112 check("ksnormal", "a", "changeit", "changeit", true, true, true); |
112 check("ksnormal", "a", "changeit", "changeit", true, true, true); |
113 check("ksnormal", "a", null, "changeit", true, false, true); |
113 check("ksnormal", "a", null, "changeit", true, false, true); |
114 check("ksnormal", "a", "wrongpass", "-", IOException.class, "-", "-"); |
114 check("ksnormal", "a", "wrongpass", "-", IOException.class, "-", "-"); |
115 |
115 |
116 // Add a new entry with password-less settings, still has a storepass |
116 // Add a new entry with password-less settings, still has a storepass |
117 keytool("-keystore ksnormal -genkeypair -storepass changeit -alias b -dname CN=b " |
117 keytool("-keystore ksnormal -genkeypair -keyalg DSA " |
|
118 + "-storepass changeit -alias b -dname CN=b " |
118 + "-J-Dkeystore.pkcs12.certProtectionAlgorithm=NONE " |
119 + "-J-Dkeystore.pkcs12.certProtectionAlgorithm=NONE " |
119 + "-J-Dkeystore.pkcs12.macAlgorithm=NONE"); |
120 + "-J-Dkeystore.pkcs12.macAlgorithm=NONE"); |
120 data = Files.readAllBytes(Path.of("ksnormal")); |
121 data = Files.readAllBytes(Path.of("ksnormal")); |
121 checkInt(data, "22", 100000); // Mac ic |
122 checkInt(data, "22", 100000); // Mac ic |
122 checkAlg(data, "2000", SHA_oid); // Mac alg |
123 checkAlg(data, "2000", SHA_oid); // Mac alg |
144 check("ksnopass", "a", null, "changeit", true, true, true); |
145 check("ksnopass", "a", null, "changeit", true, true, true); |
145 check("ksnopass", "a", "changeit", "changeit", true, true, true); |
146 check("ksnopass", "a", "changeit", "changeit", true, true, true); |
146 check("ksnopass", "a", "wrongpass", "changeit", true, true, true); |
147 check("ksnopass", "a", "wrongpass", "changeit", true, true, true); |
147 |
148 |
148 // Add a new entry with normal settings, still password-less |
149 // Add a new entry with normal settings, still password-less |
149 keytool("-keystore ksnopass -genkeypair -storepass changeit -alias b -dname CN=B"); |
150 keytool("-keystore ksnopass -genkeypair -keyalg DSA " |
|
151 + "-storepass changeit -alias b -dname CN=B"); |
150 data = Files.readAllBytes(Path.of("ksnopass")); |
152 data = Files.readAllBytes(Path.of("ksnopass")); |
151 shouldNotExist(data, "2"); // no Mac |
153 shouldNotExist(data, "2"); // no Mac |
152 checkAlg(data, "110c010c01000", pbeWithSHA1AndRC4_128_oid); |
154 checkAlg(data, "110c010c01000", pbeWithSHA1AndRC4_128_oid); |
153 checkInt(data, "110c010c010011", 50000); |
155 checkInt(data, "110c010c010011", 50000); |
154 checkAlg(data, "110c010c11000", pbeWithSHA1AndDESede_oid); |
156 checkAlg(data, "110c010c11000", pbeWithSHA1AndDESede_oid); |
169 checkInt(data, "110c010c010011", 7777); // key ic |
171 checkInt(data, "110c010c010011", 7777); // key ic |
170 checkAlg(data, "110c110110", pbeWithSHA1AndRC2_40_oid); // cert alg |
172 checkAlg(data, "110c110110", pbeWithSHA1AndRC2_40_oid); // cert alg |
171 checkInt(data, "110c1101111", 6666); // cert ic |
173 checkInt(data, "110c1101111", 6666); // cert ic |
172 |
174 |
173 // keypbe alg cannot be NONE |
175 // keypbe alg cannot be NONE |
174 keytool("-keystore ksnewic -genkeypair -storepass changeit -alias b -dname CN=B " |
176 keytool("-keystore ksnewic -genkeypair -keyalg DSA " |
|
177 + "-storepass changeit -alias b -dname CN=B " |
