/* * Copyright (c) 2001, 2021, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ import java.io.BufferedInputStream; import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.InputStream; import java.security.KeyFactory; import java.security.KeyStore; import java.security.KeyStoreException; import java.security.NoSuchProviderException; import java.security.PrivateKey; import java.security.UnrecoverableKeyException; import java.security.cert.Certificate; import java.security.cert.CertificateFactory; import java.security.spec.KeySpec; import java.security.spec.PKCS8EncodedKeySpec; import java.util.Base64; /* * @test * @bug 8048621 8133090 8167371 8236671 * @summary Test basic operations with keystores (jks, jceks, pkcs12) * @author Yu-Ching Valerie PENG */ public class TestKeyStoreBasic { private static final String PRIVATE_KEY_PKCS8_BASE64 = "" + "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCpyz97liuWPDYcLH9TX8BiT78o" + "lCmAfmevvch6ncXUVuCzbdaKuKXwn4EVbDszsVJLoK5zdtP+X3iDhutj+IgKmLhuczF3M9VIcWr+" + "JJUyTH4+3h/RT8cjCDZOmk9iXkb5ifruVsLqzb9g+Vp140Oz7leikne7KmclHvTfvFd0WDI7Gb9v" + "o4f5rT717BXJ/n+M6pNk8DLpLiEu6eziYvXRv5x+t5Go3x0eCXdaxEQUf2j876Wfr2qHRJK7lDfF" + "e1DDsMg/KpKGiILYZ+g2qtVMZSxtp5BZEtfB5qV/IE5kWO+mCIAGpXSZIdbERR6pZUq8GLEe1T9e" + "+sO6H24w2F19AgMBAAECggEBAId/12187dO6wUPCjumuJA1QrrBnbKdKONyai36uoc1Od4s5QFj7" + "+hEIeS7rbGNYQuBvnkgusAbzkW0FIpxpHce3EJez/emux6pEOKoP77BwMt9gy+txyu0+BHi91FQg" + "AGvrnQDO5EYVY4Cz/WjOsJzKu8zVLg+DS0Toa2qRFwmUe9mVAXPNOCZ3Oae/Q6tCDsaINNw0fmjj" + "jn6uohPbS+n6xENG3FkQXB36getXy310xTGED2J27cmAQH6gLR6Kl2iROzNPbbpBqbuemI9kbcld" + "EwBS1jRfZWeaPstYA1niVrE9UgUBzemnoh4TDkG076sYthHMr5QFGjPswnwtJ4ECgYEA0sURQ5+v" + "baH4tdaemI3qpnknXTlzSpuZZmAoyvY0Id0mlduwKwmZ3Y5989wHfnnhFfyNO4IkTKjI2Wp97qP5" + "4eqUNpA7FtNU7KUzMcFDTtwtNZuRYMrKlqo2lLbA+gVrAYpYZFL4b7tcwtX4DnYorDsmude6W8sG" + "4Mx2VdFJC9UCgYEAzjsdXCYH5doWUHb0dvn9ID7IikffEMRM720MRjrnnnVbpzx6ACntkPDNZg7p" + "TRE/mx7iBz81ZaUWE+V0wd0JvCHEdpAz3mksyvDFhU4Bgs6xzf2pSul5muhsx3hHcvvPezz5Bnxs" + "faJlzkxfwotyGmvWN15GA/pyfsZjsbbTpwkCgYAO6NnbysQCIV8SnegCKqfatt9N/O5m7LLhRxQb" + "p2bwrlA4cZ34rWkw/w9x3LK7A6wkfgUPnJkswxPSLXJTG05l6M4rPfCwIKr1Qopojp9QSMr569NQ" + "4YeLOOc7heIIzbFQHpU6I5Rncv2Q2sn9W+ZsqJKIuvX34FjQNiZ406EzMQKBgHSxOGS61D84DuZK" + "2Ps1awhC3kB4eHzJRms3vflDPWoJJ+pSKwpKrzUTPHXiPBqyhtYkPGszVeiE6CAr9sv3YZnFVaBs" + "6hyQUJsob+uE/w/gGvXe8VsFDx0bJOodYfhrCbTHBHWqE81nBcocpxayxsayfAzqWB3KKd0YLrMR" + "K2PZAoGAcZa8915R2m0KZ6HVJUt/JDR85jCbN71kcVDFY2XSFkOJvOdFoHNfRckfLzjq9Y2MSSTV" + "+QDWbDo2doUQCejJUTaN8nP79tfyir24X5uVPvQaeVoGTKYb+LfUqK0F60lStmjuddIGSZH55y3v" + "+9XjmxbVERtd1lqgQg3VlmKlEXY="; /* * Certificate: * Data: * Version: 3 (0x2) * Serial Number: 7 (0x7) * Signature Algorithm: sha512WithRSAEncryption * Issuer: CN=Root * Validity * Not Before: Sep 1 18:03:59 2015 GMT * Not After : Jan 17 18:03:59 2043 GMT * Subject: CN=EE */ private static final String CERTIFICATE = "" + "-----BEGIN