jdk-sandbox: comparison jdk/src/share/classes/sun/security/tools/KeyTool.java

equal deleted inserted replaced

-:fd16c54261b3
+:90ce3da70b43
+/*
+* Copyright 1997-2006 Sun Microsystems, Inc.  All Rights Reserved.
+* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+*
+* This code is free software; you can redistribute it and/or modify it
+* under the terms of the GNU General Public License version 2 only, as
+* published by the Free Software Foundation.  Sun designates this
+* particular file as subject to the "Classpath" exception as provided
+* by Sun in the LICENSE file that accompanied this code.
+*
+* This code is distributed in the hope that it will be useful, but WITHOUT
+* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+* FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+* version 2 for more details (a copy is included in the LICENSE file that
+* accompanied this code).
+*
+* You should have received a copy of the GNU General Public License version
+* 2 along with this work; if not, write to the Free Software Foundation,
+* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+*
+* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+* CA 95054 USA or visit www.sun.com if you need additional information or
+* have any questions.
+*/
+package sun.security.tools;
+import java.io.*;
+import java.math.BigInteger;
+import java.security.GeneralSecurityException;
+import java.security.InvalidParameterException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.Key;
+import java.security.PublicKey;
+import java.security.PrivateKey;
+import java.security.Security;
+import java.security.Signature;
+import java.security.SignatureException;
+import java.security.UnrecoverableEntryException;
+import java.security.UnrecoverableKeyException;
+import java.security.Principal;
+import java.security.Provider;
+import java.security.Identity;
+import java.security.Signer;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.security.cert.CertificateException;
+import java.security.interfaces.DSAParams;
+import java.security.interfaces.DSAPrivateKey;
+import java.security.interfaces.DSAPublicKey;
+import java.security.interfaces.RSAPrivateCrtKey;
+import java.security.interfaces.RSAPrivateKey;
+import java.security.interfaces.RSAPublicKey;
+import java.text.Collator;
+import java.text.MessageFormat;
+import java.util.*;
+import java.lang.reflect.Constructor;
+import java.net.URL;
+import java.net.URLClassLoader;
+import sun.misc.BASE64Decoder;
+import sun.misc.BASE64Encoder;
+import sun.security.util.ObjectIdentifier;
+import sun.security.pkcs.PKCS10;
+import sun.security.provider.IdentityDatabase;
+import sun.security.provider.SystemSigner;
+import sun.security.provider.SystemIdentity;
+import sun.security.provider.X509Factory;
+import sun.security.util.DerOutputStream;
+import sun.security.util.Password;
+import sun.security.util.Resources;
+import sun.security.util.PathList;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
+import sun.security.x509.*;
+import static java.security.KeyStore.*;
+/**
+* This tool manages keystores.
+*
+* @author Jan Luehe
+*
+*
+* @see java.security.KeyStore
+* @see sun.security.provider.KeyProtector
+* @see sun.security.provider.JavaKeyStore
+*
+* @since 1.2
+*/
+public final class KeyTool {
+private boolean debug = false;
+private int command = -1;
+private String sigAlgName = null;
+private String keyAlgName = null;
+private boolean verbose = false;
+private int keysize = -1;
+private boolean rfc = false;
+private long validity = (long)90;
+private String alias = null;
+private String dname = null;
+private String dest = null;
+private String filename = null;
+private String srcksfname = null;
+// User-specified providers are added before any command is called.
+// However, they are not removed before the end of the main() method.
+// If you're calling KeyTool.main() directly in your own Java program,
+// please programtically add any providers you need and do not specify
+// them through the command line.
+private Set<Pair <String, String>> providers = null;
+private String storetype = null;
+private String srcProviderName = null;
+private String providerName = null;
+private String pathlist = null;
+private char[] storePass = null;
+private char[] storePassNew = null;
+private char[] keyPass = null;
+private char[] keyPassNew = null;
+private char[] oldPass = null;
+private char[] newPass = null;
+private char[] destKeyPass = null;
+private char[] srckeyPass = null;
+private String ksfname = null;
+private File ksfile = null;
+private InputStream ksStream = null; // keystore stream
+private KeyStore keyStore = null;
+private boolean token = false;
+private boolean nullStream = false;
+private boolean kssave = false;
+private boolean noprompt = false;
+private boolean trustcacerts = false;
+private boolean protectedPath = false;
+private boolean srcprotectedPath = false;
+private CertificateFactory cf = null;
+private KeyStore caks = null; // "cacerts" keystore
+private char[] srcstorePass = null;
+private String srcstoretype = null;
+private Set<char[]> passwords = new HashSet<char[]> ();
+private String startDate = null;
+private static final int CERTREQ = 1;
+private static final int CHANGEALIAS = 2;
+private static final int DELETE = 3;
+private static final int EXPORTCERT = 4;
+private static final int GENKEYPAIR = 5;
+private static final int GENSECKEY = 6;
+// there is no HELP
+private static final int IDENTITYDB = 7;
+private static final int IMPORTCERT = 8;
+private static final int IMPORTKEYSTORE = 9;
+private static final int KEYCLONE = 10;
+private static final int KEYPASSWD = 11;
+private static final int LIST = 12;
+private static final int PRINTCERT = 13;
+private static final int SELFCERT = 14;
+private static final int STOREPASSWD = 15;
+private static final Class[] PARAM_STRING = { String.class };
+private static final String JKS = "jks";
+private static final String NONE = "NONE";
+private static final String P11KEYSTORE = "PKCS11";
+private static final String P12KEYSTORE = "PKCS12";
+private final String keyAlias = "mykey";
+// for i18n
+private static final java.util.ResourceBundle rb =
+java.util.ResourceBundle.getBundle("sun.security.util.Resources");
+private static final Collator collator = Collator.getInstance();
+static {
+// this is for case insensitive string comparisons
+collator.setStrength(Collator.PRIMARY);
+};
+private KeyTool() { }
+public static void main(String[] args) throws Exception {
+KeyTool kt = new KeyTool();
+kt.run(args, System.out);
+}
+private void run(String[] args, PrintStream out) throws Exception {
+try {
+parseArgs(args);
+doCommands(out);
+} catch (Exception e) {
+System.out.println(rb.getString("keytool error: ") + e);
+if (verbose) {
+e.printStackTrace(System.out);
+}
+if (!debug) {
+System.exit(1);
+} else {
+throw e;
+}
+} finally {
+for (char[] pass : passwords) {
+if (pass != null) {
+Arrays.fill(pass, ' ');
+pass = null;
+}
+}
+if (ksStream != null) {
+ksStream.close();
+}
+}
+}
+/**
+* Parse command line arguments.
+*/
+void parseArgs(String[] args) {
+if (args.length == 0) usage();
+int i=0;
+for (i=0; (i < args.length) && args[i].startsWith("-"); i++) {
+String flags = args[i];
+/*
+* command modes
+*/
+if (collator.compare(flags, "-certreq") == 0) {
+command = CERTREQ;
+} else if (collator.compare(flags, "-delete") == 0) {
+command = DELETE;
+} else if (collator.compare(flags, "-export") == 0 ||
+collator.compare(flags, "-exportcert") == 0) {
+command = EXPORTCERT;
+} else if (collator.compare(flags, "-genkey") == 0 ||
+collator.compare(flags, "-genkeypair") == 0) {
+command = GENKEYPAIR;
+} else if (collator.compare(flags, "-help") == 0) {
+usage();
+return;
+} else if (collator.compare(flags, "-identitydb") == 0) { // obsolete
+command = IDENTITYDB;
+} else if (collator.compare(flags, "-import") == 0 ||
+collator.compare(flags, "-importcert") == 0) {
+command = IMPORTCERT;
+} else if (collator.compare(flags, "-keyclone") == 0) { // obsolete
+command = KEYCLONE;
+} else if (collator.compare(flags, "-changealias") == 0) {
+command = CHANGEALIAS;
+} else if (collator.compare(flags, "-keypasswd") == 0) {
+command = KEYPASSWD;
+} else if (collator.compare(flags, "-list") == 0) {
+command = LIST;
+} else if (collator.compare(flags, "-printcert") == 0) {
+command = PRINTCERT;
+} else if (collator.compare(flags, "-selfcert") == 0) {     // obsolete
+command = SELFCERT;
+} else if (collator.compare(flags, "-storepasswd") == 0) {
+command = STOREPASSWD;
+} else if (collator.compare(flags, "-importkeystore") == 0) {
+command = IMPORTKEYSTORE;
+} else if (collator.compare(flags, "-genseckey") == 0) {
+command = GENSECKEY;
+}
+/*
+* specifiers
+*/
+else if (collator.compare(flags, "-keystore") == 0 ||
+collator.compare(flags, "-destkeystore") == 0) {
+if (++i == args.length) errorNeedArgument(flags);
+ksfname = args[i];
+} else if (collator.compare(flags, "-storepass") == 0 ||
+collator.compare(flags, "-deststorepass") == 0) {
+if (++i == args.length) errorNeedArgument(flags);
+storePass = args[i].toCharArray();
+passwords.add(storePass);
+} else if (collator.compare(flags, "-storetype") == 0 ||
+collator.compare(flags, "-deststoretype") == 0) {
+if (++i == args.length) errorNeedArgument(flags);
+storetype = args[i];
+} else if (collator.compare(flags, "-srcstorepass") == 0) {
+if (++i == args.length) errorNeedArgument(flags);
+srcstorePass = args[i].toCharArray();
+passwords.add(srcstorePass);
+} else if (collator.compare(flags, "-srcstoretype") == 0) {
+if (++i == args.length) errorNeedArgument(flags);
+srcstoretype = args[i];
+} else if (collator.compare(flags, "-srckeypass") == 0) {
+if (++i == args.length) errorNeedArgument(flags);
+srckeyPass = args[i].toCharArray();
+passwords.add(srckeyPass);
+} else if (collator.compare(flags, "-srcprovidername") == 0) {
+if (++i == args.length) errorNeedArgument(flags);
+srcProviderName = args[i];
+} else if (collator.compare(flags, "-providername") == 0 ||
+collator.compare(flags, "-destprovidername") == 0) {
+if (++i == args.length) errorNeedArgument(flags);
+providerName = args[i];
+} else if (collator.compare(flags, "-providerpath") == 0) {
+if (++i == args.length) errorNeedArgument(flags);
+pathlist = args[i];
+} else if (collator.compare(flags, "-keypass") == 0) {
+if (++i == args.length) errorNeedArgument(flags);
+keyPass = args[i].toCharArray();
+passwords.add(keyPass);
+} else if (collator.compare(flags, "-new") == 0) {
+if (++i == args.length) errorNeedArgument(flags);
+newPass = args[i].toCharArray();
+passwords.add(newPass);
+} else if (collator.compare(flags, "-destkeypass") == 0) {
+if (++i == args.length) errorNeedArgument(flags);
+destKeyPass = args[i].toCharArray();
+passwords.add(destKeyPass);
+} else if (collator.compare(flags, "-alias") == 0 ||
+collator.compare(flags, "-srcalias") == 0) {
+if (++i == args.length) errorNeedArgument(flags);
+alias = args[i];
+} else if (collator.compare(flags, "-dest") == 0 ||
+collator.compare(flags, "-destalias") == 0) {
+if (++i == args.length) errorNeedArgument(flags);
+dest = args[i];
+} else if (collator.compare(flags, "-dname") == 0) {
+if (++i == args.length) errorNeedArgument(flags);
+dname = args[i];
+} else if (collator.compare(flags, "-keysize") == 0) {
+if (++i == args.length) errorNeedArgument(flags);
+keysize = Integer.parseInt(args[i]);
+} else if (collator.compare(flags, "-keyalg") == 0) {
+if (++i == args.length) errorNeedArgument(flags);
+keyAlgName = args[i];
+} else if (collator.compare(flags, "-sigalg") == 0) {
+if (++i == args.length) errorNeedArgument(flags);
+sigAlgName = args[i];
+} else if (collator.compare(flags, "-startdate") == 0) {
+if (++i == args.length) errorNeedArgument(flags);
+startDate = args[i];
+} else if (collator.compare(flags, "-validity") == 0) {
+if (++i == args.length) errorNeedArgument(flags);
+validity = Long.parseLong(args[i]);
+} else if (collator.compare(flags, "-file") == 0) {
+if (++i == args.length) errorNeedArgument(flags);
+filename = args[i];
+} else if (collator.compare(flags, "-srckeystore") == 0) {
+if (++i == args.length) errorNeedArgument(flags);
+srcksfname = args[i];
+} else if ((collator.compare(flags, "-provider") == 0) ||
+(collator.compare(flags, "-providerclass") == 0)) {
+if (++i == args.length) errorNeedArgument(flags);
+if (providers == null) {
+providers = new HashSet<Pair <String, String>> (3);
+}
+String providerClass = args[i];
+String providerArg = null;
+if (args.length > (i+1)) {
+flags = args[i+1];
+if (collator.compare(flags, "-providerarg") == 0) {
+if (args.length == (i+2)) errorNeedArgument(flags);
+providerArg = args[i+2];
+i += 2;
+}
+}
+providers.add(
+new Pair<String, String>(providerClass, providerArg));
+}
+/*
+* options
+*/
+else if (collator.compare(flags, "-v") == 0) {
+verbose = true;
+} else if (collator.compare(flags, "-debug") == 0) {
+debug = true;
+} else if (collator.compare(flags, "-rfc") == 0) {
+rfc = true;
+} else if (collator.compare(flags, "-noprompt") == 0) {
+noprompt = true;
+} else if (collator.compare(flags, "-trustcacerts") == 0) {
+trustcacerts = true;
+} else if (collator.compare(flags, "-protected") == 0 ||
+collator.compare(flags, "-destprotected") == 0) {
+protectedPath = true;
+} else if (collator.compare(flags, "-srcprotected") == 0) {
+srcprotectedPath = true;
+} else  {
+System.err.println(rb.getString("Illegal option:  ") + flags);
+tinyHelp();
+}
+}
+if (i<args.length) {
+MessageFormat form = new MessageFormat
+(rb.getString("Usage error, <arg> is not a legal command"));
+Object[] source = {args[i]};
+throw new RuntimeException(form.format(source));
+}
+if (command == -1) {
+System.err.println(rb.getString("Usage error: no command provided"));
+tinyHelp();
+}
+}
+/**
+* Execute the commands.
