1209 signerCert.getPublicKey()); |
1209 signerCert.getPublicKey()); |
1210 info.set(X509CertInfo.EXTENSIONS, ext); |
1210 info.set(X509CertInfo.EXTENSIONS, ext); |
1211 X509CertImpl cert = new X509CertImpl(info); |
1211 X509CertImpl cert = new X509CertImpl(info); |
1212 cert.sign(privateKey, sigAlgName); |
1212 cert.sign(privateKey, sigAlgName); |
1213 dumpCert(cert, out); |
1213 dumpCert(cert, out); |
|
1214 for (Certificate ca: keyStore.getCertificateChain(alias)) { |
|
1215 if (ca instanceof X509Certificate) { |
|
1216 X509Certificate xca = (X509Certificate)ca; |
|
1217 if (!isSelfSigned(xca)) { |
|
1218 dumpCert(xca, out); |
|
1219 } |
|
1220 } |
|
1221 } |
1214 } |
1222 } |
1215 |
1223 |
1216 /** |
1224 /** |
1217 * Creates a PKCS#10 cert signing request, corresponding to the |
1225 * Creates a PKCS#10 cert signing request, corresponding to the |
1218 * keys (and name) associated with a given alias. |
1226 * keys (and name) associated with a given alias. |
2638 return false; |
2646 return false; |
2639 } |
2647 } |
2640 } |
2648 } |
2641 |
2649 |
2642 /** |
2650 /** |
2643 * Returns true if the given certificate is trusted, false otherwise. |
2651 * Locates a signer for a given certificate from a given keystore and |
2644 */ |
2652 * returns the signer's certificate. |
2645 private boolean isTrusted(Certificate cert) |
2653 * @param cert the certificate whose signer is searched, not null |
2646 throws Exception |
2654 * @param ks the keystore to search with, not null |
2647 { |
2655 * @return <code>cert</code> itself if it's already inside <code>ks</code>, |
2648 if (keyStore.getCertificateAlias(cert) != null) { |
2656 * or a certificate inside <code>ks</code> who signs <code>cert</code>, |
2649 return true; // found in own keystore |
2657 * or null otherwise. |
2650 } |
2658 */ |
2651 if (trustcacerts && (caks != null) && |
2659 private static Certificate getTrustedSigner(Certificate cert, KeyStore ks) |
2652 (caks.getCertificateAlias(cert) != null)) { |
2660 throws Exception { |
2653 return true; // found in CA keystore |
2661 if (ks.getCertificateAlias(cert) != null) { |
2654 } |
2662 return cert; |
2655 return false; |
2663 } |
|
2664 for (Enumeration<String> aliases = ks.aliases(); |
|
2665 aliases.hasMoreElements(); ) { |
|
2666 String name = aliases.nextElement(); |
|
2667 Certificate trustedCert = ks.getCertificate(name); |
|
2668 if (trustedCert != null) { |
|
2669 try { |
|
2670 cert.verify(trustedCert.getPublicKey()); |
|
2671 return trustedCert; |
|
2672 } catch (Exception e) { |
|
2673 // Not verified, skip to the next one |
|
2674 } |
|
2675 } |
|
2676 } |
|
2677 return null; |
2656 } |
2678 } |
2657 |
2679 |
2658 /** |
2680 /** |
2659 * Gets an X.500 name suitable for inclusion in a certification request. |
2681 * Gets an X.500 name suitable for inclusion in a certification request. |
2660 */ |
2682 */ |
2983 |
3005 |
2984 if (noprompt) { |
3006 if (noprompt) { |
2985 return replyCerts; |
3007 return replyCerts; |
2986 } |
3008 } |
2987 |
3009 |
2988 // do we trust the (root) cert at the top? |
3010 // do we trust the cert at the top? |
2989 Certificate topCert = replyCerts[replyCerts.length-1]; |
3011 Certificate topCert = replyCerts[replyCerts.length-1]; |
2990 if (!isTrusted(topCert)) { |
3012 Certificate root = getTrustedSigner(topCert, keyStore); |
2991 boolean verified = false; |
3013 if (root == null && trustcacerts && caks != null) { |
2992 Certificate rootCert = null; |
3014 root = getTrustedSigner(topCert, caks); |
2993 if (trustcacerts && (caks!= null)) { |
3015 } |
2994 for (Enumeration<String> aliases = caks.aliases(); |
3016 if (root == null) { |
2995 aliases.hasMoreElements(); ) { |
3017 System.err.println(); |
2996 String name = aliases.nextElement(); |
3018 System.err.println |
2997 rootCert = caks.getCertificate(name); |
3019 (rb.getString("Top-level certificate in reply:\n")); |
2998 if (rootCert != null) { |
3020 printX509Cert((X509Certificate)topCert, System.out); |
2999 try { |
3021 System.err.println(); |
3000 topCert.verify(rootCert.getPublicKey()); |
3022 System.err.print(rb.getString("... is not trusted. ")); |
3001 verified = true; |
3023 String reply = getYesNoReply |
3002 break; |
3024 (rb.getString("Install reply anyway? [no]: ")); |
3003 } catch (Exception e) { |
3025 if ("NO".equals(reply)) { |
3004 } |
3026 return null; |
3005 } |
3027 } |
3006 } |
3028 } else { |
3007 } |
3029 if (root != topCert) { |
3008 if (!verified) { |
3030 // append the root CA cert to the chain |
3009 System.err.println(); |
3031 Certificate[] tmpCerts = |
3010 System.err.println |
3032 new Certificate[replyCerts.length+1]; |
3011 (rb.getString("Top-level certificate in reply:\n")); |
3033 System.arraycopy(replyCerts, 0, tmpCerts, 0, |
3012 printX509Cert((X509Certificate)topCert, System.out); |
3034 replyCerts.length); |
3013 System.err.println(); |
3035 tmpCerts[tmpCerts.length-1] = root; |
3014 System.err.print(rb.getString("... is not trusted. ")); |
3036 replyCerts = tmpCerts; |
3015 String reply = getYesNoReply |
|
3016 (rb.getString("Install reply anyway? [no]: ")); |
|
3017 if ("NO".equals(reply)) { |
|
3018 return null; |
|
3019 } |
|
3020 } else { |
|
3021 if (!isSelfSigned((X509Certificate)topCert)) { |
|
3022 // append the (self-signed) root CA cert to the chain |
|
3023 Certificate[] tmpCerts = |
|
3024 new Certificate[replyCerts.length+1]; |
|
3025 System.arraycopy(replyCerts, 0, tmpCerts, 0, |
|
3026 replyCerts.length); |
|
3027 tmpCerts[tmpCerts.length-1] = rootCert; |
|
3028 replyCerts = tmpCerts; |
|
3029 } |
|
3030 } |
3037 } |
3031 } |
3038 } |
3032 |
3039 |
3033 return replyCerts; |
3040 return replyCerts; |
3034 } |
3041 } |