26 package sun.security.tools.keytool; |
26 package sun.security.tools.keytool; |
27 |
27 |
28 import java.io.*; |
28 import java.io.*; |
29 import java.nio.file.Files; |
29 import java.nio.file.Files; |
30 import java.nio.file.Path; |
30 import java.nio.file.Path; |
|
31 import java.security.AlgorithmParameters; |
31 import java.security.CodeSigner; |
32 import java.security.CodeSigner; |
32 import java.security.CryptoPrimitive; |
33 import java.security.CryptoPrimitive; |
33 import java.security.KeyStore; |
34 import java.security.KeyStore; |
34 import java.security.KeyStoreException; |
35 import java.security.KeyStoreException; |
35 import java.security.MessageDigest; |
36 import java.security.MessageDigest; |
36 import java.security.Key; |
37 import java.security.Key; |
37 import java.security.NoSuchProviderException; |
|
38 import java.security.PublicKey; |
38 import java.security.PublicKey; |
39 import java.security.PrivateKey; |
39 import java.security.PrivateKey; |
40 import java.security.Signature; |
40 import java.security.Signature; |
41 import java.security.Timestamp; |
41 import java.security.Timestamp; |
42 import java.security.UnrecoverableEntryException; |
42 import java.security.UnrecoverableEntryException; |
66 import java.security.cert.X509CRLEntry; |
66 import java.security.cert.X509CRLEntry; |
67 import java.security.cert.X509CRLSelector; |
67 import java.security.cert.X509CRLSelector; |
68 import javax.security.auth.x500.X500Principal; |
68 import javax.security.auth.x500.X500Principal; |
69 import java.util.Base64; |
69 import java.util.Base64; |
70 |
70 |
|
71 import sun.security.util.ECKeySizeParameterSpec; |
71 import sun.security.util.KeyUtil; |
72 import sun.security.util.KeyUtil; |
72 import sun.security.util.ObjectIdentifier; |
73 import sun.security.util.ObjectIdentifier; |
73 import sun.security.pkcs10.PKCS10; |
74 import sun.security.pkcs10.PKCS10; |
74 import sun.security.pkcs10.PKCS10Attribute; |
75 import sun.security.pkcs10.PKCS10Attribute; |
75 import sun.security.provider.X509Factory; |
76 import sun.security.provider.X509Factory; |
114 private Command command = null; |
115 private Command command = null; |
115 private String sigAlgName = null; |
116 private String sigAlgName = null; |
116 private String keyAlgName = null; |
117 private String keyAlgName = null; |
117 private boolean verbose = false; |
118 private boolean verbose = false; |
118 private int keysize = -1; |
119 private int keysize = -1; |
|
120 private String groupName = null; |
119 private boolean rfc = false; |
121 private boolean rfc = false; |
120 private long validity = (long)90; |
122 private long validity = (long)90; |
121 private String alias = null; |
123 private String alias = null; |
122 private String dname = null; |
124 private String dname = null; |
123 private String dest = null; |
125 private String dest = null; |
200 EXPORTCERT("Exports.certificate", |
202 EXPORTCERT("Exports.certificate", |
201 RFC, ALIAS, FILEOUT, KEYSTORE, CACERTS, STOREPASS, |
203 RFC, ALIAS, FILEOUT, KEYSTORE, CACERTS, STOREPASS, |
202 STORETYPE, PROVIDERNAME, ADDPROVIDER, PROVIDERCLASS, |
204 STORETYPE, PROVIDERNAME, ADDPROVIDER, PROVIDERCLASS, |
203 PROVIDERPATH, V, PROTECTED), |
205 PROVIDERPATH, V, PROTECTED), |
204 GENKEYPAIR("Generates.a.key.pair", |
206 GENKEYPAIR("Generates.a.key.pair", |
205 ALIAS, KEYALG, KEYSIZE, SIGALG, DESTALIAS, DNAME, |
207 ALIAS, KEYALG, KEYSIZE, CURVENAME, SIGALG, DESTALIAS, DNAME, |