+*/
+void doCommands(PrintStream out) throws Exception {
+if (storetype == null) {
+storetype = KeyStore.getDefaultType();
+}
+storetype = KeyStoreUtil.niceStoreTypeName(storetype);
+if (srcstoretype == null) {
+srcstoretype = KeyStore.getDefaultType();
+}
+srcstoretype = KeyStoreUtil.niceStoreTypeName(srcstoretype);
+if (P11KEYSTORE.equalsIgnoreCase(storetype) ||
+KeyStoreUtil.isWindowsKeyStore(storetype)) {
+token = true;
+if (ksfname == null) {
+ksfname = NONE;
+}
+}
+if (NONE.equals(ksfname)) {
+nullStream = true;
+}
+if (token && !nullStream) {
+System.err.println(MessageFormat.format(rb.getString
+("-keystore must be NONE if -storetype is {0}"), storetype));
+System.err.println();
+tinyHelp();
+}
+if (token &&
+(command == KEYPASSWD || command == STOREPASSWD)) {
+throw new UnsupportedOperationException(MessageFormat.format(rb.getString
+("-storepasswd and -keypasswd commands not supported " +
+"if -storetype is {0}"), storetype));
+}
+if (P12KEYSTORE.equalsIgnoreCase(storetype) && command == KEYPASSWD) {
+throw new UnsupportedOperationException(rb.getString
+("-keypasswd commands not supported " +
+"if -storetype is PKCS12"));
+}
+if (token && (keyPass != null || newPass != null || destKeyPass != null)) {
+throw new IllegalArgumentException(MessageFormat.format(rb.getString
+("-keypass and -new " +
+"can not be specified if -storetype is {0}"), storetype));
+}
+if (protectedPath) {
+if (storePass != null || keyPass != null ||
+newPass != null || destKeyPass != null) {
+throw new IllegalArgumentException(rb.getString
+("if -protected is specified, " +
+"then -storepass, -keypass, and -new " +
+"must not be specified"));
+}
+}
+if (srcprotectedPath) {
+if (srcstorePass != null || srckeyPass != null) {
+throw new IllegalArgumentException(rb.getString
+("if -srcprotected is specified, " +
+"then -srcstorepass and -srckeypass " +
+"must not be specified"));
+}
+}
+if (KeyStoreUtil.isWindowsKeyStore(storetype)) {
+if (storePass != null || keyPass != null ||
+newPass != null || destKeyPass != null) {
+throw new IllegalArgumentException(rb.getString
+("if keystore is not password protected, " +
+"then -storepass, -keypass, and -new " +
+"must not be specified"));
+}
+}
+if (KeyStoreUtil.isWindowsKeyStore(srcstoretype)) {
+if (srcstorePass != null || srckeyPass != null) {
+throw new IllegalArgumentException(rb.getString
+("if source keystore is not password protected, " +
+"then -srcstorepass and -srckeypass " +
+"must not be specified"));
+}
+}
+if (validity <= (long)0) {
+throw new Exception
+(rb.getString("Validity must be greater than zero"));
+}
+// Try to load and install specified provider
+if (providers != null) {
+ClassLoader cl = null;
+if (pathlist != null) {
+String path = null;
+path = PathList.appendPath(
+path, System.getProperty("java.class.path"));
+path = PathList.appendPath(
+path, System.getProperty("env.class.path"));
+path = PathList.appendPath(path, pathlist);
+URL[] urls = PathList.pathToURLs(path);
+cl = new URLClassLoader(urls);
+} else {
+cl = ClassLoader.getSystemClassLoader();
+}
+for (Pair <String, String> provider: providers) {
+String provName = provider.fst;
+Class<?> provClass;
+if (cl != null) {
+provClass = cl.loadClass(provName);
+} else {
+provClass = Class.forName(provName);
+}
+String provArg = provider.snd;
+Object obj;
+if (provArg == null) {
+obj = provClass.newInstance();
+} else {
+Constructor<?> c = provClass.getConstructor(PARAM_STRING);
+obj = c.newInstance(provArg);
+}
+if (!(obj instanceof Provider)) {
+MessageFormat form = new MessageFormat
+(rb.getString("provName not a provider"));
+Object[] source = {provName};
+throw new Exception(form.format(source));
+}
+Security.addProvider((Provider)obj);
+}
+}
+if (command == LIST && verbose && rfc) {
+System.err.println(rb.getString
+("Must not specify both -v and -rfc with 'list' command"));
+tinyHelp();
+}
+// Make sure provided passwords are at least 6 characters long
+if (command == GENKEYPAIR && keyPass!=null && keyPass.length < 6) {
+throw new Exception(rb.getString
+("Key password must be at least 6 characters"));
+}
+if (newPass != null && newPass.length < 6) {
+throw new Exception(rb.getString
+("New password must be at least 6 characters"));
+}
+if (destKeyPass != null && destKeyPass.length < 6) {
+throw new Exception(rb.getString
+("New password must be at least 6 characters"));
+}
+// Check if keystore exists.
+// If no keystore has been specified at the command line, try to use
+// the default, which is located in $HOME/.keystore.
+// If the command is "genkey", "identitydb", "import", or "printcert",
+// it is OK not to have a keystore.
+if (command != PRINTCERT) {
+if (ksfname == null) {
+ksfname = System.getProperty("user.home") + File.separator
++ ".keystore";
+}
+if (!nullStream) {
+try {
+ksfile = new File(ksfname);
+// Check if keystore file is empty
+if (ksfile.exists() && ksfile.length() == 0) {
+throw new Exception(rb.getString
+("Keystore file exists, but is empty: ") + ksfname);
+}
+ksStream = new FileInputStream(ksfile);
+} catch (FileNotFoundException e) {
+if (command != GENKEYPAIR &&
+command != GENSECKEY &&
+command != IDENTITYDB &&
+command != IMPORTCERT &&
+command != IMPORTKEYSTORE) {
+throw new Exception(rb.getString
+("Keystore file does not exist: ") + ksfname);
+}
+}
+}
+}
+if ((command == KEYCLONE || command == CHANGEALIAS)
+&& dest == null) {
+dest = getAlias("destination");
+if ("".equals(dest)) {
+throw new Exception(rb.getString
+("Must specify destination alias"));
+}
+}
+if (command == DELETE && alias == null) {
+alias = getAlias(null);
+if ("".equals(alias)) {
+throw new Exception(rb.getString("Must specify alias"));
+}
+}
+// Create new keystore
+if (providerName == null) {
+keyStore = KeyStore.getInstance(storetype);
+} else {
+keyStore = KeyStore.getInstance(storetype, providerName);
+}
+/*
+* Load the keystore data.
+*
+* At this point, it's OK if no keystore password has been provided.
+* We want to make sure that we can load the keystore data, i.e.,
+* the keystore data has the right format. If we cannot load the
+* keystore, why bother asking the user for his or her password?
+* Only if we were able to load the keystore, and no keystore
+* password has been provided, will we prompt the user for the
+* keystore password to verify the keystore integrity.
+* This means that the keystore is loaded twice: first load operation
+* checks the keystore format, second load operation verifies the
+* keystore integrity.
+*
+* If the keystore password has already been provided (at the
+* command line), however, the keystore is loaded only once, and the
+* keystore format and integrity are checked "at the same time".
+*
+* Null stream keystores are loaded later.
+*/
+if (!nullStream) {
+keyStore.load(ksStream, storePass);
+if (ksStream != null) {
+ksStream.close();
+}
+}
+// All commands that create or modify the keystore require a keystore
+// password.
+if (nullStream && storePass != null) {
+keyStore.load(null, storePass);
+} else if (!nullStream && storePass != null) {
+// If we are creating a new non nullStream-based keystore,
+// insist that the password be at least 6 characters
+if (ksStream == null && storePass.length < 6) {
+throw new Exception(rb.getString
+("Keystore password must be at least 6 characters"));
+}
+} else if (storePass == null) {
+// only prompt if (protectedPath == false)
+if (!protectedPath && !KeyStoreUtil.isWindowsKeyStore(storetype) &&
+(command == CERTREQ ||
+command == DELETE ||
+command == GENKEYPAIR ||
+command == GENSECKEY ||
+command == IMPORTCERT ||
+command == IMPORTKEYSTORE ||
+command == KEYCLONE ||
+command == CHANGEALIAS ||
+command == SELFCERT ||
+command == STOREPASSWD ||
+command == KEYPASSWD ||
+command == IDENTITYDB)) {
+int count = 0;
+do {
+if (command == IMPORTKEYSTORE) {
+System.err.print
+(rb.getString("Enter destination keystore password:  "));
+} else {
+System.err.print
+(rb.getString("Enter keystore password:  "));
+}
+System.err.flush();
+storePass = Password.readPassword(System.in);
+passwords.add(storePass);
+// If we are creating a new non nullStream-based keystore,
+// insist that the password be at least 6 characters
+if (!nullStream && (storePass == null || storePass.length < 6)) {
+System.err.println(rb.getString
+("Keystore password is too short - " +
+"must be at least 6 characters"));
+storePass = null;
+}
+// If the keystore file does not exist and needs to be
+// created, the storepass should be prompted twice.
