From cbe29b7b72f02cdf21f51695d6cf87c51383bc60 Mon Sep 17 00:00:00 2001 From: Vinnie Ryan Date: Fri, 4 Oct 2013 16:05:55 +0100 Subject: [PATCH] 8008296: keytool utility doesn't support '-importpassword' command Reviewed-by: weijun --- .../sun/security/tools/keytool/Main.java | 115 +++++++++-- .../sun/security/tools/keytool/Resources.java | 11 +- .../tools/keytool/StorePasswords.java | 186 ++++++++++++++++++ .../tools/keytool/StorePasswordsByShell.sh | 140 +++++++++++++ 4 files changed, 440 insertions(+), 12 deletions(-) create mode 100644 jdk/test/sun/security/tools/keytool/StorePasswords.java create mode 100644 jdk/test/sun/security/tools/keytool/StorePasswordsByShell.sh diff --git a/jdk/src/share/classes/sun/security/tools/keytool/Main.java b/jdk/src/share/classes/sun/security/tools/keytool/Main.java index 02ea1d0497f..c5e0fe7d627 100644 --- a/jdk/src/share/classes/sun/security/tools/keytool/Main.java +++ b/jdk/src/share/classes/sun/security/tools/keytool/Main.java @@ -72,6 +72,8 @@ import sun.security.provider.certpath.CertStoreHelper; import sun.security.util.Password; import javax.crypto.KeyGenerator; import javax.crypto.SecretKey; +import javax.crypto.SecretKeyFactory; +import javax.crypto.spec.PBEKeySpec; import sun.security.pkcs.PKCS9Attribute; import sun.security.tools.KeyStoreUtil; @@ -190,6 +192,10 @@ public final class Main { KEYPASS, KEYSTORE, STOREPASS, STORETYPE, PROVIDERNAME, PROVIDERCLASS, PROVIDERARG, PROVIDERPATH, V), + IMPORTPASS("Imports.a.password", + ALIAS, KEYPASS, KEYALG, KEYSIZE, KEYSTORE, + STOREPASS, STORETYPE, PROVIDERNAME, PROVIDERCLASS, + PROVIDERARG, PROVIDERPATH, V, PROTECTED), IMPORTKEYSTORE("Imports.one.or.all.entries.from.another.keystore", SRCKEYSTORE, DESTKEYSTORE, SRCSTORETYPE, DESTSTORETYPE, SRCSTOREPASS, DESTSTOREPASS, @@ -409,6 +415,8 @@ public final class Main { command = GENKEYPAIR; } else if (collator.compare(flags, "-import") == 0) { command = IMPORTCERT; + } else if (collator.compare(flags, "-importpassword") == 0) { + command = IMPORTPASS; } /* * Help @@ -727,6 +735,7 @@ public final class Main { command != GENSECKEY && command != IDENTITYDB && command != IMPORTCERT && + command != IMPORTPASS && command != IMPORTKEYSTORE && command != PRINTCRL) { throw new Exception(rb.getString @@ -808,6 +817,7 @@ public final class Main { command == GENKEYPAIR || command == GENSECKEY || command == IMPORTCERT || + command == IMPORTPASS || command == IMPORTKEYSTORE || command == KEYCLONE || command == CHANGEALIAS || @@ -958,6 +968,13 @@ public final class Main { } doGenSecretKey(alias, keyAlgName, keysize); kssave = true; + } else if (command == IMPORTPASS) { + if (keyAlgName == null) { + keyAlgName = "PBE"; + } + // password is stored as a secret key + doGenSecretKey(alias, keyAlgName, keysize); + kssave = true; } else if (command == IDENTITYDB) { if (filename != null) { try (InputStream inStream = new FileInputStream(filename)) { @@ -1419,6 +1436,43 @@ public final class Main { } return null; // PKCS11, MSCAPI, or -protected } + + /* + * Prompt the user for the password credential to be stored. + */ + private char[] promptForCredential() throws Exception { + // Handle password supplied via stdin + if (System.console() == null) { + char[] importPass = Password.readPassword(System.in); + passwords.add(importPass); + return importPass; + } + + int count; + for (count = 0; count < 