", pre+"ian1 -ext ian:critical=email:me@me.org");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1055 |
testOK("", pre+"ian2 -ext ian=uri:http://me.org");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1056 |
testOK("", pre+"ian3 -ext ian=dns:me.org");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1057 |
testOK("", pre+"ian4 -ext ian=ip:192.168.0.1");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1058 |
testOK("", pre+"ian5 -ext ian=oid:1.2.3.4");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1059 |
testOK("", pre+"ian235 -ext ian=uri:http://me.org,dns:me.org,oid:1.2.3.4");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1060 |
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1061 |
ks = loadStore("x.jks", "changeit", "JKS");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1062 |
assertTrue(((X509CertImpl)ks.getCertificate("ian1")).getIssuerAlternativeNameExtension().isCritical());
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1063 |
assertTrue(!((X509CertImpl)ks.getCertificate("ian2")).getIssuerAlternativeNameExtension().isCritical());
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1064 |
csan.check(ks, "ian1", 1, 1, "me@me.org"); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1065 |
csan.check(ks, "ian2", 1, 6, "http://me.org"); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1066 |
csan.check(ks, "ian3", 1, 2, "me.org"); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1067 |
csan.check(ks, "ian4", 1, 7, "192.168.0.1"); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1068 |
csan.check(ks, "ian5", 1, 8, "1.2.3.4"); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1069 |
csan.check(ks, "ian235", 1, 2, "me.org", 6, "http://me.org", 8, "1.2.3.4"); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1070 |
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1071 |
// SIA |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1072 |
testOK("", pre+"sia1 -ext sia=care:uri:ldap://ca.com/cn=CA");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1073 |
testOK("", pre+"sia2 -ext sia=ts:email:ts@ca.com");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1074 |
testFail("SIA never critical", pre+"sia3 -ext sia:critical=ts:email:ts@ca.com");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1075 |
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1076 |
ks = loadStore("x.jks", "changeit", "JKS");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1077 |
class CheckSia {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1078 |
void check(KeyStore ks, String alias, int type, Object... items) throws Exception {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1079 |
int pos = 0; |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1080 |
System.err.print("x");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1081 |
AccessDescription[] ads = null; |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1082 |
if (type == 0) {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1083 |
SubjectInfoAccessExtension siae = (SubjectInfoAccessExtension)((X509CertImpl)ks.getCertificate(alias)).getExtension(PKIXExtensions.SubjectInfoAccess_Id); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1084 |
ads = siae.getAccessDescriptions().toArray(new AccessDescription[0]); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1085 |
} else {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1086 |
AuthorityInfoAccessExtension aiae = (AuthorityInfoAccessExtension)((X509CertImpl)ks.getCertificate(alias)).getExtension(PKIXExtensions.AuthInfoAccess_Id); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1087 |
ads = aiae.getAccessDescriptions().toArray(new AccessDescription[0]); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1088 |
} |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1089 |
Arrays.sort(ads, new Comparator<AccessDescription>() {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1090 |
@Override |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1091 |
public int compare(AccessDescription o1, AccessDescription o2) {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1092 |
return o1.getAccessMethod().toString().compareTo(o2.getAccessMethod().toString()); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1093 |
} |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1094 |
}); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1095 |
for (AccessDescription ad: ads) {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1096 |
if (!ad.getAccessMethod().equals(items[pos++]) || |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1097 |
!new Integer(ad.getAccessLocation().getType()).equals(items[pos++])) {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1098 |
throw new RuntimeException("Not same type at " + pos);
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1099 |
} |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1100 |
String name = null; |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1101 |
switch (ad.getAccessLocation().getType()) {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1102 |
case 1: |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1103 |
name = ((RFC822Name)ad.getAccessLocation().getName()).getName(); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1104 |
break; |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1105 |
case 6: |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1106 |
name = ((URIName)ad.getAccessLocation().getName()).getURI().toString(); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1107 |
break; |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1108 |
default: |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1109 |
throw new RuntimeException("Not implemented: " + ad);
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1110 |
} |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1111 |
if (!name.equals(items[pos++])) {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1112 |
throw new Exception("Name not same for " + ad + " at pos " + pos);
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1113 |
} |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1114 |
} |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1115 |
} |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1116 |
} |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1117 |
CheckSia csia = new CheckSia(); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1118 |
assertTrue(!((X509CertImpl)ks.getCertificate("sia1")).getExtension(PKIXExtensions.SubjectInfoAccess_Id).isCritical());
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1119 |
csia.check(ks, "sia1", 0, AccessDescription.Ad_CAREPOSITORY_Id, 6, "ldap://ca.com/cn=CA"); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1120 |
csia.check(ks, "sia2", 0, AccessDescription.Ad_TIMESTAMPING_Id, 1, "ts@ca.com"); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1121 |
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1122 |
// AIA |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1123 |
testOK("", pre+"aia1 -ext aia=cai:uri:ldap://ca.com/cn=CA");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1124 |
testOK("", pre+"aia2 -ext aia=ocsp:email:ocsp@ca.com");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1125 |
testFail("AIA never critical", pre+"aia3 -ext aia:critical=ts:email:ts@ca.com");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1126 |
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1127 |
ks = loadStore("x.jks", "changeit", "JKS");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1128 |
assertTrue(!((X509CertImpl)ks.getCertificate("aia1")).getExtension(PKIXExtensions.AuthInfoAccess_Id).isCritical());
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1129 |
csia.check(ks, "aia1", 1, AccessDescription.Ad_CAISSUERS_Id, 6, "ldap://ca.com/cn=CA"); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1130 |
csia.check(ks, "aia2", 1, AccessDescription.Ad_OCSP_Id, 1, "ocsp@ca.com"); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1131 |
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1132 |
// OID |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1133 |
testOK("", pre+"oid1 -ext 1.2.3:critical=0102");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1134 |
testOK("", pre+"oid2 -ext 1.2.3");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1135 |
testOK("", pre+"oid12 -ext 1.2.3 -ext 1.2.4=01:02:03");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1136 |
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1137 |
ks = loadStore("x.jks", "changeit", "JKS");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1138 |
class CheckOid {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1139 |