+if (storePass != null && !nullStream && ksStream == null) {
+System.err.print(rb.getString("Re-enter new password: "));
+char[] storePassAgain = Password.readPassword(System.in);
+passwords.add(storePassAgain);
+if (!Arrays.equals(storePass, storePassAgain)) {
+System.err.println
+(rb.getString("They don't match. Try again"));
+storePass = null;
+}
+}
+count++;
+} while ((storePass == null) && count < 3);
+if (storePass == null) {
+System.err.println
+(rb.getString("Too many failures - try later"));
+return;
+}
+} else if (!protectedPath
+&& !KeyStoreUtil.isWindowsKeyStore(storetype)
+&& !(command == PRINTCERT)) {
+// here we have EXPORTCERT and LIST (info valid until STOREPASSWD)
+System.err.print(rb.getString("Enter keystore password:  "));
+System.err.flush();
+storePass = Password.readPassword(System.in);
+passwords.add(storePass);
+}
+// Now load a nullStream-based keystore,
+// or verify the integrity of an input stream-based keystore
+if (nullStream) {
+keyStore.load(null, storePass);
+} else if (ksStream != null) {
+ksStream = new FileInputStream(ksfile);
+keyStore.load(ksStream, storePass);
+ksStream.close();
+}
+}
+if (storePass != null && P12KEYSTORE.equalsIgnoreCase(storetype)) {
+MessageFormat form = new MessageFormat(rb.getString(
+"Warning:  Different store and key passwords not supported " +
+"for PKCS12 KeyStores. Ignoring user-specified <command> value."));
+if (keyPass != null && !Arrays.equals(storePass, keyPass)) {
+Object[] source = {"-keypass"};
+System.err.println(form.format(source));
+keyPass = storePass;
+}
+if (newPass != null && !Arrays.equals(storePass, newPass)) {
+Object[] source = {"-new"};
+System.err.println(form.format(source));
+newPass = storePass;
+}
+if (destKeyPass != null && !Arrays.equals(storePass, destKeyPass)) {
+Object[] source = {"-destkeypass"};
+System.err.println(form.format(source));
+destKeyPass = storePass;
+}
+}
+// Create a certificate factory
+if (command == PRINTCERT || command == IMPORTCERT
+|| command == IDENTITYDB) {
+cf = CertificateFactory.getInstance("X509");
+}
+if (trustcacerts) {
+caks = getCacertsKeyStore();
+}
+// Perform the specified command
+if (command == CERTREQ) {
+PrintStream ps = null;
+if (filename != null) {
+ps = new PrintStream(new FileOutputStream
+(filename));
+out = ps;
+}
+try {
+doCertReq(alias, sigAlgName, out);
+} finally {
+if (ps != null) {
+ps.close();
+}
+}
+if (verbose && filename != null) {
+MessageFormat form = new MessageFormat(rb.getString
+("Certification request stored in file <filename>"));
+Object[] source = {filename};
+System.err.println(form.format(source));
+System.err.println(rb.getString("Submit this to your CA"));
+}
+} else if (command == DELETE) {
+doDeleteEntry(alias);
+kssave = true;
+} else if (command == EXPORTCERT) {
+PrintStream ps = null;
+if (filename != null) {
+ps = new PrintStream(new FileOutputStream
+(filename));
+out = ps;
+}
+try {
+doExportCert(alias, out);
+} finally {
+if (ps != null) {
+ps.close();
+}
+}
+if (filename != null) {
+MessageFormat form = new MessageFormat(rb.getString
+("Certificate stored in file <filename>"));
+Object[] source = {filename};
+System.err.println(form.format(source));
+}
+} else if (command == GENKEYPAIR) {
+if (keyAlgName == null) {
+keyAlgName = "DSA";
+}
+doGenKeyPair(alias, dname, keyAlgName, keysize, sigAlgName);
+kssave = true;
+} else if (command == GENSECKEY) {
+if (keyAlgName == null) {
+keyAlgName = "DES";
+}
+doGenSecretKey(alias, keyAlgName, keysize);
+kssave = true;
+} else if (command == IDENTITYDB) {
+InputStream inStream = System.in;
+if (filename != null) {
+inStream = new FileInputStream(filename);
+}
+try {
+doImportIdentityDatabase(inStream);
+} finally {
+if (inStream != System.in) {
+inStream.close();
+}
+}
+} else if (command == IMPORTCERT) {
+InputStream inStream = System.in;
+if (filename != null) {
+inStream = new FileInputStream(filename);
+}
+try {
+String importAlias = (alias!=null)?alias:keyAlias;
+if (keyStore.entryInstanceOf(importAlias, KeyStore.PrivateKeyEntry.class)) {
+kssave = installReply(importAlias, inStream);
+if (kssave) {
+System.err.println(rb.getString
+("Certificate reply was installed in keystore"));
+} else {
+System.err.println(rb.getString
+("Certificate reply was not installed in keystore"));
+}
+} else if (!keyStore.containsAlias(importAlias) ||
+keyStore.entryInstanceOf(importAlias,
+KeyStore.TrustedCertificateEntry.class)) {
+kssave = addTrustedCert(importAlias, inStream);
+if (kssave) {
+System.err.println(rb.getString
+("Certificate was added to keystore"));
+} else {
+System.err.println(rb.getString
+("Certificate was not added to keystore"));
+}
+}
+} finally {
+if (inStream != System.in) {
+inStream.close();
+}
+}
+} else if (command == IMPORTKEYSTORE) {
+doImportKeyStore();
+kssave = true;
+} else if (command == KEYCLONE) {
+keyPassNew = newPass;
+// added to make sure only key can go thru
+if (alias == null) {
+alias = keyAlias;
+}
+if (keyStore.containsAlias(alias) == false) {
+MessageFormat form = new MessageFormat
+(rb.getString("Alias <alias> does not exist"));
+Object[] source = {alias};
+throw new Exception(form.format(source));
+}
+if (!keyStore.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
+MessageFormat form = new MessageFormat(rb.getString(
+"Alias <alias> references an entry type that is not a private key entry.  " +
+"The -keyclone command only supports cloning of private key entries"));
+Object[] source = {alias};
+throw new Exception(form.format(source));
+}
+doCloneEntry(alias, dest, true);  // Now everything can be cloned
+kssave = true;
+} else if (command == CHANGEALIAS) {
+if (alias == null) {
+alias = keyAlias;
+}
+doCloneEntry(alias, dest, false);
+// in PKCS11, clone a PrivateKeyEntry will delete the old one
+if (keyStore.containsAlias(alias)) {
+doDeleteEntry(alias);
+}
+kssave = true;
+} else if (command == KEYPASSWD) {
+keyPassNew = newPass;
+doChangeKeyPasswd(alias);
+kssave = true;
+} else if (command == LIST) {
+if (alias != null) {
+doPrintEntry(alias, out, true);
+} else {
+doPrintEntries(out);
+}
+} else if (command == PRINTCERT) {
+InputStream inStream = System.in;
+if (filename != null) {
+inStream = new FileInputStream(filename);
+}
+try {
+doPrintCert(inStream, out);
+} finally {
+if (inStream != System.in) {
+inStream.close();
+}
+}
+} else if (command == SELFCERT) {
+doSelfCert(alias, dname, sigAlgName);
+kssave = true;
+} else if (command == STOREPASSWD) {
+storePassNew = newPass;
+if (storePassNew == null) {
+storePassNew = getNewPasswd("keystore password", storePass);
+}
+kssave = true;
+}
+// If we need to save the keystore, do so.
+if (kssave) {
+if (verbose) {
+MessageFormat form = new MessageFormat
+(rb.getString("[Storing ksfname]"));
+Object[] source = {nullStream ? "keystore" : ksfname};
+System.err.println(form.format(source));
+}
+if (token) {
+keyStore.store(null, null);
+} else {
+FileOutputStream fout = null;
+try {
+fout = (nullStream ?
+(FileOutputStream)null :
+new FileOutputStream(ksfname));
+keyStore.store
+(fout,
+(storePassNew!=null) ? storePassNew : storePass);
+} finally {
+if (fout != null) {
+fout.close();
+}
+}
+}
+}
+}
+/**
+* Creates a PKCS#10 cert signing request, corresponding to the
+* keys (and name) associated with a given alias.
+*/
+private void doCertReq(String alias, String sigAlgName, PrintStream out)
+throws Exception
+{
+if (alias == null) {
+alias = keyAlias;
+}
+Object[] objs = recoverKey(alias, storePass, keyPass);
+PrivateKey privKey = (PrivateKey)objs[0];
+if (keyPass == null) {
+keyPass = (char[])objs[1];
+}
+Certificate cert = keyStore.getCertificate(alias);
+if (cert == null) {
+MessageFormat form = new MessageFormat
+(rb.getString("alias has no public key (certificate)"));
+Object[] source = {alias};
+throw new Exception(form.format(source));
+}
+PKCS10 request = new PKCS10(cert.getPublicKey());
+// Construct an X500Signer object, so that we can sign the request
+if (sigAlgName == null) {
+// If no signature algorithm was specified at the command line,
+// we choose one that is compatible with the selected private key
+String keyAlgName = privKey.getAlgorithm();
+if ("DSA".equalsIgnoreCase(keyAlgName)
+|| "DSS".equalsIgnoreCase(keyAlgName)) {
+sigAlgName = "SHA1WithDSA";
+} else if ("RSA".equalsIgnoreCase(keyAlgName)) {
+sigAlgName = "SHA1WithRSA";
+} else {
+throw new Exception(rb.getString
+("Cannot derive signature algorithm"));
+}
+}
+Signature signature = Signature.getInstance(sigAlgName);
+signature.initSign(privKey);
+X500Name subject =
+new X500Name(((X509Certificate)cert).getSubjectDN().toString());
+X500Signer signer = new X500Signer(signature, subject);
+// Sign the request and base-64 encode it
+request.encodeAndSign(signer);
+request.print(out);
+}
+/**
+* Deletes an entry from the keystore.
+*/
+private void doDeleteEntry(String alias) throws Exception {
+if (keyStore.containsAlias(alias) == false) {
+MessageFormat form = new MessageFormat
+(rb.getString("Alias <alias> does not exist"));
+Object[] source = {alias};
+throw new Exception(form.format(source));
+}
+keyStore.deleteEntry(alias);
+}
+/**
+* Exports a certificate from the keystore.
+*/
+private void doExportCert(String alias, PrintStream out)
+throws Exception
+{
+if (storePass == null
+&& !KeyStoreUtil.isWindowsKeyStore(storetype)) {
+printWarning();
+}
+if (alias == null) {
+alias = keyAlias;
+}
+if (keyStore.containsAlias(alias) == false) {
+MessageFormat form = new MessageFormat
+(rb.getString("Alias <alias> does not exist"));
+Object[] source = {alias};
+throw new Exception(form.format(source));
+}
+X509Certificate cert = (X509Certificate)keyStore.getCertificate(alias);
+if (cert == null) {
+MessageFormat form = new MessageFormat
+(rb.getString("Alias <alias> has no certificate"));
+Object[] source = {alias};
+throw new Exception(form.format(source));
+}
+dumpCert(cert, out);
+}
+/**
+* Prompt the user for a keypass when generating a key entry.
+* @param alias the entry we will set password for
+* @param orig the original entry of doing a dup, null if generate new
+* @param origPass the password to copy from if user press ENTER
+*/
+private char[] promptForKeyPass(String alias, String orig, char[] origPass) throws Exception{
+if (P12KEYSTORE.equalsIgnoreCase(storetype)) {
+return origPass;
+} else if (!token) {
+// Prompt for key password
+int count;
+for (count = 0; count < 3; count++) {
+MessageFormat form = new MessageFormat(rb.getString
+("Enter key password for <alias>"));
+Object[] source = {alias};
+System.err.println(form.format(source));
+if (orig == null) {
+System.err.print(rb.getString
+("\t(RETURN if same as keystore password):  "));
+} else {
+form = new MessageFormat(rb.getString
+("\t(RETURN if same as for <otherAlias>)"));
+Object[] src = {orig};
+System.err.print(form.format(src));
+}
+System.err.flush();
+char[] entered = Password.readPassword(System.in);
+passwords.add(entered);
+if (entered == null) {
+return origPass;
+} else if (entered.length >= 6) {
+System.err.print(rb.getString("Re-enter new password: "));
+char[] passAgain = Password.readPassword(System.in);
+passwords.add(passAgain);
+if (!Arrays.equals(entered, passAgain)) {
+System.err.println
+(rb.getString("They don't match. Try again"));
+continue;
+}
+return entered;
+} else {
+System.err.println(rb.getString
+("Key password is too short - must be at least 6 characters"));
+}
+}
+if (count == 3) {
+if (command == KEYCLONE) {
+throw new Exception(rb.getString
+("Too many failures. Key entry not cloned"));
+} else {
+throw new Exception(rb.getString
+("Too many failures - key not added to keystore"));
+}
+}
+}
+return null;    // PKCS11
+}
+/**
+* Creates a new secret key.
+*/
+private void doGenSecretKey(String alias, String keyAlgName,
+int keysize)
+throws Exception
+{
+if (alias == null) {
+alias = keyAlias;
+}
+if (keyStore.containsAlias(alias)) {
+MessageFormat form = new MessageFormat(rb.getString
+("Secret key not generated, alias <alias> already exists"));
+Object[] source = {alias};
+throw new Exception(form.format(source));
+}
+SecretKey secKey = null;
+KeyGenerator keygen = KeyGenerator.getInstance(keyAlgName);
+if (keysize != -1) {
+keygen.init(keysize);
+} else if ("DES".equalsIgnoreCase(keyAlgName)) {
+keygen.init(56);
+} else if ("DESede".equalsIgnoreCase(keyAlgName)) {
+keygen.init(168);
+} else {
+throw new Exception(rb.getString
+("Please provide -keysize for secret key generation"));
+}
+secKey = keygen.generateKey();
+if (keyPass == null) {
+keyPass = promptForKeyPass(alias, null, storePass);
+}
+keyStore.setKeyEntry(alias, secKey, keyPass, null);
+}
+/**
+* Creates a new key pair and self-signed certificate.
+*/
+private void doGenKeyPair(String alias, String dname, String keyAlgName,
+int keysize, String sigAlgName)
+throws Exception
+{
+if (keysize == -1) {
+if ("EC".equalsIgnoreCase(keyAlgName)) {
+keysize = 256;
+} else {
+keysize = 1024;
+}
+}
+if (alias == null) {
+alias = keyAlias;
+}
+if (keyStore.containsAlias(alias)) {
+MessageFormat form = new MessageFormat(rb.getString
+("Key pair not generated, alias <alias> already exists"));
+Object[] source = {alias};
+throw new Exception(form.format(source));
+}
+if (sigAlgName == null) {
+if ("DSA".equalsIgnoreCase(keyAlgName)) {
+sigAlgName = "SHA1WithDSA";
+} else if ("RSA".equalsIgnoreCase(keyAlgName)) {
+sigAlgName = "SHA1WithRSA";
+} else if ("EC".equalsIgnoreCase(keyAlgName)) {
+sigAlgName = "SHA1withECDSA";
+} else {
+throw new Exception(rb.getString
+("Cannot derive signature algorithm"));
+}
+}
+CertAndKeyGen keypair =
+new CertAndKeyGen(keyAlgName, sigAlgName, providerName);
+// If DN is provided, parse it. Otherwise, prompt the user for it.