3; count++) { + System.err.print( + rb.getString("Enter.the.password.to.be.stored.")); + System.err.flush(); + char[] entered = Password.readPassword(System.in); + passwords.add(entered); + System.err.print(rb.getString("Re.enter.password.")); + char[] passAgain = Password.readPassword(System.in); + passwords.add(passAgain); + if (!Arrays.equals(entered, passAgain)) { + System.err.println(rb.getString("They.don.t.match.Try.again")); + continue; + } + return entered; + } + + if (count == 3) { + throw new Exception(rb.getString + ("Too.many.failures.key.not.added.to.keystore")); + } + + return null; + } + /** * Creates a new secret key. */ @@ -1436,24 +1490,63 @@ public final class Main { throw new Exception(form.format(source)); } + // Use the keystore's default PBE algorithm for entry protection + boolean useDefaultPBEAlgorithm = true; SecretKey secKey = null; - KeyGenerator keygen = KeyGenerator.getInstance(keyAlgName); - if (keysize != -1) { - keygen.init(keysize); - } else if ("DES".equalsIgnoreCase(keyAlgName)) { - keygen.init(56); - } else if ("DESede".equalsIgnoreCase(keyAlgName)) { - keygen.init(168); + + if (keyAlgName.toUpperCase().startsWith("PBE")) { + SecretKeyFactory factory = SecretKeyFactory.getInstance("PBE"); + + // User is prompted for PBE credential + secKey = + factory.generateSecret(new PBEKeySpec(promptForCredential())); + + // Check whether a specific PBE algorithm was specified + if (!"PBE".equalsIgnoreCase(keyAlgName)) { + useDefaultPBEAlgorithm = false; + } + + if (verbose) { + MessageFormat form = new MessageFormat(rb.getString( + "Generated.keyAlgName.secret.key")); + Object[] source = + {useDefaultPBEAlgorithm ? "PBE" : secKey.getAlgorithm()}; + System.err.println(form.format(source)); + } } else { - throw new Exception(rb.getString - ("Please.provide.keysize.for.secret.key.generation")); + KeyGenerator keygen = KeyGenerator.getInstance(keyAlgName); + if (keysize == -1) { + if ("DES".equalsIgnoreCase(keyAlgName)) { + keysize = 56; + } else if ("DESede".equalsIgnoreCase(keyAlgName)) { + keysize = 168; + } else { + throw new Exception(rb.getString + ("Please.provide.keysize.for.secret.key.generation")); + } + } + keygen.init(keysize); + secKey = keygen.generateKey(); + + if (verbose) { + MessageFormat form = new MessageFormat(rb.getString + ("Generated.keysize.bit.keyAlgName.secret.key")); + Object[] source = {new Integer(keysize), + secKey.getAlgorithm()}; + System.err.println(form.format(source)); + } } - secKey = keygen.generateKey(); if (keyPass == null) { keyPass = promptForKeyPass(alias, null, storePass); } - keyStore.setKeyEntry(alias, secKey, keyPass, null); + + if (useDefaultPBEAlgorithm) { + keyStore.setKeyEntry(alias, secKey, keyPass, null); + } else { + keyStore.setEntry(alias, new KeyStore.SecretKeyEntry(secKey), + new KeyStore.PasswordProtection(keyPass, keyAlgName, null)); + } } /** diff --git a/jdk/src/share/classes/sun/security/tools/keytool/Resources.java b/jdk/src/share/classes/sun/security/tools/keytool/Resources.java index 393aa3babe1..6199927ee44 100644 --- a/jdk/src/share/classes/sun/security/tools/keytool/Resources.java +++ b/jdk/src/share/classes/sun/security/tools/keytool/Resources.