206 STARTDATE, EXT, VALIDITY, KEYPASS, KEYSTORE, |
208 STARTDATE, EXT, VALIDITY, KEYPASS, KEYSTORE, |
207 STOREPASS, STORETYPE, PROVIDERNAME, ADDPROVIDER, |
209 STOREPASS, STORETYPE, PROVIDERNAME, ADDPROVIDER, |
208 PROVIDERCLASS, PROVIDERPATH, V, PROTECTED), |
210 PROVIDERCLASS, PROVIDERPATH, V, PROTECTED), |
209 GENSECKEY("Generates.a.secret.key", |
211 GENSECKEY("Generates.a.secret.key", |
210 ALIAS, KEYPASS, KEYALG, KEYSIZE, KEYSTORE, |
212 ALIAS, KEYPASS, KEYALG, KEYSIZE, KEYSTORE, |
312 |
314 |
313 // If an option is allowed multiple times, remember to record it |
315 // If an option is allowed multiple times, remember to record it |
314 // in the optionsSet.contains() block in parseArgs(). |
316 // in the optionsSet.contains() block in parseArgs(). |
315 enum Option { |
317 enum Option { |
316 ALIAS("alias", "<alias>", "alias.name.of.the.entry.to.process"), |
318 ALIAS("alias", "<alias>", "alias.name.of.the.entry.to.process"), |
|
319 CURVENAME("groupname", "<name>", "groupname.option.help"), |
317 DESTALIAS("destalias", "<alias>", "destination.alias"), |
320 DESTALIAS("destalias", "<alias>", "destination.alias"), |
318 DESTKEYPASS("destkeypass", "<arg>", "destination.key.password"), |
321 DESTKEYPASS("destkeypass", "<arg>", "destination.key.password"), |
319 DESTKEYSTORE("destkeystore", "<keystore>", "destination.keystore.name"), |
322 DESTKEYSTORE("destkeystore", "<keystore>", "destination.keystore.name"), |
320 DESTPROTECTED("destprotected", null, "destination.keystore.password.protected"), |
323 DESTPROTECTED("destprotected", null, "destination.keystore.password.protected"), |
321 DESTPROVIDERNAME("destprovidername", "<name>", "destination.keystore.provider.name"), |
324 DESTPROVIDERNAME("destprovidername", "<name>", "destination.keystore.provider.name"), |
584 dest = args[++i]; |
587 dest = args[++i]; |
585 } else if (collator.compare(flags, "-dname") == 0) { |
588 } else if (collator.compare(flags, "-dname") == 0) { |
586 dname = args[++i]; |
589 dname = args[++i]; |
587 } else if (collator.compare(flags, "-keysize") == 0) { |
590 } else if (collator.compare(flags, "-keysize") == 0) { |
588 keysize = Integer.parseInt(args[++i]); |
591 keysize = Integer.parseInt(args[++i]); |
|
592 } else if (collator.compare(flags, "-groupname") == 0) { |
|
593 groupName = args[++i]; |
589 } else if (collator.compare(flags, "-keyalg") == 0) { |
594 } else if (collator.compare(flags, "-keyalg") == 0) { |
590 keyAlgName = args[++i]; |
595 keyAlgName = args[++i]; |
591 } else if (collator.compare(flags, "-sigalg") == 0) { |
596 } else if (collator.compare(flags, "-sigalg") == 0) { |
592 sigAlgName = args[++i]; |
597 sigAlgName = args[++i]; |
593 } else if (collator.compare(flags, "-startdate") == 0) { |
598 } else if (collator.compare(flags, "-startdate") == 0) { |
1117 } |
1122 } |
1118 } else if (command == GENKEYPAIR) { |
1123 } else if (command == GENKEYPAIR) { |
1119 if (keyAlgName == null) { |
1124 if (keyAlgName == null) { |
1120 keyAlgName = "DSA"; |
1125 keyAlgName = "DSA"; |
1121 } |
1126 } |
1122 doGenKeyPair(alias, dname, keyAlgName, keysize, sigAlgName); |
1127 doGenKeyPair(alias, dname, keyAlgName, keysize, groupName, sigAlgName); |
1123 kssave = true; |
1128 kssave = true; |
1124 } else if (command == GENSECKEY) { |
1129 } else if (command == GENSECKEY) { |
1125 if (keyAlgName == null) { |
1130 if (keyAlgName == null) { |
1126 keyAlgName = "DES"; |
1131 keyAlgName = "DES"; |
1127 } |
1132 } |
1791 |
1796 |
