304 lines
12 KiB
Java
304 lines
12 KiB
Java
/*
|
|
* Copyright (c) 2014, 2018, Oracle and/or its affiliates. All rights reserved.
|
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
*
|
|
* This code is free software; you can redistribute it and/or modify it
|
|
* under the terms of the GNU General Public License version 2 only, as
|
|
* published by the Free Software Foundation.
|
|
*
|
|
* This code is distributed in the hope that it will be useful, but WITHOUT
|
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
* version 2 for more details (a copy is included in the LICENSE file that
|
|
* accompanied this code).
|
|
*
|
|
* You should have received a copy of the GNU General Public License version
|
|
* 2 along with this work; if not, write to the Free Software Foundation,
|
|
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
*
|
|
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
|
* or visit www.oracle.com if you need additional information or have any
|
|
* questions.
|
|
*/
|
|
|
|
/*
|
|
* @test
|
|
* @bug 8044445 8194307 8207318
|
|
* @summary test new methods from JEP-229: Create PKCS12 Keystores by Default
|
|
*/
|
|
|
|
import java.io.*;
|
|
import java.security.*;
|
|
import java.security.KeyStore.*;
|
|
import java.security.cert.*;
|
|
import javax.crypto.*;
|
|
import javax.security.auth.callback.*;
|
|
|
|
public class ProbeKeystores {
|
|
private static final char[] PASSWORD = "changeit".toCharArray();
|
|
private static final char[] BAD_PASSWORD = "badpasword".toCharArray();
|
|
private static final LoadStoreParameter LOAD_STORE_PARAM =
|
|
new MyLoadStoreParameter(new PasswordProtection(PASSWORD));
|
|
private static final LoadStoreParameter BAD_LOAD_STORE_PARAM =
|
|
new MyLoadStoreParameter(new PasswordProtection(BAD_PASSWORD));
|
|
private static final String DIR = System.getProperty("test.src", ".");
|
|
private static final String CERT_FILE = "trusted.pem";
|
|
|
|
private static class MyLoadStoreParameter implements LoadStoreParameter {
|
|
|
|
private ProtectionParameter protection;
|
|
|
|
MyLoadStoreParameter(ProtectionParameter protection) {
|
|
this.protection = protection;
|
|
}
|
|
|
|
public ProtectionParameter getProtectionParameter() {
|
|
return protection;
|
|
}
|
|
}
|
|
|
|
public static final void main(String[] args) throws Exception {
|
|
|
|
// Testing empty keystores
|
|
|
|
init("empty.jks", "JKS");
|
|
init("empty.jceks", "JCEKS");
|
|
init("empty.p12", "PKCS12");
|
|
|
|
load("empty.jks", "JKS");
|
|
load("empty.jceks", "JCEKS");
|
|
load("empty.p12", "PKCS12");
|
|
load("empty.jks", "PKCS12"); // test compatibility mode
|
|
load("empty.p12", "JKS"); // test compatibility mode
|
|
load("empty.jks", "PKCS12", true); // test without compatibility mode
|
|
load("empty.jks", "JKS", false); // test without compatibility mode
|
|
load("empty.p12", "JKS", true); // test without compatibility mode
|
|
load("empty.p12", "PKCS12", false); // test without compatibility mode
|
|
|
|
probe("empty.jks", "JKS");
|
|
probe("empty.jceks", "JCEKS");
|
|
probe("empty.p12", "PKCS12");
|
|
|
|
build("empty.jks", "JKS", true);
|
|
build("empty.jks", "JKS", false);
|
|
build("empty.jceks", "JCEKS", true);
|
|
build("empty.jceks", "JCEKS", false);
|
|
build("empty.p12", "PKCS12", true);
|
|
build("empty.p12", "PKCS12", false);
|
|
|
|
// Testing keystores containing an X.509 certificate
|
|
|
|
X509Certificate cert = loadCertificate(CERT_FILE);
|
|
init("onecert.jks", "JKS", cert);
|
|
init("onecert.jceks", "JCEKS", cert);
|
|
init("onecert.p12", "PKCS12", cert);
|
|
|
|
load("onecert.jks", "JKS");
|
|
load("onecert.jceks", "JCEKS");
|
|
load("onecert.p12", "PKCS12");
|
|
load("onecert.jks", "PKCS12"); // test compatibility mode
|
|
load("onecert.p12", "JKS"); // test compatibility mode
|
|
load("onecert.jks", "PKCS12", true); // test without compatibility mode
