179 lines
6.4 KiB
Java
179 lines
6.4 KiB
Java
/*
|
|
* Copyright (c) 2017, 2021, Oracle and/or its affiliates. All rights reserved.
|
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
*
|
|
* This code is free software; you can redistribute it and/or modify it
|
|
* under the terms of the GNU General Public License version 2 only, as
|
|
* published by the Free Software Foundation.
|
|
*
|
|
* This code is distributed in the hope that it will be useful, but WITHOUT
|
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
* version 2 for more details (a copy is included in the LICENSE file that
|
|
* accompanied this code).
|
|
*
|
|
* You should have received a copy of the GNU General Public License version
|
|
* 2 along with this work; if not, write to the Free Software Foundation,
|
|
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
*
|
|
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
|
* or visit www.oracle.com if you need additional information or have any
|
|
* questions.
|
|
*/
|
|
|
|
/*
|
|
* @test
|
|
* @bug 8192988 8266220
|
|
* @summary keytool should support -storepasswd for pkcs12 keystores
|
|
* @library /test/lib
|
|
* @build jdk.test.lib.SecurityTools
|
|
* jdk.test.lib.Utils
|
|
* jdk.test.lib.Asserts
|
|
* jdk.test.lib.JDKToolFinder
|
|
* jdk.test.lib.JDKToolLauncher
|
|
* jdk.test.lib.Platform
|
|
* jdk.test.lib.process.*
|
|
* @run main PKCS12Passwd
|
|
*/
|
|
|
|
import jdk.test.lib.Asserts;
|
|
import jdk.test.lib.SecurityTools;
|
|
import jdk.test.lib.process.OutputAnalyzer;
|
|
|
|
import java.io.File;
|
|
import java.security.KeyStore;
|
|
import java.util.Collections;
|
|
|
|
public class PKCS12Passwd {
|
|
|
|
public static void main(String[] args) throws Exception {
|
|
|
|
// A PrivateKeyEntry
|
|
kt("-genkeypair -alias a -dname CN=A -keyalg DSA")
|
|
.shouldHaveExitValue(0);
|
|
|
|
// A TrustedCertificateEntry (genkeypair, export, delete, import)
|
|
kt("-genkeypair -alias b -dname CN=B -keyalg DSA")
|
|
.shouldHaveExitValue(0);
|
|
kt("-exportcert -alias b -file b.cert")
|
|
.shouldHaveExitValue(0);
|
|
kt("-delete -alias b")
|
|
.shouldHaveExitValue(0);
|
|
kt("-list -alias b")
|
|
.shouldHaveExitValue(1);
|
|
kt("-importcert -alias b -file b.cert -noprompt")
|
|
.shouldHaveExitValue(0);
|
|
|
|
// A SecretKeyEntry
|
|
kt("-genseckey -keyalg AES -keysize 256 -alias c")
|
|
.shouldHaveExitValue(0);
|
|
|
|
// Change password
|
|
|
|
// 1. Using -importkeystore
|
|
ktFull("-importkeystore -srckeystore ks -destkeystore ks2 "
|
|
+ "-srcstoretype pkcs12 -deststoretype pkcs12 "
|
|
+ "-srcstorepass changeit -deststorepass newpass")
|
|
.shouldHaveExitValue(0);
|
|
|
|
check("ks2", "newpass", "newpass");
|
|
|
|
// 2. Using -storepasswd
|
|
kt("-storepasswd -new newpass")
|
|
.shouldHaveExitValue(0)
|
|
.shouldNotContain("Ignoring user-specified");
|
|
|
|
check("ks", "newpass", "newpass");
|
|
|
|
// Other facts. Not necessarily the correct thing.
|
|
|
|
// A PKCS12 keystore can be loaded as a JKS, and it follows JKS rules
|
|
// which means the storepass and keypass can be changed separately!
