|
1 /* |
|
2 * Copyright (c) 2006, 2017, Oracle and/or its affiliates. All rights reserved. |
|
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
|
4 * |
|
5 * This code is free software; you can redistribute it and/or modify it |
|
6 * under the terms of the GNU General Public License version 2 only, as |
|
7 * published by the Free Software Foundation. |
|
8 * |
|
9 * This code is distributed in the hope that it will be useful, but WITHOUT |
|
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
12 * version 2 for more details (a copy is included in the LICENSE file that |
|
13 * accompanied this code). |
|
14 * |
|
15 * You should have received a copy of the GNU General Public License version |
|
16 * 2 along with this work; if not, write to the Free Software Foundation, |
|
17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
18 * |
|
19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
|
20 * or visit www.oracle.com if you need additional information or have any |
|
21 * questions. |
|
22 */ |
|
23 |
|
24 /* |
|
25 * @test |
|
26 * @bug 6405536 |
|
27 * @summary Verify that we can parse ECPrivateKeys from PKCS#12 and use them |
|
28 * @author Andreas Sterbenz |
|
29 * @library .. |
|
30 * @library ../../../../java/security/testlibrary |
|
31 * @key randomness |
|
32 * @modules jdk.crypto.cryptoki |
|
33 * @run main/othervm ReadPKCS12 |
|
34 * @run main/othervm ReadPKCS12 sm policy |
|
35 */ |
|
36 |
|
37 import java.io.BufferedReader; |
|
38 import java.io.File; |
|
39 import java.io.FileInputStream; |
|
40 import java.io.FileOutputStream; |
|
41 import java.io.FileReader; |
|
42 import java.io.InputStream; |
|
43 import java.io.OutputStream; |
|
44 import java.security.KeyStore; |
|
45 import java.security.PrivateKey; |
|
46 import java.security.Provider; |
|
47 import java.security.PublicKey; |
|
48 import java.security.Signature; |
|
49 import java.security.cert.Certificate; |
|
50 import java.security.cert.CertificateException; |
|
51 import java.security.cert.CertificateFactory; |
|
52 import java.security.cert.X509Certificate; |
|
53 import java.util.Collections; |
|
54 import java.util.HashMap; |
|
55 import java.util.List; |
|
56 import java.util.Map; |
|
57 import java.util.Random; |
|
58 |
|
59 public class ReadPKCS12 extends PKCS11Test { |
|
60 |
|
61 private final static boolean COPY = false; |
|
62 |
|
63 public static void main(String[] args) throws Exception { |
|
64 main(new ReadPKCS12(), args); |
|
65 } |
|
66 |
|
67 @Override |
|
68 public void main(Provider p) throws Exception { |
|
69 if (p.getService("Signature", "SHA1withECDSA") == null) { |
|
70 System.out.println("Provider does not support ECDSA, skipping..."); |
|
71 return; |
|
72 } |
|
73 |
|
74 /* |
|
75 * PKCS11Test.main will remove this provider if needed |
|
76 */ |
|
77 Providers.setAt(p, 1); |
|
78 |
|
79 CertificateFactory factory = CertificateFactory.getInstance("X.509"); |
|
80 try { |
|
81 // undocumented way to clear the Sun internal certificate cache |
|
82 factory.generateCertificate(null); |
|
83 } catch (CertificateException e) { |
|
84 // ignore |
|
85 } |
|
86 |
|
87 KeyStore ks2; |
|
88 if (COPY) { |
|
89 ks2 = KeyStore.getInstance("JKS"); |
|
90 try (InputStream in = new FileInputStream("keystore.old")) { |
|
91 ks2.load(in, "passphrase".toCharArray()); |
|
92 } |
|
93 } |
|
94 |
|
95 File dir = new File(BASE, "pkcs12"); |
|
96 File closedDir = new File(CLOSED_BASE, "pkcs12"); |
