372 lines
18 KiB
Java
372 lines
18 KiB
Java
/*
|
|
* Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
|
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
*
|
|
* This code is free software; you can redistribute it and/or modify it
|
|
* under the terms of the GNU General Public License version 2 only, as
|
|
* published by the Free Software Foundation.
|
|
*
|
|
* This code is distributed in the hope that it will be useful, but WITHOUT
|
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
* version 2 for more details (a copy is included in the LICENSE file that
|
|
* accompanied this code).
|
|
*
|
|
* You should have received a copy of the GNU General Public License version
|
|
* 2 along with this work; if not, write to the Free Software Foundation,
|
|
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
*
|
|
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
|
* or visit www.oracle.com if you need additional information or have any
|
|
* questions.
|
|
*/
|
|
|
|
import static java.lang.System.out;
|
|
|
|
import java.io.ByteArrayInputStream;
|
|
import java.io.File;
|
|
import java.io.FileNotFoundException;
|
|
import java.io.FileOutputStream;
|
|
import java.io.IOException;
|
|
import java.nio.file.Files;
|
|
import java.nio.file.Paths;
|
|
import java.security.Key;
|
|
import java.security.KeyStore;
|
|
import java.security.KeyStoreException;
|
|
import java.security.NoSuchAlgorithmException;
|
|
import java.security.NoSuchProviderException;
|
|
import java.security.UnrecoverableKeyException;
|
|
import java.security.cert.Certificate;
|
|
import java.security.cert.CertificateException;
|
|
import java.security.cert.CertificateFactory;
|
|
import java.security.cert.X509Certificate;
|
|
import java.util.Arrays;
|
|
import java.util.Base64;
|
|
import java.util.Enumeration;
|
|
|
|
/*
|
|
* @test
|
|
* @bug 8048618
|
|
* @summary Write different types p12 key store to Check the write related
|
|
* APIs.
|
|
* @run main WriteP12Test
|
|
*/
|
|
|
|
public class WriteP12Test {
|
|
|
|
private static final String IN_KEYSTORE_TYPE = "jks";
|
|
private static final String IN_KEYSTORE_PRV = "SUN";
|
|
|
|
private static final String IN_KEYSTORE_ENDUSER = "keystoreEU.jks.data";
|
|
private static final String IN_KEYSTORE_CA = "keystoreCA.jks.data";
|
|
private static final String OUT_KEYSTORE = "outKeyStore.p12";
|
|
|
|
private static final String IN_STORE_PASS = "storepass";
|
|
private static final String IN_KEY_PASS = "keypass";