void check(KeyStore ks, String alias, String oid, byte[] value) throws Exception {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1140 |
int pos = 0; |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1141 |
System.err.print("x");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1142 |
Extension ex = ((X509CertImpl)ks.getCertificate(alias)).getExtension(new ObjectIdentifier(oid)); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1143 |
if (!Arrays.equals(value, ex.getValue())) {
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1144 |
throw new RuntimeException("Not same content in " + alias + " for " + oid);
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1145 |
} |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1146 |
} |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1147 |
} |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1148 |
CheckOid coid = new CheckOid(); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1149 |
assertTrue(((X509CertImpl)ks.getCertificate("oid1")).getExtension(new ObjectIdentifier("1.2.3")).isCritical());
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1150 |
assertTrue(!((X509CertImpl)ks.getCertificate("oid2")).getExtension(new ObjectIdentifier("1.2.3")).isCritical());
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1151 |
coid.check(ks, "oid1", "1.2.3", new byte[]{1,2});
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1152 |
coid.check(ks, "oid2", "1.2.3", new byte[]{});
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1153 |
coid.check(ks, "oid12", "1.2.3", new byte[]{});
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1154 |
coid.check(ks, "oid12", "1.2.4", new byte[]{1,2,3});
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1155 |
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1156 |
// honored |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1157 |
testOK("", pre+"ca");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1158 |
testOK("", pre+"a");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1159 |
// request: BC,KU,1.2.3,1.2.4,1.2.5 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1160 |
testOK("", simple+"-alias a -certreq " +
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1161 |
"-ext BC=1 -ext KU=crl " + |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1162 |
"-ext 1.2.3=01 -ext 1.2.4:critical=0102 -ext 1.2.5=010203 " + |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1163 |
"-rfc -file test.req"); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1164 |
// printcertreq |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1165 |
testOK("", "-printcertreq -file test.req");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1166 |
// issue: deny KU, change criticality of 1.2.3 and 1.2.4, change content of BC, add 2.3.4 |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1167 |
testOK("", simple+"-gencert -alias ca -infile test.req -ext " +
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1168 |
"honored=all,-KU,1.2.3:critical,1.2.4:non-critical " + |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1169 |
"-ext BC=2 -ext 2.3.4=01020304 " + |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1170 |
"-debug -rfc -outfile test.cert"); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1171 |
testOK("", simple+"-importcert -file test.cert -alias a");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1172 |
ks = loadStore("x.jks", "changeit", "JKS");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1173 |
X509CertImpl a = (X509CertImpl)ks.getCertificate("a");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1174 |
assertTrue(a.getAuthorityKeyIdentifierExtension() != null); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1175 |
assertTrue(a.getSubjectKeyIdentifierExtension() != null); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1176 |
assertTrue(a.getKeyUsage() == null); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1177 |
assertTrue(a.getExtension(new ObjectIdentifier("1.2.3")).isCritical());
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1178 |
assertTrue(!a.getExtension(new ObjectIdentifier("1.2.4")).isCritical());
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1179 |
assertTrue(!a.getExtension(new ObjectIdentifier("1.2.5")).isCritical());
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1180 |
