stan/jdk-24
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

8244148: keytool -printcert and -printcrl should support the -trustcacerts and -keystore options

Browse Source 
Reviewed-by: weijun, jjiang
This commit is contained in:
Hai-May Chao 2020-06-23 16:30:38 +08:00
parent 8d9826e4d1
commit e3eb38f4d2
12 changed files with 459 additions and 50 deletions
src/java.base/share/classes/sun/security
ssl
TrustStoreManager.java
tools
KeyStoreUtil.java
keytool
Main.javaResources.java
util
AnchorCertificates.javaFilePaths.java
test
jdk/sun/security
tools/keytool
WeakAlg.java
fakecacerts
MyOwnCacerts.javaTrustedCRL.javaTrustedCert.java
util/module_patch/java.base/sun/security/util
FilePaths.java
lib/jdk/test/lib/security
KeyStoreUtils.java

6
src/java.base/share/classes/sun/security/ssl/TrustStoreManager.java

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -32,6 +32,7 @@ import java.security.cert.*;
import java.util.*;
import java.util.concurrent.locks.ReentrantLock;
import sun.security.action.*;
import sun.security.util.FilePaths;
import sun.security.validator.TrustStoreUtil;
/**
@ -76,8 +77,7 @@ final class TrustStoreManager {
private static final String defaultStorePath =
GetPropertyAction.privilegedGetProperty("java.home") +
fileSep + "lib" + fileSep + "security";
private static final String defaultStore =
defaultStorePath + fileSep + "cacerts";
private static final String defaultStore = FilePaths.cacerts();
private static final String jsseDefaultStore =
defaultStorePath + fileSep + "jssecacerts";

6
src/java.base/share/classes/sun/security/tools/KeyStoreUtil.java

@ -51,6 +51,7 @@ import java.util.Properties;
import java.util.ResourceBundle;
import java.util.ServiceLoader;
import sun.security.util.FilePaths;
import sun.security.util.PropertyExpander;
/**
@ -110,10 +111,7 @@ public class KeyStoreUtil {
* Returns the file name of the keystore with the configured CA certificates.
*/
public static String getCacerts() {
String sep = File.separator;
return System.getProperty("java.home") + sep
+ "lib" + sep + "security" + sep
+ "cacerts";
return FilePaths.cacerts();
}
/**

