/*
* Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 8076190 8242151 8153005
* @library /test/lib
* @modules java.base/sun.security.pkcs
* java.base/sun.security.util
* @summary Customizing the generation of a PKCS12 keystore
*/
import jdk.test.lib.Asserts;
import jdk.test.lib.SecurityTools;
import jdk.test.lib.process.OutputAnalyzer;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.UncheckedIOException;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.util.Base64;
import java.util.Objects;
import static jdk.test.lib.security.DerUtils.*;
import static sun.security.util.KnownOIDs.*;
import static sun.security.pkcs.ContentInfo.*;
public class ParamsTest {
/**
 * Drives the test end to end. It first decodes the Base64 fixtures shipped
 * in {@code params} into the working directory, checks that the
 * openssl-produced keystores {@code os2}..{@code os5} load through
 * {@link KeyStore} and keytool, and then exercises the
 * {@code keystore.pkcs12.*} system properties that control how a PKCS12 file
 * is written: MAC algorithm and iteration count, key and certificate PBE
 * algorithms and their iteration counts, the password-less mode
 * ({@code certProtectionAlgorithm=NONE} plus {@code macAlgorithm=NONE}) and
 * {@code keystore.pkcs12.legacy}. Every written file is inspected at the DER
 * level, re-read, and keytool's password prompting is verified.
 *
 * @param args unused
 * @throws Throwable on any keytool or keystore failure
 */
public static void main(String[] args) throws Throwable {

    // De-BASE64 textual files in ./params to `pwd` (README is skipped).
    // Each decoded fixture is written into the working directory under its
    // own file name.
    try (DirectoryStream<Path> stream = Files.newDirectoryStream(
            Path.of(System.getProperty("test.src"), "params"),
            p -> !p.getFileName().toString().equals("README"))) {
        stream.forEach(p -> {
            try (InputStream is = Files.newInputStream(p);
                    OutputStream os = Files.newOutputStream(p.getFileName())) {
                Base64.getMimeDecoder().wrap(is).transferTo(os);
            } catch (IOException e) {
                // forEach takes a Consumer, so the checked exception is wrapped
                throw new UncheckedIOException(e);
            }
        });
    }

    // Raw bytes of the keystore currently under inspection. The position
    // strings handed to checkInt/checkAlg/shouldNotExist below are DER paths
    // as interpreted by jdk.test.lib.security.DerUtils.
    byte[] data;

    // openssl -> keytool interop check

    // os2. no cert pbe, no mac.
    check("os2", "a", null, "changeit", true, true, true);
    check("os2", "a", "changeit", "changeit", true, true, true);
    // You can even load it with a wrong storepass, controversial
    // (with no MAC the store password is never verified on load and the
    // unprotected cert is readable regardless; only the key password is
    // actually checked, so keypass still has to be right).
    check("os2", "a", "wrongpass", "changeit", true, true, true);

    // os3. no cert pbe, has mac. just like JKS
    check("os3", "a", null, "changeit", true, true, true);
    check("os3", "a", "changeit", "changeit", true, true, true);
    // Cannot load with a wrong storepass, same as JKS (presumably the MAC
    // check fails). The "-" placeholders are never compared because the
    // cert/key probes are skipped once loading fails.
    check("os3", "a", "wrongpass", "-", IOException.class, "-", "-");

    // os4. non default algs
    check("os4", "a", "changeit", "changeit", true, true, true);
    check("os4", "a", "wrongpass", "-", IOException.class, "-", "-");
    // no storepass no cert
    // (the cert is protected by the store password here, so without it
    // getCertificate() yields null while the key still opens with keypass)
    check("os4", "a", null, "changeit", true, false, true);

    // os5. strong non default algs
    check("os5", "a", "changeit", "changeit", true, true, true);
    check("os5", "a", "wrongpass", "-", IOException.class, "-", "-");
    // no storepass no cert
    check("os5", "a", null, "changeit", true, false, true);

