1
/*
2
 * Copyright (c) 2013, 2019, Oracle and/or its affiliates. All rights reserved.
3
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4
 *
5
 * This code is free software; you can redistribute it and/or modify it
6
 * under the terms of the GNU General Public License version 2 only, as
7
 * published by the Free Software Foundation.
8
 *
9
 * This code is distributed in the hope that it will be useful, but WITHOUT
10
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
12
 * version 2 for more details (a copy is included in the LICENSE file that
13
 * accompanied this code).
14
 *
15
 * You should have received a copy of the GNU General Public License version
16
 * 2 along with this work; if not, write to the Free Software Foundation,
17
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18
 *
19
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20
 * or visit www.oracle.com if you need additional information or have any
21
 * questions.
22
 */
23

24
/*
25
 * @test
26
 * @bug 8008296
27
 * @summary Store and retrieve user passwords using PKCS#12 keystore
28
 * @library /test/lib
29
 */
30

31
import jdk.test.lib.SecurityTools;
32
import jdk.test.lib.process.OutputAnalyzer;
33

34
import java.io.*;
35
import java.security.*;
36
import java.util.*;
37
import javax.crypto.*;
38
import javax.crypto.spec.*;
39

40
/*
41
 * Store and retrieve passwords protected by a selection of PBE algorithms,
42
 * using a PKCS#12 keystore.
43
 */
44
public class StorePasswords {
45

46
    private static final String[] PBE_ALGORITHMS = new String[] {
47
        "default PBE algorithm",
48
        "PBEWithMD5AndDES",
49
        "PBEWithSHA1AndDESede",
50
        "PBEWithSHA1AndRC2_40",
51
        "PBEWithSHA1AndRC2_128",
52
        "PBEWithSHA1AndRC4_40",
53
        "PBEWithSHA1AndRC4_128",
54
        "PBEWithHmacSHA1AndAES_128",
55
        "PBEWithHmacSHA224AndAES_128",
56
        "PBEWithHmacSHA256AndAES_128",
57
        "PBEWithHmacSHA384AndAES_128",
58
        "PBEWithHmacSHA512AndAES_128",
59
        "PBEWithHmacSHA1AndAES_256",
60
        "PBEWithHmacSHA224AndAES_256",
61
        "PBEWithHmacSHA256AndAES_256",
62
        "PBEWithHmacSHA384AndAES_256",
63
        "PBEWithHmacSHA512AndAES_256"
64
    };
65

66
    private static final String KEYSTORE = "mykeystore.p12";
67
    private static final char[] KEYSTORE_PWD = "changeit".toCharArray();
68
    private static final char[] ENTRY_PWD = "protectit".toCharArray();
69
    private static final char[] USER_PWD = "hello1".toCharArray();
70

71
    public static void main(String[] args) throws Exception {
72

73
        new File(KEYSTORE).delete();
74

75
        int storeCount = store();
76
        int recoverCount = recover();
77

78
        if (recoverCount != storeCount) {
79
            throw new Exception("Stored " + storeCount + " user passwords, " +
80
                "recovered " + recoverCount + " user passwords");
81
        }
82
        System.out.println("\nStored " + storeCount + " user passwords, " +
83
            "recovered " + recoverCount + " user passwords");
84

85
        new File(KEYSTORE).delete();
86

87
        storeCount = storeByShell();
88
        recoverCount = recoverByShell();
89

90
        if (recoverCount != storeCount || storeCount < 11) {
91
            throw new Exception("Stored " + storeCount + " user passwords, " +
92
                    "recovered " + recoverCount + " user passwords");
93
        }
94
        System.out.println("\nStored " + storeCount + " user passwords, " +
95
                "recovered " + recoverCount + " user passwords");
96

97
        new File(KEYSTORE).delete();
98
    }
99

100
    private static int store() throws Exception {
101
        int count = 0;
102
        // Load an empty PKCS#12 keystore
103
        KeyStore keystore = KeyStore.getInstance("PKCS12");
104
        System.out.println("\nLoading PKCS#12 keystore...");
105
        keystore.load(null, null);
106

107
        // Derive a PBE key from the password
108
        PBEKeySpec keySpec = new PBEKeySpec(USER_PWD);
109
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBE");
110
        SecretKey key = factory.generateSecret(keySpec);
111
        PBEParameterSpec specWithEightByteSalt =
112
            new PBEParameterSpec("NaClNaCl".getBytes(), 1024);
113

114
        // Store the user password in a keystore entry (for each algorithm)
115
        for (String algorithm : PBE_ALGORITHMS) {
116

117
            try {
118
                System.out.println("Storing user password '" +
119
                    new String(USER_PWD) + "' (protected by " + algorithm +
120
                    ")");
121

