6968542: keytool -importcert cannot deal with duplicate certs
authorweijun
Fri, 17 Jun 2016 09:46:27 +0800
changeset 39046 db1dddd32a8f
parent 39045 35d9f2f302ad
child 39047 cf08ea56b4de
6968542: keytool -importcert cannot deal with duplicate certs Reviewed-by: xuelei
jdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java
jdk/test/sun/security/tools/keytool/DupImport.java
--- a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java	Fri Jun 17 09:46:03 2016 +0800
+++ b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java	Fri Jun 17 09:46:27 2016 +0800
@@ -3274,6 +3274,11 @@
         // we parsed them using an X.509 certificate factory
         int i;
         PublicKey userPubKey = userCert.getPublicKey();
+
+        // Remove duplicated certificates.
+        HashSet<Certificate> nodup = new HashSet<>(Arrays.asList(replyCerts));
+        replyCerts = nodup.toArray(new Certificate[nodup.size()]);
+
         for (i=0; i<replyCerts.length; i++) {
             if (userPubKey.equals(replyCerts[i].getPublicKey())) {
                 break;
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/tools/keytool/DupImport.java	Fri Jun 17 09:46:27 2016 +0800
@@ -0,0 +1,124 @@
+/*
+ * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 6968542
+ * @summary keytool -importcert cannot deal with duplicate certs
+ * @modules java.base/sun.security.tools.keytool
+ * @compile -XDignore.symbol.file DupImport.java
+ * @run main DupImport pkcs12
+ * @run main DupImport jks
+ */
+
+import java.io.File;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.security.KeyStore;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+public class DupImport {
+
+    static String storeType = null;
+
+    public static void main(String[] args) throws Exception {
+
+        storeType = args[0];
+        Files.deleteIfExists(Paths.get("dup.ks"));
+
+        // Create chain: root -> int -> me
+        run("-genkeypair -alias me -dname CN=Me");
+        run("-genkeypair -alias int -dname CN=Int");
+        run("-genkeypair -alias root -dname CN=Root");
+
+        run("-certreq -alias int -file int.req");
+        run("-gencert -infile int.req -alias root -rfc -outfile int.resp");
+        run("-importcert -file int.resp -alias int");
+
+        run("-certreq -alias me -file me.req");
+        run("-gencert -infile me.req -alias int -rfc -outfile me.resp");
+        run("-importcert -file me.resp -alias me");
+
+        // Export certs
+        run("-exportcert -alias me -file me -rfc");
+        run("-exportcert -alias int -file int -rfc");
+        run("-exportcert -alias root -file root -rfc");
+
+        // test 1: just the 3 certs
+        test("me", "int", "root");
+
+        // test 2: 3 chains (without root) concatenated
+        test("me", "int", "int", "root");
+
+        // test 3: 3 full chains concatenated
+        test("me", "int", "root", "int", "root", "root");
+
+        // test 4: a mess
+        test("root", "me", "int", "int", "me", "me", "root", "int");
+    }
+
+    // Run keytool command with common options
+    static void run(String s) throws Exception {
+        sun.security.tools.keytool.Main.main((
+                "-keystore dup.ks -storepass changeit -keypass changeit "
+                        + "-storetype " + storeType + " -debug "
+                        + s).split(" "));
+    }
+
+    // Test "cat files... | keytool -import"
+    static void test(String... files) throws Exception {
+
+        System.out.println("Testing " + Arrays.toString(files));
+
+        List<String> all = new ArrayList<>();
+        for (String file : files) {
+            all.addAll(Files.readAllLines(Paths.get(file)));
+        }
+        Files.write(Paths.get("reply"), all);
+
+        run("-importcert -file reply -alias me");
+        KeyStore ks = KeyStore.getInstance(
+                new File("dup.ks"), "changeit".toCharArray());
+        Certificate[] chain = ks.getCertificateChain("me");
+        if (chain.length != 3) {
+            throw new Exception("Length is " + chain.length);
+        }
+
+        checkName(chain[0], "CN=Me");
+        checkName(chain[1], "CN=Int");
+        checkName(chain[2], "CN=Root");
+    }
+
+    // Check if c's dname is expected
+    static void checkName(Certificate c, String expected) throws Exception {
+        X509Certificate x = (X509Certificate)c;
+        String name = x.getSubjectX500Principal().toString();
+        if (!expected.equals(name)) {
+            throw new Exception("Expected " + expected + ", but " + name);
+        }
+    }
+}