+X500Name x500Name;
+if (dname == null) {
+x500Name = getX500Name();
+} else {
+x500Name = new X500Name(dname);
+}
+keypair.generate(keysize);
+PrivateKey privKey = keypair.getPrivateKey();
+X509Certificate[] chain = new X509Certificate[1];
+chain[0] = keypair.getSelfCertificate(
+x500Name, getStartDate(startDate), validity*24L*60L*60L);
+if (verbose) {
+MessageFormat form = new MessageFormat(rb.getString
+("Generating keysize bit keyAlgName key pair and self-signed certificate " +
+"(sigAlgName) with a validity of validality days\n\tfor: x500Name"));
+Object[] source = {new Integer(keysize),
+privKey.getAlgorithm(),
+chain[0].getSigAlgName(),
+new Long(validity),
+x500Name};
+System.err.println(form.format(source));
+}
+if (keyPass == null) {
+keyPass = promptForKeyPass(alias, null, storePass);
+}
+keyStore.setKeyEntry(alias, privKey, keyPass, chain);
+}
+/**
+* Clones an entry
+* @param orig original alias
+* @param dest destination alias
+* @changePassword if the password can be changed
+*/
+private void doCloneEntry(String orig, String dest, boolean changePassword)
+throws Exception
+{
+if (orig == null) {
+orig = keyAlias;
+}
+if (keyStore.containsAlias(dest)) {
+MessageFormat form = new MessageFormat
+(rb.getString("Destination alias <dest> already exists"));
+Object[] source = {dest};
+throw new Exception(form.format(source));
+}
+Object[] objs = recoverEntry(keyStore, orig, storePass, keyPass);
+Entry entry = (Entry)objs[0];
+keyPass = (char[])objs[1];
+PasswordProtection pp = null;
+if (keyPass != null) {  // protected
+if (!changePassword || P12KEYSTORE.equalsIgnoreCase(storetype)) {
+keyPassNew = keyPass;
+} else {
+if (keyPassNew == null) {
+keyPassNew = promptForKeyPass(dest, orig, keyPass);
+}
+}
+pp = new PasswordProtection(keyPassNew);
+}
+keyStore.setEntry(dest, entry, pp);
+}
+/**
+* Changes a key password.
+*/
+private void doChangeKeyPasswd(String alias) throws Exception
+{
+if (alias == null) {
+alias = keyAlias;
+}
+Object[] objs = recoverKey(alias, storePass, keyPass);
+Key privKey = (Key)objs[0];
+if (keyPass == null) {
+keyPass = (char[])objs[1];
+}
+if (keyPassNew == null) {
+MessageFormat form = new MessageFormat
+(rb.getString("key password for <alias>"));
+Object[] source = {alias};
+keyPassNew = getNewPasswd(form.format(source), keyPass);
+}
+keyStore.setKeyEntry(alias, privKey, keyPassNew,
+keyStore.getCertificateChain(alias));
+}
+/**
+* Imports a JDK 1.1-style identity database. We can only store one
+* certificate per identity, because we use the identity's name as the
+* alias (which references a keystore entry), and aliases must be unique.
+*/
+private void doImportIdentityDatabase(InputStream in)
+throws Exception
+{
+byte[] encoded;
+ByteArrayInputStream bais;
+java.security.cert.X509Certificate newCert;
+java.security.cert.Certificate[] chain = null;
+PrivateKey privKey;
+boolean modified = false;
+IdentityDatabase idb = IdentityDatabase.fromStream(in);
+for (Enumeration<Identity> enum_ = idb.identities();
+enum_.hasMoreElements();) {
+Identity id = enum_.nextElement();
+newCert = null;
+// only store trusted identities in keystore
+if ((id instanceof SystemSigner && ((SystemSigner)id).isTrusted())
+|| (id instanceof SystemIdentity
+&& ((SystemIdentity)id).isTrusted())) {
+// ignore if keystore entry with same alias name already exists
+if (keyStore.containsAlias(id.getName())) {
+MessageFormat form = new MessageFormat
+(rb.getString("Keystore entry for <id.getName()> already exists"));
+Object[] source = {id.getName()};
+System.err.println(form.format(source));
+continue;
+}
+java.security.Certificate[] certs = id.certificates();
+if (certs!=null && certs.length>0) {
+// we can only store one user cert per identity.
+// convert old-style to new-style cert via the encoding
+DerOutputStream dos = new DerOutputStream();
+certs[0].encode(dos);
+encoded = dos.toByteArray();
+bais = new ByteArrayInputStream(encoded);
+newCert = (X509Certificate)cf.generateCertificate(bais);
+bais.close();
+// if certificate is self-signed, make sure it verifies
+if (isSelfSigned(newCert)) {
+PublicKey pubKey = newCert.getPublicKey();
+try {
+newCert.verify(pubKey);
+} catch (Exception e) {
+// ignore this cert
+continue;
+}
+}
+if (id instanceof SystemSigner) {
+MessageFormat form = new MessageFormat(rb.getString
+("Creating keystore entry for <id.getName()> ..."));
+Object[] source = {id.getName()};
+System.err.println(form.format(source));
+if (chain==null) {
+chain = new java.security.cert.Certificate[1];
+}
+chain[0] = newCert;
+privKey = ((SystemSigner)id).getPrivateKey();
+keyStore.setKeyEntry(id.getName(), privKey, storePass,
+chain);
+} else {
+keyStore.setCertificateEntry(id.getName(), newCert);
+}
+kssave = true;
+}
+}
+}
+if (!kssave) {
+System.err.println(rb.getString
+("No entries from identity database added"));
+}
+}
+/**
+* Prints a single keystore entry.
+*/
+private void doPrintEntry(String alias, PrintStream out,
+boolean printWarning)
+throws Exception
+{
+if (storePass == null && printWarning
+&& !KeyStoreUtil.isWindowsKeyStore(storetype)) {
+printWarning();
+}
+if (keyStore.containsAlias(alias) == false) {
+MessageFormat form = new MessageFormat
+(rb.getString("Alias <alias> does not exist"));
+Object[] source = {alias};
+throw new Exception(form.format(source));
+}
+if (verbose || rfc || debug) {
+MessageFormat form = new MessageFormat
+(rb.getString("Alias name: alias"));
+Object[] source = {alias};
+out.println(form.format(source));
+if (!token) {
+form = new MessageFormat(rb.getString
+("Creation date: keyStore.getCreationDate(alias)"));
+Object[] src = {keyStore.getCreationDate(alias)};
+out.println(form.format(src));
+}
+} else {
+if (!token) {
+MessageFormat form = new MessageFormat
+(rb.getString("alias, keyStore.getCreationDate(alias), "));
+Object[] source = {alias, keyStore.getCreationDate(alias)};
+out.print(form.format(source));
+} else {
+MessageFormat form = new MessageFormat
+(rb.getString("alias, "));
+Object[] source = {alias};
+out.print(form.format(source));
+}
+}
+if (keyStore.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) {
+if (verbose || rfc || debug) {
+Object[] source = {"SecretKeyEntry"};
+out.println(new MessageFormat(
+rb.getString("Entry type: <type>")).format(source));
+} else {
+out.println("SecretKeyEntry, ");
+}
+} else if (keyStore.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
+if (verbose || rfc || debug) {
+Object[] source = {"PrivateKeyEntry"};
+out.println(new MessageFormat(
+rb.getString("Entry type: <type>")).format(source));
+} else {
+out.println("PrivateKeyEntry, ");
+}
+// Get the chain
+Certificate[] chain = keyStore.getCertificateChain(alias);
+if (chain != null) {
+if (verbose || rfc || debug) {
+out.println(rb.getString
+("Certificate chain length: ") + chain.length);
+for (int i = 0; i < chain.length; i ++) {
+MessageFormat form = new MessageFormat
+(rb.getString("Certificate[(i + 1)]:"));
+Object[] source = {new Integer((i + 1))};
+out.println(form.format(source));
+if (verbose && (chain[i] instanceof X509Certificate)) {
+printX509Cert((X509Certificate)(chain[i]), out);
+} else if (debug) {
+out.println(chain[i].toString());
+} else {
+dumpCert(chain[i], out);
+}
+}
+} else {
+// Print the digest of the user cert only
+out.println
+(rb.getString("Certificate fingerprint (MD5): ") +
+getCertFingerPrint("MD5", chain[0]));
+}
+}
+} else if (keyStore.entryInstanceOf(alias,
+KeyStore.TrustedCertificateEntry.class)) {
+// We have a trusted certificate entry
+Certificate cert = keyStore.getCertificate(alias);
+if (verbose && (cert instanceof X509Certificate)) {
+out.println(rb.getString("Entry type: trustedCertEntry\n"));
+printX509Cert((X509Certificate)cert, out);
+} else if (rfc) {
+out.println(rb.getString("Entry type: trustedCertEntry\n"));
+dumpCert(cert, out);
+} else if (debug) {
+out.println(cert.toString());
+} else {
+out.println(rb.getString("trustedCertEntry,"));
+out.println(rb.getString("Certificate fingerprint (MD5): ")
++ getCertFingerPrint("MD5", cert));
+}
+} else {
+out.println(rb.getString("Unknown Entry Type"));
+}
+}
+/**
+* Load the srckeystore from a stream, used in -importkeystore
+* @returns the src KeyStore
+*/
+KeyStore loadSourceKeyStore() throws Exception {
+boolean isPkcs11 = false;
+InputStream is = null;
+if (P11KEYSTORE.equalsIgnoreCase(srcstoretype) ||
+KeyStoreUtil.isWindowsKeyStore(srcstoretype)) {
+if (!NONE.equals(srcksfname)) {
+System.err.println(MessageFormat.format(rb.getString
+("-keystore must be NONE if -storetype is {0}"), srcstoretype));
+System.err.println();
+tinyHelp();
+}
+isPkcs11 = true;
+} else {
+if (srcksfname != null) {
+File srcksfile = new File(srcksfname);
+if (srcksfile.exists() && srcksfile.length() == 0) {
+throw new Exception(rb.getString
+("Source keystore file exists, but is empty: ") +
+srcksfname);
+}
+is = new FileInputStream(srcksfile);
+} else {
+throw new Exception(rb.getString
+("Please specify -srckeystore"));
+}
+}
+KeyStore store;
+try {
+if (srcProviderName == null) {
+store = KeyStore.getInstance(srcstoretype);
+} else {
+store = KeyStore.getInstance(srcstoretype, srcProviderName);
+}
+if (srcstorePass == null
+&& !srcprotectedPath
+&& !KeyStoreUtil.isWindowsKeyStore(srcstoretype)) {
+System.err.print(rb.getString("Enter source keystore password:  "));
+System.err.flush();
+srcstorePass = Password.readPassword(System.in);
+passwords.add(srcstorePass);
+}
+// always let keypass be storepass when using pkcs12
+if (P12KEYSTORE.equalsIgnoreCase(srcstoretype)) {
+if (srckeyPass != null && srcstorePass != null &&
+!Arrays.equals(srcstorePass, srckeyPass)) {
+MessageFormat form = new MessageFormat(rb.getString(
+"Warning:  Different store and key passwords not supported " +
+"for PKCS12 KeyStores. Ignoring user-specified <command> value."));
+Object[] source = {"-srckeypass"};
+System.err.println(form.format(source));
+srckeyPass = srcstorePass;
+}
+}
+store.load(is, srcstorePass);   // "is" already null in PKCS11
+} finally {
+if (is != null) {
+is.close();
+}
+}
+if (srcstorePass == null
+&& !KeyStoreUtil.isWindowsKeyStore(srcstoretype)) {
+// anti refactoring, copied from printWarning(),
+// but change 2 lines
+System.err.println();
+System.err.println(rb.getString
+("*****************  WARNING WARNING WARNING  *****************"));
+System.err.println(rb.getString
+("* The integrity of the information stored in the srckeystore*"));
+System.err.println(rb.getString
+("* has NOT been verified!  In order to verify its integrity, *"));
+System.err.println(rb.getString
+("* you must provide the srckeystore password.                *"));
+System.err.println(rb.getString
+("*****************  WARNING WARNING WARNING  *****************"));
+System.err.println();
+}
+return store;
+}
+/**
+* import all keys and certs from importkeystore.
+* keep alias unchanged if no name conflict, otherwise, prompt.