assertTrue(a.getExtensionValue("1.2.3").length == 3);
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1181 |
assertTrue(a.getExtensionValue("1.2.4").length == 4);
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1182 |
assertTrue(a.getExtensionValue("1.2.5").length == 5);
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1183 |
assertTrue(a.getBasicConstraints() == 2); |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1184 |
assertTrue(!a.getExtension(new ObjectIdentifier("2.3.4")).isCritical());
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1185 |
assertTrue(a.getExtensionValue("2.3.4").length == 6);
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1186 |
|
|
29110
ea89fdd8a5d5
8073181: keytool -ext honored not working correctly
weijun
parents:
28243
diff
changeset
|
1187 |
// 8073181: keytool -ext honored not working correctly |
|
ea89fdd8a5d5
8073181: keytool -ext honored not working correctly
weijun
parents:
28243
diff
changeset
|
1188 |
testOK("", simple+"-gencert -alias ca -infile test.req -ext " +
|
|
ea89fdd8a5d5
8073181: keytool -ext honored not working correctly
weijun
parents:
28243
diff
changeset
|
1189 |
"honored=1.2.3,1.2.4:critical " + |
|
ea89fdd8a5d5
8073181: keytool -ext honored not working correctly
weijun
parents:
28243
diff
changeset
|
1190 |
"-debug -rfc -outfile test2.cert"); |
|
ea89fdd8a5d5
8073181: keytool -ext honored not working correctly
weijun
parents:
28243
diff
changeset
|
1191 |
testOK("", simple+"-importcert -file test2.cert -alias b");
|
|
ea89fdd8a5d5
8073181: keytool -ext honored not working correctly
weijun
parents:
28243
diff
changeset
|
1192 |
ks = loadStore("x.jks", "changeit", "JKS");
|
|
ea89fdd8a5d5
8073181: keytool -ext honored not working correctly
weijun
parents:
28243
diff
changeset
|
1193 |
X509CertImpl b = (X509CertImpl)ks.getCertificate("b");
|
|
ea89fdd8a5d5
8073181: keytool -ext honored not working correctly
weijun
parents:
28243
diff
changeset
|
1194 |
assertTrue(!b.getExtension(new ObjectIdentifier("1.2.3")).isCritical());
|
|
ea89fdd8a5d5
8073181: keytool -ext honored not working correctly
weijun
parents:
28243
diff
changeset
|
1195 |
assertTrue(b.getExtension(new ObjectIdentifier("1.2.4")).isCritical());
|
|
ea89fdd8a5d5
8073181: keytool -ext honored not working correctly
weijun
parents:
28243
diff
changeset
|
1196 |
|
|
29111
e9103f166a4a
8073182: keytool may generate duplicate extensions
weijun
parents:
29110
diff
changeset
|
1197 |
// 8073182: keytool may generate duplicate extensions |
|
e9103f166a4a
8073182: keytool may generate duplicate extensions
weijun
parents:
29110
diff
changeset
|
1198 |
testOK("", pre+"dup -ext bc=2 -ext 2.5.29.19=30030101FF -ext bc=3");
|
|
e9103f166a4a
8073182: keytool may generate duplicate extensions
weijun
parents:
29110
diff
changeset
|
1199 |
ks = loadStore("x.jks", "changeit", "JKS");
|
|
e9103f166a4a
8073182: keytool may generate duplicate extensions
weijun
parents:
29110
diff
changeset
|
1200 |
X509CertImpl dup = (X509CertImpl)ks.getCertificate("dup");
|
|
e9103f166a4a
8073182: keytool may generate duplicate extensions
weijun
parents:
29110
diff
changeset
|
1201 |
assertTrue(dup.getBasicConstraints() == 3); |
|
e9103f166a4a
8073182: keytool may generate duplicate extensions
weijun
parents:
29110
diff
changeset
|
1202 |
|
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1203 |
remove("x.jks");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1204 |
remove("test.req");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1205 |
remove("test.cert");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1206 |
} |
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1207 |
|
| 2 | 1208 |
void i18nTest() throws Exception {
|
1209 |
// 1. keytool -help |
|
1210 |
remove("x.jks");
|
|
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1211 |
testOK("", "-help");
|
|
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1212 |
|
| 2 | 1213 |
// 2. keytool -genkey -v -keysize 512 Enter "a" for the keystore password. Check error (password too short). Enter "password" for the keystore password. Hit 'return' for "first and last name", "organizational unit", "City", "State", and "Country Code". Type "yes" when they ask you if everything is correct. Type 'return' for new key password. |
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
1214 |