CERTIFICATE-----\n" + "MIIDHTCCAgWgAwIBAgIBBzANBgkqhkiG9w0BAQ0FADAPMQ0wCwYDVQQDDARSb290\n" + "MB4XDTE1MDkwMTE4MDM1OVoXDTQzMDExNzE4MDM1OVowDTELMAkGA1UEAwwCRUUw\n" + "ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCpyz97liuWPDYcLH9TX8Bi\n" + "T78olCmAfmevvch6ncXUVuCzbdaKuKXwn4EVbDszsVJLoK5zdtP+X3iDhutj+IgK\n" + "mLhuczF3M9VIcWr+JJUyTH4+3h/RT8cjCDZOmk9iXkb5ifruVsLqzb9g+Vp140Oz\n" + "7leikne7KmclHvTfvFd0WDI7Gb9vo4f5rT717BXJ/n+M6pNk8DLpLiEu6eziYvXR\n" + "v5x+t5Go3x0eCXdaxEQUf2j876Wfr2qHRJK7lDfFe1DDsMg/KpKGiILYZ+g2qtVM\n" + "ZSxtp5BZEtfB5qV/IE5kWO+mCIAGpXSZIdbERR6pZUq8GLEe1T9e+sO6H24w2F19\n" + "AgMBAAGjgYUwgYIwNAYDVR0fBC0wKzApoCegJYYjbGRhcDovL2xkYXAuaG9zdC5m\n" + "b3IuY3JsZHAvbWFpbi5jcmwwSgYIKwYBBQUHAQEEPjA8MDoGCCsGAQUFBzAChi5s\n" + "ZGFwOi8vbGRhcC5ob3N0LmZvci5haWEvZGM9Um9vdD9jQUNlcnRpZmljYXRlMA0G\n" + "CSqGSIb3DQEBDQUAA4IBAQBWDfZHpuUx0yn5d3+BuztFqoks1MkGdk+USlH0TB1/\n" + "gWWBd+4S4PCKlpSur0gj2rMW4fP5HQfNlHci8JV8/bG4KuKRAXW56dg1818Hl3pc\n" + "iIrUSRn8uUjH3p9qb+Rb/u3mmVQRyJjN2t/zceNsO8/+Dd808OB9aEwGs8lMT0nn\n" + "ZYaaAqYz1GIY/Ecyx1vfEZEQ1ljo6i/r70C3igbypBUShxSiGsleiVTLOGNA+MN1\n" + "/a/Qh0bkaQyTGqK3bwvzzMeQVqWu2EWTBD/PmND5ExkpRICdv8LBVXfLnpoBr4lL\n" + "hnxn9+e0Ah+t8dS5EKfn44w5bI5PCu2bqxs6RCTxNjcY\n" + "-----END CERTIFICATE-----\n"; private static final char[] PASSWD2 = new char[] { 'b', 'o', 'r', 'e', 'd' }; private static final char[] PASSWDK = "cannot be null" .toCharArray(); private static final String[] KS_Type = { "jks", "jceks", "pkcs12", "PKCS11KeyStore" }; private static final String[] PROVIDERS = { "SUN", "SunJCE", "SunJSSE" }; private static final String ALIAS_HEAD = "test"; private static final String CRYPTO_ALG = "PBEWithHmacSHA256AndAES_128"; public static void main(String args[]) throws Exception { TestKeyStoreBasic jstest = new TestKeyStoreBasic(); jstest.run(); } public void run() throws Exception { for (String provider : PROVIDERS) { runTest(provider); System.out.println("Test with provider " + provider + " passed"); } } public void runTest(String provider) throws Exception { // load private key // all keystore types should support private keys KeySpec spec = new PKCS8EncodedKeySpec( Base64.getMimeDecoder().decode(PRIVATE_KEY_PKCS8_BASE64)); PrivateKey privateKey = KeyFactory.getInstance("RSA") .generatePrivate(spec); // load x509 certificate Certificate cert; try (InputStream is = new BufferedInputStream( new ByteArrayInputStream(CERTIFICATE.getBytes()))) { cert = CertificateFactory.getInstance("X.509") .generateCertificate(is); } int numEntries = 5; String type = null; for (int i = 0; i < PROVIDERS.length; i++) { if (provider.compareTo(PROVIDERS[i]) == 0) { type = KS_Type[i]; break; } } System.out.printf("Test %s provider and %s keystore%n", provider, type); KeyStore ks = KeyStore.getInstance(type, provider); KeyStore ks2 = KeyStore.getInstance(type, ks.getProvider().getName()); // create an empty key store ks.load(null, null); // unit test - test with null password try { ks.setKeyEntry(ALIAS_HEAD, privateKey, null, new Certificate[] { cert }); } catch (KeyStoreException e) { if (!e.getMessage().contains("password can\'t be null")) { throw new RuntimeException("Unexpected message:" + e.getMessage()); } // expected } // store the secret keys for (int j = 0; j < numEntries; j++) { ks.setKeyEntry(ALIAS_HEAD + j, privateKey, PASSWDK, new Certificate[] { cert }); } // initialize the 2nd key store object with the 1st one ByteArrayOutputStream baos = new ByteArrayOutputStream(); ks.store(baos, PASSWDK); byte[] bArr = baos.toByteArray(); ByteArrayInputStream bais = new ByteArrayInputStream(bArr); ks2.load(bais, null); // check 2nd key store type checkType(ks2, type); // check the existing aliases for the 2nd key store checkAlias(ks2, numEntries); // compare the creation date of the 2 key stores for all aliases compareCreationDate(ks, ks2, numEntries); // remove