    // keytool

    // Current default pkcs12 setting
    // ("ks" is presumably one of the decoded fixtures). The defaults asserted
    // below are a SHA-256 MAC and PBES2 for both key and cert, 10000
    // iterations each.
    keytool("-importkeystore -srckeystore ks -srcstorepass changeit "
            + "-destkeystore ksnormal -deststorepass changeit");

    data = Files.readAllBytes(Path.of("ksnormal"));
    checkInt(data, "22", 10000); // Mac ic
    checkAlg(data, "2000", SHA_256); // Mac alg
    checkAlg(data, "110c010c01000", PBES2); // key alg
    checkInt(data, "110c010c01001011", 10000); // key ic
    checkAlg(data, "110c10", ENCRYPTED_DATA_OID);
    checkAlg(data, "110c110110", PBES2); // cert alg
    check("ksnormal", "a", "changeit", "changeit", true, true, true);
    check("ksnormal", "a", null, "changeit", true, false, true);
    check("ksnormal", "a", "wrongpass", "-", IOException.class, "-", "-");

    // Import it into a new keystore with legacy algorithms: the weaker
    // legacy set (SHA-1 MAC, SHA1/DESede keys, SHA1/RC2-40 certs) with its
    // own, higher iteration counts.
    keytool("-importkeystore -srckeystore ksnormal -srcstorepass changeit "
            + "-destkeystore kslegacyimp -deststorepass changeit "
            + "-J-Dkeystore.pkcs12.legacy");
    data = Files.readAllBytes(Path.of("kslegacyimp"));
    checkInt(data, "22", 100000); // Mac ic
    checkAlg(data, "2000", SHA_1); // Mac alg
    checkAlg(data, "110c010c01000", PBEWithSHA1AndDESede); // key alg
    checkInt(data, "110c010c010011", 50000); // key ic
    checkAlg(data, "110c110110", PBEWithSHA1AndRC2_40); // cert alg
    checkInt(data, "110c1101111", 50000); // cert ic

    // Add a new entry with password-less settings, still has a storepass.
    // The NONE settings do not strip the MAC or cert protection of the
    // existing keystore; the assertions below show both are still present.
    keytool("-keystore ksnormal -genkeypair -keyalg DSA "
            + "-storepass changeit -alias b -dname CN=b "
            + "-J-Dkeystore.pkcs12.certProtectionAlgorithm=NONE "
            + "-J-Dkeystore.pkcs12.macAlgorithm=NONE");
    data = Files.readAllBytes(Path.of("ksnormal"));
    checkInt(data, "22", 10000); // Mac ic
    checkAlg(data, "2000", SHA_256); // Mac alg
    checkAlg(data, "110c010c01000", PBES2); // key alg
    checkInt(data, "110c010c01001011", 10000); // key ic
    checkAlg(data, "110c010c11000", PBES2); // new key alg
    checkInt(data, "110c010c11001011", 10000); // new key ic
    checkAlg(data, "110c10", ENCRYPTED_DATA_OID);
    checkAlg(data, "110c110110", PBES2); // cert alg
    check("ksnormal", "b", null, "changeit", true, false, true);
    check("ksnormal", "b", "changeit", "changeit", true, true, true);

    // Different keypbe alg, no cert pbe and no mac
    // (a password-less keystore: the content is plain DATA rather than
    // ENCRYPTED_DATA and there is no MAC, so any storepass loads it).
    keytool("-importkeystore -srckeystore ks -srcstorepass changeit "
            + "-destkeystore ksnopass -deststorepass changeit "
            + "-J-Dkeystore.pkcs12.keyProtectionAlgorithm=PBEWithSHA1AndRC4_128 "
            + "-J-Dkeystore.pkcs12.certProtectionAlgorithm=NONE "
            + "-J-Dkeystore.pkcs12.macAlgorithm=NONE");
    data = Files.readAllBytes(Path.of("ksnopass"));
    shouldNotExist(data, "2"); // no Mac
    checkAlg(data, "110c010c01000", PBEWithSHA1AndRC4_128);
    checkInt(data, "110c010c010011", 10000);
    checkAlg(data, "110c10", DATA_OID);
    check("ksnopass", "a", null, "changeit", true, true, true);
    check("ksnopass", "a", "changeit", "changeit", true, true, true);
    check("ksnopass", "a", "wrongpass", "changeit", true, true, true);