56
src/java.base/share/classes/sun/security/tools/keytool/Main.java

@ -260,12 +260,15 @@ public final class Main {
PROVIDERPATH, V, PROTECTED),
PRINTCERT("Prints.the.content.of.a.certificate",
RFC, FILEIN, SSLSERVER, JARFILE,
KEYSTORE, STOREPASS, STORETYPE, TRUSTCACERTS,
PROVIDERNAME, ADDPROVIDER, PROVIDERCLASS,
PROVIDERPATH, V),
PROVIDERPATH, V, PROTECTED),
PRINTCERTREQ("Prints.the.content.of.a.certificate.request",
FILEIN, V),
PRINTCRL("Prints.the.content.of.a.CRL.file",
FILEIN, V),
FILEIN, KEYSTORE, STOREPASS, STORETYPE, TRUSTCACERTS,
PROVIDERNAME, ADDPROVIDER, PROVIDERCLASS, PROVIDERPATH,
V, PROTECTED),
STOREPASSWD("Changes.the.store.password.of.a.keystore",
NEW, KEYSTORE, CACERTS, STOREPASS, STORETYPE, PROVIDERNAME,
ADDPROVIDER, PROVIDERCLASS, PROVIDERPATH, V),
@ -719,7 +722,7 @@ public final class Main {
}
boolean isKeyStoreRelated(Command cmd) {
return cmd != PRINTCERT && cmd != PRINTCERTREQ && cmd != SHOWINFO;
return cmd != PRINTCERTREQ && cmd != SHOWINFO;
}
/**
@ -904,14 +907,15 @@ public final class Main {
} catch (FileNotFoundException e) {
// These commands do not need the keystore to be existing.
// Either it will create a new one or the keystore is
// optional (i.e. PRINTCRL).
// optional (i.e. PRINTCRL and PRINTCERT).
if (command != GENKEYPAIR &&
command != GENSECKEY &&
command != IDENTITYDB &&
command != IMPORTCERT &&
command != IMPORTPASS &&
command != IMPORTKEYSTORE &&
command != PRINTCRL) {
command != PRINTCRL &&
command != PRINTCERT) {
throw new Exception(rb.getString
("Keystore.file.does.not.exist.") + ksfname);
}
@ -1073,7 +1077,7 @@ public final class Main {
}
} else {
// here we have EXPORTCERT and LIST (info valid until STOREPASSWD)
if (command != PRINTCRL) {
if (command != PRINTCRL && command != PRINTCERT) {
System.err.print(rb.getString("Enter.keystore.password."));
System.err.flush();
storePass = Password.readPassword(System.in);
@ -1108,10 +1112,10 @@ public final class Main {
}
}
// -trustcacerts can only be specified on -importcert.
// Reset it so that warnings on CA cert will remain for
// -printcert, etc.
if (command != IMPORTCERT) {
// -trustcacerts can be specified on -importcert, -printcert or -printcrl.
// Reset it so that warnings on CA cert will remain for other command.
if (command != IMPORTCERT && command != PRINTCERT
&& command != PRINTCRL) {
trustcacerts = false;
}
@ -2442,27 +2446,6 @@ public final class Main {
}
}
private static <T> Iterable<T> e2i(final Enumeration<T> e) {
return new Iterable<T>() {
@Override
public Iterator<T> iterator() {
return new Iterator<T>() {
@Override
public boolean hasNext() {
return e.hasMoreElements();
}
@Override
public T next() {
return e.nextElement();
}
public void remove() {
throw new UnsupportedOperationException("Not supported yet.");
}
};
}
};
}
/**
* Loads CRLs from a source. This method is also called in JarSigner.
* @param src the source, which means System.in if null, or a URI,
@ -2556,7 +2539,7 @@ public final class Main {
throws Exception {
X509CRLImpl xcrl = (X509CRLImpl)crl;
X500Principal issuer = xcrl.getIssuerX500Principal();
for (String s: e2i(ks.aliases())) {
for (String s: Collections.list(ks.aliases())) {
Certificate cert = ks.getCertificate(s);
if (cert instanceof X509Certificate) {
X509Certificate xcert = (X509Certificate)cert;
@ -2605,8 +2588,13 @@ public final class Main {
if (issuer == null) {
out.println(rb.getString
("STAR"));
out.println(rb.getString
("warning.not.verified.make.sure.keystore.is.correct"));
if (trustcacerts) {
out.println(rb.getString
("warning.not.verified.make.sure.keystore.is.correct"));
} else {
out.println(rb.getString
("warning.not.verified.make.sure.keystore.is.correct.or.specify.trustcacerts"));
}
out.println(rb.getString
("STARNN"));
}

2
src/java.base/share/classes/sun/security/tools/keytool/Resources.java

@ -429,6 +429,8 @@ public class Resources extends java.util.ListResourceBundle {
{"warning.not.verified.make.sure.keystore.is.correct",
"WARNING: not verified. Make sure -keystore is correct."},
{"warning.not.verified.make.sure.keystore.is.correct.or.specify.trustcacerts",
"WARNING: not verified. Make sure -keystore is correct or specify -trustcacerts."},
{"Extensions.", "Extensions: "},
{".Empty.value.", "(Empty value)"},

8
src/java.base/share/classes/sun/security/util/AnchorCertificates.java

@ -1,5 +1,5 @@
/*
* Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2016, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -36,7 +36,6 @@ import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;
import jdk.internal.util.StaticProperty;
import sun.security.x509.X509CertImpl;
/**
@ -53,10 +52,9 @@ public class AnchorCertificates {
AccessController.doPrivileged(new PrivilegedAction<Void>() {
@Override
public Void run() {
File f = new File(StaticProperty.javaHome(),
"lib/security/cacerts");
KeyStore cacerts;
File f = new File(FilePaths.cacerts());
try {
KeyStore cacerts;
cacerts = KeyStore.getInstance("JKS");
try (FileInputStream fis = new FileInputStream(f)) {
cacerts.load(fis, null);

