diff --git a/src/java.base/share/classes/sun/security/tools/keytool/Main.java b/src/java.base/share/classes/sun/security/tools/keytool/Main.java index 36d9c438d66..c1f4b58fada 100644 --- a/src/java.base/share/classes/sun/security/tools/keytool/Main.java +++ b/src/java.base/share/classes/sun/security/tools/keytool/Main.java @@ -37,12 +37,10 @@ import java.security.cert.CertStoreException; import java.security.cert.CRL; import java.security.cert.X509Certificate; import java.security.cert.CertificateException; -import java.security.cert.CertificateParsingException; import java.security.cert.TrustAnchor; import java.security.cert.URICertStoreParameters; -import java.security.spec.ECParameterSpec; import java.text.Collator; import java.text.MessageFormat; import java.util.*; @@ -66,7 +64,6 @@ import sun.security.provider.certpath.CertPathConstraintsParameters; import sun.security.util.ConstraintsParameters; import sun.security.util.ECKeySizeParameterSpec; import sun.security.util.KeyUtil; -import sun.security.util.NamedCurve; import sun.security.util.ObjectIdentifier; import sun.security.pkcs10.PKCS10; import sun.security.pkcs10.PKCS10Attribute; @@ -3731,11 +3728,13 @@ public final class Main { String userInput = null; int maxRetry = 20; + boolean needRepeat; do { if (maxRetry-- < 0) { throw new RuntimeException(rb.getString( "Too.many.retries.program.terminated")); } + System.err.println(rb.getString("enter.dname.components")); commonName = inputString(in, rb.getString("What.is.your.first.and.last.name."), commonName); @@ -3756,20 +3755,32 @@ public final class Main { rb.getString ("What.is.the.two.letter.country.code.for.this.unit."), country); - name = new X500Name(commonName, organizationalUnit, organization, - city, state, country); - MessageFormat form = new MessageFormat - (rb.getString("Is.name.correct.")); - Object[] source = {name}; - userInput = inputString - (in, form.format(source), rb.getString("no")); - } while (collator.compare(userInput, rb.getString("yes")) != 0 && - collator.compare(userInput, rb.getString("y")) != 0); + name = new X500Name( + dotToNull(commonName), dotToNull(organizationalUnit), + dotToNull(organization), dotToNull(city), + dotToNull(state), dotToNull(country)); + if (name.isEmpty()) { + System.err.println(rb.getString("no.field.in.dname")); + needRepeat = true; + } else { + MessageFormat form = new MessageFormat + (rb.getString("Is.name.correct.")); + Object[] source = {name}; + userInput = inputString + (in, form.format(source), rb.getString("no")); + needRepeat = collator.compare(userInput, rb.getString("yes")) != 0 && + collator.compare(userInput, rb.getString("y")) != 0; + } + } while (needRepeat); System.err.println(); return name; } + private static String dotToNull(String input) { + return ".".equals(input) ? null : input; + } + private String inputString(BufferedReader in, String prompt, String defaultValue) throws IOException @@ -3777,7 +3788,7 @@ public final class Main { System.err.println(prompt); MessageFormat form = new MessageFormat (rb.getString(".defaultValue.")); - Object[] source = {defaultValue}; + Object[] source = { ".".equals(defaultValue) ? "" : defaultValue }; System.err.print(form.format(source)); System.err.flush(); diff --git a/src/java.base/share/classes/sun/security/tools/keytool/Resources.java b/src/java.base/share/classes/sun/security/tools/keytool/Resources.java index 395a1c89af6..3865c97dd85 100644 --- a/src/java.base/share/classes/sun/security/tools/keytool/Resources.java +++ b/src/java.base/share/classes/sun/security/tools/keytool/Resources.java @@ -374,6 +374,8 @@ public class Resources extends java.util.ListResourceBundle { {"Enter.alias.name.", "Enter alias name: "}, {".RETURN.if.same.as.for.otherAlias.", "\t(RETURN if same as for <{0}>)"}, + {"enter.dname.components", + "Enter the distinguished name. Provide a single dot (.) to leave a sub-component empty or press ENTER to use the default value in braces."}, {"What.is.your.first.and.last.name.", "What is your first and last name?"}, {"What.is.the.name.of.your.organizational.unit.", @@ -386,6 +388,8 @@ public class Resources extends java.util.ListResourceBundle { "What is the name of your State or Province?"