    // Add a new entry with normal settings, still password-less
    // (entry "a" keeps RC4_128, the new entry "b" gets the default PBES2).
    keytool("-keystore ksnopass -genkeypair -keyalg DSA "
            + "-storepass changeit -alias b -dname CN=B");
    data = Files.readAllBytes(Path.of("ksnopass"));
    shouldNotExist(data, "2"); // no Mac
    checkAlg(data, "110c010c01000", PBEWithSHA1AndRC4_128);
    checkInt(data, "110c010c010011", 10000);
    checkAlg(data, "110c010c11000", PBES2);
    checkInt(data, "110c010c11001011", 10000);
    checkAlg(data, "110c10", DATA_OID);
    check("ksnopass", "a", null, "changeit", true, true, true);
    check("ksnopass", "b", null, "changeit", true, true, true);

    // Custom iteration counts for MAC, cert PBE and key PBE respectively.
    keytool("-importkeystore -srckeystore ks -srcstorepass changeit "
            + "-destkeystore ksnewic -deststorepass changeit "
            + "-J-Dkeystore.pkcs12.macIterationCount=5555 "
            + "-J-Dkeystore.pkcs12.certPbeIterationCount=6666 "
            + "-J-Dkeystore.pkcs12.keyPbeIterationCount=7777");
    data = Files.readAllBytes(Path.of("ksnewic"));
    checkInt(data, "22", 5555); // Mac ic
    checkAlg(data, "2000", SHA_256); // Mac alg
    checkAlg(data, "110c010c01000", PBES2); // key alg
    checkInt(data, "110c010c01001011", 7777); // key ic
    checkAlg(data, "110c110110", PBES2); // cert alg
    checkInt(data, "110c110111011", 6666); // cert ic

    // keypbe alg cannot be NONE: private keys are always protected, so
    // keytool must fail rather than write the key in the clear.
    keytool("-keystore ksnewic -genkeypair -keyalg DSA "
            + "-storepass changeit -alias b -dname CN=B "
            + "-J-Dkeystore.pkcs12.keyProtectionAlgorithm=NONE")
            .shouldContain("NONE AlgorithmParameters not available")
            .shouldHaveExitValue(1);

    // new entry new keypbe alg (and default ic), else unchanged
    keytool("-keystore ksnewic -genkeypair -keyalg DSA "
            + "-storepass changeit -alias b -dname CN=B "
            + "-J-Dkeystore.pkcs12.keyProtectionAlgorithm=PBEWithSHA1AndRC4_128");
    data = Files.readAllBytes(Path.of("ksnewic"));
    checkInt(data, "22", 5555); // Mac ic
    checkAlg(data, "2000", SHA_256); // Mac alg
    checkAlg(data, "110c010c01000", PBES2); // key alg
    checkInt(data, "110c010c01001011", 7777); // key ic
    checkAlg(data, "110c010c11000", PBEWithSHA1AndRC4_128); // new key alg
    checkInt(data, "110c010c110011", 10000); // new key ic
    checkAlg(data, "110c110110", PBES2); // cert alg
    checkInt(data, "110c110111011", 6666); // cert ic

    // Check KeyStore loading multiple keystores
    // Each file is round-tripped through KeyStore.load/store; the
    // assertions below show existing entries keep their protection
    // algorithms and iteration counts, and a MAC-less store stays MAC-less.
    KeyStore ks = KeyStore.getInstance("pkcs12");
    try (FileInputStream fis = new FileInputStream("ksnormal");
            FileOutputStream fos = new FileOutputStream("ksnormaldup")) {
        ks.load(fis, "changeit".toCharArray());
        ks.store(fos, "changeit".toCharArray());
    }
    data = Files.readAllBytes(Path.of("ksnormaldup"));
    checkInt(data, "22", 10000); // Mac ic
    checkAlg(data, "2000", SHA_256); // Mac alg
    checkAlg(data, "110c010c01000", PBES2); // key alg
    checkInt(data, "110c010c01001011", 10000); // key ic
    checkAlg(data, "110c010c11000", PBES2); // new key alg
    checkInt(data, "110c010c11001011", 10000); // new key ic
    checkAlg(data, "110c10", ENCRYPTED_DATA_OID);
    checkAlg(data, "110c110110", PBES2); // cert alg
    checkInt(data, "110c110111011", 10000); // cert ic