+* keep keypass unchanged for keys
+*/
+private void doImportKeyStore() throws Exception {
+if (alias != null) {
+doImportKeyStoreSingle(loadSourceKeyStore(), alias);
+} else {
+if (dest != null || srckeyPass != null || destKeyPass != null) {
+throw new Exception(rb.getString(
+"if alias not specified, destalias, srckeypass, " +
+"and destkeypass must not be specified"));
+}
+doImportKeyStoreAll(loadSourceKeyStore());
+}
+/*
+* Information display rule of -importkeystore
+* 1. inside single, shows failure
+* 2. inside all, shows sucess
+* 3. inside all where there is a failure, prompt for continue
+* 4. at the final of all, shows summary
+*/
+}
+/**
+* Import a single entry named alias from srckeystore
+* @returns 1 if the import action succeed
+*          0 if user choose to ignore an alias-dumplicated entry
+*          2 if setEntry throws Exception
+*/
+private int doImportKeyStoreSingle(KeyStore srckeystore, String alias)
+throws Exception {
+String newAlias = (dest==null) ? alias : dest;
+if (keyStore.containsAlias(newAlias)) {
+Object[] source = {alias};
+if (noprompt) {
+System.err.println(new MessageFormat(rb.getString(
+"Warning: Overwriting existing alias <alias> in destination keystore")).format(source));
+} else {
+String reply = getYesNoReply(new MessageFormat(rb.getString(
+"Existing entry alias <alias> exists, overwrite? [no]:  ")).format(source));
+if ("NO".equals(reply)) {
+newAlias = inputStringFromStdin(rb.getString
+("Enter new alias name\t(RETURN to cancel import for this entry):  "));
+if ("".equals(newAlias)) {
+System.err.println(new MessageFormat(rb.getString(
+"Entry for alias <alias> not imported.")).format(
+source));
+return 0;
+}
+}
+}
+}
+Object[] objs = recoverEntry(srckeystore, alias, srcstorePass, srckeyPass);
+Entry entry = (Entry)objs[0];
+PasswordProtection pp = null;
+// According to keytool.html, "The destination entry will be protected
+// using destkeypass. If destkeypass is not provided, the destination
+// entry will be protected with the source entry password."
+// so always try to protect with destKeyPass.
+if (destKeyPass != null) {
+pp = new PasswordProtection(destKeyPass);
+} else if (objs[1] != null) {
+pp = new PasswordProtection((char[])objs[1]);
+}
+try {
+keyStore.setEntry(newAlias, entry, pp);
+return 1;
+} catch (KeyStoreException kse) {
+Object[] source2 = {alias, kse.toString()};
+MessageFormat form = new MessageFormat(rb.getString(
+"Problem importing entry for alias <alias>: <exception>.\nEntry for alias <alias> not imported."));
+System.err.println(form.format(source2));
+return 2;
+}
+}
+private void doImportKeyStoreAll(KeyStore srckeystore) throws Exception {
+int ok = 0;
+int count = srckeystore.size();
+for (Enumeration<String> e = srckeystore.aliases();
+e.hasMoreElements(); ) {
+String alias = e.nextElement();
+int result = doImportKeyStoreSingle(srckeystore, alias);
+if (result == 1) {
+ok++;
+Object[] source = {alias};
+MessageFormat form = new MessageFormat(rb.getString("Entry for alias <alias> successfully imported."));
+System.err.println(form.format(source));
+} else if (result == 2) {
+if (!noprompt) {
+String reply = getYesNoReply("Do you want to quit the import process? [no]:  ");
+if ("YES".equals(reply)) {
+break;
+}
+}
+}
+}
+Object[] source = {ok, count-ok};
+MessageFormat form = new MessageFormat(rb.getString(
+"Import command completed:  <ok> entries successfully imported, <fail> entries failed or cancelled"));
+System.err.println(form.format(source));
+}
+/**
+* Prints all keystore entries.
+*/
+private void doPrintEntries(PrintStream out)
+throws Exception
+{
+if (storePass == null
+&& !KeyStoreUtil.isWindowsKeyStore(storetype)) {
+printWarning();
+} else {
+out.println();
+}
+out.println(rb.getString("Keystore type: ") + keyStore.getType());
+out.println(rb.getString("Keystore provider: ") +
+keyStore.getProvider().getName());
+out.println();
+MessageFormat form;
+form = (keyStore.size() == 1) ?
+new MessageFormat(rb.getString
+("Your keystore contains keyStore.size() entry")) :
+new MessageFormat(rb.getString
+("Your keystore contains keyStore.size() entries"));
+Object[] source = {new Integer(keyStore.size())};
+out.println(form.format(source));
+out.println();
+for (Enumeration<String> e = keyStore.aliases();
+e.hasMoreElements(); ) {
+String alias = e.nextElement();
+doPrintEntry(alias, out, false);
+if (verbose || rfc) {
+out.println(rb.getString("\n"));
+out.println(rb.getString
+("*******************************************"));
+out.println(rb.getString
+("*******************************************\n\n"));
+}
+}
+}
+/**
+* Reads a certificate (or certificate chain) and prints its contents in
+* a human readbable format.
+*/
+private void doPrintCert(InputStream in, PrintStream out)
+throws Exception
+{
+Collection<? extends Certificate> c = null;
+try {
+c = cf.generateCertificates(in);
+} catch (CertificateException ce) {
+throw new Exception(rb.getString("Failed to parse input"), ce);
+}
+if (c.isEmpty()) {
+throw new Exception(rb.getString("Empty input"));
+}
+Certificate[] certs = c.toArray(new Certificate[c.size()]);
+for (int i=0; i<certs.length; i++) {
+X509Certificate x509Cert = null;
+try {
+x509Cert = (X509Certificate)certs[i];
+} catch (ClassCastException cce) {
+throw new Exception(rb.getString("Not X.509 certificate"));
+}
+if (certs.length > 1) {
+MessageFormat form = new MessageFormat
+(rb.getString("Certificate[(i + 1)]:"));
+Object[] source = {new Integer(i + 1)};
+out.println(form.format(source));
+}
+printX509Cert(x509Cert, out);
+if (i < (certs.length-1)) {
+out.println();
+}
+}
+}
+/**
+* Creates a self-signed certificate, and stores it as a single-element
+* certificate chain.
+*/
+private void doSelfCert(String alias, String dname, String sigAlgName)
+throws Exception
+{
+if (alias == null) {
+alias = keyAlias;
+}
+Object[] objs = recoverKey(alias, storePass, keyPass);
+PrivateKey privKey = (PrivateKey)objs[0];
+if (keyPass == null)
+keyPass = (char[])objs[1];
+// Determine the signature algorithm
+if (sigAlgName == null) {
+// If no signature algorithm was specified at the command line,
+// we choose one that is compatible with the selected private key
+String keyAlgName = privKey.getAlgorithm();
+if ("DSA".equalsIgnoreCase(keyAlgName)
+|| "DSS".equalsIgnoreCase(keyAlgName)) {
+sigAlgName = "SHA1WithDSA";
+} else if ("RSA".equalsIgnoreCase(keyAlgName)) {
+sigAlgName = "SHA1WithRSA";
+} else if ("EC".equalsIgnoreCase(keyAlgName)) {
+sigAlgName = "SHA1withECDSA";
+} else {
+throw new Exception
+(rb.getString("Cannot derive signature algorithm"));
+}
+}
+// Get the old certificate
+Certificate oldCert = keyStore.getCertificate(alias);
+if (oldCert == null) {
+MessageFormat form = new MessageFormat
+(rb.getString("alias has no public key"));
+Object[] source = {alias};
+throw new Exception(form.format(source));
+}
+if (!(oldCert instanceof X509Certificate)) {
+MessageFormat form = new MessageFormat
+(rb.getString("alias has no X.509 certificate"));
+Object[] source = {alias};
+throw new Exception(form.format(source));
+}
+// convert to X509CertImpl, so that we can modify selected fields
+// (no public APIs available yet)
+byte[] encoded = oldCert.getEncoded();
+X509CertImpl certImpl = new X509CertImpl(encoded);
+X509CertInfo certInfo = (X509CertInfo)certImpl.get(X509CertImpl.NAME
++ "." +
+X509CertImpl.INFO);
+// Extend its validity
+Date firstDate = getStartDate(startDate);
+Date lastDate = new Date();
+lastDate.setTime(firstDate.getTime() + validity*1000L*24L*60L*60L);
+CertificateValidity interval = new CertificateValidity(firstDate,
+lastDate);
+certInfo.set(X509CertInfo.VALIDITY, interval);
+// Make new serial number
+certInfo.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber
+((int)(firstDate.getTime()/1000)));
+// Set owner and issuer fields
+X500Name owner;
+if (dname == null) {
+// Get the owner name from the certificate
+owner = (X500Name)certInfo.get(X509CertInfo.SUBJECT + "." +
+CertificateSubjectName.DN_NAME);
+} else {
+// Use the owner name specified at the command line
+owner = new X500Name(dname);
+certInfo.set(X509CertInfo.SUBJECT + "." +
+CertificateSubjectName.DN_NAME, owner);
+}
+// Make issuer same as owner (self-signed!)
+certInfo.set(X509CertInfo.ISSUER + "." +
+CertificateIssuerName.DN_NAME, owner);
+// The inner and outer signature algorithms have to match.
+// The way we achieve that is really ugly, but there seems to be no
+// other solution: We first sign the cert, then retrieve the
+// outer sigalg and use it to set the inner sigalg
+X509CertImpl newCert = new X509CertImpl(certInfo);
+newCert.sign(privKey, sigAlgName);
+AlgorithmId sigAlgid = (AlgorithmId)newCert.get(X509CertImpl.SIG_ALG);
+certInfo.set(CertificateAlgorithmId.NAME + "." +
+CertificateAlgorithmId.ALGORITHM, sigAlgid);
+// first upgrade to version 3
+certInfo.set(X509CertInfo.VERSION,
+new CertificateVersion(CertificateVersion.V3));
+// Sign the new certificate
+newCert = new X509CertImpl(certInfo);
+newCert.sign(privKey, sigAlgName);
+// Store the new certificate as a single-element certificate chain
+keyStore.setKeyEntry(alias, privKey,
+(keyPass != null) ? keyPass : storePass,
+new Certificate[] { newCert } );
+if (verbose) {
+System.err.println(rb.getString("New certificate (self-signed):"));
+System.err.print(newCert.toString());
+System.err.println();
+}
+}
+/**
+* Processes a certificate reply from a certificate authority.
+*
+* <p>Builds a certificate chain on top of the certificate reply,
+* using trusted certificates from the keystore. The chain is complete
+* after a self-signed certificate has been encountered. The self-signed
+* certificate is considered a root certificate authority, and is stored
+* at the end of the chain.
+*
+* <p>The newly generated chain replaces the old chain associated with the
+* key entry.
+*
+* @return true if the certificate reply was installed, otherwise false.
+*/
+private boolean installReply(String alias, InputStream in)
+throws Exception
+{
+if (alias == null) {
+alias = keyAlias;
+}
+Object[] objs = recoverKey(alias, storePass, keyPass);
+PrivateKey privKey = (PrivateKey)objs[0];
+if (keyPass == null) {
+keyPass = (char[])objs[1];
+}
+Certificate userCert = keyStore.getCertificate(alias);
+if (userCert == null) {
+MessageFormat form = new MessageFormat
+(rb.getString("alias has no public key (certificate)"));
+Object[] source = {alias};
+throw new Exception(form.format(source));
+}
+// Read the certificates in the reply
+Collection<? extends Certificate> c = cf.generateCertificates(in);
+if (c.isEmpty()) {
+throw new Exception(rb.getString("Reply has no certificates"));
+}
+Certificate[] replyCerts = c.toArray(new Certificate[c.size()]);
+Certificate[] newChain;
+if (replyCerts.length == 1) {
+// single-cert reply
+newChain = establishCertChain(userCert, replyCerts[0]);
+} else {
+// cert-chain reply (e.g., PKCS#7)
+newChain = validateReply(alias, userCert, replyCerts);
+}
+// Now store the newly established chain in the keystore. The new
+// chain replaces the old one.
+if (newChain != null) {
+keyStore.setKeyEntry(alias, privKey,
+(keyPass != null) ? keyPass : storePass,
+newChain);
+return true;
+} else {
+return false;
+}
+}
+/**
+* Imports a certificate and adds it to the list of trusted certificates.
+*
+* @return true if the certificate was added, otherwise false.
