54 * |
54 * |
55 * ATTENTION: |
55 * ATTENTION: |
56 * NSS PKCS11 config file are changed, DSA not supported now. |
56 * NSS PKCS11 config file are changed, DSA not supported now. |
57 */ |
57 */ |
58 |
58 |
|
59 import java.nio.file.Files; |
|
60 import java.nio.file.Paths; |
59 import java.security.KeyStore; |
61 import java.security.KeyStore; |
60 import sun.security.x509.*; |
62 import sun.security.x509.*; |
61 import java.io.*; |
63 import java.io.*; |
62 import java.security.KeyPairGenerator; |
64 import java.security.KeyPairGenerator; |
63 import java.security.NoSuchAlgorithmException; |
65 import java.security.NoSuchAlgorithmException; |
1218 FileInputStream fin = new FileInputStream("mykey.cert"); |
1220 FileInputStream fin = new FileInputStream("mykey.cert"); |
1219 testOK(fin, "-printcert"); |
1221 testOK(fin, "-printcert"); |
1220 fin.close(); |
1222 fin.close(); |
1221 remove("x.jks"); |
1223 remove("x.jks"); |
1222 remove("mykey.cert"); |
1224 remove("mykey.cert"); |
|
1225 } |
|
1226 |
|
1227 // 8074935: jdk8 keytool doesn't validate pem files for RFC 1421 correctness |
|
1228 static void checkPem(String file) throws Exception { |
|
1229 boolean maybeLast = false; |
|
1230 for (String s: Files.readAllLines(Paths.get(file))) { |
|
1231 if (s.isEmpty()) continue; |
|
1232 if (s.startsWith("---")) continue; |
|
1233 if (maybeLast) { |
|
1234 throw new Exception("Last line already seen"); |
|
1235 } |
|
1236 if (s.length() > 64) { |
|
1237 throw new Exception(s); |
|
1238 } |
|
1239 if (s.length() < 64) { |
|
1240 maybeLast = true; |
|
1241 } |
|
1242 } |
1223 } |
1243 } |
1224 |
1244 |
1225 void v3extTest(String keyAlg) throws Exception { |
1245 void v3extTest(String keyAlg) throws Exception { |
1226 KeyStore ks; |
1246 KeyStore ks; |
1227 remove("x.jks"); |
1247 remove("x.jks"); |
1586 "-ext BC=1 -ext KU=crl " + |
1606 "-ext BC=1 -ext KU=crl " + |
1587 "-ext 1.2.3=01 -ext 1.2.4:critical=0102 -ext 1.2.5=010203 " + |
1607 "-ext 1.2.3=01 -ext 1.2.4:critical=0102 -ext 1.2.5=010203 " + |
1588 "-rfc -file test.req"); |
1608 "-rfc -file test.req"); |
1589 // printcertreq |
1609 // printcertreq |
1590 testOK("", "-printcertreq -file test.req"); |
1610 testOK("", "-printcertreq -file test.req"); |
|
1611 checkPem("test.req"); |
1591 // issue: deny KU, change criticality of 1.2.3 and 1.2.4, |
1612 // issue: deny KU, change criticality of 1.2.3 and 1.2.4, |
1592 // change content of BC, add 2.3.4 |
1613 // change content of BC, add 2.3.4 |
1593 testOK("", simple+"-gencert -alias ca -infile test.req -ext " + |
1614 testOK("", simple+"-gencert -alias ca -infile test.req -ext " + |
1594 "honored=all,-KU,1.2.3:critical,1.2.4:non-critical " + |
1615 "honored=all,-KU,1.2.3:critical,1.2.4:non-critical " + |
1595 "-ext BC=2 -ext 2.3.4=01020304 " + |
1616 "-ext BC=2 -ext 2.3.4=01020304 " + |
1596 "-debug -rfc -outfile test.cert"); |
1617 "-debug -rfc -outfile test.cert"); |
|
1618 checkPem("test.cert"); |
1597 testOK("", simple+"-importcert -file test.cert -alias a"); |
1619 testOK("", simple+"-importcert -file test.cert -alias a"); |
1598 ks = loadStore("x.jks", "changeit", "JKS"); |
1620 ks = loadStore("x.jks", "changeit", "JKS"); |
1599 X509CertImpl a = (X509CertImpl)ks.getCertificate("a"); |
1621 X509CertImpl a = (X509CertImpl)ks.getCertificate("a"); |
1600 assertTrue(a.getAuthorityKeyIdentifierExtension() != null); |
1622 assertTrue(a.getAuthorityKeyIdentifierExtension() != null); |
1601 assertTrue(a.getSubjectKeyIdentifierExtension() != null); |
1623 assertTrue(a.getSubjectKeyIdentifierExtension() != null); |