    try (FileInputStream fis = new FileInputStream("ksnopass");
            FileOutputStream fos = new FileOutputStream("ksnopassdup")) {
        ks.load(fis, "changeit".toCharArray());
        ks.store(fos, "changeit".toCharArray());
    }
    data = Files.readAllBytes(Path.of("ksnopassdup"));
    shouldNotExist(data, "2"); // no Mac
    checkAlg(data, "110c010c01000", PBEWithSHA1AndRC4_128);
    checkInt(data, "110c010c010011", 10000);
    checkAlg(data, "110c010c11000", PBES2);
    checkInt(data, "110c010c11001011", 10000);
    checkAlg(data, "110c10", DATA_OID);

    try (FileInputStream fis = new FileInputStream("ksnewic");
            FileOutputStream fos = new FileOutputStream("ksnewicdup")) {
        ks.load(fis, "changeit".toCharArray());
        ks.store(fos, "changeit".toCharArray());
    }
    data = Files.readAllBytes(Path.of("ksnewicdup"));
    checkInt(data, "22", 5555); // Mac ic
    checkAlg(data, "2000", SHA_256); // Mac alg
    checkAlg(data, "110c010c01000", PBES2); // key alg
    checkInt(data, "110c010c01001011", 7777); // key ic
    checkAlg(data, "110c010c11000", PBEWithSHA1AndRC4_128); // new key alg
    checkInt(data, "110c010c110011", 10000); // new key ic
    checkAlg(data, "110c110110", PBES2); // cert alg
    checkInt(data, "110c110111011", 6666); // cert ic

    // Check keytool behavior

    // ksnormal has password

    // Listing without the password: keytool prints its integrity warning
    // and cannot show the chain (presumably because the MAC cannot be
    // verified and the cert is encrypted under the store password).
    keytool("-list -keystore ksnormal")
            .shouldContain("WARNING WARNING WARNING")
            .shouldContain("Certificate chain length: 0");

    // setResponse presumably feeds the given line(s) to keytool's stdin for
    // the prompts that follow.
    SecurityTools.setResponse("changeit");
    keytool("-list -keystore ksnormal")
            .shouldNotContain("WARNING WARNING WARNING")
            .shouldContain("Certificate fingerprint");

    // ksnopass is password-less

    // No warning without a password: there is no MAC to verify.
    keytool("-list -keystore ksnopass")
            .shouldNotContain("WARNING WARNING WARNING")
            .shouldContain("Certificate fingerprint");

    // -certreq prompts for keypass
    SecurityTools.setResponse("changeit");
    keytool("-certreq -alias a -keystore ksnopass")
            .shouldContain("Enter key password for <a>")
            .shouldContain("-----BEGIN NEW CERTIFICATE REQUEST-----")
            .shouldHaveExitValue(0);

    // -certreq -storepass works fine
    keytool("-certreq -alias a -keystore ksnopass -storepass changeit")
            .shouldNotContain("Enter key password for <a>")
            .shouldContain("-----BEGIN NEW CERTIFICATE REQUEST-----")
            .shouldHaveExitValue(0);

    // -certreq -keypass also works fine
    keytool("-certreq -alias a -keystore ksnopass -keypass changeit")
            .shouldNotContain("Enter key password for <a>")
            .shouldContain("-----BEGIN NEW CERTIFICATE REQUEST-----")
            .shouldHaveExitValue(0);

    // -importkeystore prompts for srckeypass (one answer per key entry)
    SecurityTools.setResponse("changeit", "changeit");
    keytool("-importkeystore -srckeystore ksnopass "
            + "-destkeystore jks3 -deststorepass changeit")
            .shouldContain("Enter key password for <a>")
            .shouldContain("Enter key password for <b>")
            .shouldContain("2 entries successfully imported");

