Skip to content
This repository has been archived by the owner. It is now read-only.
Permalink
Browse files
8244148: keytool -printcert and -printcrl should support the -trustca…
…certs and -keystore options

Reviewed-by: weijun, jjiang
  • Loading branch information
Hai-May Chao committed Jun 23, 2020
1 parent 8d9826e commit e3eb38f4d2fbff9a68f2b4fd5be24f082f949510
Show file tree
Hide file tree
Showing 12 changed files with 459 additions and 50 deletions.
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -32,6 +32,7 @@
import java.util.*;
import java.util.concurrent.locks.ReentrantLock;
import sun.security.action.*;
import sun.security.util.FilePaths;
import sun.security.validator.TrustStoreUtil;

/**
@@ -76,8 +77,7 @@ private static final class TrustStoreDescriptor {
private static final String defaultStorePath =
GetPropertyAction.privilegedGetProperty("java.home") +
fileSep + "lib" + fileSep + "security";
private static final String defaultStore =
defaultStorePath + fileSep + "cacerts";
private static final String defaultStore = FilePaths.cacerts();
private static final String jsseDefaultStore =
defaultStorePath + fileSep + "jssecacerts";

@@ -51,6 +51,7 @@
import java.util.ResourceBundle;
import java.util.ServiceLoader;

import sun.security.util.FilePaths;
import sun.security.util.PropertyExpander;

/**
@@ -110,10 +111,7 @@ public static String niceStoreTypeName(String storetype) {
* Returns the file name of the keystore with the configured CA certificates.
*/
public static String getCacerts() {
String sep = File.separator;
return System.getProperty("java.home") + sep
+ "lib" + sep + "security" + sep
+ "cacerts";
return FilePaths.cacerts();
}

/**
@@ -260,12 +260,15 @@ enum Command {
PROVIDERPATH, V, PROTECTED),
PRINTCERT("Prints.the.content.of.a.certificate",
RFC, FILEIN, SSLSERVER, JARFILE,
KEYSTORE, STOREPASS, STORETYPE, TRUSTCACERTS,
PROVIDERNAME, ADDPROVIDER, PROVIDERCLASS,
PROVIDERPATH, V),
PROVIDERPATH, V, PROTECTED),
PRINTCERTREQ("Prints.the.content.of.a.certificate.request",
FILEIN, V),
PRINTCRL("Prints.the.content.of.a.CRL.file",
FILEIN, V),
FILEIN, KEYSTORE, STOREPASS, STORETYPE, TRUSTCACERTS,
PROVIDERNAME, ADDPROVIDER, PROVIDERCLASS, PROVIDERPATH,
V, PROTECTED),
STOREPASSWD("Changes.the.store.password.of.a.keystore",
NEW, KEYSTORE, CACERTS, STOREPASS, STORETYPE, PROVIDERNAME,
ADDPROVIDER, PROVIDERCLASS, PROVIDERPATH, V),
@@ -719,7 +722,7 @@ else if (collator.compare(flags, "-v") == 0) {
}

boolean isKeyStoreRelated(Command cmd) {
return cmd != PRINTCERT && cmd != PRINTCERTREQ && cmd != SHOWINFO;
return cmd != PRINTCERTREQ && cmd != SHOWINFO;
}

/**
@@ -904,14 +907,15 @@ void doCommands(PrintStream out) throws Exception {
} catch (FileNotFoundException e) {
// These commands do not need the keystore to be existing.
// Either it will create a new one or the keystore is
// optional (i.e. PRINTCRL).
// optional (i.e. PRINTCRL and PRINTCERT).
if (command != GENKEYPAIR &&
command != GENSECKEY &&
command != IDENTITYDB &&
command != IMPORTCERT &&
command != IMPORTPASS &&
command != IMPORTKEYSTORE &&
command != PRINTCRL) {
command != PRINTCRL &&
command != PRINTCERT) {
throw new Exception(rb.getString
("Keystore.file.does.not.exist.") + ksfname);
}
@@ -1073,7 +1077,7 @@ && isKeyStoreRelated(command)
}
} else {
// here we have EXPORTCERT and LIST (info valid until STOREPASSWD)
if (command != PRINTCRL) {
if (command != PRINTCRL && command != PRINTCERT) {
System.err.print(rb.getString("Enter.keystore.password."));
System.err.flush();
storePass = Password.readPassword(System.in);
@@ -1108,10 +1112,10 @@ && isKeyStoreRelated(command)
}
}

// -trustcacerts can only be specified on -importcert.
// Reset it so that warnings on CA cert will remain for
// -printcert, etc.
if (command != IMPORTCERT) {
// -trustcacerts can be specified on -importcert, -printcert or -printcrl.
// Reset it so that warnings on CA cert will remain for other command.
if (command != IMPORTCERT && command != PRINTCERT
&& command != PRINTCRL) {
trustcacerts = false;
}

@@ -2442,27 +2446,6 @@ private void doPrintEntries(PrintStream out)
}
}

private static <T> Iterable<T> e2i(final Enumeration<T> e) {
return new Iterable<T>() {
@Override
public Iterator<T> iterator() {
return new Iterator<T>() {
@Override
public boolean hasNext() {
return e.hasMoreElements();
}
@Override
public T next() {
return e.nextElement();
}
public void remove() {
throw new UnsupportedOperationException("Not supported yet.");
}
};
}
};
}