|
|
load("onecert.jks", "JKS", false); // test without compatibility mode
|
|
load("onecert.p12", "JKS", true); // test without compatibility mode
|
|
load("onecert.p12", "PKCS12", false); // test without compatibility mode
|
|
|
|
probe("onecert.jks", "JKS");
|
|
probe("onecert.jceks", "JCEKS");
|
|
probe("onecert.p12", "PKCS12");
|
|
|
|
build("onecert.jks", "JKS", true);
|
|
build("onecert.jks", "JKS", false);
|
|
build("onecert.jceks", "JCEKS", true);
|
|
build("onecert.jceks", "JCEKS", false);
|
|
build("onecert.p12", "PKCS12", true);
|
|
build("onecert.p12", "PKCS12", false);
|
|
|
|
// Testing keystores containing a secret key
|
|
|
|
SecretKey key = generateSecretKey("AES", 128);
|
|
init("onekey.jceks", "JCEKS", key);
|
|
init("onekey.p12", "PKCS12", key);
|
|
|
|
load("onekey.jceks", "JCEKS");
|
|
load("onekey.p12", "PKCS12");
|
|
load("onekey.p12", "JKS"); // test compatibility mode
|
|
load("onekey.p12", "JKS", true); // test without compatibility mode
|
|
load("onekey.p12", "PKCS12", false); // test without compatibility mode
|
|
|
|
probe("onekey.jceks", "JCEKS");
|
|
probe("onekey.p12", "PKCS12");
|
|
|
|
build("onekey.jceks", "JCEKS", true);
|
|
build("onekey.jceks", "JCEKS", false);
|
|
build("onekey.p12", "PKCS12", true);
|
|
build("onekey.p12", "PKCS12", false);
|
|
|
|
System.out.println("OK.");
|
|
}
|
|
|
|
// Instantiate an empty keystore using the supplied keystore type
|
|
private static void init(String file, String type) throws Exception {
|
|
KeyStore ks = KeyStore.getInstance(type);
|
|
ks.load(null, null);
|
|
try (OutputStream stream = new FileOutputStream(file)) {
|
|
ks.store(stream, PASSWORD);
|
|
}
|
|
System.out.println("Created a " + type + " keystore named '" + file + "'");
|
|
}
|
|
|
|
// Instantiate a keystore using the supplied keystore type & create an entry
|
|
private static void init(String file, String type, X509Certificate cert)
|
|
throws Exception {
|
|
KeyStore ks = KeyStore.getInstance(type);
|
|
ks.load(null, null);
|
|
ks.setEntry("mycert", new KeyStore.TrustedCertificateEntry(cert), null);
|
|
try (OutputStream stream = new FileOutputStream(file)) {
|
|
ks.store(stream, PASSWORD);
|
|
}
|
|
System.out.println("Created a " + type + " keystore named '" + file + "'");
|
|
}
|
|
|
|
// Instantiate a keystore using the supplied keystore type & create an entry
|
|
private static void init(String file, String type, SecretKey key)
|
|
throws Exception {
|
|
KeyStore ks = KeyStore.getInstance(type);
|
|
ks.load(null, null);
|
|
ks.setEntry("mykey", new KeyStore.SecretKeyEntry(key),
|
|
new PasswordProtection(PASSWORD));
|
|
try (OutputStream stream = new FileOutputStream(file)) {
|
|
ks.store(stream, PASSWORD);
|
|
}
|
|
System.out.println("Created a " + type + " keystore named '" + file + "'");
|
|
}
|
|
|
|
// Instantiate a keystore by probing the supplied file for the keystore type
|
|
private static void probe(String file, String type) throws Exception {
|
|
// First try with the correct password
|
|
KeyStore ks = KeyStore.getInstance(new File(file), PASSWORD);
|
|
if (!type.equalsIgnoreCase(ks.getType())) {
|
|
throw new Exception("ERROR: expected a " + type + " keystore, " +
|
|
"got a " + ks.getType() + " keystore instead");
|
|
} else {
|
|
System.out.println("Probed a " + type + " keystore named '" + file
|
|
+ "' with " + ks.size() + " entries");
|
|
}
|
|
|
|
// Next try with an incorrect password
|
|
try {
|
|
ks = KeyStore.getInstance(new File(file), BAD_PASSWORD);
|
|
throw new Exception("ERROR: expected an exception but got success");
|
|
} catch (IOException e) {
|
|
System.out.println("Failed to load a " + type + " keystore named '" + file + "' (as expected)");
|
|
}
|
|
|
|
// Now try with the correct password within a LoadStoreParameter
|
|
ks = KeyStore.getInstance(new File(file), LOAD_STORE_PARAM);