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -65,10 +65,16 @@ public class Resources extends java.util.ListResourceBundle { {"Generates.certificate.from.a.certificate.request", "Generates certificate from a certificate request"}, //-gencert {"Generates.CRL", "Generates CRL"}, //-gencrl + {"Generated.keyAlgName.secret.key", + "Generated {0} secret key"}, //-genseckey + {"Generated.keysize.bit.keyAlgName.secret.key", + "Generated {0}-bit {1} secret key"}, //-genseckey {"Imports.entries.from.a.JDK.1.1.x.style.identity.database", "Imports entries from a JDK 1.1.x-style identity database"}, //-identitydb {"Imports.a.certificate.or.a.certificate.chain", "Imports a certificate or a certificate chain"}, //-importcert + {"Imports.a.password", + "Imports a password"}, //-importpass {"Imports.one.or.all.entries.from.another.keystore", "Imports one or all entries from another keystore"}, //-importkeystore {"Clones.a.key.entry", @@ -220,6 +226,8 @@ public class Resources extends java.util.ListResourceBundle { {"Must.specify.alias", "Must specify alias"}, {"Keystore.password.must.be.at.least.6.characters", "Keystore password must be at least 6 characters"}, + {"Enter.the.password.to.be.stored.", + "Enter the password to be stored: "}, {"Enter.keystore.password.", "Enter keystore password: "}, {"Enter.source.keystore.password.", "Enter source keystore password: "}, {"Enter.destination.keystore.password.", "Enter destination keystore password: "}, @@ -328,6 +336,7 @@ public class Resources extends java.util.ListResourceBundle { {"New.prompt.", "New {0}: "}, {"Passwords.must.differ", "Passwords must differ"}, {"Re.enter.new.prompt.", "Re-enter new {0}: "}, + {"Re.enter.passpword.", "Re-enter password: "}, {"Re.enter.new.password.", "Re-enter new password: "}, {"They.don.t.match.Try.again", "They don't match. Try again"}, {"Enter.prompt.alias.name.", "Enter {0} alias name: "}, diff --git a/jdk/test/sun/security/tools/keytool/StorePasswords.java b/jdk/test/sun/security/tools/keytool/StorePasswords.java new file mode 100644 index 00000000000..e1f0c275b94 --- /dev/null +++ b/jdk/test/sun/security/tools/keytool/StorePasswords.java @@ -0,0 +1,186 @@ +/* + * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test + * @bug 8008296 + * @summary Store and retrieve user passwords using PKCS#12 keystore + */ + +import java.io.*; +import java.security.*; +import java.util.*; +import javax.crypto.*; +import javax.crypto.spec.*; + +/* + * Store and retrieve passwords protected by a selection of PBE algorithms, + * using a PKCS#12 keystore. + */ +public class StorePasswords { + + private static final String[] PBE_ALGORITHMS = new String[] { + "default PBE algorithm", + "PBEWithMD5AndDES", + "PBEWithSHA1AndDESede", + "PBEWithSHA1AndRC2_40", + "PBEWithSHA1AndRC2_128", + "PBEWithSHA1AndRC4_40", + "PBEWithSHA1AndRC4_128", + "PBEWithHmacSHA1AndAES_128", + "PBEWithHmacSHA224AndAES_128", + "PBEWithHmacSHA256AndAES_128", + "PBEWithHmacSHA384AndAES_128", + "PBEWithHmacSHA512AndAES_128", + "PBEWithHmacSHA1AndAES_256", + "PBEWithHmacSHA224AndAES_256", + "PBEWithHmacSHA256AndAES_256", + "PBEWithHmacSHA384AndAES_256", + "PBEWithHmacSHA512AndAES_256" + }; + + private static final String KEYSTORE = "mykeystore.p12"; + private static final char[] KEYSTORE_PWD = "changeit".toCharArray(); + private static final char[] ENTRY_PWD = "protectit".toCharArray(); + private static final char[] USER_PWD = "hello1".toCharArray(); + + public static void main(String[] args) throws Exception { + + new File(KEYSTORE).delete(); + + int storeCount = store(); + int recoverCount = recover(); + + if (recoverCount != storeCount) { + throw new Exception("Stored " + storeCount + " user passwords, " + + "recovered " + recoverCount + " user passwords"); + } + System.out.println("\nStored " + storeCount + " user passwords, " + + "recovered " + recoverCount + " user passwords"); + } + + private static int store() throws Exception { + int count = 0; + // Load an empty PKCS#12 keystore + KeyStore keystore = KeyStore.getInstance("PKCS12"); + System.out.println("\nLoading PKCS#12 keystore..."); + keystore.load(null, null); + + // Derive a PBE key from the password + PBEKeySpec keySpec = new PBEKeySpec(USER_PWD); + SecretKeyFactory factory = SecretKeyFactory.getInstance("PBE"); + SecretKey key = factory.generateSecret(keySpec); + PBEParameterSpec specWithEightByteSalt = + new PBEParameterSpec("NaClNaCl".getBytes(), 1024); + + // Store the user password in a keystore entry (for each algorithm) + for (String algorithm : PBE_ALGORITHMS) { + + try { + System.out.println("Storing user password '" + + new String(USER_PWD) + "' (protected by " + algorithm + + ")"); + + if (algorithm.equals("default PBE algorithm")) { + keystore.setKeyEntry( + "this entry is protected by " + algorithm, key, + ENTRY_PWD, null); + } else { + keystore.setEntry( + "this entry is protected by " + algorithm, + new KeyStore.SecretKeyEntry(key), + new KeyStore.PasswordProtection(ENTRY_PWD, algorithm, + null)); + } + count++; + + } catch (KeyStoreException e) { + Throwable inner = e.getCause(); + if (inner instanceof UnrecoverableKeyException) { + Throwable inner2 = inner.getCause(); + if (inner2 instanceof InvalidAlgorithmParameterException) { + System.out.println("...re-trying due to: " + + inner2.getMessage()); + + // Some PBE algorithms demand an 8-byte salt + keystore.setEntry( + "this entry is protected by " + algorithm, + new KeyStore.SecretKeyEntry(key), + new KeyStore.PasswordProtection(ENTRY_PWD, + algorithm, specWithEightByteSalt)); + count++; + + } else if (inner2 instanceof InvalidKeyException) { + System.out.println("...skipping due to: " + + inner2.getMessage()); + // Unsupported crypto keysize + continue; + } + } else { + throw e; + } + } + } + + // Store the PKCS#12 keystore + System.out.println("Storing PKCS#12 keystore to: " + KEYSTORE); + keystore.store(new FileOutputStream(KEYSTORE), KEYSTORE_PWD); + + return count; + } + + private static int recover() throws Exception { + int count = 0; + // Load the PKCS#12 keystore + KeyStore keystore = KeyStore.getInstance("PKCS12"); + System.out.println("\nLoading PKCS#12 keystore from: " + KEYSTORE); + keystore.load(new FileInputStream(KEYSTORE), KEYSTORE_PWD); + + SecretKey key; + SecretKeyFactory factory; + PBEKeySpec keySpec; + + // Retrieve each user password from the keystore + for (String algorithm : PBE_ALGORITHMS) { + key = (SecretKey) keystore.getKey("this entry is protected by " + + algorithm, ENTRY_PWD); + + if (key != null) { + count++; + factory = SecretKeyFactory.getInstance(key.getAlgorithm()); + keySpec = + (PBEKeySpec) factory.getKeySpec(key, PBEKeySpec.class); + char[] pwd = keySpec.getPassword(); + System.out.println("Recovered user password '" + + new String(pwd) + "' (protected by " + algorithm + ")"); + + if (!Arrays.equals(USER_PWD, pwd)) { + throw new Exception("Failed to recover the user password " + + "protected by " + algorithm); + } + } + } + + return count; + } +} diff --git