175 + "-J-Dkeystore.pkcs12.keyProtectionAlgorithm=NONE") |
178 + "-J-Dkeystore.pkcs12.keyProtectionAlgorithm=NONE") |
176 .shouldContain("NONE AlgorithmParameters not available") |
179 .shouldContain("NONE AlgorithmParameters not available") |
177 .shouldHaveExitValue(1); |
180 .shouldHaveExitValue(1); |
178 |
181 |
179 // new entry new keypbe alg (and default ic), else unchanged |
182 // new entry new keypbe alg (and default ic), else unchanged |
180 keytool("-keystore ksnewic -genkeypair -storepass changeit -alias b -dname CN=B " |
183 keytool("-keystore ksnewic -genkeypair -keyalg DSA " |
|
184 + "-storepass changeit -alias b -dname CN=B " |
181 + "-J-Dkeystore.pkcs12.keyProtectionAlgorithm=PBEWithSHA1AndRC4_128"); |
185 + "-J-Dkeystore.pkcs12.keyProtectionAlgorithm=PBEWithSHA1AndRC4_128"); |
182 data = Files.readAllBytes(Path.of("ksnewic")); |
186 data = Files.readAllBytes(Path.of("ksnewic")); |
183 checkInt(data, "22", 5555); // Mac ic |
187 checkInt(data, "22", 5555); // Mac ic |
184 checkAlg(data, "2000", SHA_oid); // Mac alg |
188 checkAlg(data, "2000", SHA_oid); // Mac alg |
185 checkAlg(data, "110c010c01000", pbeWithSHA1AndDESede_oid); // key alg |
189 checkAlg(data, "110c010c01000", pbeWithSHA1AndDESede_oid); // key alg |
334 + "-J-Dkeystore.pkcs12.macAlgorithm=NONE") |
338 + "-J-Dkeystore.pkcs12.macAlgorithm=NONE") |
335 .shouldNotContain("Enter keystore password:"); |
339 .shouldNotContain("Enter keystore password:"); |
336 |
340 |
337 // still prompt for keypass for genkeypair and certreq |
341 // still prompt for keypass for genkeypair and certreq |
338 SecurityTools.setResponse("changeit", "changeit"); |
342 SecurityTools.setResponse("changeit", "changeit"); |
339 keytool("-keystore ksnopassnew -genkeypair -alias a -dname CN=A " |
343 keytool("-keystore ksnopassnew -genkeypair -keyalg DSA " |
|
344 + "-alias a -dname CN=A " |
340 + "-J-Dkeystore.pkcs12.certProtectionAlgorithm=NONE " |
345 + "-J-Dkeystore.pkcs12.certProtectionAlgorithm=NONE " |
341 + "-J-Dkeystore.pkcs12.macAlgorithm=NONE") |
346 + "-J-Dkeystore.pkcs12.macAlgorithm=NONE") |
342 .shouldNotContain("Enter keystore password:") |
347 .shouldNotContain("Enter keystore password:") |
343 .shouldContain("Enter key password for <a>"); |
348 .shouldContain("Enter key password for <a>"); |
344 keytool("-keystore ksnopassnew -certreq -alias a") |
349 keytool("-keystore ksnopassnew -certreq -alias a") |
349 .shouldNotContain("Enter key password for <a>"); |
354 .shouldNotContain("Enter key password for <a>"); |
350 |
355 |
351 // params only read on demand |
356 // params only read on demand |
352 |
357 |
353 // keyPbeIterationCount is used by -genkeypair |
358 // keyPbeIterationCount is used by -genkeypair |
354 keytool("-keystore ksgenbadkeyic -genkeypair -alias a -dname CN=A " |
359 keytool("-keystore ksgenbadkeyic -genkeypair -keyalg DSA " |
|
360 + "-alias a -dname CN=A " |
355 + "-storepass changeit " |
361 + "-storepass changeit " |
356 + "-J-Dkeystore.pkcs12.keyPbeIterationCount=abc") |
362 + "-J-Dkeystore.pkcs12.keyPbeIterationCount=abc") |
357 .shouldContain("keyPbeIterationCount is not a number: abc") |
363 .shouldContain("keyPbeIterationCount is not a number: abc") |
358 .shouldHaveExitValue(1); |
364 .shouldHaveExitValue(1); |
359 |
365 |