+*/
+private boolean addTrustedCert(String alias, InputStream in)
+throws Exception
+{
+if (alias == null) {
+throw new Exception(rb.getString("Must specify alias"));
+}
+if (keyStore.containsAlias(alias)) {
+MessageFormat form = new MessageFormat(rb.getString
+("Certificate not imported, alias <alias> already exists"));
+Object[] source = {alias};
+throw new Exception(form.format(source));
+}
+// Read the certificate
+X509Certificate cert = null;
+try {
+cert = (X509Certificate)cf.generateCertificate(in);
+} catch (ClassCastException cce) {
+throw new Exception(rb.getString("Input not an X.509 certificate"));
+} catch (CertificateException ce) {
+throw new Exception(rb.getString("Input not an X.509 certificate"));
+}
+// if certificate is self-signed, make sure it verifies
+boolean selfSigned = false;
+if (isSelfSigned(cert)) {
+cert.verify(cert.getPublicKey());
+selfSigned = true;
+}
+if (noprompt) {
+keyStore.setCertificateEntry(alias, cert);
+return true;
+}
+// check if cert already exists in keystore
+String reply = null;
+String trustalias = keyStore.getCertificateAlias(cert);
+if (trustalias != null) {
+MessageFormat form = new MessageFormat(rb.getString
+("Certificate already exists in keystore under alias <trustalias>"));
+Object[] source = {trustalias};
+System.err.println(form.format(source));
+reply = getYesNoReply
+(rb.getString("Do you still want to add it? [no]:  "));
+} else if (selfSigned) {
+if (trustcacerts && (caks != null) &&
+((trustalias=caks.getCertificateAlias(cert)) != null)) {
+MessageFormat form = new MessageFormat(rb.getString
+("Certificate already exists in system-wide CA keystore under alias <trustalias>"));
+Object[] source = {trustalias};
+System.err.println(form.format(source));
+reply = getYesNoReply
+(rb.getString("Do you still want to add it to your own keystore? [no]:  "));
+}
+if (trustalias == null) {
+// Print the cert and ask user if they really want to add
+// it to their keystore
+printX509Cert(cert, System.out);
+reply = getYesNoReply
+(rb.getString("Trust this certificate? [no]:  "));
+}
+}
+if (reply != null) {
+if ("YES".equals(reply)) {
+keyStore.setCertificateEntry(alias, cert);
+return true;
+} else {
+return false;
+}
+}
+// Try to establish trust chain
+try {
+Certificate[] chain = establishCertChain(null, cert);
+if (chain != null) {
+keyStore.setCertificateEntry(alias, cert);
+return true;
+}
+} catch (Exception e) {
+// Print the cert and ask user if they really want to add it to
+// their keystore
+printX509Cert(cert, System.out);
+reply = getYesNoReply
+(rb.getString("Trust this certificate? [no]:  "));
+if ("YES".equals(reply)) {
+keyStore.setCertificateEntry(alias, cert);
+return true;
+} else {
+return false;
+}
+}
+return false;
+}
+/**
+* Prompts user for new password. New password must be different from
+* old one.
+*
+* @param prompt the message that gets prompted on the screen
+* @param oldPasswd the current (i.e., old) password
+*/
+private char[] getNewPasswd(String prompt, char[] oldPasswd)
+throws Exception
+{
+char[] entered = null;
+char[] reentered = null;
+for (int count = 0; count < 3; count++) {
+MessageFormat form = new MessageFormat
+(rb.getString("New prompt: "));
+Object[] source = {prompt};
+System.err.print(form.format(source));
+entered = Password.readPassword(System.in);
+passwords.add(entered);
+if (entered == null || entered.length < 6) {
+System.err.println(rb.getString
+("Password is too short - must be at least 6 characters"));
+} else if (Arrays.equals(entered, oldPasswd)) {
+System.err.println(rb.getString("Passwords must differ"));
+} else {
+form = new MessageFormat
+(rb.getString("Re-enter new prompt: "));
+Object[] src = {prompt};
+System.err.print(form.format(src));
+reentered = Password.readPassword(System.in);
+passwords.add(reentered);
+if (!Arrays.equals(entered, reentered)) {
+System.err.println
+(rb.getString("They don't match. Try again"));
+} else {
+Arrays.fill(reentered, ' ');
+return entered;
+}
+}
+if (entered != null) {
+Arrays.fill(entered, ' ');
+entered = null;
+}
+if (reentered != null) {
+Arrays.fill(reentered, ' ');
+reentered = null;
+}
+}
+throw new Exception(rb.getString("Too many failures - try later"));
+}
+/**
+* Prompts user for alias name.
+* @param prompt the {0} of "Enter {0} alias name:  " in prompt line
+* @returns the string entered by the user, without the \n at the end
+*/
+private String getAlias(String prompt) throws Exception {
+if (prompt != null) {
+MessageFormat form = new MessageFormat
+(rb.getString("Enter prompt alias name:  "));
+Object[] source = {prompt};
+System.err.print(form.format(source));
+} else {
+System.err.print(rb.getString("Enter alias name:  "));
+}
+return (new BufferedReader(new InputStreamReader(
+System.in))).readLine();
+}
+/**
+* Prompts user for an input string from the command line (System.in)
+* @prompt the prompt string printed
+* @returns the string entered by the user, without the \n at the end
+*/
+private String inputStringFromStdin(String prompt) throws Exception {
+System.err.print(prompt);
+return (new BufferedReader(new InputStreamReader(
+System.in))).readLine();
+}
+/**
+* Prompts user for key password. User may select to choose the same
+* password (<code>otherKeyPass</code>) as for <code>otherAlias</code>.
+*/
+private char[] getKeyPasswd(String alias, String otherAlias,
+char[] otherKeyPass)
+throws Exception
+{
+int count = 0;
+char[] keyPass = null;
+do {
+if (otherKeyPass != null) {
+MessageFormat form = new MessageFormat(rb.getString
+("Enter key password for <alias>"));
+Object[] source = {alias};
+System.err.println(form.format(source));
+form = new MessageFormat(rb.getString
+("\t(RETURN if same as for <otherAlias>)"));
+Object[] src = {otherAlias};
+System.err.print(form.format(src));
+} else {
+MessageFormat form = new MessageFormat(rb.getString
+("Enter key password for <alias>"));
+Object[] source = {alias};
+System.err.print(form.format(source));
+}
+System.err.flush();
+keyPass = Password.readPassword(System.in);
+passwords.add(keyPass);
+if (keyPass == null) {
+keyPass = otherKeyPass;
+}
+count++;
+} while ((keyPass == null) && count < 3);
+if (keyPass == null) {
+throw new Exception(rb.getString("Too many failures - try later"));
+}
+return keyPass;
+}
+/**
+* Prints a certificate in a human readable format.
+*/
+private void printX509Cert(X509Certificate cert, PrintStream out)
+throws Exception
+{
+/*
+out.println("Owner: "
++ cert.getSubjectDN().toString()
++ "\n"
++ "Issuer: "
++ cert.getIssuerDN().toString()
++ "\n"
++ "Serial number: " + cert.getSerialNumber().toString(16)
++ "\n"
++ "Valid from: " + cert.getNotBefore().toString()
++ " until: " + cert.getNotAfter().toString()
++ "\n"
++ "Certificate fingerprints:\n"
++ "\t MD5:  " + getCertFingerPrint("MD5", cert)
++ "\n"
++ "\t SHA1: " + getCertFingerPrint("SHA1", cert));
+*/
+MessageFormat form = new MessageFormat
+(rb.getString("*PATTERN* printX509Cert"));
+Object[] source = {cert.getSubjectDN().toString(),
+cert.getIssuerDN().toString(),
+cert.getSerialNumber().toString(16),
+cert.getNotBefore().toString(),
+cert.getNotAfter().toString(),
+getCertFingerPrint("MD5", cert),
+getCertFingerPrint("SHA1", cert),
+cert.getSigAlgName(),
+cert.getVersion()
+};
+out.println(form.format(source));
+int extnum = 0;
+if (cert instanceof X509CertImpl) {
+X509CertImpl impl = (X509CertImpl)cert;
+if (cert.getCriticalExtensionOIDs() != null) {
+for (String extOID : cert.getCriticalExtensionOIDs()) {
+if (extnum == 0) {
+out.println();
+out.println(rb.getString("Extensions: "));
+out.println();
+}
+out.println("#"+(++extnum)+": "+
+impl.getExtension(new ObjectIdentifier(extOID)));
+}
+}
+if (cert.getNonCriticalExtensionOIDs() != null) {
+for (String extOID : cert.getNonCriticalExtensionOIDs()) {
+if (extnum == 0) {
+out.println();
+out.println(rb.getString("Extensions: "));
+out.println();
+}
+Extension ext = impl.getExtension(new ObjectIdentifier(extOID));
+if (ext != null) {
+out.println("#"+(++extnum)+": "+ ext);
+} else {
+out.println("#"+(++extnum)+": "+
+impl.getUnparseableExtension(new ObjectIdentifier(extOID)));
+}
+}
+}
+}
+}
+/**
+* Returns true if the certificate is self-signed, false otherwise.
+*/
+private boolean isSelfSigned(X509Certificate cert) {
+return cert.getSubjectDN().equals(cert.getIssuerDN());
+}
+/**
+* Returns true if the given certificate is trusted, false otherwise.
+*/
+private boolean isTrusted(Certificate cert)
+throws Exception
+{
+if (keyStore.getCertificateAlias(cert) != null) {
+return true; // found in own keystore
+}
+if (trustcacerts && (caks != null) &&
+(caks.getCertificateAlias(cert) != null)) {
+return true; // found in CA keystore
+}
+return false;
+}
+/**
+* Gets an X.500 name suitable for inclusion in a certification request.
+*/
+private X500Name getX500Name() throws IOException {
+BufferedReader in;
+in = new BufferedReader(new InputStreamReader(System.in));
+String commonName = "Unknown";
+String organizationalUnit = "Unknown";
+String organization = "Unknown";
+String city = "Unknown";
+String state = "Unknown";
+String country = "Unknown";
+X500Name name;
+String userInput = null;
+int maxRetry = 20;
+do {
+if (maxRetry-- < 0) {
+throw new RuntimeException(rb.getString(
+"Too may retries, program terminated"));
+}
+commonName = inputString(in,
+rb.getString("What is your first and last name?"),
+commonName);
+organizationalUnit = inputString(in,
+rb.getString
+("What is the name of your organizational unit?"),
+organizationalUnit);
+organization = inputString(in,
+rb.getString("What is the name of your organization?"),
+organization);
+city = inputString(in,
+rb.getString("What is the name of your City or Locality?"),
+city);
+state = inputString(in,
+rb.getString("What is the name of your State or Province?"),
+state);
+country = inputString(in,
+rb.getString
+("What is the two-letter country code for this unit?"),
+country);
+name = new X500Name(commonName, organizationalUnit, organization,
+city, state, country);
+MessageFormat form = new MessageFormat
+(rb.getString("Is <name> correct?"));
+Object[] source = {name};
+userInput = inputString
+(in, form.format(source), rb.getString("no"));
+} while (collator.compare(userInput, rb.getString("yes")) != 0 &&
+collator.compare(userInput, rb.getString("y")) != 0);
+System.err.println();
+return name;
+}
+private String inputString(BufferedReader in, String prompt,
+String defaultValue)
+throws IOException
+{
+System.err.println(prompt);
+MessageFormat form = new MessageFormat
+(rb.getString("  [defaultValue]:  "));
+Object[] source = {defaultValue};
+System.err.print(form.format(source));
+System.err.flush();
+String value = in.readLine();
+if (value == null || collator.compare(value, "") == 0) {
+value = defaultValue;
+}
+return value;
+}
+/**
+* Writes an X.509 certificate in base64 or binary encoding to an output
+* stream.
+*/
+private void dumpCert(Certificate cert, PrintStream out)
+throws IOException, CertificateException
+{
+if (rfc) {
+BASE64Encoder encoder = new BASE64Encoder();
+out.println(X509Factory.BEGIN_CERT);
+encoder.encodeBuffer(cert.getEncoded(), out);
+out.println(X509Factory.END_CERT);
+} else {
+out.write(cert.getEncoded()); // binary
+}
+}
+/**
+* Converts a byte to hex digit and writes to the supplied buffer
+*/
+private void byte2hex(byte b, StringBuffer buf) {
+char[] hexChars = { '0', '1', '2', '3', '4', '5', '6', '7', '8',
+'9', 'A', 'B', 'C', 'D', 'E', 'F' };
+int high = ((b & 0xf0) >> 4);
+int low = (b & 0x0f);
+buf.append(hexChars[high]);
+buf.append(hexChars[low]);
+}
+/**
+* Converts a byte array to hex string
+*/
+private String toHexString(byte[] block) {
+StringBuffer buf = new StringBuffer();
+int len = block.length;
+for (int i = 0; i < len; i++) {
+byte2hex(block[i], buf);
+if (i < len-1) {
+buf.append(":");
+}
+}
+return buf.toString();
+}
+/**
+* Recovers (private) key associated with given alias.
+*
+* @return an array of objects, where the 1st element in the array is the
+* recovered private key, and the 2nd element is the password used to
+* recover it.
+*/
+private Object[] recoverKey(String alias, char[] storePass,
+char[] keyPass)
+throws Exception
+{
+Key key = null;
+if (keyStore.containsAlias(alias) == false) {
+MessageFormat form = new MessageFormat
+(rb.getString("Alias <alias> does not exist"));
+Object[] source = {alias};
+throw new Exception(form.format(source));
+}
+if (!keyStore.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class) &&
+!keyStore.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) {
+MessageFormat form = new MessageFormat
+(rb.getString("Alias <alias> has no key"));
+Object[] source = {alias};
+throw new Exception(form.format(source));
+}
+if (keyPass == null) {
+// Try to recover the key using the keystore password
+try {
+key = keyStore.getKey(alias, storePass);
+keyPass = storePass;
+passwords.add(keyPass);
+} catch (UnrecoverableKeyException e) {
+// Did not work out, so prompt user for key password
+if (!token) {
+keyPass = getKeyPasswd(alias, null, null);
+key = keyStore.getKey(alias, keyPass);
+} else {
+throw e;
+}
+}
+} else {
+key = keyStore.getKey(alias, keyPass);
+}
+return new Object[] {key, keyPass};
+}
+/**
+* Recovers entry associated with given alias.