|
|
|
|
private static final String CERT_PATH = System.getProperty("test.src", ".")
|
|
+ File.separator + "certs" + File.separator + "writeP12"
|
|
+ File.separator;
|
|
|
|
private static final String CA_CERT_STR = "-----BEGIN CERTIFICATE-----\n"
|
|
+ "MIIDFzCCAf8CBD8+0nAwDQYJKoZIhvcNAQEFBQAwUDELMAkGA1UEBhMCV\n"
|
|
+ "VMxETAPBgNVBAoTCEphdmFTb2Z0MRUwEwYDVQQLEwxTZWN1cml0eSBTUU\n"
|
|
+ "UxFzAVBgNVBAMTDlBLQ1MxMiBUZXN0IENBMB4XDTAzMDgxNzAwNTUxMlo\n"
|
|
+ "XDTEzMDgxNDAwNTUxMlowUDELMAkGA1UEBhMCVVMxETAPBgNVBAoTCEph\n"
|
|
+ "dmFTb2Z0MRUwEwYDVQQLEwxTZWN1cml0eSBTUUUxFzAVBgNVBAMTDlBLQ\n"
|
|
+ "1MxMiBUZXN0IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQ\n"
|
|
+ "EAk7Sh+K/yGsmJacZnjfkZfuWxGNJCPW0q69exwoRP+eBHMQwG00yi9aL\n"
|
|
+ "SsZAqNpJSCDvpgySOAUmBd+f8WFhHqJfRVREVfv3mradDKZCjhqtsUI7I\n"
|
|
+ "wRTYYy9clFkeeK4dHaxbuFMPpUu7yQfwSTXgvOA/UJ4kJuGtaYAdTJI4e\n"
|
|
+ "f1mUASo6+dea0UZA/FHCuV7O6z3hr5VHlyhJL2/o/8M5tGBTBISODJSnn\n"
|
|
+ "GNBvtQLNHnWYvs470UAE2BtuCGYh1V/3HAH1tRirS3MBBcb1XnIkiiXR3\n"
|
|
+ "tjaBSB+XhoCfuG8KtInXXFaAnvKfY9mYFw6VJt9JYQpY2VDC7281/Pbz0\n"
|
|
+ "dQIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQBzXZ8zHWrnC8/E+N/n2Czhx\n"
|
|
+ "i18YQc2LPWBDLYTTxoFEazWmYLv1k/JT7Nta1qu1quvxXJ4uV1XHbd9NF\n"
|
|
+ "AJWKwtFQEpfv4o6I7qWUPoxnfA+jyqKXxv27z25tzt+Y4xOEhqvO03G0Q\n"
|
|
+ "imhkiNt9MF7L69y2U0/U73+uFNGzdAEDiI9EibvICiOnr1TeQ5GekK3Yb\n"
|
|
+ "k5qe3lviMZPkkSXepTJI8m0AiXCji+eXj97jVLeH+RxeBchBY+uELrqUr\n"
|
|
+ "sVOVWh7IBCqC/V7FqUTkmD1IFlzkkinatpl42s1MbhJId2yQkzaeBRc\n"
|
|
+ "suE63bDEtuRWp9ynMO3QA4Yu85uBRWGzQ1Di\n"
|
|
+ "-----END CERTIFICATE-----";
|
|
private static final String LEAD_CERT = "-----BEGIN CERTIFICATE-----\n"
|
|
+ "MIICwDCCAaigAwIBAgIEPz7S1jANBgkqhkiG9w0BAQQFADBQMQswCQYDV\n"
|
|
+ "QQGEwJVUzERMA8GA1UEChMISmF2YVNvZnQxFTATBgNVBAsTDFNlY3VyaX\n"
|
|
+ "R5IFNRRTEXMBUGA1UEAxMOUEtDUzEyIFRlc3QgQ0EwHhcNMDAwODA5MDc\n"
|
|
+ "wMDAwWhcNMTAwODA3MDcwMDAwWjBSMQswCQYDVQQGEwJVUzERMA8GA1UE\n"
|
|
+ "ChMISmF2YVNvZnQxFTATBgNVBAsTDFNlY3VyaXR5IFNRRTEZMBcGA1UEA\n"
|
|
+ "xMQUEtDUzEyIFRlc3QgTGVhZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgY\n"
|
|
+ "kCgYEAzq9X2USz/WjDhT+jUyZWqB5h4A33tS11YqH5qYvqjTXjcUI6gOp\n"
|
|
+ "moXMafDG9RHRlIccvp51xLp7Ap3WMrv411lWBttqtZi5c1/DEC1cEM/Sl\n"
|
|
+ "PCk1r2zFbkJu7QKieXeMcrjZEo6LcBHMwQjIpI+up9cr3VjuyqG/olQkU\n"
|
|
+ "mXVuS0CAwEAAaMkMCIwDwYDVR0PAQH/BAUDAweAADAPBgNVHRMBAf8EBT\n"
|
|
+ "ADAQH/MA0GCSqGSIb3DQEBBAUAA4IBAQBhbuim98TWmtv9vSldRE7RvQ8\n"
|
|