/**
* Loads CRLs from a source. This method is also called in JarSigner.
* @param src the source, which means System.in if null, or a URI,
@@ -2556,7 +2539,7 @@ private static String verifyCRL(KeyStore ks, CRL crl)
throws Exception {
X509CRLImpl xcrl = (X509CRLImpl)crl;
X500Principal issuer = xcrl.getIssuerX500Principal();
for (String s: e2i(ks.aliases())) {
for (String s: Collections.list(ks.aliases())) {
Certificate cert = ks.getCertificate(s);
if (cert instanceof X509Certificate) {
X509Certificate xcert = (X509Certificate)cert;
@@ -2605,8 +2588,13 @@ private void doPrintCRL(String src, PrintStream out)
if (issuer == null) {
out.println(rb.getString
("STAR"));
out.println(rb.getString
("warning.not.verified.make.sure.keystore.is.correct"));
if (trustcacerts) {
out.println(rb.getString
("warning.not.verified.make.sure.keystore.is.correct"));
} else {
out.println(rb.getString
("warning.not.verified.make.sure.keystore.is.correct.or.specify.trustcacerts"));
}
out.println(rb.getString
("STARNN"));
}
@@ -429,6 +429,8 @@ public class Resources extends java.util.ListResourceBundle {

{"warning.not.verified.make.sure.keystore.is.correct",
"WARNING: not verified. Make sure -keystore is correct."},
{"warning.not.verified.make.sure.keystore.is.correct.or.specify.trustcacerts",
"WARNING: not verified. Make sure -keystore is correct or specify -trustcacerts."},

{"Extensions.", "Extensions: "},
{".Empty.value.", "(Empty value)"},
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2016, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -36,7 +36,6 @@
import java.util.HashSet;
import java.util.Set;

import jdk.internal.util.StaticProperty;
import sun.security.x509.X509CertImpl;

/**
@@ -53,10 +52,9 @@ public class AnchorCertificates {
AccessController.doPrivileged(new PrivilegedAction<Void>() {
@Override
public Void run() {
File f = new File(StaticProperty.javaHome(),
"lib/security/cacerts");
KeyStore cacerts;
File f = new File(FilePaths.cacerts());
try {
KeyStore cacerts;
cacerts = KeyStore.getInstance("JKS");
try (FileInputStream fis = new FileInputStream(f)) {
cacerts.load(fis, null);
@@ -0,0 +1,37 @@
/*
* Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/

package sun.security.util;

import jdk.internal.util.StaticProperty;

import java.io.File;

public class FilePaths {
public static String cacerts() {
return StaticProperty.javaHome() + File.separator + "lib"
+ File.separator + "security" + File.separator + "cacerts";
}
}
@@ -259,8 +259,8 @@ static void jksTypeCheck() throws Exception {
.shouldContain("JKS keystore uses a proprietary format");
kt("-exportcert -alias a -file a.crt")
.shouldContain("JKS keystore uses a proprietary format");
kt("-printcert -file a.crt") // no warning if keystore not touched
.shouldNotContain("Warning:");
kt("-printcert -file a.crt") // warning since -keystore option is supported
.shouldContain("JKS keystore uses a proprietary format");
kt("-certreq -alias a -file a.req")
.shouldContain("JKS keystore uses a proprietary format");
kt("-printcertreq -file a.req") // no warning if keystore not touched
@@ -283,8 +283,8 @@ static void jksTypeCheck() throws Exception {
.shouldContain("JCEKS keystore uses a proprietary format");
kt("-exportcert -alias a -file a.crt")
.shouldContain("JCEKS keystore uses a proprietary format");
kt("-printcert -file a.crt")
.shouldNotContain("Warning:");
kt("-printcert -file a.crt") // warning since -keystore option is supported
.shouldContain("JCEKS keystore uses a proprietary format");
kt("-certreq -alias a -file a.req")
.shouldContain("JCEKS keystore uses a proprietary format");
kt("-printcertreq -file a.req")
@@ -0,0 +1,65 @@
/*
* Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/

/*
* @test
* @bug 8244148
* @library /test/lib
* @library /test/jdk/sun/security/util/module_patch
* @build java.base/sun.security.util.FilePaths
* @modules java.base/jdk.internal.misc
* @run main MyOwnCacerts
*/

import jdk.test.lib.SecurityTools;
import jdk.test.lib.process.OutputAnalyzer;

public class MyOwnCacerts {

// The --patch-module must be explicitly specified on the keytool
// command line because it's in a separate process
private static final String PATCH_OPTION;

static {
String tmp = "";
for (String a : jdk.internal.misc.VM.getRuntimeArguments()) {
if (a.startsWith("--patch-module")) {
tmp = "-J" + a + " ";
break;
}
}
PATCH_OPTION = tmp;
}

public static void main(String[] args) throws Exception {
kt("-keystore mycacerts -genkeypair -alias a" +
" -dname CN=root -keyalg EC -storepass changeit")
.shouldContain("Warning: use -cacerts option");
kt("-list -cacerts -storepass changeit")
.shouldContain("Your keystore contains 1 entry");
}

static OutputAnalyzer kt(String s) throws Exception {
return SecurityTools.keytool(PATCH_OPTION + s);
}
}

0 comments on commit e3eb38f

Please sign in to comment.