the last entry from the 2nd key store numEntries--; ks2.deleteEntry(ALIAS_HEAD + numEntries); // re-initialize the 1st key store with the 2nd key store baos.reset(); ks2.store(baos, PASSWD2); bais = new ByteArrayInputStream(baos.toByteArray()); try { // expect an exception since the password is incorrect ks.load(bais, PASSWDK); throw new RuntimeException( "ERROR: passed the loading with incorrect password"); } catch (IOException ex) { System.out.println("Expected exception: " + ex); if (!causedBy(ex, UnrecoverableKeyException.class)) { ex.printStackTrace(System.out); throw new RuntimeException("Unexpected cause"); } System.out.println("Expected cause: " + UnrecoverableKeyException.class.getName()); bais.reset(); ks.load(bais, PASSWD2); bais.reset(); ks.load(bais, null); } // check key store type checkType(ks, type); // check the existing aliases checkAlias(ks, numEntries); // compare the creation date of the 2 key stores for all aliases compareCreationDate(ks, ks2, numEntries); // check setEntry/getEntry with a password protection algorithm if ("PKCS12".equalsIgnoreCase(ks.getType())) { System.out.println( "Skipping the setEntry/getEntry check for PKCS12 keystore..."); return; } String alias = ALIAS_HEAD + ALIAS_HEAD; KeyStore.PasswordProtection pw = new KeyStore.PasswordProtection(PASSWD2, CRYPTO_ALG, null); KeyStore.PrivateKeyEntry entry = new KeyStore.PrivateKeyEntry(privateKey, new Certificate[]{ cert }); checkSetEntry(ks, alias, pw, entry); ks.setEntry(alias, entry, new KeyStore.PasswordProtection(PASSWD2)); checkGetEntry(ks, alias, pw); } // check setEntry with a password protection algorithm private void checkSetEntry(KeyStore ks, String alias, KeyStore.PasswordProtection pw, KeyStore.Entry entry) throws Exception { try { ks.setEntry(alias, entry, pw); throw new Exception( "ERROR: expected KeyStore.setEntry to throw an exception"); } catch (KeyStoreException e) { // ignore the expected exception } } // check getEntry with a password protection algorithm private void checkGetEntry(KeyStore ks, String alias, KeyStore.PasswordProtection pw) throws Exception { try { ks.getEntry(alias, pw); throw new Exception( "ERROR: expected KeyStore.getEntry to throw an exception"); } catch (KeyStoreException e) { // ignore the expected exception } } // check key store type private void checkType(KeyStore obj, String type) { if (!obj.getType().equals(type)) { throw new RuntimeException("ERROR: wrong key store type"); } } // check the existing aliases private void checkAlias(KeyStore obj, int range) throws KeyStoreException { for (int k = 0; k < range; k++) { if (!obj.containsAlias(ALIAS_HEAD + k)) { throw new RuntimeException("ERROR: alias (" + k + ") should exist"); } } } // compare the creation dates - true if all the same private void compareCreationDate(KeyStore o1, KeyStore o2, int range) throws KeyStoreException { String alias; for (int k = 0; k < range; k++) { alias = ALIAS_HEAD + k; if (!o1.getCreationDate(alias).equals(o2.getCreationDate(alias))) { throw new RuntimeException("ERROR: entry creation time (" + k + ") differs"); } } } // checks if an exception was caused by specified exception class private static boolean causedBy(Exception e, Class klass) { Throwable cause = e; while ((cause = cause.getCause()) != null) { if (cause.getClass().equals(klass)) { return true; } } return false; } }