+ "FlS0TyZVO7kcSNtfCUE4R76J1ElN74Koc5pQnUtduLeQJs2ao/mEcCZsE\n"
|
|
+ "zVcwI3mSZrSzPhc8s7w5gOQA4TUwVLSSjKgBCaZ7R3+qJ3QeqPJ5O6sFz\n"
|
|
+ "pvBYkgSa4MWptK41jbmT8cwZQJXFCi8WxFFJ+p97F1Ppm3LgmYmtiUP4M\n"
|
|
+ "ZQwOBvpTZWXU0WrqFXpzWQx0mg4SX19fZm4nLcJAerCEUphf8ILagtpQM\n"
|
|
+ "EErT3/jg6mfCdT3Rj055QXPfF4OiRFevPF5a1fZgrCePCukRQZcd7s8K5\n"
|
|
+ "OBIaryuM0MdFtlzxi6XWeUNpVFFHURcy\n"
|
|
+ "-----END CERTIFICATE-----";
|
|
private static final String END_CERT = "-----BEGIN CERTIFICATE-----\n"
|
|
+ "MIICNjCCAZ+gAwIBAgIEPz7WtzANBgkqhkiG9w0BAQQFADBSMQswCQYDV\n"
|
|
+ "QQGEwJVUzERMA8GA1UEChMISmF2YVNvZnQxFTATBgNVBAsTDFNlY3VyaX\n"
|
|
+ "R5IFNRRTEZMBcGA1UEAxMQUEtDUzEyIFRlc3QgTGVhZDAeFw0wMDA4MDk\n"
|
|
+ "wNzAwMDBaFw0xMDA4MDcwNzAwMDBaMFgxCzAJBgNVBAYTAlVTMREwDwYD\n"
|
|
+ "VQQKEwhKYXZhU29mdDEVMBMGA1UECxMMU2VjdXJpdHkgU1FFMR8wHQYDV\n"
|
|
+ "QQDExZQS0NTMTIgVGVzdCBFbmQgVXNlciAxMIGfMA0GCSqGSIb3DQEBAQ\n"
|
|
+ "UAA4GNADCBiQKBgQDIKomSYomDzH/V63eDQEG7od0DLcnnVZ81pbWhDss\n"
|
|
+ "8gHV2m8pADdRqdihBmnSQEaMW4D3uZ4sFE1LtkQls6hjd7SdOsG5Y24L8\n"
|
|
+ "15jot9a2JcB73H8H0VKirrObL5BZdt7BtASPDnYtW4Spt++YjDoJFxyF0\n"
|
|
+ "HchkavzXaVTlexakwIDAQABoxMwETAPBgNVHQ8BAf8EBQMDB4AAMA0GCS\n"
|
|
+ "qGSIb3DQEBBAUAA4GBAIFA3JXEmb9AXn3RD7t+Mn6DoyVDIy5jsn6xOKT\n"
|
|
+ "JV25I0obpDUzgw4QaAMmM0ZvusOmZ2wZNS8MtyTUgdANyakbzn5SdxbTy\n"
|
|
+ "TLEqQsFbX8UVC38fx5ZM6ExA5YSAvgmXudZpOVC0ATccoZS3JFU8CxSfW\n"
|
|
+ "+Q3IC2MLh+QTg3hUJ5b\n-----END CERTIFICATE-----";
|
|
|
|
private final Certificate testerCert;
|
|
private final Certificate testLeadCert;
|
|
private final Certificate caCert;
|
|
|
|
WriteP12Test() throws CertificateException {
|
|
CertificateFactory cf = CertificateFactory.getInstance("X.509");
|
|
caCert = cf.generateCertificate(new ByteArrayInputStream(CA_CERT_STR
|
|
.getBytes()));
|
|
testLeadCert = cf.generateCertificate(new ByteArrayInputStream(
|
|
LEAD_CERT.getBytes()));
|
|
testerCert = cf.generateCertificate(new ByteArrayInputStream(END_CERT
|
|
.getBytes()));
|
|
}
|
|
|
|
public static void main(String[] args) throws CertificateException,
|
|
UnrecoverableKeyException, KeyStoreException,
|
|
NoSuchProviderException, NoSuchAlgorithmException, IOException {
|
|
WriteP12Test jstest = new WriteP12Test();
|
|
out.println("test WriteP12CertChain");
|
|
/*
|
|
* WriteP12CertChain: This test creates a p12 keystore contains one
|
|
* entry with private key and a certificate chains contains three
|
|
* certificates in the order of user->lead->ca. This case expects to
|
|
* pass.
