6847026: keytool should be able to generate certreq and cert without subject name
authorweijun
Wed, 22 Jul 2009 16:40:04 +0800
changeset 3316 32d30c561c5a
parent 3315 2c61231c7973
child 3317 a1ea2f1893f9
6847026: keytool should be able to generate certreq and cert without subject name Reviewed-by: xuelei
jdk/src/share/classes/sun/security/tools/KeyTool.java
jdk/src/share/classes/sun/security/util/Resources.java
jdk/test/sun/security/tools/keytool/emptysubject.sh
--- a/jdk/src/share/classes/sun/security/tools/KeyTool.java	Wed Jul 22 16:39:34 2009 +0800
+++ b/jdk/src/share/classes/sun/security/tools/KeyTool.java	Wed Jul 22 16:40:04 2009 +0800
@@ -1052,7 +1052,7 @@
         X509CertImpl signerCertImpl = new X509CertImpl(encoded);
         X509CertInfo signerCertInfo = (X509CertInfo)signerCertImpl.get(
                 X509CertImpl.NAME + "." + X509CertImpl.INFO);
-        X500Name owner = (X500Name)signerCertInfo.get(X509CertInfo.SUBJECT + "." +
+        X500Name issuer = (X500Name)signerCertInfo.get(X509CertInfo.SUBJECT + "." +
                                            CertificateSubjectName.DN_NAME);
 
         Date firstDate = getStartDate(startDate);
@@ -1068,7 +1068,7 @@
         Signature signature = Signature.getInstance(sigAlgName);
         signature.initSign(privateKey);
 
-        X500Signer signer = new X500Signer(signature, owner);
+        X500Signer signer = new X500Signer(signature, issuer);
 
         X509CertInfo info = new X509CertInfo();
         info.set(X509CertInfo.VALIDITY, interval);
@@ -1102,7 +1102,8 @@
         PKCS10 req = new PKCS10(rawReq);
 
         info.set(X509CertInfo.KEY, new CertificateX509Key(req.getSubjectPublicKeyInfo()));
-        info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(req.getSubjectName()));
+        info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(
+                dname==null?req.getSubjectName():new X500Name(dname)));
         CertificateExtensions reqex = null;
         Iterator<PKCS10Attribute> attrs = req.getAttributes().getAttributes().iterator();
         while (attrs.hasNext()) {
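Review bot: The new `-dname` override in `-gencert` accepts an empty name (`new X500Name(dname)` with `dname` equal to `""`) without checking that a critical subjectAltName will also be present, so the command can apparently emit a certificate that does not conform to RFC 5280, which requires a critical SAN when the subject is empty. The test added in this commit suggests the problem only surfaces later, at `-printcert`. It would be safer to fail at issuance, once the extensions are assembled, when the subject is empty and no critical SAN was requested. The override also replaces the subject the requester placed in the PKCS#10 request, which deserves a sentence in the `-gencert` documentation. The enclosing method starts and ends outside the hunk, so where the extensions are finalised is not visible here.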
@@ -1160,8 +1161,9 @@
 
         Signature signature = Signature.getInstance(sigAlgName);
         signature.initSign(privKey);
-        X500Name subject =
-            new X500Name(((X509Certificate)cert).getSubjectDN().toString());
+        X500Name subject = dname == null?
+                new X500Name(((X509Certificate)cert).getSubjectDN().toString()):
+                new X500Name(dname);
         X500Signer signer = new X500Signer(signature, subject);
 
         // Sign the request and base-64 encode it
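Review bot: Nothing at this ternary records that `dname == null` means the option was absent while `-dname ""` is a deliberate request for an empty subject. A short comment such as `// null: -dname not given, keep the keystore certificate's subject; "" is valid and yields an empty subject` would keep a later cleanup from collapsing the two cases into an emptiness check. The same applies to the ternary in the `-gencert` hunk above, which is written with different spacing (`dname==null?`); one style for both would read better. The method body continues outside the hunk.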
@@ -3428,7 +3430,7 @@
 
                 int colonpos = name.indexOf(':');
                 if (colonpos >= 0) {
-                    if (name.substring(colonpos+1).equalsIgnoreCase("critical")) {
+                    if (oneOf(name.substring(colonpos+1), "critical") == 0) {
                         isCritical = true;
                     }
                     name = name.substring(0, colonpos);
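Review bot: A modifier that `oneOf` does not resolve to `critical` falls through with `isCritical` unchanged, so a mistyped suffix would apparently yield a non-critical extension with no diagnostic. `oneOf` is defined outside this hunk, so its behaviour for unmatched input should be confirmed. Since this commit makes subjectAltName criticality significant for empty-subject certificates, the branch should reject anything other than a match, for example with an `else` that raises the tool's usual error for an unrecognized option. A one-line comment that the modifier may now be abbreviated (the new test uses `san:c`) would also help. The surrounding loop starts and ends outside the hunk.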
@@ -3689,6 +3691,8 @@
         System.err.println(rb.getString
                 ("\t     [-alias <alias>] [-sigalg <sigalg>]"));
         System.err.println(rb.getString
+                ("\t     [-dname <dname>]"));
+        System.err.println(rb.getString
                 ("\t     [-file <csr_file>] [-keypass <keypass>]"));
         System.err.println(rb.getString
                 ("\t     [-keystore <keystore>] [-storepass <storepass>]"));
@@ -3771,6 +3775,8 @@
         System.err.println(rb.getString
                 ("\t     [-alias <alias>]"));
         System.err.println(rb.getString
+                ("\t     [-dname <dname>]"));
+        System.err.println(rb.getString
                 ("\t     [-sigalg <sigalg>]"));
         System.err.println(rb.getString
                 ("\t     [-startdate <startdate>]"));
--- a/jdk/src/share/classes/sun/security/util/Resources.java	Wed Jul 22 16:39:34 2009 +0800
+++ b/jdk/src/share/classes/sun/security/util/Resources.java	Wed Jul 22 16:40:04 2009 +0800
@@ -301,6 +301,7 @@
                 "-certreq     [-v] [-protected]"},
         {"\t     [-alias <alias>] [-sigalg <sigalg>]",
                 "\t     [-alias <alias>] [-sigalg <sigalg>]"},
+        {"\t     [-dname <dname>]", "\t     [-dname <dname>]"},
         {"\t     [-file <csr_file>] [-keypass <keypass>]",
                 "\t     [-file <csr_file>] [-keypass <keypass>]"},
         {"\t     [-keystore <keystore>] [-storepass <storepass>]",
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/tools/keytool/emptysubject.sh	Wed Jul 22 16:40:04 2009 +0800
@@ -0,0 +1,68 @@
+#
+# Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+# CA 95054 USA or visit www.sun.com if you need additional information or
+# have any questions.
+#
+
+# @test
+# @bug 6847026
+# @summary keytool should be able to generate certreq and cert without subject name
+#
+# @run shell emptysubject.sh
+#
+
+if [ "${TESTJAVA}" = "" ] ; then
+  JAVAC_CMD=`which javac`
+  TESTJAVA=`dirname $JAVAC_CMD`/..
+fi
+
+# set platform-dependent variables
+OS=`uname -s`
+case "$OS" in
+  Windows_* )
+    FS="\\"
+    ;;
+  * )
+    FS="/"
+    ;;
+esac
+
+KS=emptysubject.jks
+KT="$TESTJAVA${FS}bin${FS}keytool -storepass changeit -keypass changeit -keystore $KS"
+
+rm $KS
+
+$KT -alias ca -dname CN=CA -genkeypair
+$KT -alias me -dname CN=Me -genkeypair
+
+# When -dname is recognized, SAN must be specfied, otherwise, -printcert fails.
+$KT -alias me -certreq -dname "" | \
+        $KT -alias ca -gencert | $KT -printcert && exit 1
+$KT -alias me -certreq | \
+        $KT -alias ca -gencert -dname "" | $KT -printcert && exit 2
+$KT -alias me -certreq -dname "" | \
+        $KT -alias ca -gencert -ext san:c=email:me@me.com | \
+        $KT -printcert || exit 3
+$KT -alias me -certreq | \
+        $KT -alias ca -gencert -dname "" -ext san:c=email:me@me.com | \
+        $KT -printcert || exit 4
+
+exit 0
+
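Review bot: The two negative cases (`&& exit 1`, `&& exit 2`) observe only the exit status of the final `-printcert`, so they also pass when `-certreq` or `-gencert` fails for an unrelated reason and `-printcert` receives empty input. Writing the request and certificate to files and checking each step would make the assertion specific. There is no case for an empty subject with a non-critical SAN, which per RFC 5280 should be rejected too: `$KT -alias me -certreq -dname "" | $KT -alias ca -gencert -ext san=email:me@me.com | $KT -printcert && exit 5`. `rm $KS` should be `rm -f $KS` so a clean first run prints no error, and the two `-genkeypair` results are not checked before the pipelines depend on them.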