1792 /** |
1797 /** |
1793 * Creates a new key pair and self-signed certificate. |
1798 * Creates a new key pair and self-signed certificate. |
1794 */ |
1799 */ |
1795 private void doGenKeyPair(String alias, String dname, String keyAlgName, |
1800 private void doGenKeyPair(String alias, String dname, String keyAlgName, |
1796 int keysize, String sigAlgName) |
1801 int keysize, String groupName, String sigAlgName) |
1797 throws Exception |
1802 throws Exception |
1798 { |
1803 { |
1799 if (keysize == -1) { |
1804 if (groupName != null) { |
1800 if ("EC".equalsIgnoreCase(keyAlgName)) { |
1805 if (keysize != -1) { |
1801 keysize = SecurityProviderConstants.DEF_EC_KEY_SIZE; |
1806 throw new Exception(rb.getString("groupname.keysize.coexist")); |
1802 } else if ("RSA".equalsIgnoreCase(keyAlgName)) { |
1807 } |
1803 keysize = SecurityProviderConstants.DEF_RSA_KEY_SIZE; |
1808 } else { |
1804 } else if ("DSA".equalsIgnoreCase(keyAlgName)) { |
1809 if (keysize == -1) { |
1805 keysize = SecurityProviderConstants.DEF_DSA_KEY_SIZE; |
1810 if ("EC".equalsIgnoreCase(keyAlgName)) { |
|
1811 keysize = SecurityProviderConstants.DEF_EC_KEY_SIZE; |
|
1812 } else if ("RSA".equalsIgnoreCase(keyAlgName)) { |
|
1813 keysize = SecurityProviderConstants.DEF_RSA_KEY_SIZE; |
|
1814 } else if ("DSA".equalsIgnoreCase(keyAlgName)) { |
|
1815 keysize = SecurityProviderConstants.DEF_DSA_KEY_SIZE; |
|
1816 } |
|
1817 } else { |
|
1818 if ("EC".equalsIgnoreCase(keyAlgName)) { |
|
1819 weakWarnings.add(String.format( |
|
1820 rb.getString("deprecate.keysize.for.ec"), |
|
1821 ecGroupNameForSize(keysize))); |
|
1822 } |
1806 } |
1823 } |
1807 } |
1824 } |
1808 |
1825 |
1809 if (alias == null) { |
1826 if (alias == null) { |
1810 alias = keyAlias; |
1827 alias = keyAlias; |
1827 x500Name = getX500Name(); |
1844 x500Name = getX500Name(); |
1828 } else { |
1845 } else { |
1829 x500Name = new X500Name(dname); |
1846 x500Name = new X500Name(dname); |
1830 } |
1847 } |
1831 |
1848 |
1832 keypair.generate(keysize); |
1849 if (groupName != null) { |
|
1850 keypair.generate(groupName); |
|
1851 } else { |
|
1852 // This covers keysize both specified and unspecified |
|
1853 keypair.generate(keysize); |
|
1854 } |
|
1855 |
1833 PrivateKey privKey = keypair.getPrivateKey(); |
1856 PrivateKey privKey = keypair.getPrivateKey(); |
1834 |
1857 |
1835 CertificateExtensions ext = createV3Extensions( |
1858 CertificateExtensions ext = createV3Extensions( |
1836 null, |
1859 null, |
1837 null, |
1860 null, |
1857 if (keyPass == null) { |
1880 if (keyPass == null) { |
1858 keyPass = promptForKeyPass(alias, null, storePass); |
1881 keyPass = promptForKeyPass(alias, null, storePass); |
1859 } |
1882 } |
1860 checkWeak(rb.getString("the.generated.certificate"), chain[0]); |
1883 checkWeak(rb.getString("the.generated.certificate"), chain[0]); |
1861 keyStore.setKeyEntry(alias, privKey, keyPass, chain); |
1884 keyStore.setKeyEntry(alias, privKey, keyPass, chain); |
|
1885 } |
|
1886 |
|
1887 private String ecGroupNameForSize(int size) throws Exception { |
|
1888 AlgorithmParameters ap = AlgorithmParameters.getInstance("EC"); |
|
1889 ap.init(new ECKeySizeParameterSpec(size)); |
|
1890 // The following line assumes the toString value is "name (oid)" |
|
1891 return ap.toString().split(" ")[0]; |
1862 } |
1892 } |
1863 |
1893 |
1864 /** |
1894 /** |
1865 * Clones an entry |
1895 * Clones an entry |
1866 * @param orig original alias |
1896 * @param orig original alias |