|
|
*/
|
|
jstest.test(new Certificate[] { jstest.testerCert, jstest.testLeadCert,
|
|
jstest.caCert }, IN_KEYSTORE_ENDUSER, "pkcs12testenduser1",
|
|
"pass", "pass");
|
|
|
|
/*
|
|
* WriteP12CertChainBad: same as WriteP12CertChain but chains order is
|
|
* user-ca-lead, the order is wrong so expects to fail.
|
|
*/
|
|
out.println("test WriteP12CertChainBad");
|
|
try {
|
|
jstest.test(new Certificate[] { jstest.testerCert, jstest.caCert,
|
|
jstest.testLeadCert }, IN_KEYSTORE_ENDUSER,
|
|
"pkcs12testenduser1", "pass", "pass");
|
|
throw new RuntimeException(
|
|
" Certificate chain is not valid, test should not pass."
|
|
+ " Test failed.");
|
|
} catch (KeyStoreException e) {
|
|
e.printStackTrace();
|
|
out.println(" Certificate chain is not valid,exception is"
|
|
+ " expected. Test passed.");
|
|
}
|
|
/*
|
|
* WriteP12PrivateKey:This test creates a p12 contains a self-signed
|
|
* cert and private key,expects no exception
|
|
*/
|
|
out.println("test WriteP12PrivateKey");
|
|
jstest.test(null, IN_KEYSTORE_ENDUSER, "pkcs12testenduser1", "pass",
|
|
"pass");
|
|
|
|
/*
|
|
* WriteP12TwoEntry: This test creates a p12 keystore with different
|
|
* storepass and keypass, and contains two entries.
|
|
*/
|
|
out.println("test WriteP12TwoEntry");
|
|
jstest.testTwoEntry(IN_KEYSTORE_ENDUSER, IN_KEYSTORE_CA,
|
|
"pkcs12testenduser1", "pass", "pass");
|
|
/*
|
|
* WriteP12TwoPass: This test creates a p12 keystore with different
|
|
* storepass and keypass, and contains one entry with private key and a
|
|
* certificate
|
|
*/
|
|
out.println("test WriteP12TwoPass");
|
|
jstest.test(null, IN_KEYSTORE_CA, "pkcs12testCA", "storepass",
|
|
"keypass");
|
|
}
|
|
|
|
private void test(Certificate certs[], String inKeyStorePath,
|
|
String userAlias, String outStorePass, String outKeyPass)
|
|
throws KeyStoreException, NoSuchProviderException, IOException,
|
|
CertificateException, UnrecoverableKeyException,
|
|
NoSuchAlgorithmException {
|
|
// init output key store
|
|
KeyStore outputKeyStore = KeyStore.getInstance("pkcs12", "SunJSSE");
|
|
outputKeyStore.load(null, null);
|
|
try (FileOutputStream fout = new FileOutputStream(OUT_KEYSTORE)) {
|
|
// KeyStore have encoded by Base64.getMimeEncoder().encode(),need
|
|
// decode first.