testOK("a\npassword\npassword\nMe\nHere\nNow\nPlace\nPlace\nUS\nyes\n\n", "-genkey -v -keysize 512 -keystore x.jks -storetype JKS");
|
| 2 | 1215 |
// 3. keytool -list -v -storepass password |
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
1216 |
testOK("", "-list -v -storepass password -keystore x.jks -storetype JKS");
|
| 2 | 1217 |
// 4. keytool -list -v Type "a" for the keystore password. Check error (wrong keystore password). |
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
1218 |
testFail("a\n", "-list -v -keystore x.jks -storetype JKS");
|
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1219 |
assertTrue(ex.indexOf("password was incorrect") != -1);
|
| 2 | 1220 |
// 5. keytool -genkey -v -keysize 512 Enter "password" as the password. Check error (alias 'mykey' already exists). |
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
1221 |
testFail("password\n", "-genkey -v -keysize 512 -keystore x.jks -storetype JKS");
|
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1222 |
assertTrue(ex.indexOf("alias <mykey> already exists") != -1);
|
| 2 | 1223 |
// 6. keytool -genkey -v -keysize 512 -alias mykey2 -storepass password Hit 'return' for "first and last name", "organizational unit", "City", "State", and "Country Code". Type "yes" when they ask you if everything is correct. Type 'return' for new key password. |
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
1224 |
testOK("\n\n\n\n\n\nyes\n\n", "-genkey -v -keysize 512 -alias mykey2 -storepass password -keystore x.jks -storetype JKS");
|
| 2 | 1225 |
// 7. keytool -list -v Type 'password' for the store password. |
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
1226 |
testOK("password\n", "-list -v -keystore x.jks -storetype JKS");
|
| 2 | 1227 |
// 8. keytool -keypasswd -v -alias mykey2 -storepass password Type "a" for the new key password. Type "aaaaaa" for the new key password. Type "bbbbbb" when re-entering the new key password. Type "a" for the new key password. Check Error (too many failures). |
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
1228 |
testFail("a\naaaaaa\nbbbbbb\na\n", "-keypasswd -v -alias mykey2 -storepass password -keystore x.jks -storetype JKS");
|
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1229 |
assertTrue(ex.indexOf("Too many failures - try later") != -1);
|
| 2 | 1230 |
// 9. keytool -keypasswd -v -alias mykey2 -storepass password Type "aaaaaa" for the new key password. Type "aaaaaa" when re-entering the new key password. |
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
1231 |
testOK("aaaaaa\naaaaaa\n", "-keypasswd -v -alias mykey2 -storepass password -keystore x.jks -storetype JKS");
|
| 2 | 1232 |
// 10. keytool -selfcert -v -alias mykey -storepass password |
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
1233 |
testOK("", "-selfcert -v -alias mykey -storepass password -keystore x.jks -storetype JKS");
|
| 2 | 1234 |
// 11. keytool -list -v -storepass password |
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
1235 |
testOK("", "-list -v -storepass password -keystore x.jks -storetype JKS");
|
| 2 | 1236 |
// 12. keytool -export -v -alias mykey -file cert -storepass password |
1237 |
remove("cert");
|
|
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
1238 |
testOK("", "-export -v -alias mykey -file cert -storepass password -keystore x.jks -storetype JKS");
|
| 2 | 1239 |
// 13. keytool -import -v -file cert -storepass password Check error (Certificate reply and cert are the same) |
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
1240 |
testFail("", "-import -v -file cert -storepass password -keystore x.jks -storetype JKS");
|
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1241 |
assertTrue(ex.indexOf("Certificate reply and certificate in keystore are identical") != -1);
|
| 2 | 1242 |
// 14. keytool -printcert -file cert |
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
1243 |
testOK("", "-printcert -file cert -keystore x.jks -storetype JKS");
|
| 2 | 1244 |
remove("cert");
|
1245 |
// 15. keytool -list -storepass password -provider sun.security.provider.Sun |
|
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
1246 |
testOK("", "-list -storepass password -provider sun.security.provider.Sun -keystore x.jks -storetype JKS");
|
| 2 | 1247 |
|
1248 |
//Error tests |
|
1249 |
||
1250 |