37
src/java.base/share/classes/sun/security/util/FilePaths.java Normal file

@ -0,0 +1,37 @@
/*
* Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.util;
import jdk.internal.util.StaticProperty;
import java.io.File;
public class FilePaths {
public static String cacerts() {
return StaticProperty.javaHome() + File.separator + "lib"
+ File.separator + "security" + File.separator + "cacerts";
}
}

8
test/jdk/sun/security/tools/keytool/WeakAlg.java

@ -259,8 +259,8 @@ public class WeakAlg {
.shouldContain("JKS keystore uses a proprietary format");
kt("-exportcert -alias a -file a.crt")
.shouldContain("JKS keystore uses a proprietary format");
kt("-printcert -file a.crt") // no warning if keystore not touched
.shouldNotContain("Warning:");
kt("-printcert -file a.crt") // warning since -keystore option is supported
.shouldContain("JKS keystore uses a proprietary format");
kt("-certreq -alias a -file a.req")
.shouldContain("JKS keystore uses a proprietary format");
kt("-printcertreq -file a.req") // no warning if keystore not touched
@ -283,8 +283,8 @@ public class WeakAlg {
.shouldContain("JCEKS keystore uses a proprietary format");
kt("-exportcert -alias a -file a.crt")
.shouldContain("JCEKS keystore uses a proprietary format");
kt("-printcert -file a.crt")
.shouldNotContain("Warning:");
kt("-printcert -file a.crt") // warning since -keystore option is supported
.shouldContain("JCEKS keystore uses a proprietary format");
kt("-certreq -alias a -file a.req")
.shouldContain("JCEKS keystore uses a proprietary format");
kt("-printcertreq -file a.req")

65
test/jdk/sun/security/tools/keytool/fakecacerts/MyOwnCacerts.java Normal file

@ -0,0 +1,65 @@
/*
* Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 8244148
* @library /test/lib
* @library /test/jdk/sun/security/util/module_patch
* @build java.base/sun.security.util.FilePaths
* @modules java.base/jdk.internal.misc
* @run main MyOwnCacerts
*/
import jdk.test.lib.SecurityTools;
import jdk.test.lib.process.OutputAnalyzer;
public class MyOwnCacerts {
// The --patch-module must be explicitly specified on the keytool
// command line because it's in a separate process
private static final String PATCH_OPTION;
static {
String tmp = "";
for (String a : jdk.internal.misc.VM.getRuntimeArguments()) {
if (a.startsWith("--patch-module")) {
tmp = "-J" + a + " ";
break;
}
}
PATCH_OPTION = tmp;
}
public static void main(String[] args) throws Exception {
kt("-keystore mycacerts -genkeypair -alias a" +
" -dname CN=root -keyalg EC -storepass changeit")
.shouldContain("Warning: use -cacerts option");
kt("-list -cacerts -storepass changeit")
.shouldContain("Your keystore contains 1 entry");
}
static OutputAnalyzer kt(String s) throws Exception {
return SecurityTools.keytool(PATCH_OPTION + s);
}
}