|
|
byte[] input = Files.readAllBytes(Paths.get(CERT_PATH,
|
|
inKeyStorePath));
|
|
ByteArrayInputStream arrayIn = new ByteArrayInputStream(Base64
|
|
.getMimeDecoder().decode(input));
|
|
// input key store
|
|
KeyStore inputKeyStore = KeyStore.getInstance(IN_KEYSTORE_TYPE,
|
|
IN_KEYSTORE_PRV);
|
|
inputKeyStore.load(arrayIn, IN_STORE_PASS.toCharArray());
|
|
// add key/certificate to output key store
|
|
Key key = inputKeyStore
|
|
.getKey(userAlias, IN_KEY_PASS.toCharArray());
|
|
out.println("Input Key Algorithm " + key.getAlgorithm());
|
|
out.println("====Input Certs=====");
|
|
if (certs == null) {
|
|
certs = new Certificate[] { inputKeyStore
|
|
.getCertificate(userAlias) };
|
|
}
|
|
for (Certificate cert : certs) {
|
|
out.println(((X509Certificate) cert).getSubjectDN());
|
|
}
|
|
outputKeyStore.setKeyEntry(userAlias, key,
|
|
outKeyPass.toCharArray(), certs);
|
|
Certificate retCerts[] = outputKeyStore
|
|
.getCertificateChain(userAlias);
|
|
out.println("====Output Certs=====");
|
|
for (Certificate retCert : retCerts) {
|
|
out.println(((X509Certificate) retCert).getSubjectDN());
|
|
}
|
|
out.println("====Output Key Algorithm=====");
|
|
Key outKey = outputKeyStore.getKey(userAlias,
|
|
outKeyPass.toCharArray());
|
|
out.println(outKey.getAlgorithm());
|
|
|
|
if (!key.equals(outKey)) {
|
|
throw new RuntimeException("key don't match");
|
|
}
|
|
if (!Arrays.equals(certs, retCerts)) {
|
|
throw new RuntimeException("certs don't match");
|
|
}
|
|
// save output
|
|
outputKeyStore.store(fout, outStorePass.toCharArray());
|
|
// test output
|
|
testKeyStore(outputKeyStore, outKeyPass.toCharArray());
|
|
}
|
|
}
|
|
|
|
private void testTwoEntry(String inKeyStoreOnePath,
|
|
String inKeyStoreTwoPath, String userAlias, String outStorePass,
|
|
String outKeyPass) throws KeyStoreException,
|
|
NoSuchProviderException, NoSuchAlgorithmException,
|
|
CertificateException, IOException, UnrecoverableKeyException {
|
|
// initial KeyStore
|
|
KeyStore outputKeyStore = KeyStore.getInstance("pkcs12", "SunJSSE");
|
|
try (FileOutputStream fout = new FileOutputStream(OUT_KEYSTORE);) {
|
|
outputKeyStore.load(null, null);
|
|
KeyStore inputKeyStoreOne, inputKeyStoreTwo;
|
|
inputKeyStoreOne = KeyStore.getInstance(IN_KEYSTORE_TYPE,
|
|
IN_KEYSTORE_PRV);
|
|
// KeyStore have encoded by Base64.getMimeEncoder().encode(),need
|
|
// decode first.
|
|
byte[] inputBytes = Files.readAllBytes(Paths.get(CERT_PATH,
|
|
inKeyStoreOnePath));
|
|
ByteArrayInputStream arrayIn = new ByteArrayInputStream(Base64
|
|
.getMimeDecoder().decode(inputBytes));
|
|
// input key store
|
|
inputKeyStoreOne.load(arrayIn, IN_STORE_PASS.toCharArray());
|
|
|
|
inputBytes = Files.readAllBytes(Paths.get(CERT_PATH,
|
|
inKeyStoreTwoPath));
|
|
arrayIn = new ByteArrayInputStream(Base64.getMimeDecoder().decode(
|
|
inputBytes));
|
|
inputKeyStoreTwo = KeyStore.getInstance(IN_KEYSTORE_TYPE,
|
|
IN_KEYSTORE_PRV);
|
|
inputKeyStoreTwo.load(arrayIn, IN_STORE_PASS.toCharArray());
|
|
|
|
// add key/certificate to output key store
|
|
out.println("====First Entry=====");
|
|
Key inputKey = inputKeyStoreOne.getKey(userAlias,