122
                if (algorithm.equals("default PBE algorithm")) {
123
                     keystore.setKeyEntry(
124
                         "this entry is protected by " + algorithm, key,
125
                         ENTRY_PWD, null);
126
                } else {
127
                    keystore.setEntry(
128
                        "this entry is protected by " + algorithm,
129
                        new KeyStore.SecretKeyEntry(key),
130
                        new KeyStore.PasswordProtection(ENTRY_PWD, algorithm,
131
                            null));
132
                }
133
                count++;
134

135
            } catch (KeyStoreException e) {
136
                Throwable inner = e.getCause();
137
                if (inner instanceof UnrecoverableKeyException) {
138
                    Throwable inner2 = inner.getCause();
139
                    if (inner2 instanceof InvalidAlgorithmParameterException) {
140
                        System.out.println("...re-trying due to: " +
141
                            inner2.getMessage());
142

143
                        // Some PBE algorithms demand an 8-byte salt
144
                        keystore.setEntry(
145
                            "this entry is protected by " + algorithm,
146
                            new KeyStore.SecretKeyEntry(key),
147
                            new KeyStore.PasswordProtection(ENTRY_PWD,
148
                                algorithm, specWithEightByteSalt));
149
                        count++;
150

151
                    } else if (inner2  instanceof InvalidKeyException) {
152
                        System.out.println("...skipping due to: " +
153
                            inner2.getMessage());
154
                        // Unsupported crypto keysize
155
                        continue;
156
                    }
157
                } else {
158
                    throw e;
159
                }
160
            }
161
        }
162

163
        // Store the PKCS#12 keystore
164
        System.out.println("Storing PKCS#12 keystore to: " + KEYSTORE);
165
        try (FileOutputStream out = new FileOutputStream(KEYSTORE)) {
166
            keystore.store(out, KEYSTORE_PWD);
167
        }
168

169
        return count;
170
    }
171

172
    private static int recover() throws Exception {
173
        int count = 0;
174
        // Load the PKCS#12 keystore
175
        KeyStore keystore = KeyStore.getInstance("PKCS12");
176
        System.out.println("\nLoading PKCS#12 keystore from: " + KEYSTORE);
177
        try (FileInputStream in = new FileInputStream(KEYSTORE)) {
178
            keystore.load(in, KEYSTORE_PWD);
179
        }
180

181
        SecretKey key;
182
        SecretKeyFactory factory;
183
        PBEKeySpec keySpec;
184

185
        // Retrieve each user password from the keystore
186
        for (String algorithm : PBE_ALGORITHMS) {
187
            key = (SecretKey) keystore.getKey("this entry is protected by " +
188
                algorithm, ENTRY_PWD);
189

190
            if (key != null) {
191
                count++;
192
                factory = SecretKeyFactory.getInstance(key.getAlgorithm());
193
                keySpec =
194
                    (PBEKeySpec) factory.getKeySpec(key, PBEKeySpec.class);
195
                char[] pwd = keySpec.getPassword();
196
                System.out.println("Recovered user password '" +
197
                     new String(pwd) + "' (protected by " + algorithm + ")");
198

199
                if (!Arrays.equals(USER_PWD, pwd)) {
200
                    throw new Exception("Failed to recover the user password " +
201
                        "protected by " + algorithm);
202
                }
203
            }
204
        }
205

206
        return count;
207
    }
208

209
    private static int storeByShell() throws Exception {
210
        int count = 0;
211
        for (String algorithm : PBE_ALGORITHMS) {
212
            System.out.println("Storing user password (protected by " + algorithm + " )");
213
            String importCmd = count < 5 ? "-importpassword" : "-importpass";
214
            String keyAlg = algorithm.equals("default PBE algorithm")
215
                    ? "" : (" -keyalg " + algorithm);
216
            SecurityTools.setResponse("hello1");
217
            OutputAnalyzer oa = SecurityTools.keytool(importCmd
218
                    + " -storetype pkcs12 -keystore mykeystore.p12"
219
                    + " -storepass changeit -alias `this entry is protected by "
220
                    + algorithm + "`" + keyAlg);
221
            if (oa.getExitValue() == 0) {
222
                System.out.println("OK");
223
                count++;
224
            } else {
225
                System.out.println("ERROR");
226
            }
227
        }
228
        return count;
229
    }
230

231
    private static int recoverByShell() throws Exception {
232
        return (int)SecurityTools.keytool("-list -storetype pkcs12"
233
                + " -keystore mykeystore.p12 -storepass changeit")
234
                .shouldHaveExitValue(0)
235
                .asLines().stream()
236
                .filter(s -> s.contains("this entry is protected by"))
237
                .count();
238
    }
239
}
240

241