/* * Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ import jdk.test.lib.SecurityTools; import sun.security.util.ObjectIdentifier; import java.nio.file.Files; import java.nio.file.Path; import java.util.ArrayList; import java.util.List; import static jdk.test.lib.security.DerUtils.*; import static sun.security.pkcs.ContentInfo.DATA_OID; import static sun.security.pkcs.ContentInfo.ENCRYPTED_DATA_OID; import sun.security.util.ObjectIdentifier; import sun.security.util.KnownOIDs; /* * @test * @bug 8076190 8242151 * @library /test/lib * @modules java.base/sun.security.pkcs * java.base/sun.security.util * @summary Checks the preferences order of pkcs12 params */ public class ParamsPreferences { public static final void main(String[] args) throws Exception { int c = 0; // with storepass test(c++, "-", "-", oid(KnownOIDs.PBEWithSHA1AndRC2_40), 50000, oid(KnownOIDs.PBEWithSHA1AndDESede), 50000, oid(KnownOIDs.SHA_1), 100000); // password-less with system property test(c++, "keystore.pkcs12.certProtectionAlgorithm", "NONE", "keystore.pkcs12.macAlgorithm", "NONE", "-", "-", null, 0, oid(KnownOIDs.PBEWithSHA1AndDESede), 50000, null, 0); // password-less with security property test(c++, "-", "keystore.pkcs12.certProtectionAlgorithm", "NONE", "keystore.pkcs12.macAlgorithm", "NONE", "-", null, 0, oid(KnownOIDs.PBEWithSHA1AndDESede), 50000, null, 0); // back to with storepass by overriding security property with system property test(c++, "keystore.pkcs12.certProtectionAlgorithm", "PBEWithSHA1AndDESede", "keystore.pkcs12.macAlgorithm", "HmacPBESHA256", "-", "keystore.pkcs12.certProtectionAlgorithm", "NONE", "keystore.pkcs12.macAlgorithm", "NONE", "-", oid(KnownOIDs.PBEWithSHA1AndDESede), 50000, oid(KnownOIDs.PBEWithSHA1AndDESede), 50000, oid(KnownOIDs.SHA_256), 100000); // back to with storepass by using "" to force hardcoded default test(c++, "keystore.pkcs12.certProtectionAlgorithm", "", "keystore.pkcs12.keyProtectionAlgorithm", "", "keystore.pkcs12.macAlgorithm", "", "-", "keystore.pkcs12.certProtectionAlgorithm", "NONE", "keystore.pkcs12.keyProtectionAlgorithm", "PBEWithSHA1AndRC2_40", "keystore.pkcs12.macAlgorithm", "NONE", "-", oid(KnownOIDs.PBEWithSHA1AndRC2_40), 50000, oid(KnownOIDs.PBEWithSHA1AndDESede), 50000, oid(KnownOIDs.SHA_1), 100000); // change everything with system property test(c++, "keystore.pkcs12.certProtectionAlgorithm", "PBEWithSHA1AndDESede", "keystore.pkcs12.certPbeIterationCount", 3000, "keystore.pkcs12.keyProtectionAlgorithm", "PBEWithSHA1AndRC2_40", "keystore.pkcs12.keyPbeIterationCount", 4000, "keystore.pkcs12.macAlgorithm", "HmacPBESHA256", "keystore.pkcs12.macIterationCount", 2000, "-", "-", oid(KnownOIDs.PBEWithSHA1AndDESede), 3000, oid(KnownOIDs.PBEWithSHA1AndRC2_40), 4000, oid(KnownOIDs.SHA_256), 2000); // change everything with security property test(c++, "-", "keystore.pkcs12.certProtectionAlgorithm", "PBEWithSHA1AndDESede", "keystore.pkcs12.certPbeIterationCount", 3000, "keystore.pkcs12.keyProtectionAlgorithm", "PBEWithSHA1AndRC2_40", "keystore.pkcs12.keyPbeIterationCount", 4000, "keystore.pkcs12.macAlgorithm", "HmacPBESHA256", "keystore.pkcs12.macIterationCount", 2000, "-", oid(KnownOIDs.PBEWithSHA1AndDESede), 3000, oid(KnownOIDs.PBEWithSHA1AndRC2_40), 4000, oid(KnownOIDs.SHA_256), 2000); // override security property with system property test(c++, "keystore.pkcs12.certProtectionAlgorithm", "PBEWithSHA1AndDESede", "keystore.pkcs12.certPbeIterationCount", 