Path: blob/master/test/jdk/sun/security/tools/keytool/GenKeyPairSigner.java
41152 views
/*1* Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved.2* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.3*4* This code is free software; you can redistribute it and/or modify it5* under the terms of the GNU General Public License version 2 only, as6* published by the Free Software Foundation.7*8* This code is distributed in the hope that it will be useful, but WITHOUT9* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or10* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License11* version 2 for more details (a copy is included in the LICENSE file that12* accompanied this code).13*14* You should have received a copy of the GNU General Public License version15* 2 along with this work; if not, write to the Free Software Foundation,16* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.17*18* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA19* or visit www.oracle.com if you need additional information or have any20* questions.21*/2223/*24* @test25* @bug 826069326* @summary Test for keytool -genkeypair with -signer and -signerkeypass options27* @library /test/lib28* @modules java.base/sun.security.util29*/3031import jdk.test.lib.SecurityTools;32import jdk.test.lib.process.OutputAnalyzer;3334import java.io.*;35import java.security.cert.Certificate;36import java.security.cert.X509Certificate;37import java.security.KeyStore;38import java.security.PublicKey;39import java.util.Arrays;40import sun.security.util.DerValue;41import sun.security.util.KeyUtil;42import sun.security.util.KnownOIDs;43import static sun.security.util.KnownOIDs.*;4445public class GenKeyPairSigner {4647static OutputAnalyzer kt(String cmd, String ks) throws Exception {48return SecurityTools.keytool("-storepass changeit " + cmd +49" -keystore " + ks);50}5152static OutputAnalyzer ktjks(String cmd, String ks, String kpass) throws Exception {53return SecurityTools.keytool("-storepass changeit " + cmd +54" -keystore " + ks + " -storetype jks" + " -keypass " +55kpass);56}5758public static void main(String[] args) throws Exception {59testSignerPKCS12();60testSignerJKS();61testSignerOpt();62}6364static void testSignerPKCS12() throws Exception {65KeyStore kstore;66X509Certificate cert;67String sigName, pKeyAlg;68PublicKey pKey;69int keyLen;7071/*72* The signer alias is stored in the PKCS12 keystore73*/74System.out.println("Testing the signer alias that is stored in the PKCS12 keystore");75System.out.println("Generating a root cert with SubjectKeyIdentifier extension");76SecurityTools.keytool("-keystore ks -storepass changeit " +77"-genkeypair -keyalg EdDSA -alias ca -dname CN=CA -ext bc:c " +78"-ext 2.5.29.14=04:14:00:01:02:03:04:05:06:07:08:09:10:11:12:13:14:15:16:17:18:19")79.shouldContain("Generating 255 bit Ed25519 key pair and self-signed certificate (Ed25519) with a validity of 90 days")80.shouldContain("for: CN=CA")81.shouldHaveExitValue(0);8283System.out.println("Generating an XDH cert with -signer option");84SecurityTools.keytool("-keystore ks -storepass changeit " +85"-genkeypair -keyalg XDH -alias e1 -dname CN=E1 -signer ca")86.shouldContain("Generating 255 bit XDH key pair and a certificate (Ed25519) issued by <ca> with a validity of 90 days")87.shouldContain("for: CN=E1")88.shouldHaveExitValue(0);8990// examine the resulting cert91kstore = KeyStore.getInstance(new File("ks"), "changeit".toCharArray());92cert = (X509Certificate)kstore.getCertificate("e1");9394Certificate[] certChain = kstore.getCertificateChain("e1");95if (certChain.length != 2) {96throw new Exception("Generated cert chain is in error");97}9899sigName = cert.getSigAlgName();100if (sigName != "Ed25519") {101throw new Exception("Signature algorithm name is in error");102}103104pKey = cert.getPublicKey();105keyLen = KeyUtil.getKeySize(pKey);106if (keyLen != 255) {107throw new Exception("Key