+*
+* @return an array of objects, where the 1st element in the array is the
+* recovered entry, and the 2nd element is the password used to
+* recover it (null if no password).
+*/
+private Object[] recoverEntry(KeyStore ks,
+String alias,
+char[] pstore,
+char[] pkey) throws Exception {
+if (ks.containsAlias(alias) == false) {
+MessageFormat form = new MessageFormat
+(rb.getString("Alias <alias> does not exist"));
+Object[] source = {alias};
+throw new Exception(form.format(source));
+}
+PasswordProtection pp = null;
+Entry entry;
+try {
+// First attempt to access entry without key password
+// (PKCS11 entry or trusted certificate entry, for example)
+entry = ks.getEntry(alias, pp);
+pkey = null;
+} catch (UnrecoverableEntryException une) {
+if(P11KEYSTORE.equalsIgnoreCase(ks.getType()) ||
+KeyStoreUtil.isWindowsKeyStore(ks.getType())) {
+// should not happen, but a possibility
+throw une;
+}
+// entry is protected
+if (pkey != null) {
+// try provided key password
+pp = new PasswordProtection(pkey);
+entry = ks.getEntry(alias, pp);
+} else {
+// try store pass
+try {
+pp = new PasswordProtection(pstore);
+entry = ks.getEntry(alias, pp);
+pkey = pstore;
+} catch (UnrecoverableEntryException une2) {
+if (P12KEYSTORE.equalsIgnoreCase(ks.getType())) {
+// P12 keystore currently does not support separate
+// store and entry passwords
+throw une2;
+} else {
+// prompt for entry password
+pkey = getKeyPasswd(alias, null, null);
+pp = new PasswordProtection(pkey);
+entry = ks.getEntry(alias, pp);
+}
+}
+}
+}
+return new Object[] {entry, pkey};
+}
+/**
+* Gets the requested finger print of the certificate.
+*/
+private String getCertFingerPrint(String mdAlg, Certificate cert)
+throws Exception
+{
+byte[] encCertInfo = cert.getEncoded();
+MessageDigest md = MessageDigest.getInstance(mdAlg);
+byte[] digest = md.digest(encCertInfo);
+return toHexString(digest);
+}
+/**
+* Prints warning about missing integrity check.
+*/
+private void printWarning() {
+System.err.println();
+System.err.println(rb.getString
+("*****************  WARNING WARNING WARNING  *****************"));
+System.err.println(rb.getString
+("* The integrity of the information stored in your keystore  *"));
+System.err.println(rb.getString
+("* has NOT been verified!  In order to verify its integrity, *"));
+System.err.println(rb.getString
+("* you must provide your keystore password.                  *"));
+System.err.println(rb.getString
+("*****************  WARNING WARNING WARNING  *****************"));
+System.err.println();
+}
+/**
+* Validates chain in certification reply, and returns the ordered
+* elements of the chain (with user certificate first, and root
+* certificate last in the array).
+*
+* @param alias the alias name
+* @param userCert the user certificate of the alias
+* @param replyCerts the chain provided in the reply
+*/
+private Certificate[] validateReply(String alias,
+Certificate userCert,
+Certificate[] replyCerts)
+throws Exception
+{
+// order the certs in the reply (bottom-up).
+// we know that all certs in the reply are of type X.509, because
+// we parsed them using an X.509 certificate factory
+int i;
+PublicKey userPubKey = userCert.getPublicKey();
+for (i=0; i<replyCerts.length; i++) {
+if (userPubKey.equals(replyCerts[i].getPublicKey())) {
+break;
+}
+}
+if (i == replyCerts.length) {
+MessageFormat form = new MessageFormat(rb.getString
+("Certificate reply does not contain public key for <alias>"));
+Object[] source = {alias};
+throw new Exception(form.format(source));
+}
+Certificate tmpCert = replyCerts[0];
+replyCerts[0] = replyCerts[i];
+replyCerts[i] = tmpCert;
+Principal issuer = ((X509Certificate)replyCerts[0]).getIssuerDN();
+for (i=1; i < replyCerts.length-1; i++) {
+// find a cert in the reply whose "subject" is the same as the
+// given "issuer"
+int j;
+for (j=i; j<replyCerts.length; j++) {
+Principal subject;
+subject = ((X509Certificate)replyCerts[j]).getSubjectDN();
+if (subject.equals(issuer)) {
+tmpCert = replyCerts[i];
+replyCerts[i] = replyCerts[j];
+replyCerts[j] = tmpCert;
+issuer = ((X509Certificate)replyCerts[i]).getIssuerDN();
+break;
+}
+}
+if (j == replyCerts.length) {
+throw new Exception
+(rb.getString("Incomplete certificate chain in reply"));
+}
+}
+// now verify each cert in the ordered chain
+for (i=0; i<replyCerts.length-1; i++) {
+PublicKey pubKey = replyCerts[i+1].getPublicKey();
+try {
+replyCerts[i].verify(pubKey);
+} catch (Exception e) {
+throw new Exception(rb.getString
+("Certificate chain in reply does not verify: ") +
+e.getMessage());
+}
+}
+if (noprompt) {
+return replyCerts;
+}
+// do we trust the (root) cert at the top?
+Certificate topCert = replyCerts[replyCerts.length-1];
+if (!isTrusted(topCert)) {
+boolean verified = false;
+Certificate rootCert = null;
+if (trustcacerts && (caks!= null)) {
+for (Enumeration<String> aliases = caks.aliases();
+aliases.hasMoreElements(); ) {
+String name = aliases.nextElement();
+rootCert = caks.getCertificate(name);
+if (rootCert != null) {
+try {
+topCert.verify(rootCert.getPublicKey());
+verified = true;
+break;
+} catch (Exception e) {
+}
+}
+}
+}
+if (!verified) {
+System.err.println();
+System.err.println
+(rb.getString("Top-level certificate in reply:\n"));
+printX509Cert((X509Certificate)topCert, System.out);
+System.err.println();
+System.err.print(rb.getString("... is not trusted. "));
+String reply = getYesNoReply
+(rb.getString("Install reply anyway? [no]:  "));
+if ("NO".equals(reply)) {
+return null;
+}
+} else {
+if (!isSelfSigned((X509Certificate)topCert)) {
+// append the (self-signed) root CA cert to the chain
+Certificate[] tmpCerts =
+new Certificate[replyCerts.length+1];
+System.arraycopy(replyCerts, 0, tmpCerts, 0,
+replyCerts.length);
+tmpCerts[tmpCerts.length-1] = rootCert;
+replyCerts = tmpCerts;
+}
+}
+}
+return replyCerts;
+}
+/**
+* Establishes a certificate chain (using trusted certificates in the
+* keystore), starting with the user certificate
+* and ending at a self-signed certificate found in the keystore.
+*
+* @param userCert the user certificate of the alias
+* @param certToVerify the single certificate provided in the reply
+*/
+private Certificate[] establishCertChain(Certificate userCert,
+Certificate certToVerify)
+throws Exception
+{
+if (userCert != null) {
+// Make sure that the public key of the certificate reply matches
+// the original public key in the keystore
+PublicKey origPubKey = userCert.getPublicKey();
+PublicKey replyPubKey = certToVerify.getPublicKey();
+if (!origPubKey.equals(replyPubKey)) {
+throw new Exception(rb.getString
+("Public keys in reply and keystore don't match"));
+}
+// If the two certs are identical, we're done: no need to import
+// anything
+if (certToVerify.equals(userCert)) {
+throw new Exception(rb.getString
+("Certificate reply and certificate in keystore are identical"));
+}
+}
+// Build a hash table of all certificates in the keystore.
+// Use the subject distinguished name as the key into the hash table.
+// All certificates associated with the same subject distinguished
+// name are stored in the same hash table entry as a vector.
+Hashtable<Principal, Vector<Certificate>> certs = null;
+if (keyStore.size() > 0) {
+certs = new Hashtable<Principal, Vector<Certificate>>(11);
+keystorecerts2Hashtable(keyStore, certs);
+}
+if (trustcacerts) {
+if (caks!=null && caks.size()>0) {
+if (certs == null) {
+certs = new Hashtable<Principal, Vector<Certificate>>(11);
+}
+keystorecerts2Hashtable(caks, certs);
+}
+}
+// start building chain
+Vector<Certificate> chain = new Vector<Certificate>(2);
+if (buildChain((X509Certificate)certToVerify, chain, certs)) {
+Certificate[] newChain = new Certificate[chain.size()];
+// buildChain() returns chain with self-signed root-cert first and
+// user-cert last, so we need to invert the chain before we store
+// it
+int j=0;
+for (int i=chain.size()-1; i>=0; i--) {
+newChain[j] = chain.elementAt(i);
+j++;
+}
+return newChain;
+} else {
+throw new Exception
+(rb.getString("Failed to establish chain from reply"));
+}
+}
+/**
+* Recursively tries to establish chain from pool of trusted certs.
+*
+* @param certToVerify the cert that needs to be verified.
+* @param chain the chain that's being built.
+* @param certs the pool of trusted certs
+*
+* @return true if successful, false otherwise.
+*/
+private boolean buildChain(X509Certificate certToVerify,
+Vector<Certificate> chain,
+Hashtable<Principal, Vector<Certificate>> certs) {
+Principal subject = certToVerify.getSubjectDN();
+Principal issuer = certToVerify.getIssuerDN();
+if (subject.equals(issuer)) {
+// reached self-signed root cert;
+// no verification needed because it's trusted.
+chain.addElement(certToVerify);
+return true;
+}
+// Get the issuer's certificate(s)
+Vector<Certificate> vec = certs.get(issuer);
+if (vec == null) {
+return false;
+}
+// Try out each certificate in the vector, until we find one
+// whose public key verifies the signature of the certificate
+// in question.
+for (Enumeration<Certificate> issuerCerts = vec.elements();
+issuerCerts.hasMoreElements(); ) {
+X509Certificate issuerCert
+= (X509Certificate)issuerCerts.nextElement();
+PublicKey issuerPubKey = issuerCert.getPublicKey();
+try {
+certToVerify.verify(issuerPubKey);
+} catch (Exception e) {
+continue;
+}
+if (buildChain(issuerCert, chain, certs)) {
+chain.addElement(certToVerify);
+return true;
+}
+}
+return false;
+}
+/**
+* Prompts user for yes/no decision.
+*
+* @return the user's decision, can only be "YES" or "NO"
+*/
+private String getYesNoReply(String prompt)
+throws IOException
+{
+String reply = null;
+int maxRetry = 20;
+do {
+if (maxRetry-- < 0) {
+throw new RuntimeException(rb.getString(
+"Too may retries, program terminated"));
+}
+System.err.print(prompt);
+System.err.flush();
+reply = (new BufferedReader(new InputStreamReader
+(System.in))).readLine();
+if (collator.compare(reply, "") == 0 ||
+collator.compare(reply, rb.getString("n")) == 0 ||
+collator.compare(reply, rb.getString("no")) == 0) {
+reply = "NO";
+} else if (collator.compare(reply, rb.getString("y")) == 0 ||
+collator.compare(reply, rb.getString("yes")) == 0) {
+reply = "YES";
+} else {
+System.err.println(rb.getString("Wrong answer, try again"));
+reply = null;
+}
+} while (reply == null);
+return reply;
+}
+/**
+* Returns the keystore with the configured CA certificates.
+*/
+private KeyStore getCacertsKeyStore()
+throws Exception
+{
+String sep = File.separator;
+File file = new File(System.getProperty("java.home") + sep
++ "lib" + sep + "security" + sep
++ "cacerts");
+if (!file.exists()) {
+return null;
+}
+FileInputStream fis = null;
+KeyStore caks = null;
+try {
+fis = new FileInputStream(file);
+caks = KeyStore.getInstance(JKS);
+caks.load(fis, null);
+} finally {
+if (fis != null) {
+fis.close();
+}
+}
+return caks;
+}
+/**
+* Stores the (leaf) certificates of a keystore in a hashtable.