13000, "keystore.pkcs12.keyProtectionAlgorithm", "PBEWithSHA1AndRC2_40", "keystore.pkcs12.keyPbeIterationCount", 14000, "keystore.pkcs12.macAlgorithm", "HmacPBESHA256", "keystore.pkcs12.macIterationCount", 12000, "-", "keystore.pkcs12.certProtectionAlgorithm", "PBEWithSHA1AndRC2_40", "keystore.pkcs12.certPbeIterationCount", 3000, "keystore.pkcs12.keyProtectionAlgorithm", "PBEWithSHA1AndDESede", "keystore.pkcs12.keyPbeIterationCount", 4000, "keystore.pkcs12.macAlgorithm", "HmacPBESHA1", "keystore.pkcs12.macIterationCount", 2000, "-", oid(KnownOIDs.PBEWithSHA1AndDESede), 13000, oid(KnownOIDs.PBEWithSHA1AndRC2_40), 14000, oid(KnownOIDs.SHA_256), 12000); // check keyProtectionAlgorithm old behavior. Preferences of // 4 different settings. test(c++, "-", "keystore.PKCS12.keyProtectionAlgorithm", "PBEWithSHA1AndRC2_128", "-", oid(KnownOIDs.PBEWithSHA1AndRC2_40), 50000, oid(KnownOIDs.PBEWithSHA1AndRC2_128), 50000, oid(KnownOIDs.SHA_1), 100000); test(c++, "-", "keystore.PKCS12.keyProtectionAlgorithm", "PBEWithSHA1AndRC2_128", "keystore.pkcs12.keyProtectionAlgorithm", "PBEWithSHA1AndRC2_40", "-", oid(KnownOIDs.PBEWithSHA1AndRC2_40), 50000, oid(KnownOIDs.PBEWithSHA1AndRC2_40), 50000, oid(KnownOIDs.SHA_1), 100000); test(c++, "keystore.PKCS12.keyProtectionAlgorithm", "PBEWithSHA1AndRC4_128", "-", "keystore.PKCS12.keyProtectionAlgorithm", "PBEWithSHA1AndRC2_128", "keystore.pkcs12.keyProtectionAlgorithm", "PBEWithSHA1AndRC2_40", "-", oid(KnownOIDs.PBEWithSHA1AndRC2_40), 50000, oid(KnownOIDs.PBEWithSHA1AndRC4_128), 50000, oid(KnownOIDs.SHA_1), 100000); test(c++, "keystore.PKCS12.keyProtectionAlgorithm", "PBEWithSHA1AndRC4_128", "keystore.pkcs12.keyProtectionAlgorithm", "PBEWithSHA1AndRC4_40", "-", "keystore.PKCS12.keyProtectionAlgorithm", "PBEWithSHA1AndRC2_128", "keystore.pkcs12.keyProtectionAlgorithm", "PBEWithSHA1AndRC2_40", "-", oid(KnownOIDs.PBEWithSHA1AndRC2_40), 50000, oid(KnownOIDs.PBEWithSHA1AndRC4_40), 50000, oid(KnownOIDs.SHA_1), 100000); } private static ObjectIdentifier oid(KnownOIDs o) { return ObjectIdentifier.of(o); } /** * Run once. * * @param args an array containing system properties and values, "-", * security properties and values, "-", expected certPbeAlg, * certPbeIC, keyPbeAlg, keyPbeIc, macAlg, macIC. */ static void test(int n, Object... args) throws Exception { boolean isSysProp = true; String cmd = "-keystore ks" + n + " -genkeypair -keyalg EC " + "-alias a -dname CN=A -storepass changeit " + "-J-Djava.security.properties=" + n + ".conf"; List jsConf = new ArrayList<>(); for (int i = 0; i < args.length; i++) { if (isSysProp) { if (args[i].equals("-")) { isSysProp = false; } else { cmd += " -J-D" + args[i] + "=" + args[++i]; } } else { if (args[i] == "-") { Files.write(Path.of(n + ".conf"), jsConf); System.out.println("--------- test starts ----------"); System.out.println(jsConf); SecurityTools.keytool(cmd).shouldHaveExitValue(0); byte[] data = Files.readAllBytes(Path.of("ks" + n)); // cert pbe alg + ic if (args[i+1] == null) { checkAlg(data, "110c10", DATA_OID); } else { checkAlg(data, "110c10", ENCRYPTED_DATA_OID); checkAlg(data, "110c110110", (ObjectIdentifier)args[i+1]); checkInt(data, "110c1101111", (int)args[i+2]); } // key pbe alg + ic checkAlg(data, "110c010c01000", (ObjectIdentifier)args[i+3]); checkInt(data, "110c010c010011", (int)args[i+4]); // mac alg + ic if (args[i+5] == null) { shouldNotExist(data, "2"); } else { checkAlg(data, "2000", (ObjectIdentifier)args[i+5]); checkInt(data, "22", (int)args[i+6]); } } else { jsConf.add(args[i] + "=" + args[++i]); } } } } }