    // ksnopass2 is ksnopass + 2 cert entries

    // A null password is enough to open and store a password-less keystore.
    ks = KeyStore.getInstance(new File("ksnopass"), (char[])null);
    ks.setCertificateEntry("aa", ks.getCertificate("a"));
    ks.setCertificateEntry("bb", ks.getCertificate("b"));
    try (FileOutputStream fos = new FileOutputStream("ksnopass2")) {
        ks.store(fos, null);
    }

    // -importkeystore prompts for srckeypass for private keys
    // and no prompt for certs
    SecurityTools.setResponse("changeit", "changeit");
    keytool("-importkeystore -srckeystore ksnopass2 "
            + "-destkeystore jks5 -deststorepass changeit")
            .shouldContain("Enter key password for <a>")
            .shouldContain("Enter key password for <b>")
            .shouldNotContain("Enter key password for <aa>")
            .shouldNotContain("Enter key password for <bb>")
            .shouldContain("4 entries successfully imported");

    // ksonlycert has only cert entries

    ks.deleteEntry("a");
    ks.deleteEntry("b");
    try (FileOutputStream fos = new FileOutputStream("ksonlycert")) {
        ks.store(fos, null);
    }

    // -importkeystore does not prompt at all
    keytool("-importkeystore -srckeystore ksonlycert "
            + "-destkeystore jks6 -deststorepass changeit")
            .shouldNotContain("Enter key password for <aa>")
            .shouldNotContain("Enter key password for <bb>")
            .shouldContain("2 entries successfully imported");

    // create a new password-less keystore
    keytool("-keystore ksnopass -exportcert -alias a -file a.cert -rfc");

    // Normally storepass is prompted for; setting only one of the two
    // properties to NONE is not enough to make the new store password-less.
    keytool("-keystore kscert1 -importcert -alias a -file a.cert -noprompt")
            .shouldContain("Enter keystore password:");
    keytool("-keystore kscert2 -importcert -alias a -file a.cert -noprompt "
            + "-J-Dkeystore.pkcs12.certProtectionAlgorithm=NONE")
            .shouldContain("Enter keystore password:");
    keytool("-keystore kscert3 -importcert -alias a -file a.cert -noprompt "
            + "-J-Dkeystore.pkcs12.macAlgorithm=NONE")
            .shouldContain("Enter keystore password:");
    // ... but not if it's password-less
    keytool("-keystore kscert4 -importcert -alias a -file a.cert -noprompt "
            + "-J-Dkeystore.pkcs12.certProtectionAlgorithm=NONE "
            + "-J-Dkeystore.pkcs12.macAlgorithm=NONE")
            .shouldNotContain("Enter keystore password:");

    // still prompt for keypass for genkeypair and certreq
    SecurityTools.setResponse("changeit", "changeit");
    keytool("-keystore ksnopassnew -genkeypair -keyalg DSA "
            + "-alias a -dname CN=A "
            + "-J-Dkeystore.pkcs12.certProtectionAlgorithm=NONE "
            + "-J-Dkeystore.pkcs12.macAlgorithm=NONE")
            .shouldNotContain("Enter keystore password:")
            .shouldContain("Enter key password for <a>");
    keytool("-keystore ksnopassnew -certreq -alias a")
            .shouldNotContain("Enter keystore password:")
            .shouldContain("Enter key password for <a>");
    keytool("-keystore ksnopassnew -list -v -alias a")
            .shouldNotContain("Enter keystore password:")
            .shouldNotContain("Enter key password for <a>");

    // params only read on demand
    // (an invalid value is only an error for the command that consumes it)

    // keyPbeIterationCount is used by -genkeypair
    keytool("-keystore ksgenbadkeyic -genkeypair -keyalg DSA "
            + "-alias a -dname CN=A "
            + "-storepass changeit "
            + "-J-Dkeystore.pkcs12.keyPbeIterationCount=abc")
            .shouldContain("keyPbeIterationCount is not a number: abc")
            .shouldHaveExitValue(1);

    keytool("-keystore ksnopassnew -exportcert -alias a -file a.cert");

