stan/jdk-24
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

8074018: Named extension not recognized in keytool -ext honored after 8073182

Browse Source 
Reviewed-by: mullan
This commit is contained in:
Weijun Wang 2015-02-28 10:47:07 +08:00
parent 03088bb6e6
commit 2bcc0c7789
2 changed files with 20 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
jdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java
View File

@ -3790,6 +3790,17 @@ public final class Main {
PublicKey pkey, PublicKey pkey,
PublicKey akey) throws Exception { PublicKey akey) throws Exception {
// By design, inside a CertificateExtensions object, all known
// extensions uses name (say, "BasicConstraints") as key and
// a child Extension type (say, "BasicConstraintsExtension")
// as value, unknown extensions uses OID as key and bare
// Extension object as value. This works fine inside JDK.
//
// However, in keytool, there is no way to prevent people
// using OID in -ext, either as a new extension, or in a
// honored value. Thus here we (ab)use CertificateExtensions
// by always using OID as key and value can be of any type.
if (existingEx != null && requestedEx != null) { if (existingEx != null && requestedEx != null) {
// This should not happen // This should not happen
throw new Exception("One of request and original should be null."); throw new Exception("One of request and original should be null.");
@ -3805,13 +3816,19 @@ public final class Main {
// name{:critical}{=value} // name{:critical}{=value}
// Honoring requested extensions // Honoring requested extensions
if (requestedEx != null) { if (requestedEx != null) {
// The existing requestedEx might use names as keys,
// translate to all-OID first.
CertificateExtensions request2 = new CertificateExtensions();
for (sun.security.x509.Extension ex: requestedEx.getAllExtensions()) {
request2.set(ex.getId(), ex);
}
for(String extstr: extstrs) { for(String extstr: extstrs) {
if (extstr.toLowerCase(Locale.ENGLISH).startsWith("honored=")) { if (extstr.toLowerCase(Locale.ENGLISH).startsWith("honored=")) {
List<String> list = Arrays.asList( List<String> list = Arrays.asList(
extstr.toLowerCase(Locale.ENGLISH).substring(8).split(",")); extstr.toLowerCase(Locale.ENGLISH).substring(8).split(","));
// First check existence of "all" // First check existence of "all"
if (list.contains("all")) { if (list.contains("all")) {
for (Extension ex: requestedEx.getAllExtensions()) { for (Extension ex: request2.getAllExtensions()) {
setExt(result, ex); setExt(result, ex);
} }
} }
@ -3844,7 +3861,7 @@ public final class Main {
} }
String n = findOidForExtName(type).toString(); String n = findOidForExtName(type).toString();
if (add) { if (add) {
Extension e = requestedEx.get(n); Extension e = request2.get(n);
if (!e.isCritical() && action == 0 if (!e.isCritical() && action == 0
|| e.isCritical() && action == 1) { || e.isCritical() && action == 1) {
e = Extension.newExtension( e = Extension.newExtension(

2
jdk/test/sun/security/tools/keytool/KeyToolTest.java
View File

@ -1612,7 +1612,7 @@ public class KeyToolTest {
// 8073181: keytool -ext honored not working correctly // 8073181: keytool -ext honored not working correctly
testOK("", simple+"-gencert -alias ca -infile test.req -ext " + testOK("", simple+"-gencert -alias ca -infile test.req -ext " +
"honored=1.2.3,1.2.4:critical " + "honored=1.2.3,KU,1.2.4:critical " +
"-debug -rfc -outfile test2.cert"); "-debug -rfc -outfile test2.cert");
testOK("", simple+"-importcert -file test2.cert -alias b"); testOK("", simple+"-importcert -file test2.cert -alias b");
ks = loadStore("x.jks", "changeit", "JKS"); ks = loadStore("x.jks", "changeit", "JKS");