101
test/jdk/sun/security/tools/keytool/fakecacerts/TrustedCRL.java Normal file

@ -0,0 +1,101 @@
/*
* Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 8244148
* @summary Test keytool -printcrl with -keystore and -trustcacerts options
* @library /test/lib
* @library /test/jdk/sun/security/util/module_patch
* @build java.base/sun.security.util.FilePaths
* @modules java.base/sun.security.util
* java.base/jdk.internal.misc
* @run main TrustedCRL
*/
import jdk.test.lib.SecurityTools;
import jdk.test.lib.process.OutputAnalyzer;
import jdk.test.lib.security.KeyStoreUtils;
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
public class TrustedCRL {
// The --patch-module must be explicitly specified on the keytool
// command line because it's in a separate process
private static final String PATCH_OPTION;
static {
String tmp = "";
for (String a : jdk.internal.misc.VM.getRuntimeArguments()) {
if (a.startsWith("--patch-module")) {
tmp = "-J" + a + " ";
break;
}
}
PATCH_OPTION = tmp;
}
static OutputAnalyzer kt(String cmd) throws Exception {
return SecurityTools.keytool(cmd + " -keystore ks"
+ " -storepass changeit")
.shouldHaveExitValue(0);
}
static OutputAnalyzer patchcmd(String cmd, String options)
throws Exception {
return kt(PATCH_OPTION + " -" + cmd + " " + options);
}
static void rm(String s) throws IOException {
System.out.println("---------------------------------------------");
System.out.println("$ rm " + s);
Files.deleteIfExists(Paths.get(s));
}
public static void main(String[] args) throws Exception {
// Test -printcrl with root CA in cacerts keystore
kt("-genkeypair -alias myca -dname CN=CA -keyalg RSA"
+ " -keysize 1024 -sigalg SHA1withRSA");
kt("-exportcert -alias myca -rfc -file ca.pem");
// import root CA to mycacerts keystore
KeyStoreUtils.createCacerts("mycacerts", "ca.pem");
kt("-gencrl -alias myca -id 0 -file ca.crl -sigalg MD5withRSA");
patchcmd("printcrl", "-file ca.crl -trustcacerts")
.shouldMatch("Verified by.*in cacerts");
// Test -printcrl with root CA in local keystore
kt("-gencrl -alias myca -id 0 -file ca.crl");
kt("-printcrl -file ca.crl")
.shouldMatch("Verified by.*in keystore");
}
}