|
|
IN_KEY_PASS.toCharArray());
|
|
Certificate cert = inputKeyStoreOne.getCertificate(userAlias);
|
|
Certificate certs[] = new Certificate[1];
|
|
certs[0] = cert;
|
|
|
|
out.println("====Input1 Key=====");
|
|
out.println(inputKey.getAlgorithm());
|
|
out.println("====Input1 Certs=====");
|
|
out.println("Certificate :");
|
|
out.println(((X509Certificate) cert).getSubjectDN());
|
|
outputKeyStore.setKeyEntry("USER", inputKey,
|
|
outKeyPass.toCharArray(), certs);
|
|
out.println("====Second Entry=====");
|
|
String caAlias = "pkcs12testca";
|
|
inputKey = inputKeyStoreTwo.getKey(caAlias,
|
|
IN_KEY_PASS.toCharArray());
|
|
cert = inputKeyStoreTwo.getCertificate(caAlias);
|
|
certs[0] = cert;
|
|
out.println("====Input2 Key=====");
|
|
out.println(inputKey.getAlgorithm());
|
|
out.println("====Input2 Certs=====");
|
|
out.println("Certificate :");
|
|
out.println(((X509Certificate) cert).getSubjectDN());
|
|
outputKeyStore.setKeyEntry("CA", inputKey,
|
|
outKeyPass.toCharArray(), certs);
|
|
// save output
|
|
outputKeyStore.store(fout, outStorePass.toCharArray());
|
|
// test output
|
|
testKeyStore(outputKeyStore, outKeyPass.toCharArray());
|
|
}
|
|
}
|
|
|
|
private void testKeyStore(KeyStore inputKeyStore, char[] keypass)
|
|
throws KeyStoreException, UnrecoverableKeyException,
|
|
NoSuchAlgorithmException {
|
|
out.println("========== Key Store ==========");
|
|
out.println("getProvider : " + inputKeyStore.getProvider());
|
|
out.println("getType : " + inputKeyStore.getType());
|
|
out.println("getDefaultType : " + KeyStore.getDefaultType());
|
|
|
|
int idx = 0;
|
|
Enumeration<String> e = inputKeyStore.aliases();
|
|
String alias;
|
|
while (e.hasMoreElements()) {
|
|
alias = e.nextElement();
|
|
if (!inputKeyStore.containsAlias(alias)) {
|
|
throw new RuntimeException("Alias not found");
|
|
}
|
|
out.println("Alias " + idx + " : " + alias);
|
|
out.println("getCreationDate : "
|
|
+ inputKeyStore.getCreationDate(alias));
|
|
X509Certificate cert = (X509Certificate) inputKeyStore
|
|
.getCertificate(alias);
|
|
out.println("getCertificate : " + cert.getSubjectDN());
|
|
String retAlias = inputKeyStore.getCertificateAlias(cert);
|
|
if (!retAlias.equals(alias)) {
|
|
throw new RuntimeException("Alias mismatch, actually "
|
|
+ retAlias + ", expected " + alias);
|
|
}
|
|
out.println("getCertificateAlias : " + retAlias);
|
|
Certificate[] certs = inputKeyStore.getCertificateChain(alias);
|
|
int i = 0;
|
|
for (Certificate certification : certs) {
|
|
out.println("getCertificateChain " + i
|
|
+ ((X509Certificate) certification).getSubjectDN());
|
|
i++;
|
|
}
|
|
if (inputKeyStore.isCertificateEntry(alias)) {
|
|
throw new RuntimeException(
|
|
"inputKeystore should not be certEntry because this"
|
|
+ " keystore only contain key pair entries.");
|
|
}
|
|
if (!inputKeyStore.isKeyEntry(alias)) {
|
|
throw new RuntimeException("Entry type unknown.");
|
|
}
|
|
idx++;
|
|
}
|
|
int size = inputKeyStore.size();
|
|
if (idx != size) {
|
|
throw new RuntimeException("Size not match, actually " + idx
|
|
+ ", expected " + size);
|
|
}
|
|
}
|
|
|
|
}
|