// 1. keytool -storepasswd -storepass password -new abc Check error (password too short) |
|
1251 |
testFail("", "-storepasswd -storepass password -new abc");
|
|
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1252 |
assertTrue(ex.indexOf("New password must be at least 6 characters") != -1);
|
| 2 | 1253 |
// Changed, no NONE needed now |
1254 |
// 2. keytool -list -storetype PKCS11 Check error (-keystore must be NONE) |
|
1255 |
//testFail("", "-list -storetype PKCS11");
|
|
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1256 |
//assertTrue(err.indexOf("keystore must be NONE") != -1);
|
| 2 | 1257 |
// 3. keytool -storepasswd -storetype PKCS11 -keystore NONE Check error (unsupported operation) |
1258 |
testFail("", "-storepasswd -storetype PKCS11 -keystore NONE");
|
|
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1259 |
assertTrue(ex.indexOf("UnsupportedOperationException") != -1);
|
| 2 | 1260 |
// 4. keytool -keypasswd -storetype PKCS11 -keystore NONE Check error (unsupported operation) |
1261 |
testFail("", "-keypasswd -storetype PKCS11 -keystore NONE");
|
|
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1262 |
assertTrue(ex.indexOf("UnsupportedOperationException") != -1);
|
| 2 | 1263 |
// 5. keytool -list -protected -storepass password Check error (password can not be specified with -protected) |
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
1264 |
testFail("", "-list -protected -storepass password -keystore x.jks -storetype JKS");
|
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1265 |
assertTrue(ex.indexOf("if -protected is specified, then") != -1);
|
| 2 | 1266 |
// 6. keytool -keypasswd -protected -keypass password Check error (password can not be specified with -protected) |
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
1267 |
testFail("", "-keypasswd -protected -keypass password -keystore x.jks -storetype JKS");
|
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1268 |
assertTrue(ex.indexOf("if -protected is specified, then") != -1);
|
| 2 | 1269 |
// 7. keytool -keypasswd -protected -new password Check error (password can not be specified with -protected) |
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
27344
diff
changeset
|
1270 |
testFail("", "-keypasswd -protected -new password -keystore x.jks -storetype JKS");
|
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1271 |
assertTrue(ex.indexOf("if -protected is specified, then") != -1);
|
| 2 | 1272 |
remove("x.jks");
|
1273 |
} |
|
1274 |
||
1275 |
void i18nPKCS11Test() throws Exception {
|
|
1276 |
//PKCS#11 tests |
|
1277 |
||
1278 |
// 1. sccs edit cert8.db key3.db |
|
1279 |
//Runtime.getRuntime().exec("/usr/ccs/bin/sccs edit cert8.db key3.db");
|
|
1280 |
testOK("", p11Arg + "-storepass test12 -genkey -alias genkey -dname cn=genkey -keysize 512 -keyalg rsa");
|
|
1281 |
testOK("", p11Arg + "-storepass test12 -list");
|
|
1282 |
testOK("", p11Arg + "-storepass test12 -list -alias genkey");
|
|
1283 |
testOK("", p11Arg + "-storepass test12 -certreq -alias genkey -file genkey.certreq");
|
|
1284 |
testOK("", p11Arg + "-storepass test12 -export -alias genkey -file genkey.cert");
|
|
1285 |
testOK("", "-printcert -file genkey.cert");
|
|
1286 |
testOK("", p11Arg + "-storepass test12 -selfcert -alias genkey -dname cn=selfCert");
|
|
1287 |
testOK("", p11Arg + "-storepass test12 -list -alias genkey -v");
|
|
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1288 |
assertTrue(out.indexOf("Owner: CN=selfCert") != -1);
|
| 2 | 1289 |
//(check that cert subject DN is [cn=selfCert]) |
1290 |
testOK("", p11Arg + "-storepass test12 -delete -alias genkey");
|
|
1291 |
testOK("", p11Arg + "-storepass test12 -list");
|
|
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1292 |
assertTrue(out.indexOf("Your keystore contains 0 entries") != -1);
|
| 2 | 1293 |
//(check for empty database listing) |
1294 |
//Runtime.getRuntime().exec("/usr/ccs/bin/sccs unedit cert8.db key3.db");
|
|
1295 |
remove("genkey.cert");
|
|
1296 |
remove("genkey.certreq");
|
|
1297 |
// 12. sccs unedit cert8.db key3.db |
|
1298 |
} |
|
1299 |
||
1300 |
// tesing new option -srcProviderName |
|
1301 |
void sszzTest() throws Exception {
|
|
1302 |
testAnyway("", NSS_P11_ARG+"-delete -alias nss -storepass test12");
|
|
1303 |
testAnyway("", NZZ_P11_ARG+"-delete -alias nss -storepass test12");
|
|
1304 |