161
test/jdk/sun/security/tools/keytool/fakecacerts/TrustedCert.java Normal file

@ -0,0 +1,161 @@
/*
* Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 8244148
* @summary Test keytool -printcert with -keystore and -trustcacerts options
* @library /test/lib
* @library /test/jdk/sun/security/util/module_patch
* @build java.base/sun.security.util.FilePaths
* @modules java.base/sun.security.util
* java.base/jdk.internal.misc
* @run main TrustedCert
*/
import jdk.test.lib.SecurityTools;
import jdk.test.lib.process.OutputAnalyzer;
import jdk.test.lib.security.KeyStoreUtils;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
public class TrustedCert {
// The --patch-module must be explicitly specified on the keytool
// command line because it's in a separate process
private static final String PATCH_OPTION;
static {
String tmp = "";
for (String a : jdk.internal.misc.VM.getRuntimeArguments()) {
if (a.startsWith("--patch-module")) {
tmp = "-J" + a + " ";
break;
}
}
PATCH_OPTION = tmp;
}
static OutputAnalyzer kt(String cmd, String ks) throws Exception {
return SecurityTools.keytool(cmd + " -keystore " + ks
+ " -storepass changeit")
.shouldHaveExitValue(0);
}
static OutputAnalyzer kt1(String cmd, String ks) throws Exception {
return SecurityTools.keytool(cmd + " -keystore " + ks
+ " -storepass changeit")
.shouldNotHaveExitValue(0);
}
static OutputAnalyzer patchcmd(String cmd, String options, String ks,
boolean nonzero) throws Exception {
if (nonzero) {
return kt1(PATCH_OPTION + " -" + cmd + " " + options, ks);
} else {
return kt(PATCH_OPTION + " -" + cmd + " " + options, ks);
}
}
static void rm(String s) throws IOException {
System.out.println("---------------------------------------------");
System.out.println("$ rm " + s);
Files.deleteIfExists(Paths.get(s));
}
private static void cat(String dest, String... src) throws IOException {
System.out.println("---------------------------------------------");
System.out.printf("$ cat ");
ByteArrayOutputStream bout = new ByteArrayOutputStream();
for (String s : src) {
System.out.printf(s + " ");
bout.write(Files.readAllBytes(Paths.get(s)));
}
Files.write(Paths.get(dest), bout.toByteArray());
System.out.println("> " + dest);
}
public static void main(String[] args) throws Exception {
// Test -printcert with root CA in local keystore
kt("-genkeypair -keyalg rsa -keysize 1024 -sigalg SHA1withRSA " +
"-dname CN=ROOT -ext bc:c", "root.jks");
kt("-genkeypair -keyalg RSA -dname CN=CA -ext bc:c", "ca.jks");
kt("-genkeypair -keyalg RSA -dname CN=SERVER", "server.jks");
kt("-exportcert -rfc -file root.pem", "root.jks");
kt("-importcert -alias root -file root.pem -noprompt", "ca.jks");
kt("-importcert -alias root -file root.pem -noprompt", "server.jks");
kt("-certreq -file ca.req", "ca.jks");
kt("-gencert -ext BC=0 -rfc -infile ca.req -outfile ca.pem", "root.jks");
kt("-importcert -file ca.pem", "ca.jks");
kt("-certreq -file server.req", "server.jks");
kt("-gencert -ext ku:c=dig,keyEncipherment -rfc -infile server.req " +
"-outfile server.pem", "ca.jks");
kt("-importcert -file server.pem", "server.jks");
cat("fullchain.pem", "server.pem", "root.pem");
kt("-printcert -file fullchain.pem ", "server.jks")
.shouldNotMatch("SHA1withRSA signature algorithm.*security risk")
.shouldMatch("1024-bit RSA key.*security risk");
rm("ca.jks");
rm("server.jks");
rm("mycacerts");
// Test -printcert with root CA in cacerts keystore
kt("-genkeypair -keyalg RSA -dname CN=CA -ext bc:c", "ca.jks");
kt("-genkeypair -keyalg RSA -dname CN=SERVER", "server.jks");
// import root CA to mycacerts keystore
KeyStoreUtils.createCacerts("mycacerts", "root.pem");
kt("-certreq -file ca.req", "ca.jks");
kt("-gencert -ext BC=0 -rfc -infile ca.req -outfile ca.pem", "root.jks");
patchcmd("importcert", "-file ca.pem", "ca.jks", true);
patchcmd("importcert", "-file ca.pem -trustcacerts", "ca.jks", false);
kt("-certreq -file server.req", "server.jks");
kt("-gencert -ext ku:c=dig,keyEncipherment -rfc -infile server.req " +
"-outfile server.pem", "ca.jks");
kt("-importcert -file server.pem -noprompt", "server.jks");
cat("fullchain.pem", "server.pem", "root.pem");
patchcmd("-printcert", "-file fullchain.pem -trustcacerts", "server.jks", false)
.shouldNotMatch("SHA1withRSA signature algorithm.*security risk")
.shouldMatch("1024-bit RSA key.*security risk");
patchcmd("-printcert", "-file fullchain.pem", "server.jks", false)
.shouldMatch("SHA1withRSA signature algorithm.*security risk")
.shouldMatch("1024-bit RSA key.*security risk");
}
}

35
test/jdk/sun/security/util/module_patch/java.base/sun/security/util/FilePaths.java Normal file

@ -0,0 +1,35 @@
/*
* Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.util;
import jdk.internal.util.StaticProperty;
import java.io.File;
// This is a patched version
public class FilePaths {
public static String cacerts() {
return System.getProperty("test.cacerts", "mycacerts");
}
}

24
test/lib/jdk/test/lib/security/KeyStoreUtils.java

@ -23,12 +23,15 @@
package jdk.test.lib.security;
import java.io.*;
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
@ -289,4 +292,25 @@ public class KeyStoreUtils {
new String[] { CertUtils.DSA_CERT }));
return createKeyStore(entries.toArray(new KeyEntry[entries.size()]));
}
/**
* Creates cacerts keystore with the trusted certificate(s)
* @param args arguments to cacerts keystore name and trusted certificates
* @throws Exception if there is an error
*
*/
public static void createCacerts(String ks, String... crts) throws Exception {
try (OutputStream os = new FileOutputStream(ks)) {
KeyStore k = KeyStore.getInstance("JKS");
k.load(null, null);
CertificateFactory cf = CertificateFactory.getInstance("X.509");
for (int pos = 0; pos < crts.length; pos++) {
try (InputStream is = new FileInputStream(crts[pos])) {
k.setCertificateEntry("root" + pos,
cf.generateCertificate(is));
}
}
k.store(os, "changeit".toCharArray());
}
}
}