+* All certs belonging to the same CA are stored in a vector that
+* in turn is stored in the hashtable, keyed by the CA's subject DN
+*/
+private void keystorecerts2Hashtable(KeyStore ks,
+Hashtable<Principal, Vector<Certificate>> hash)
+throws Exception {
+for (Enumeration<String> aliases = ks.aliases();
+aliases.hasMoreElements(); ) {
+String alias = aliases.nextElement();
+Certificate cert = ks.getCertificate(alias);
+if (cert != null) {
+Principal subjectDN = ((X509Certificate)cert).getSubjectDN();
+Vector<Certificate> vec = hash.get(subjectDN);
+if (vec == null) {
+vec = new Vector<Certificate>();
+vec.addElement(cert);
+} else {
+if (!vec.contains(cert)) {
+vec.addElement(cert);
+}
+}
+hash.put(subjectDN, vec);
+}
+}
+}
+/**
+* Returns the issue time that's specified the -startdate option
+* @param s the value of -startdate option
+*/
+private static Date getStartDate(String s) throws IOException {
+Calendar c = new GregorianCalendar();
+if (s != null) {
+IOException ioe = new IOException(
+rb.getString("Illegal startdate value"));
+int len = s.length();
+if (len == 0) {
+throw ioe;
+}
+if (s.charAt(0) == '-' || s.charAt(0) == '+') {
+// Form 1: ([+-]nnn[ymdHMS])+
+int start = 0;
+while (start < len) {
+int sign = 0;
+switch (s.charAt(start)) {
+case '+': sign = 1; break;
+case '-': sign = -1; break;
+default: throw ioe;
+}
+int i = start+1;
+for (; i<len; i++) {
+char ch = s.charAt(i);
+if (ch < '0' || ch > '9') break;
+}
+if (i == start+1) throw ioe;
+int number = Integer.parseInt(s.substring(start+1, i));
+if (i >= len) throw ioe;
+int unit = 0;
+switch (s.charAt(i)) {
+case 'y': unit = Calendar.YEAR; break;
+case 'm': unit = Calendar.MONTH; break;
+case 'd': unit = Calendar.DATE; break;
+case 'H': unit = Calendar.HOUR; break;
+case 'M': unit = Calendar.MINUTE; break;
+case 'S': unit = Calendar.SECOND; break;
+default: throw ioe;
+}
+c.add(unit, sign * number);
+start = i + 1;
+}
+} else  {
+// Form 2: [yyyy/mm/dd] [HH:MM:SS]
+String date = null, time = null;
+if (len == 19) {
+date = s.substring(0, 10);
+time = s.substring(11);
+if (s.charAt(10) != ' ')
+throw ioe;
+} else if (len == 10) {
+date = s;
+} else if (len == 8) {
+time = s;
+} else {
+throw ioe;
+}
+if (date != null) {
+if (date.matches("\\d\\d\\d\\d\\/\\d\\d\\/\\d\\d")) {
+c.set(Integer.valueOf(date.substring(0, 4)),
+Integer.valueOf(date.substring(5, 7))-1,
+Integer.valueOf(date.substring(8, 10)));
+} else {
+throw ioe;
+}
+}
+if (time != null) {
+if (time.matches("\\d\\d:\\d\\d:\\d\\d")) {
+c.set(Calendar.HOUR_OF_DAY, Integer.valueOf(time.substring(0, 2)));
+c.set(Calendar.MINUTE, Integer.valueOf(time.substring(0, 2)));
+c.set(Calendar.SECOND, Integer.valueOf(time.substring(0, 2)));
+c.set(Calendar.MILLISECOND, 0);
+} else {
+throw ioe;
+}
+}
+}
+}
+return c.getTime();
+}
+/**
+* Prints the usage of this tool.
+*/
+private void usage() {
+System.err.println(rb.getString("keytool usage:\n"));
+System.err.println(rb.getString
+("-certreq     [-v] [-protected]"));
+System.err.println(rb.getString
+("\t     [-alias <alias>] [-sigalg <sigalg>]"));
+System.err.println(rb.getString
+("\t     [-file <csr_file>] [-keypass <keypass>]"));
+System.err.println(rb.getString
+("\t     [-keystore <keystore>] [-storepass <storepass>]"));
+System.err.println(rb.getString
+("\t     [-storetype <storetype>] [-providername <name>]"));
+System.err.println(rb.getString
+("\t     [-providerclass <provider_class_name> [-providerarg <arg>]] ..."));
+System.err.println(rb.getString
+("\t     [-providerpath <pathlist>]"));
+System.err.println();
+System.err.println(rb.getString
+("-changealias [-v] [-protected] -alias <alias> -destalias <destalias>"));
+System.err.println(rb.getString
+("\t     [-keypass <keypass>]"));
+System.err.println(rb.getString
+("\t     [-keystore <keystore>] [-storepass <storepass>]"));
+System.err.println(rb.getString
+("\t     [-storetype <storetype>] [-providername <name>]"));
+System.err.println(rb.getString
+("\t     [-providerclass <provider_class_name> [-providerarg <arg>]] ..."));
+System.err.println(rb.getString
+("\t     [-providerpath <pathlist>]"));
+System.err.println();
+System.err.println(rb.getString
+("-delete      [-v] [-protected] -alias <alias>"));
+System.err.println(rb.getString
+("\t     [-keystore <keystore>] [-storepass <storepass>]"));
+System.err.println(rb.getString
+("\t     [-storetype <storetype>] [-providername <name>]"));
+System.err.println(rb.getString
+("\t     [-providerclass <provider_class_name> [-providerarg <arg>]] ..."));
+System.err.println(rb.getString
+("\t     [-providerpath <pathlist>]"));
+System.err.println();
+System.err.println(rb.getString
+("-exportcert  [-v] [-rfc] [-protected]"));
+System.err.println(rb.getString
+("\t     [-alias <alias>] [-file <cert_file>]"));
+System.err.println(rb.getString
+("\t     [-keystore <keystore>] [-storepass <storepass>]"));
+System.err.println(rb.getString
+("\t     [-storetype <storetype>] [-providername <name>]"));
+System.err.println(rb.getString
+("\t     [-providerclass <provider_class_name> [-providerarg <arg>]] ..."));
+System.err.println(rb.getString
+("\t     [-providerpath <pathlist>]"));
+System.err.println();
+System.err.println(rb.getString
+("-genkeypair  [-v] [-protected]"));
+System.err.println(rb.getString
+("\t     [-alias <alias>]"));
+System.err.println(rb.getString
+("\t     [-keyalg <keyalg>] [-keysize <keysize>]"));
+System.err.println(rb.getString
+("\t     [-sigalg <sigalg>] [-dname <dname>]"));
+System.err.println(rb.getString
+("\t     [-startdate <startdate>]"));
+System.err.println(rb.getString
+("\t     [-validity <valDays>] [-keypass <keypass>]"));
+System.err.println(rb.getString
+("\t     [-keystore <keystore>] [-storepass <storepass>]"));
+System.err.println(rb.getString
+("\t     [-storetype <storetype>] [-providername <name>]"));
+System.err.println(rb.getString
+("\t     [-providerclass <provider_class_name> [-providerarg <arg>]] ..."));
+System.err.println(rb.getString
+("\t     [-providerpath <pathlist>]"));
+System.err.println();
+System.err.println(rb.getString
+("-genseckey   [-v] [-protected]"));
+System.err.println(rb.getString
+("\t     [-alias <alias>] [-keypass <keypass>]"));
+System.err.println(rb.getString
+("\t     [-keyalg <keyalg>] [-keysize <keysize>]"));
+System.err.println(rb.getString
+("\t     [-keystore <keystore>] [-storepass <storepass>]"));
+System.err.println(rb.getString
+("\t     [-storetype <storetype>] [-providername <name>]"));
+System.err.println(rb.getString
+("\t     [-providerclass <provider_class_name> [-providerarg <arg>]] ..."));
+System.err.println(rb.getString
+("\t     [-providerpath <pathlist>]"));
+System.err.println();
+System.err.println(rb.getString("-help"));
+System.err.println();
+System.err.println(rb.getString
+("-importcert  [-v] [-noprompt] [-trustcacerts] [-protected]"));
+System.err.println(rb.getString
+("\t     [-alias <alias>]"));
+System.err.println(rb.getString
+("\t     [-file <cert_file>] [-keypass <keypass>]"));
+System.err.println(rb.getString
+("\t     [-keystore <keystore>] [-storepass <storepass>]"));
+System.err.println(rb.getString
+("\t     [-storetype <storetype>] [-providername <name>]"));
+System.err.println(rb.getString
+("\t     [-providerclass <provider_class_name> [-providerarg <arg>]] ..."));
+System.err.println(rb.getString
+("\t     [-providerpath <pathlist>]"));
+System.err.println();
+System.err.println(rb.getString
+("-importkeystore [-v] "));
+System.err.println(rb.getString
+("\t     [-srckeystore <srckeystore>] [-destkeystore <destkeystore>]"));
+System.err.println(rb.getString
+("\t     [-srcstoretype <srcstoretype>] [-deststoretype <deststoretype>]"));
+System.err.println(rb.getString
+("\t     [-srcstorepass <srcstorepass>] [-deststorepass <deststorepass>]"));
+System.err.println(rb.getString
+("\t     [-srcprotected] [-destprotected]"));
+System.err.println(rb.getString
+("\t     [-srcprovidername <srcprovidername>]\n\t     [-destprovidername <destprovidername>]"));
+System.err.println(rb.getString
+("\t     [-srcalias <srcalias> [-destalias <destalias>]"));
+System.err.println(rb.getString
+("\t       [-srckeypass <srckeypass>] [-destkeypass <destkeypass>]]"));
+System.err.println(rb.getString
+("\t     [-noprompt]"));
+System.err.println(rb.getString
+("\t     [-providerclass <provider_class_name> [-providerarg <arg>]] ..."));
+System.err.println(rb.getString
+("\t     [-providerpath <pathlist>]"));
+System.err.println();
+System.err.println(rb.getString
+("-keypasswd   [-v] [-alias <alias>]"));
+System.err.println(rb.getString
+("\t     [-keypass <old_keypass>] [-new <new_keypass>]"));
+System.err.println(rb.getString
+("\t     [-keystore <keystore>] [-storepass <storepass>]"));
+System.err.println(rb.getString
+("\t     [-storetype <storetype>] [-providername <name>]"));
+System.err.println(rb.getString
+("\t     [-providerclass <provider_class_name> [-providerarg <arg>]] ..."));
+System.err.println(rb.getString
+("\t     [-providerpath <pathlist>]"));
+System.err.println();
+System.err.println(rb.getString
+("-list        [-v | -rfc] [-protected]"));
+System.err.println(rb.getString
+("\t     [-alias <alias>]"));
+System.err.println(rb.getString
+("\t     [-keystore <keystore>] [-storepass <storepass>]"));
+System.err.println(rb.getString
+("\t     [-storetype <storetype>] [-providername <name>]"));
+System.err.println(rb.getString
+("\t     [-providerclass <provider_class_name> [-providerarg <arg>]] ..."));
+System.err.println(rb.getString
+("\t     [-providerpath <pathlist>]"));
+System.err.println();
+System.err.println(rb.getString
+("-printcert   [-v] [-file <cert_file>]"));
+System.err.println();
+System.err.println(rb.getString
+("-storepasswd [-v] [-new <new_storepass>]"));
+System.err.println(rb.getString
+("\t     [-keystore <keystore>] [-storepass <storepass>]"));
+System.err.println(rb.getString
+("\t     [-storetype <storetype>] [-providername <name>]"));
+System.err.println(rb.getString
+("\t     [-providerclass <provider_class_name> [-providerarg <arg>]] ..."));
+System.err.println(rb.getString
+("\t     [-providerpath <pathlist>]"));
+if (debug) {
+throw new RuntimeException("NO ERROR, SORRY");
+} else {
+System.exit(1);
+}
+}
+private void tinyHelp() {
+System.err.println(rb.getString("Try keytool -help"));
+// do not drown user with the help lines.
+if (debug) {
+throw new RuntimeException("NO BIG ERROR, SORRY");
+} else {
+System.exit(1);
+}
+}
+private void errorNeedArgument(String flag) {
+Object[] source = {flag};
+System.err.println(new MessageFormat(
+rb.getString("Command option <flag> needs an argument.")).format(source));
+tinyHelp();
+}
+}
+// This class is exactly the same as com.sun.tools.javac.util.Pair,
+// it's copied here since the original one is not included in JRE.
+class Pair<A, B> {
+public final A fst;
+public final B snd;
+public Pair(A fst, B snd) {
+this.fst = fst;
+this.snd = snd;
+}
+public String toString() {
+return "Pair[" + fst + "," + snd + "]";
+}
+private static boolean equals(Object x, Object y) {
+return (x == null && y == null) || (x != null && x.equals(y));
+}
+public boolean equals(Object other) {
+return
+other instanceof Pair &&
+equals(fst, ((Pair)other).fst) &&
+equals(snd, ((Pair)other).snd);
+}
+public int hashCode() {
+if (fst == null) return (snd == null) ? 0 : snd.hashCode() + 1;
+else if (snd == null) return fst.hashCode() + 2;
+else return fst.hashCode() * 17 + snd.hashCode();
+}
+}

changeset 2	90ce3da70b43
child 904	eadc9fa4b700