size is in error");108}109110pKeyAlg = pKey.getAlgorithm();111if (pKeyAlg != "XDH") {112throw new Exception("Subject Public Key Algorithm is in error");113}114115SecurityTools.keytool("-keystore ks -storepass changeit " +116"-list -v")117.shouldContain("Alias name: e1")118.shouldContain("Certificate chain length: 2")119.shouldContain("Signature algorithm name: Ed25519")120.shouldContain("Subject Public Key Algorithm: 255-bit XDH key")121.shouldHaveExitValue(0);122123// check to make sure that cert's AKID is created from the SKID of the signing cert124byte[] expectedId = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,1250x08, 0x09, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19};126127byte[] authorityKeyIdExt = cert.getExtensionValue(128KnownOIDs.AuthorityKeyID.value());129130byte[] authorityKeyId = null;131if (authorityKeyIdExt == null) {132throw new Exception("Failed to get AKID extension from the cert");133} else {134try {135authorityKeyId = new DerValue(authorityKeyIdExt).getOctetString();136} catch (IOException e) {137throw new Exception("Failed to get AKID encoded OctetString in the cert");138}139}140141authorityKeyId = Arrays.copyOfRange(authorityKeyId, 4, authorityKeyId.length);142if (!Arrays.equals(authorityKeyId, expectedId)) {143throw new Exception("Failed due to AKID mismatch");144}145146kt("-genkeypair -keyalg RSA -alias ca2 -dname CN=CA2 -ext bc:c ",147"ks");148149System.out.println("Generating an X448 cert with -signer option");150SecurityTools.keytool("-keystore ks -storepass changeit " +151"-genkeypair -keyalg X448 -alias e2 -dname CN=E2 -sigalg SHA384withRSA -signer ca2")152.shouldContain("Generating 448 bit XDH key pair and a certificate (SHA384withRSA) issued by <ca2> with a validity of 90 days")153.shouldContain("for: CN=E2")154.shouldHaveExitValue(0);155156// examine the resulting cert157kstore = KeyStore.getInstance(new File("ks"), "changeit".toCharArray());158cert = (X509Certificate)kstore.getCertificate("e2");159sigName = cert.getSigAlgName();160if (sigName != "SHA384withRSA") {161throw new Exception("Signature algorithm name is in error");162}163164pKey = cert.getPublicKey();165keyLen = KeyUtil.getKeySize(pKey);166if (keyLen != 448) {167throw new Exception("Key size is in error");168}169170pKeyAlg = pKey.getAlgorithm();171if (pKeyAlg != "XDH") {172throw new Exception("Subject Public Key Algorithm is in error");173}174175SecurityTools.keytool("-keystore ks -storepass changeit " +176"-list -v")177.shouldContain("Alias name: e2")178.shouldContain("Signature algorithm name: SHA384withRSA")179.shouldContain("Subject Public Key Algorithm: 448-bit XDH key")180.shouldHaveExitValue(0);181182kt("-genkeypair -keyalg DSA -alias ca3 -dname CN=CA3 -ext bc:c ",183"ks");184185System.out.println("Generating a DH cert with -signer option");186SecurityTools.keytool("-keystore ks -storepass changeit " +187"-genkeypair -keyalg DH -alias e3 -dname CN=E3 -signer ca3")188.shouldContain("Generating 2,048 bit DH key pair and a certificate (SHA256withDSA) issued by <ca3> with a validity of 90 days")189.shouldContain("for: CN=E3")190.shouldHaveExitValue(0);191192// examine the resulting cert193kstore = KeyStore.getInstance(new File("ks"), "changeit".toCharArray());194cert = (X509Certificate)kstore.getCertificate("e3");195sigName = cert.getSigAlgName();196if (sigName != "SHA256withDSA") {197throw new Exception("Signature algorithm name is in error");198}199200pKey = cert.getPublicKey();201keyLen = KeyUtil.getKeySize(pKey);202if (keyLen != 2048) {203throw new Exception("Key size is in error");204}205206pKeyAlg = pKey.getAlgorithm();207if (pKeyAlg != "DH") {208throw new Exception("Subject Public Key Algorithm is in error");209}210211SecurityTools.keytool("-keystore ks -storepass changeit " +212"-list -v")213.shouldContain("Alias name: e3")214.shouldContain("Signature algorithm name: SHA256withRSA")215.shouldContain("Subject