|
|
if (!type.equalsIgnoreCase(ks.getType())) {
|
|
throw new Exception("ERROR: expected a " + type + " keystore, " +
|
|
"got a " + ks.getType() + " keystore instead");
|
|
} else {
|
|
System.out.println("Probed a " + type + " keystore named '" + file
|
|
+ "' with " + ks.size() + " entries");
|
|
}
|
|
|
|
// Next try with an incorrect password within a LoadStoreParameter
|
|
try {
|
|
ks = KeyStore.getInstance(new File(file), BAD_LOAD_STORE_PARAM);
|
|
throw new Exception("ERROR: expected an exception but got success");
|
|
} catch (IOException e) {
|
|
System.out.println("Failed to load a " + type + " keystore named '" + file + "' (as expected)");
|
|
}
|
|
}
|
|
|
|
// Instantiate a keystore by probing the supplied file for the keystore type
|
|
private static void build(String file, String type, boolean usePassword)
|
|
throws Exception {
|
|
|
|
Builder builder;
|
|
if (usePassword) {
|
|
builder = Builder.newInstance(new File(file),
|
|
new PasswordProtection(PASSWORD));
|
|
} else {
|
|
builder = Builder.newInstance(new File(file),
|
|
new CallbackHandlerProtection(new DummyHandler()));
|
|
}
|
|
KeyStore ks = builder.getKeyStore();
|
|
if (!type.equalsIgnoreCase(ks.getType())) {
|
|
throw new Exception("ERROR: expected a " + type + " keystore, " +
|
|
"got a " + ks.getType() + " keystore instead");
|
|
} else {
|
|
System.out.println("Built a " + type + " keystore named '" + file + "'");
|
|
}
|
|
}
|
|
|
|
// Load the keystore entries
|
|
private static void load(String file, String type) throws Exception {
|
|
KeyStore ks = KeyStore.getInstance(type);
|
|
try (InputStream stream = new FileInputStream(file)) {
|
|
ks.load(stream, PASSWORD);
|
|
}
|
|
if (!type.equalsIgnoreCase(ks.getType())) {
|
|
throw new Exception("ERROR: expected a " + type + " keystore, " +
|
|
"got a " + ks.getType() + " keystore instead");
|
|
} else {
|
|
System.out.println("Loaded a " + type + " keystore named '" + file + "'");
|
|
}
|
|
}
|
|
|
|
// Load the keystore entries (with compatibility mode disabled)
|
|
private static void load(String file, String type, boolean expectFailure)
|
|
throws Exception {
|
|
Security.setProperty("keystore.type.compat", "false");
|
|
try {
|
|
load(file, type);
|
|
if (expectFailure) {
|
|
throw new Exception("ERROR: expected load to fail but it didn't");
|
|
}
|
|
} catch (IOException e) {
|
|
if (expectFailure) {
|
|
System.out.println("Failed to load a " + type + " keystore named '" + file + "' (as expected)");
|
|
} else {
|
|
throw e;
|
|
}
|
|
} finally {
|
|
Security.setProperty("keystore.type.compat", "true");
|
|
}
|
|
}
|
|
|
|
// Read an X.509 certificate from the supplied file
|
|
private static X509Certificate loadCertificate(String certFile)
|
|
throws Exception {
|
|
X509Certificate cert = null;
|
|
try (FileInputStream certStream =
|
|
new FileInputStream(DIR + "/" + certFile)) {
|
|
CertificateFactory factory =
|
|
CertificateFactory.getInstance("X.509");
|
|
return (X509Certificate) factory.generateCertificate(certStream);
|
|
}
|
|
}
|
|
|
|
// Generate a secret key using the supplied algorithm name and key size
|
|
private static SecretKey generateSecretKey(String algorithm, int size)
|
|
throws NoSuchAlgorithmException {
|
|
KeyGenerator generator = KeyGenerator.getInstance(algorithm);
|
|
generator.init(size);
|
|
return generator.generateKey();
|
|
}
|
|
|
|
private static class DummyHandler implements CallbackHandler {
|
|
public void handle(Callback[] callbacks)
|
|
throws IOException, UnsupportedCallbackException {
|
|
System.out.println("** Callbackhandler invoked");
|
|
for (int i = 0; i < callbacks.length; i++) {
|
|
Callback cb = callbacks[i];
|
|
if (cb instanceof PasswordCallback) {
|
|
PasswordCallback pcb = (PasswordCallback)cb;
|
|
pcb.setPassword(PASSWORD);
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|