|
|
|
|
ktFull("-genkeypair -alias a -dname CN=A -storetype pkcs12 -keyalg DSA "
|
|
+ "-storepass changeit -keypass changeit -keystore p12")
|
|
.shouldHaveExitValue(0);
|
|
|
|
// Only storepass is changed
|
|
ktFull("-storepasswd -storepass changeit -new newpass "
|
|
+ "-keystore p12 -storetype jks")
|
|
.shouldHaveExitValue(0);
|
|
|
|
check("p12", "newpass", "changeit");
|
|
|
|
// Only keypass is changed
|
|
ktFull("-keypasswd -storepass newpass -keypass changeit -new newpass "
|
|
+ "-keystore p12 -storetype jks -alias a")
|
|
.shouldHaveExitValue(0);
|
|
|
|
check("p12", "newpass", "newpass");
|
|
|
|
// Conversely, a JKS keystore can be loaded as a PKCS12, and it follows
|
|
// PKCS12 rules that both passwords are changed at the same time and
|
|
// some commands are rejected.
|
|
|
|
ktFull("-genkeypair -alias a -dname CN=A -storetype jks -keyalg DSA "
|
|
+ "-storepass changeit -keypass changeit -keystore jks")
|
|
.shouldHaveExitValue(0);
|
|
|
|
// Both storepass and keypass changed.
|
|
ktFull("-storepasswd -storepass changeit -new newpass "
|
|
+ "-keystore jks -storetype pkcs12")
|
|
.shouldHaveExitValue(0);
|
|
|
|
check("jks", "newpass", "newpass");
|
|
|
|
// -keypasswd is not available for pkcs12
|
|
ktFull("-keypasswd -storepass newpass -keypass newpass -new newerpass "
|
|
+ "-keystore jks -storetype pkcs12 -alias a")
|
|
.shouldHaveExitValue(1);
|
|
|
|
// but available for JKS
|
|
ktFull("-keypasswd -storepass newpass -keypass newpass -new newerpass "
|
|
+ "-keystore jks -alias a")
|
|
.shouldHaveExitValue(0);
|
|
|
|
check("jks", "newpass", "newerpass");
|
|
|
|
// A password-less keystore
|
|
ktFull("-keystore nopass -genkeypair -keyalg EC "
|
|
+ "-storepass changeit -alias no -dname CN=no "
|
|
+ "-J-Dkeystore.pkcs12.certProtectionAlgorithm=NONE "
|
|
+ "-J-Dkeystore.pkcs12.macAlgorithm=NONE")
|
|
.shouldHaveExitValue(0);
|
|
|
|
ktFull("-keystore nopass -list")
|
|
.shouldHaveExitValue(0)
|
|
.shouldNotContain("Enter keystore password:");
|
|
|
|
ktFull("-keystore nopass -list -storetype pkcs12")
|
|
.shouldHaveExitValue(0)
|
|
.shouldNotContain("Enter keystore password:");
|
|
}
|
|
|
|
// Makes sure we can load entries in a keystore
|
|
static void check(String file, String storePass, String keyPass)
|
|
throws Exception {
|
|
|
|
KeyStore ks = KeyStore.getInstance(
|
|
new File(file), storePass.toCharArray());
|
|
|
|
for (String a : Collections.list(ks.aliases())) {
|
|
if (ks.isCertificateEntry(a)) {
|
|
ks.getCertificate(a);
|
|
} else {
|
|
ks.getEntry(a,
|
|
new KeyStore.PasswordProtection(keyPass.toCharArray()));
|
|
}
|
|
}
|
|
}
|
|
|
|
static OutputAnalyzer kt(String arg) throws Exception {
|
|
return ktFull("-keystore ks -storepass changeit " + arg);
|
|
}
|
|
|
|
static OutputAnalyzer ktFull(String arg) throws Exception {
|
|
return SecurityTools.keytool("-debug " + arg);
|
|
}
|
|
}
|