Public Key Algorithm: 2048-bit DH key")216.shouldHaveExitValue(0);217}218219static void testSignerJKS() throws Exception {220KeyStore kstore;221X509Certificate cert;222String sigName, pKeyAlg;223PublicKey pKey;224int keyLen;225226/*227* The signer alias is stored in the JKS keystore228* Using JKS keystore here is to test the scenario when the private key229* of the signer entry is protected by a password different from the230* store password, and -signerkeypass option needs to be specified231* along with -signer option.232*/233System.out.println("Testing the signer alias that is stored in the JKS keystore");234ktjks("-genkeypair -keyalg RSA -keysize 1024 -alias ca -dname CN=CA -ext bc:c",235"ksjks", "cakeypass");236237System.out.println("Generating an DSA cert with -signer and -signerkeypass options");238SecurityTools.keytool("-keystore ksjks -storepass changeit -storetype jks " +239"-genkeypair -keyalg DSA -keysize 1024 -alias ca1 -dname CN=CA1 " +240"-keypass ca1keypass -signer ca -signerkeypass cakeypass")241.shouldContain("Generating 1,024 bit DSA key pair and a certificate (SHA256withRSA) issued by <ca> with a validity of 90 days")242.shouldContain("for: CN=CA1")243.shouldContain("The generated certificate #1 of 2 uses a 1024-bit DSA key which is considered a security risk")244.shouldContain("The generated certificate #2 of 2 uses a 1024-bit RSA key which is considered a security risk")245.shouldHaveExitValue(0);246247System.out.println("Generating an XDH cert with -signer and -signerkeypass options");248SecurityTools.keytool("-keystore ksjks -storepass changeit -storetype jks " +249"-genkeypair -keyalg XDH -alias e1 -dname CN=E1 " +250"-keypass e1keypass -signer ca1 -signerkeypass ca1keypass")251.shouldContain("Generating 255 bit XDH key pair and a certificate (SHA256withDSA) issued by <ca1> with a validity of 90 days")252.shouldContain("for: CN=E1")253.shouldContain("The generated certificate #2 of 3 uses a 1024-bit DSA key which is considered a security risk")254.shouldContain("The generated certificate #3 of 3 uses a 1024-bit RSA key which is considered a security risk")255.shouldHaveExitValue(0);256257// examine the resulting cert258kstore = KeyStore.getInstance(new File("ksjks"), "changeit".toCharArray());259cert = (X509Certificate)kstore.getCertificate("e1");260261Certificate[] certChain = kstore.getCertificateChain("e1");262if (certChain.length != 3) {263throw new Exception("Generated cert chain is in error");264}265266sigName = cert.getSigAlgName();267if (sigName != "SHA256withDSA") {268throw new Exception("Signature algorithm name is in error");269}270271pKey = cert.getPublicKey();272keyLen = KeyUtil.getKeySize(pKey);273if (keyLen != 255) {274throw new Exception("Key size is in error");275}276277pKeyAlg = pKey.getAlgorithm();278if (pKeyAlg != "XDH") {279throw new Exception("Subject Public Key Algorithm is in error");280}281282SecurityTools.keytool("-keystore ksjks -storepass changeit " +283"-list -v")284.shouldContain("Alias name: e1")285.shouldContain("Certificate chain length: 3")286.shouldContain("Signature algorithm name: SHA256withDSA")287.shouldContain("Subject Public Key Algorithm: 255-bit XDH key")288.shouldHaveExitValue(0);289}290291static void testSignerOpt() throws Exception {292293SecurityTools.keytool("-keystore ks -storepass changeit " +294"-genkeypair -keyalg X25519 -alias e4 -dname CN=E4")295.shouldContain("Cannot derive signature algorithm from XDH")296.shouldHaveExitValue(1);297298SecurityTools.keytool("-keystore ks -storepass changeit " +299"-genkeypair -keyalg X448 -alias e4 -dname CN=E4 -signer noca")300.shouldContain("Alias <noca> does not exist")301.shouldHaveExitValue(1);302303SecurityTools.keytool("-genkeypair --help")304.shouldContain("-signer <alias> signer alias")305.shouldContain("-signerkeypass <arg> signer key password")306.shouldHaveExitValue(0);307}308}309310311