a/jdk/test/sun/security/tools/keytool/StorePasswordsByShell.sh b/jdk/test/sun/security/tools/keytool/StorePasswordsByShell.sh new file mode 100644 index 00000000000..7347f345878 --- /dev/null +++ b/jdk/test/sun/security/tools/keytool/StorePasswordsByShell.sh @@ -0,0 +1,140 @@ +# +# Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved. +# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. +# +# This code is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License version 2 only, as +# published by the Free Software Foundation. +# +# This code is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# version 2 for more details (a copy is included in the LICENSE file that +# accompanied this code). +# +# You should have received a copy of the GNU General Public License version +# 2 along with this work; if not, write to the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA +# or visit www.oracle.com if you need additional information or have any +# questions. +# + +# @test +# @bug 8008296 +# @summary confirm that keytool correctly imports user passwords +# +# @run shell StorePasswordsByShell.sh + +# set a few environment variables so that the shell-script can run stand-alone +# in the source directory +if [ "${TESTSRC}" = "" ] ; then + TESTSRC="." +fi + +if [ "${TESTCLASSES}" = "" ] ; then + TESTCLASSES="." +fi + +if [ "${TESTJAVA}" = "" ] ; then + echo "TESTJAVA not set. Test cannot execute." + echo "FAILED!!!" + exit 1 +fi + +# set platform-dependent variables +OS=`uname -s` +case "$OS" in + SunOS ) + PATHSEP=":" + FILESEP="/" + ;; + Linux ) + PATHSEP=":" + FILESEP="/" + ;; + Darwin ) + PATHSEP=":" + FILESEP="/" + ;; + CYGWIN* ) + PATHSEP=";" + FILESEP="/" + ;; + Windows* ) + PATHSEP=";" + FILESEP="\\" + ;; + * ) + echo "Unrecognized system!" + exit 1; + ;; +esac + +PBE_ALGORITHMS="\ + default-PBE-algorithm \ + PBEWithMD5AndDES \ + PBEWithSHA1AndDESede \ + PBEWithSHA1AndRC2_40 \ + PBEWithSHA1AndRC2_128 + PBEWithSHA1AndRC4_40 \ + PBEWithSHA1AndRC4_128 \ + PBEWithHmacSHA1AndAES_128 \ + PBEWithHmacSHA224AndAES_128 \ + PBEWithHmacSHA256AndAES_128 \ + PBEWithHmacSHA384AndAES_128 \ + PBEWithHmacSHA512AndAES_128 \ + PBEWithHmacSHA1AndAES_256 \ + PBEWithHmacSHA224AndAES_256 \ + PBEWithHmacSHA256AndAES_256 \ + PBEWithHmacSHA384AndAES_256 \ + PBEWithHmacSHA512AndAES_256" + +USER_PWD="hello1\n" +ALIAS_PREFIX="this entry is protected by " +COUNTER=0 + +# cleanup +rm mykeystore.p12 > /dev/null 2>&1 + +echo +for i in $PBE_ALGORITHMS; do + + if [ $i = "default-PBE-algorithm" ]; then + KEYALG="" + else + KEYALG="-keyalg ${i}" + fi + + if [ $COUNTER -lt 5 ]; then + IMPORTPASSWORD="-importpassword" + else + IMPORTPASSWORD="-importpass" + fi + + echo "Storing user password (protected by ${i})" + echo "${USER_PWD}" | \ + ${TESTJAVA}${FILESEP}bin${FILESEP}keytool ${IMPORTPASSWORD} \ + -storetype pkcs12 -keystore mykeystore.p12 -storepass changeit \ + -alias "${ALIAS_PREFIX}${i}" ${KEYALG} > /dev/null 2>&1 + if [ $? -ne 0 ]; then + echo Error + else + echo OK + COUNTER=`expr ${COUNTER} + 1` + fi +done +echo + +COUNTER2=`${TESTJAVA}${FILESEP}bin${FILESEP}keytool -list -storetype pkcs12 \ + -keystore mykeystore.p12 -storepass changeit | grep -c "${ALIAS_PREFIX}"` + +RESULT="stored ${COUNTER} user passwords, detected ${COUNTER2} user passwords" +if [ $COUNTER -ne $COUNTER2 -o $COUNTER -lt 11 ]; then + echo "ERROR: $RESULT" + exit 1 +else + echo "OK: $RESULT" + exit 0 +fi