jdk-sandbox: comparison src/java.base/share/classes/sun/security/tools/keytool/Main.java

equal deleted inserted replaced

-:3b91496409fc
+:ddcbc20e8c6a
 package sun.security.tools.keytool;
 import java.io.*;
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.security.AlgorithmParameters;
 import java.security.CodeSigner;
 import java.security.CryptoPrimitive;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.MessageDigest;
 import java.security.Key;
-import java.security.NoSuchProviderException;
 import java.security.PublicKey;
 import java.security.PrivateKey;
 import java.security.Signature;
 import java.security.Timestamp;
 import java.security.UnrecoverableEntryException;
 import java.security.cert.X509CRLEntry;
 import java.security.cert.X509CRLSelector;
 import javax.security.auth.x500.X500Principal;
 import java.util.Base64;
+import sun.security.util.ECKeySizeParameterSpec;
 import sun.security.util.KeyUtil;
 import sun.security.util.ObjectIdentifier;
 import sun.security.pkcs10.PKCS10;
 import sun.security.pkcs10.PKCS10Attribute;
 import sun.security.provider.X509Factory;
 private Command command = null;
 private String sigAlgName = null;
 private String keyAlgName = null;
 private boolean verbose = false;
 private int keysize = -1;
+private String groupName = null;
 private boolean rfc = false;
 private long validity = (long)90;
 private String alias = null;
 private String dname = null;
 private String dest = null;
 EXPORTCERT("Exports.certificate",
 RFC, ALIAS, FILEOUT, KEYSTORE, CACERTS, STOREPASS,
 STORETYPE, PROVIDERNAME, ADDPROVIDER, PROVIDERCLASS,
 PROVIDERPATH, V, PROTECTED),
 GENKEYPAIR("Generates.a.key.pair",
-ALIAS, KEYALG, KEYSIZE, SIGALG, DESTALIAS, DNAME,
+ALIAS, KEYALG, KEYSIZE, CURVENAME, SIGALG, DESTALIAS, DNAME,
 STARTDATE, EXT, VALIDITY, KEYPASS, KEYSTORE,
 STOREPASS, STORETYPE, PROVIDERNAME, ADDPROVIDER,
 PROVIDERCLASS, PROVIDERPATH, V, PROTECTED),
 GENSECKEY("Generates.a.secret.key",
 ALIAS, KEYPASS, KEYALG, KEYSIZE, KEYSTORE,
 // If an option is allowed multiple times, remember to record it
 // in the optionsSet.contains() block in parseArgs().
 enum Option {
 ALIAS("alias", "<alias>", "alias.name.of.the.entry.to.process"),
+CURVENAME("groupname", "<name>", "groupname.option.help"),
 DESTALIAS("destalias", "<alias>", "destination.alias"),
 DESTKEYPASS("destkeypass", "<arg>", "destination.key.password"),
 DESTKEYSTORE("destkeystore", "<keystore>", "destination.keystore.name"),
 DESTPROTECTED("destprotected", null, "destination.keystore.password.protected"),
 DESTPROVIDERNAME("destprovidername", "<name>", "destination.keystore.provider.name"),
 dest = args[++i];
 } else if (collator.compare(flags, "-dname") == 0) {
 dname = args[++i];
 } else if (collator.compare(flags, "-keysize") == 0) {
 keysize = Integer.parseInt(args[++i]);
+} else if (collator.compare(flags, "-groupname") == 0) {
+groupName = args[++i];
 } else if (collator.compare(flags, "-keyalg") == 0) {
 keyAlgName = args[++i];
 } else if (collator.compare(flags, "-sigalg") == 0) {
 sigAlgName = args[++i];
 } else if (collator.compare(flags, "-startdate") == 0) {
 }
 } else if (command == GENKEYPAIR) {
 if (keyAlgName == null) {
 keyAlgName = "DSA";
 }
-doGenKeyPair(alias, dname, keyAlgName, keysize, sigAlgName);
+doGenKeyPair(alias, dname, keyAlgName, keysize, groupName, sigAlgName);
 kssave = true;
 } else if (command == GENSECKEY) {
 if (keyAlgName == null) {
 keyAlgName = "DES";
 }
 /**
 * Creates a new key pair and self-signed certificate.
 */
 private void doGenKeyPair(String alias, String dname, String keyAlgName,
-int keysize, String sigAlgName)
+int keysize, String groupName, String sigAlgName)
 throws Exception
 {
-if (keysize == -1) {
+if (groupName != null) {
-if ("EC".equalsIgnoreCase(keyAlgName)) {
+if (keysize != -1) {
-keysize = SecurityProviderConstants.DEF_EC_KEY_SIZE;
+throw new Exception(rb.getString("groupname.keysize.coexist"));
-} else if ("RSA".equalsIgnoreCase(keyAlgName)) {
+}
-keysize = SecurityProviderConstants.DEF_RSA_KEY_SIZE;
+} else {
-} else if ("DSA".equalsIgnoreCase(keyAlgName)) {
+if (keysize == -1) {
-keysize = SecurityProviderConstants.DEF_DSA_KEY_SIZE;
+if ("EC".equalsIgnoreCase(keyAlgName)) {
+keysize = SecurityProviderConstants.DEF_EC_KEY_SIZE;
+} else if ("RSA".equalsIgnoreCase(keyAlgName)) {
+keysize = SecurityProviderConstants.DEF_RSA_KEY_SIZE;
+} else if ("DSA".equalsIgnoreCase(keyAlgName)) {
+keysize = SecurityProviderConstants.DEF_DSA_KEY_SIZE;
+}
+} else {
+if ("EC".equalsIgnoreCase(keyAlgName)) {
+weakWarnings.add(String.format(
+rb.getString("deprecate.keysize.for.ec"),
+ecGroupNameForSize(keysize)));
+}
 }
 }
 if (alias == null) {
 alias = keyAlias;
 x500Name = getX500Name();
 } else {
 x500Name = new X500Name(dname);
 }
-keypair.generate(keysize);
+if (groupName != null) {
+keypair.generate(groupName);
+} else {
+// This covers keysize both specified and unspecified
+keypair.generate(keysize);
+}
 PrivateKey privKey = keypair.getPrivateKey();
 CertificateExtensions ext = createV3Extensions(
 null,
 null,
 if (keyPass == null) {
 keyPass = promptForKeyPass(alias, null, storePass);
 }
 checkWeak(rb.getString("the.generated.certificate"), chain[0]);
 keyStore.setKeyEntry(alias, privKey, keyPass, chain);
+}
+private String ecGroupNameForSize(int size) throws Exception {
+AlgorithmParameters ap = AlgorithmParameters.getInstance("EC");
+ap.init(new ECKeySizeParameterSpec(size));
+// The following line assumes the toString value is "name (oid)"
+return ap.toString().split(" ")[0];
 }
 /**
 * Clones an entry
 * @param orig original alias

changeset 52511	ddcbc20e8c6a
parent 51373	514035618c1d
child 52598	0379b618ec46