testOK("", NSS_P11_ARG+"-genkeypair -dname CN=NSS -alias nss -storepass test12");
|
|
1305 |
testOK("", NSS_SRC_P11_ARG + NZZ_P11_ARG +
|
|
1306 |
"-importkeystore -srcstorepass test12 -deststorepass test12"); |
|
1307 |
testAnyway("", NSS_P11_ARG+"-delete -alias nss -storepass test12");
|
|
1308 |
testAnyway("", NZZ_P11_ARG+"-delete -alias nss -storepass test12");
|
|
1309 |
} |
|
1310 |
||
1311 |
public static void main(String[] args) throws Exception {
|
|
| 10138 | 1312 |
Locale reservedLocale = Locale.getDefault(); |
1313 |
try {
|
|
1314 |
// first test if HumanInputStream really acts like a human being |
|
1315 |
HumanInputStream.test(); |
|
1316 |
KeyToolTest t = new KeyToolTest(); |
|
| 2 | 1317 |
|
| 10138 | 1318 |
if (System.getProperty("file") != null) {
|
1319 |
t.sqeTest(); |
|
1320 |
t.testAll(); |
|
1321 |
t.i18nTest(); |
|
1322 |
t.v3extTest("RSA");
|
|
1323 |
t.v3extTest("DSA");
|
|
1324 |
boolean testEC = true; |
|
1325 |
try {
|
|
1326 |
KeyPairGenerator.getInstance("EC");
|
|
1327 |
} catch (NoSuchAlgorithmException nae) {
|
|
1328 |
testEC = false; |
|
1329 |
} |
|
1330 |
if (testEC) t.v3extTest("EC");
|
|
|
2067
6f9db5f305cd
6780416: New keytool commands/options: -gencert, -printcertreq, -ext
weijun
parents:
2
diff
changeset
|
1331 |
} |
| 2 | 1332 |
|
| 10138 | 1333 |
if (System.getProperty("nss") != null) {
|
1334 |
t.srcP11Arg = NSS_SRC_P11_ARG; |
|
1335 |
t.p11Arg = NSS_P11_ARG; |
|
| 2 | 1336 |
|
| 10138 | 1337 |
t.testPKCS11(); |
1338 |
||
1339 |
// FAIL: |
|
1340 |
// 1. we still don't have srcprovidername yet |
|
1341 |
// 2. cannot store privatekey into NSS keystore |
|
1342 |
// java.security.KeyStoreException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_TEMPLATE_INCOMPLETE. |
|
1343 |
//t.testPKCS11ImportKeyStore(); |
|
1344 |
||
1345 |
t.i18nPKCS11Test(); |
|
1346 |
//FAIL: currently PKCS11-NSS does not support 2 NSS KeyStores to be loaded at the same time |
|
1347 |
//t.sszzTest(); |
|
1348 |
} |
|
| 2 | 1349 |
|
| 10138 | 1350 |
if (System.getProperty("solaris") != null) {
|
1351 |
// For Solaris Cryptography Framework |
|
1352 |
t.srcP11Arg = SUN_SRC_P11_ARG; |
|
1353 |
t.p11Arg = SUN_P11_ARG; |
|
1354 |
t.testPKCS11(); |
|
1355 |
t.testPKCS11ImportKeyStore(); |
|
1356 |
t.i18nPKCS11Test(); |
|
1357 |
} |
|
| 2 | 1358 |
|
| 10138 | 1359 |
System.out.println("Test pass!!!");
|
1360 |
} finally {
|
|
1361 |
// restore the reserved locale |
|
1362 |
Locale.setDefault(reservedLocale); |
|
| 2 | 1363 |
} |
1364 |
} |
|
1365 |
} |
|
1366 |
||
1367 |
class TestException extends Exception {
|
|
1368 |
public TestException(String e) {
|
|
1369 |
super(e); |
|
1370 |
} |
|
1371 |
} |
|
1372 |
||
1373 |
/** |
|
1374 |
* HumanInputStream tries to act like a human sitting in front of a computer |
|
1375 |
* terminal typing on the keyboard while the keytool program is running. |
|
1376 |
* |
|
1377 |
* keytool has called InputStream.read() and BufferedReader.readLine() in |
|
1378 |
* various places. a call to B.readLine() will try to buffer as much input as |
|
1379 |
* possible. Thus, a trivial InputStream will find it impossible to feed |
|
1380 |
* anything to I.read() after a B.readLine() call. |
|
1381 |
* |
|
1382 |
* This is why i create HumanInputStream, which will only send a single line |
|
1383 |
* to B.readLine(), no more, no less, and the next I.read() can have a chance |
|
1384 |
* to read the exact character right after "\n". |
|
1385 |
* |
|
1386 |
* I don't know why HumanInputStream works. |
|
1387 |
*/ |
|
1388 |
class HumanInputStream extends InputStream {
|
|
1389 |
byte[] src; |
|
1390 |
int pos; |
|
1391 |
int length; |
|
1392 |
boolean inLine; |
|
1393 |
int stopIt; |
|
1394 |
||
1395 |
public HumanInputStream(String input) {
|
|
1396 |
src = input.getBytes(); |
|
1397 |
pos = 0; |
|
1398 |
length = src.length; |
|
1399 |
stopIt = 0; |
|
1400 |
inLine = false; |
|
1401 |
} |
|
1402 |
||
1403 |
// the trick: when called through read(byte[], int, int), |
|
1404 |
// return -1 twice after "\n" |
|
1405 |
||
1406 |
@Override public int read() throws IOException {
|
|
1407 |
int re; |
|
1408 |
if(pos < length) {
|
|
1409 |
re = src[pos]; |
|
1410 |
if(inLine) {
|
|
1411 |
if(stopIt > 0) {
|
|
1412 |
stopIt--; |
|
1413 |
re = -1; |
|
1414 |
} else {
|
|
1415 |
if(re == '\n') {
|
|
1416 |
stopIt = 2; |
|
1417 |
} |
|
1418 |
pos++; |