|
97 |
|
98 Map<String,char[]> passwords = new HashMap<>(); |
|
99 try (BufferedReader reader = new BufferedReader( |
|
100 new FileReader(new File(BASE, "p12passwords.txt")))) { |
|
101 while (true) { |
|
102 String line = reader.readLine(); |
|
103 if (line == null) { |
|
104 break; |
|
105 } |
|
106 line = line.trim(); |
|
107 if ((line.length() == 0) || line.startsWith("#")) { |
|
108 continue; |
|
109 } |
|
110 String[] s = line.split(" "); |
|
111 passwords.put(s[0], s[1].toCharArray()); |
|
112 } |
|
113 } |
|
114 |
|
115 for (File file : concat(dir.listFiles(), closedDir.listFiles())) { |
|
116 String name = file.getName(); |
|
117 if (file.isFile() == false) { |
|
118 continue; |
|
119 } |
|
120 System.out.println(); |
|
121 System.out.println("Reading " + name + "..."); |
|
122 |
|
123 char[] password = passwords.get(name); |
|
124 if (password == null) { |
|
125 password = passwords.get("*"); |
|
126 } |
|
127 |
|
128 KeyStore ks; |
|
129 try (InputStream in = new FileInputStream(file)) { |
|
130 ks = KeyStore.getInstance("PKCS12"); |
|
131 ks.load(in, password); |
|
132 } |
|
133 List<String> aliases = Collections.list(ks.aliases()); |
|
134 System.out.println("Aliases: " + aliases); |
|
135 |
|
136 for (String alias : aliases) { |
|
137 PrivateKey privateKey = (PrivateKey)ks.getKey(alias, password); |
|
138 Certificate[] certs = ks.getCertificateChain(alias); |
|
139 PublicKey publicKey = certs[0].getPublicKey(); |
|
140 System.out.println("Certificates: " + certs.length); |
|
141 System.out.println(privateKey); |
|
142 System.out.println(publicKey); |
|
143 if (COPY) { |
|
144 ks2.setKeyEntry(alias, privateKey, "passphrase".toCharArray(), certs); |
|
145 } |
|
146 |
|
147 verifyCerts(certs); |
|
148 |
|
149 Random random = new Random(); |
|
150 byte[] data = new byte[1024]; |
|
151 random.nextBytes(data); |
|
152 |
|
153 Signature s = Signature.getInstance("SHA1withECDSA"); |
|
154 s.initSign(privateKey); |
|
155 s.update(data); |
|
156 byte[] sig = s.sign(); |
|
157 |
|
158 s.initVerify(publicKey); |
|
159 s.update(data); |
|
160 if (s.verify(sig) == false) { |
|
161 throw new Exception("Signature does not verify"); |
|
162 } |
|
163 System.out.println("Verified public/private key match"); |
|
164 } |
|
165 } |
|
166 |
|
167 if (COPY) { |
|
168 try (OutputStream out = new FileOutputStream("keystore.new")) { |
|
169 ks2.store(out, "passphrase".toCharArray()); |
|
170 } |
|
171 } |
|
172 |
|
173 System.out.println("OK"); |
|
174 } |
|
175 |
|
176 private static void verifyCerts(Certificate[] certs) throws Exception { |
|
177 int n = certs.length; |
|
178 for (int i = 0; i < n - 1; i++) { |
|
179 X509Certificate cert = (X509Certificate)certs[i]; |
|
180 X509Certificate issuer = (X509Certificate)certs[i + 1]; |
|
181 if (cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal()) == false) { |
|
182 throw new Exception("Certificates do not chain"); |
|
183 } |
|
184 cert.verify(issuer.getPublicKey()); |
|
185 System.out.println("Verified: " + cert.getSubjectX500Principal()); |
|
186 } |
|
187 X509Certificate last = (X509Certificate)certs[n - 1]; |
|
188 // if self-signed, verify the final cert |
|
189 if (last.getIssuerX500Principal().equals(last.getSubjectX500Principal())) { |
|
190 last.verify(last.getPublicKey()); |
|
191 System.out.println("Verified: " + last.getSubjectX500Principal()); |
|
192 } |
|
193 } |
|
194 |
|
195 } |