stan/jdk-24
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7be94d043d
jdk-24/test/jdk/sun/security/tools/keytool/fakecacerts/TrustedCert.java
Hai-May Chao e3eb38f4d2 8244148: keytool -printcert and -printcrl should support the -trustcacerts and -keystore options 
Reviewed-by: weijun, jjiang
2020-06-23 16:30:38 +08:00

162 lines
6.2 KiB
Java
Raw Blame History

/*
* Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 8244148
* @summary Test keytool -printcert with -keystore and -trustcacerts options
* @library /test/lib
* @library /test/jdk/sun/security/util/module_patch
* @build java.base/sun.security.util.FilePaths
* @modules java.base/sun.security.util
* java.base/jdk.internal.misc
* @run main TrustedCert
*/
import jdk.test.lib.SecurityTools;
import jdk.test.lib.process.OutputAnalyzer;
import jdk.test.lib.security.KeyStoreUtils;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
public class TrustedCert {
// The --patch-module must be explicitly specified on the keytool
// command line because it's in a separate process
private static final String PATCH_OPTION;
static {
String tmp = "";
for (String a : jdk.internal.misc.VM.getRuntimeArguments()) {
if (a.startsWith("--patch-module")) {
tmp = "-J" + a + " ";
break;
}
}
PATCH_OPTION = tmp;
}
static OutputAnalyzer kt(String cmd, String ks) throws Exception {
return SecurityTools.keytool(cmd + " -keystore " + ks
+ " -storepass changeit")
.shouldHaveExitValue(0);
}
static OutputAnalyzer kt1(String cmd, String ks) throws Exception {
return SecurityTools.keytool(cmd + " -keystore " + ks
+ " -storepass changeit")
.shouldNotHaveExitValue(0);
}
static OutputAnalyzer patchcmd(String cmd, String options, String ks,
boolean nonzero) throws Exception {
if (nonzero) {
return kt1(PATCH_OPTION + " -" + cmd + " " + options, ks);
} else {
return kt(PATCH_OPTION + " -" + cmd + " " + options, ks);
}
}
static void rm(String s) throws IOException {
System.out.println("---------------------------------------------");
System.out.println("$ rm " + s);
Files.deleteIfExists(Paths.get(s));
}
private static void cat(String dest, String... src) throws IOException {
System.out.println("---------------------------------------------");
System.out.printf("$ cat ");
ByteArrayOutputStream bout = new ByteArrayOutputStream();
for (String s : src) {
System.out.printf(s + " ");
bout.write(Files.readAllBytes(Paths.get(s)));
}
Files.write(Paths.get(dest), bout.toByteArray());
System.out.println("> " + dest);
}
public static void main(String[] args) throws Exception {
// Test -printcert with root CA in local keystore
kt("-genkeypair -keyalg rsa -keysize 1024 -sigalg SHA1withRSA " +
"-dname CN=ROOT -ext bc:c", "root.jks");
kt("-genkeypair -keyalg RSA -dname CN=CA -ext bc:c", "ca.jks");
kt("-genkeypair -keyalg RSA -dname CN=SERVER", "server.jks");
kt("-exportcert -rfc -file root.pem", "root.jks");
kt("-importcert -alias root -file root.pem -noprompt", "ca.jks");
kt("-importcert -alias root -file root.pem -noprompt", "server.jks");
kt("-certreq -file ca.req", "ca.jks");
kt("-gencert -ext BC=0 -rfc -infile ca.req -outfile ca.pem", "root.jks");
kt("-importcert -file ca.pem", "ca.jks");
kt("-certreq -file server.req", "server.jks");
kt("-gencert -ext ku:c=dig,keyEncipherment -rfc -infile server.req " +
"-outfile server.pem", "ca.jks");
kt("-importcert -file server.pem", "server.jks");
cat("fullchain.pem", "server.pem", "root.pem");
kt("-printcert -file fullchain.pem ", "server.jks")
.shouldNotMatch("SHA1withRSA signature algorithm.*security risk")
.shouldMatch("1024-bit RSA key.*security risk");
rm("ca.jks");
rm("server.jks");
rm("mycacerts");
// Test -printcert with root CA in cacerts keystore
kt("-genkeypair -keyalg RSA -dname CN=CA -ext bc:c", "ca.jks");
kt("-genkeypair -keyalg RSA -dname CN=SERVER", "server.jks");
// import root CA to mycacerts keystore
KeyStoreUtils.createCacerts("mycacerts", "root.pem");
kt("-certreq -file ca.req", "ca.jks");
kt("-gencert -ext BC=0 -rfc -infile ca.req -outfile ca.pem", "root.jks");
patchcmd("importcert", "-file ca.pem", "ca.jks", true);
patchcmd("importcert", "-file ca.pem -trustcacerts", "ca.jks", false);
kt("-certreq -file server.req", "server.jks");
kt("-gencert -ext ku:c=dig,keyEncipherment -rfc -infile server.req " +
"-outfile server.pem", "ca.jks");
kt("-importcert -file server.pem -noprompt", "server.jks");
cat("fullchain.pem", "server.pem", "root.pem");
patchcmd("-printcert", "-file fullchain.pem -trustcacerts", "server.jks", false)
.shouldNotMatch("SHA1withRSA signature algorithm.*security risk")
.shouldMatch("1024-bit RSA key.*security risk");
patchcmd("-printcert", "-file fullchain.pem", "server.jks", false)
.shouldMatch("SHA1withRSA signature algorithm.*security risk")
.shouldMatch("1024-bit RSA key.*security risk");
}
}
Reference in New Issue View Git Blame Copy Permalink