    // but not used by -importcert
    keytool("-keystore ksimpbadkeyic -importcert -alias a -file a.cert "
            + "-noprompt -storepass changeit "
            + "-J-Dkeystore.pkcs12.keyPbeIterationCount=abc")
            .shouldHaveExitValue(0);

    // None is used by -list
    keytool("-keystore ksnormal -storepass changeit -list "
            + "-J-Dkeystore.pkcs12.keyPbeIterationCount=abc "
            + "-J-Dkeystore.pkcs12.certPbeIterationCount=abc "
            + "-J-Dkeystore.pkcs12.macIterationCount=abc")
            .shouldHaveExitValue(0);
}
/**
 * Loads a keystore file and probes one alias for its certificate and private
 * key, comparing each step with the expected outcome.
 * <p>
 * All three outcomes share one reporting shape: {@code true} when the
 * operation returned a non-null value, {@code false} when it returned
 * {@code null}, and the exception's {@link Class} when it threw (the stack
 * trace is also printed to stdout for diagnosis). Loading is asserted first;
 * if it did not produce a keystore the cert/key probes are skipped, so
 * {@code expectedCert} and {@code expectedKey} may then be any placeholder.
 *
 * @param keystore     the file name of keystore
 * @param alias        the key/cert to read
 * @param storePass    store pass to try out, can be null
 * @param keypass      key pass to try, can not be null
 * @param expectedLoad expected result of keystore loading, true if non
 *                     null, false if null, exception class if exception
 * @param expectedCert expected result of cert reading
 * @param expectedKey  expected result of key reading
 */
private static void check(
        String keystore,
        String alias,
        String storePass,
        String keypass,
        Object expectedLoad,
        Object expectedCert,
        Object expectedKey) {
    // Names the case in assertion messages; a null storePass renders as
    // "null". The passwords here are test fixtures, not secrets.
    String label = String.join("-", keystore, alias, storePass, keypass);
    char[] storePassChars = storePass == null ? null : storePass.toCharArray();

    KeyStore loaded = null;
    Object loadOutcome;
    try {
        loaded = KeyStore.getInstance(new File(keystore), storePassChars);
        loadOutcome = loaded != null;
    } catch (Exception e) {
        e.printStackTrace(System.out);
        loadOutcome = e.getClass();
    }
    Asserts.assertEQ(expectedLoad, loadOutcome, label + "-load");

    // Without a loaded keystore there is nothing to read from.
    if (!Boolean.TRUE.equals(loadOutcome)) {
        return;
    }

    final KeyStore ks = loaded;
    Asserts.assertEQ(expectedCert,
            outcome(() -> ks.getCertificate(alias) != null),
            label + "-cert");
    Asserts.assertEQ(expectedKey,
            outcome(() -> ks.getKey(alias, keypass.toCharArray()) != null),
            label + "-key");
}

/** A keystore read that may throw; lets {@link #outcome} report it uniformly. */
@FunctionalInterface
private interface Probe {
    boolean run() throws Exception;
}

/**
 * Runs {@code probe} and reduces it to the reporting shape used by
 * {@link #check}: the boolean it returned, or the class of the exception it
 * threw, whose stack trace is printed to stdout.
 *
 * @param probe the read to perform
 * @return a {@link Boolean} or an exception {@link Class}
 */
private static Object outcome(Probe probe) {
    try {
        return probe.run();
    } catch (Exception e) {
        e.printStackTrace(System.out);
        return e.getClass();
    }
}
/**
 * Runs keytool with the given argument string via the test library and
 * returns the analyzer over its output so callers can assert on it.
 *
 * @param s the complete keytool command line as one string
 * @return the captured output of the keytool run
 * @throws Throwable whatever {@code SecurityTools.keytool} throws
 */
static OutputAnalyzer keytool(String s) throws Throwable {
    OutputAnalyzer output = SecurityTools.keytool(s);
    return output;
}
}