}, {"What.is.the.two.letter.country.code.for.this.unit.", "What is the two-letter country code for this unit?"}, + {"no.field.in.dname", + "At least one field must be provided. Enter again."}, {"Is.name.correct.", "Is {0} correct?"}, {"no", "no"}, {"yes", "yes"}, diff --git a/src/java.base/share/classes/sun/security/x509/X500Name.java b/src/java.base/share/classes/sun/security/x509/X500Name.java index 210f32545e4..0b4811724bd 100644 --- a/src/java.base/share/classes/sun/security/x509/X500Name.java +++ b/src/java.base/share/classes/sun/security/x509/X500Name.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2021, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2022, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -241,29 +241,45 @@ public class X500Name implements GeneralNameInterface, Principal { String organizationName, String localityName, String stateName, String country) throws IOException { - names = new RDN[6]; - /* - * NOTE: it's only on output that little-endian - * ordering is used. - */ - names[5] = new RDN(1); - names[5].assertion[0] = new AVA(commonName_oid, - new DerValue(commonName)); - names[4] = new RDN(1); - names[4].assertion[0] = new AVA(orgUnitName_oid, - new DerValue(organizationUnit)); - names[3] = new RDN(1); - names[3].assertion[0] = new AVA(orgName_oid, - new DerValue(organizationName)); - names[2] = new RDN(1); - names[2].assertion[0] = new AVA(localityName_oid, - new DerValue(localityName)); - names[1] = new RDN(1); - names[1].assertion[0] = new AVA(stateName_oid, - new DerValue(stateName)); - names[0] = new RDN(1); - names[0].assertion[0] = new AVA(countryName_oid, - new DerValue(country)); + RDN name; + List list = new ArrayList<>(6); + if (country != null) { + name = new RDN(1); + name.assertion[0] = new AVA(countryName_oid, + new DerValue(country)); + list.add(name); + } + if (stateName != null) { + name = new RDN(1); + name.assertion[0] = new AVA(stateName_oid, + new DerValue(stateName)); + list.add(name); + } + if (localityName != null) { + name = new RDN(1); + name.assertion[0] = new AVA(localityName_oid, + new DerValue(localityName)); + list.add(name); + } + if (organizationName != null) { + name = new RDN(1); + name.assertion[0] = new AVA(orgName_oid, + new DerValue(organizationName)); + list.add(name); + } + if (organizationUnit != null) { + name = new RDN(1); + name.assertion[0] = new AVA(orgUnitName_oid, + new DerValue(organizationUnit)); + list.add(name); + } + if (commonName != null) { + name = new RDN(1); + name.assertion[0] = new AVA(commonName_oid, + new DerValue(commonName)); + list.add(name); + } + names = list.toArray(new RDN[0]); } /** diff --git a/test/jdk/sun/security/tools/keytool/EmptyField.java b/test/jdk/sun/security/tools/keytool/EmptyField.java new file mode 100644 index 00000000000..4d228e4c9b0 --- /dev/null +++ b/test/jdk/sun/security/tools/keytool/EmptyField.java @@ -0,0 +1,57 @@ +/* + * Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test + * @bug 8284194 + * @summary Allow empty subject fields in keytool + * @library /test/lib + */ + +import jdk.test.lib.Asserts; +import jdk.test.lib.SecurityTools; + +import java.io.File; +import java.security.KeyStore; +import java.security.cert.X509Certificate; + +public class EmptyField { + + public static void main(String[] args) throws Exception { + // All "." in first round, "Me" as name in 2nd round. + SecurityTools.setResponse( + ".\n.\n.\n.\n.\n.\n" // all empty, must retry + + "Me\n\n\n\n\n\nno\n" // one non-empty, ask yes/no + + "\n\n\n\n\n\nyes\n"); // remember input + SecurityTools.keytool("-genkeypair -keystore ks -storepass changeit -alias b -keyalg EC") + .shouldContain("[Unknown]") // old default + .shouldContain("At least one field must be provided. Enter again.") + .shouldContain("[]") // new value in 2nd round + .shouldContain("[Me]") // new value in 3nd round + .shouldContain("Is CN=Me correct?") + .shouldHaveExitValue(0); + var ks = KeyStore.getInstance(new File("ks"), "changeit".toCharArray()); + var cert = (X509Certificate) ks.getCertificate("b"); + Asserts.assertEQ(cert.getSubjectX500Principal().toString(), "CN=Me"); + } +}