|
1419 |
} |
|
1420 |
} else {
|
|
1421 |
pos++; |
|
1422 |
} |
|
1423 |
} else {
|
|
1424 |
re = -1;//throw new IOException("NO MORE TO READ");
|
|
1425 |
} |
|
1426 |
//if (re < 32) System.err.printf("[%02d]", re);
|
|
1427 |
//else System.err.printf("[%c]", (char)re);
|
|
1428 |
return re; |
|
1429 |
} |
|
1430 |
@Override public int read(byte[] buffer, int offset, int len) {
|
|
1431 |
inLine = true; |
|
1432 |
try {
|
|
1433 |
int re = super.read(buffer, offset, len); |
|
1434 |
return re; |
|
1435 |
} catch(Exception e) {
|
|
1436 |
throw new RuntimeException("HumanInputStream error");
|
|
1437 |
} finally {
|
|
1438 |
inLine = false; |
|
1439 |
} |
|
1440 |
} |
|
1441 |
@Override public int available() {
|
|
1442 |
if(pos < length) return 1; |
|
1443 |
return 0; |
|
1444 |
} |
|
1445 |
||
1446 |
// test part |
|
1447 |
static void assertTrue(boolean bool) {
|
|
1448 |
if(!bool) |
|
1449 |
throw new RuntimeException(); |
|
1450 |
} |
|
1451 |
||
1452 |
public static void test() throws Exception {
|
|
1453 |
||
1454 |
class Tester {
|
|
1455 |
HumanInputStream is; |
|
1456 |
BufferedReader reader; |
|
1457 |
Tester(String s) {
|
|
1458 |
is = new HumanInputStream(s); |
|
1459 |
reader = new BufferedReader(new InputStreamReader(is)); |
|
1460 |
} |
|
1461 |
||
1462 |
// three kinds of test method |
|
1463 |
// 1. read byte by byte from InputStream |
|
1464 |
void testStreamReadOnce(int expection) throws Exception {
|
|
1465 |
assertTrue(is.read() == expection); |
|
1466 |
} |
|
1467 |
void testStreamReadMany(String expection) throws Exception {
|
|
1468 |
char[] keys = expection.toCharArray(); |
|
1469 |
for(int i=0; i<keys.length; i++) {
|
|
1470 |
assertTrue(is.read() == keys[i]); |
|
1471 |
} |
|
1472 |
} |
|
1473 |
// 2. read a line with a newly created Reader |
|
1474 |
void testReaderReadline(String expection) throws Exception {
|
|
1475 |
String s = new BufferedReader(new InputStreamReader(is)).readLine(); |
|
1476 |
if(s == null) assertTrue(expection == null); |
|
1477 |
else assertTrue(s.equals(expection)); |
|
1478 |
} |
|
1479 |
// 3. read a line with the old Reader |
|
1480 |
void testReaderReadline2(String expection) throws Exception {
|
|
1481 |
String s = reader.readLine(); |
|
1482 |
if(s == null) assertTrue(expection == null); |
|
1483 |
else assertTrue(s.equals(expection)); |
|
1484 |
} |
|
1485 |
} |
|
1486 |
||
1487 |
Tester test; |
|
1488 |
||
1489 |
test = new Tester("111\n222\n\n444\n\n");
|
|
1490 |
test.testReaderReadline("111");
|
|
1491 |
test.testReaderReadline("222");
|
|
1492 |
test.testReaderReadline("");
|
|
1493 |
test.testReaderReadline("444");
|
|
1494 |
test.testReaderReadline("");
|
|
1495 |
test.testReaderReadline(null); |
|
1496 |
||
1497 |
test = new Tester("111\n222\n\n444\n\n");
|
|
1498 |
test.testReaderReadline2("111");
|
|
1499 |
test.testReaderReadline2("222");
|
|
1500 |
test.testReaderReadline2("");
|
|
1501 |
test.testReaderReadline2("444");
|
|
1502 |
test.testReaderReadline2("");
|
|
1503 |
test.testReaderReadline2(null); |
|
1504 |
||
1505 |
test = new Tester("111\n222\n\n444\n\n");
|
|
1506 |
test.testReaderReadline2("111");
|
|
1507 |
test.testReaderReadline("222");
|
|
1508 |
test.testReaderReadline2("");
|
|
1509 |
test.testReaderReadline2("444");
|
|
1510 |
test.testReaderReadline("");
|
|
1511 |
test.testReaderReadline2(null); |
|
1512 |
||
1513 |
test = new Tester("1\n2");
|
|
1514 |
test.testStreamReadMany("1\n2");
|
|
1515 |
test.testStreamReadOnce(-1); |
|
1516 |
||
1517 |
test = new Tester("12\n234");
|
|
1518 |
test.testStreamReadOnce('1');
|
|
1519 |
test.testReaderReadline("2");
|
|
1520 |
test.testStreamReadOnce('2');
|
|
1521 |
test.testReaderReadline2("34");
|
|
1522 |
test.testReaderReadline2(null); |
|
1523 |
||
1524 |
test = new Tester("changeit\n");
|
|
1525 |
test.testStreamReadMany("changeit\n");
|
|
1526 |
test.testReaderReadline(null); |
|
1527 |
||
1528 |
test = new Tester("changeit\nName\nCountry\nYes\n");
|
|
1529 |
test.testStreamReadMany("changeit\n");
|
|
1530 |
test.testReaderReadline("Name");
|
|
1531 |
test.testReaderReadline("Country");
|
|
1532 |
test.testReaderReadline("Yes");
|
|
1533 |
test.testReaderReadline(null); |
|
1534 |
||
1535 |
test = new Tester("Me\nHere\n");
|
|
1536 |
test.testReaderReadline2("Me");
|
|
1537 |
test.testReaderReadline2("Here");
|
|
1538 |
} |
|
1539 |
} |