Path: blob/master/test/jdk/sun/security/tools/keytool/fakecacerts/TrustedCert.java
41154 views
/*1* Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.2* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.3*4* This code is free software; you can redistribute it and/or modify it5* under the terms of the GNU General Public License version 2 only, as6* published by the Free Software Foundation.7*8* This code is distributed in the hope that it will be useful, but WITHOUT9* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or10* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License11* version 2 for more details (a copy is included in the LICENSE file that12* accompanied this code).13*14* You should have received a copy of the GNU General Public License version15* 2 along with this work; if not, write to the Free Software Foundation,16* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.17*18* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA19* or visit www.oracle.com if you need additional information or have any20* questions.21*/2223/*24* @test25* @bug 824414826* @summary Test keytool -printcert with -keystore and -trustcacerts options27* @library /test/lib28* @library /test/jdk/sun/security/util/module_patch29* @build java.base/sun.security.util.FilePaths30* @modules java.base/sun.security.util31* java.base/jdk.internal.misc32* @run main TrustedCert33*/3435import jdk.test.lib.SecurityTools;36import jdk.test.lib.process.OutputAnalyzer;37import jdk.test.lib.security.KeyStoreUtils;3839import java.io.ByteArrayOutputStream;40import java.io.File;41import java.io.IOException;42import java.nio.file.Files;43import java.nio.file.Paths;4445public class TrustedCert {4647// The --patch-module must be explicitly specified on the keytool48// command line because it's in a separate process49private static final String PATCH_OPTION;5051static {52String tmp = "";53for (String a : jdk.internal.misc.VM.getRuntimeArguments()) {54if (a.startsWith("--patch-module")) {55tmp = "-J" + a + " ";56break;57}58}59PATCH_OPTION = tmp;60}6162static OutputAnalyzer kt(String cmd, String ks) throws Exception {63return SecurityTools.keytool(cmd + " -keystore " + ks64+ " -storepass changeit")65.shouldHaveExitValue(0);66}6768static OutputAnalyzer kt1(String cmd, String ks) throws Exception {69return SecurityTools.keytool(cmd + " -keystore " + ks70+ " -storepass changeit")71.shouldNotHaveExitValue(0);72}7374static OutputAnalyzer patchcmd(String cmd, String options, String ks,75boolean nonzero) throws Exception {76if (nonzero) {77return kt1(PATCH_OPTION + " -" + cmd + " " + options, ks);78} else {79return kt(PATCH_OPTION + " -" + cmd + " " + options, ks);80}81}8283static void rm(String s) throws IOException {84System.out.println("---------------------------------------------");85System.out.println("$ rm " + s);86Files.deleteIfExists(Paths.get(s));87}8889private static void cat(String dest, String... src) throws IOException {90System.out.println("---------------------------------------------");91System.out.printf("$ cat ");9293ByteArrayOutputStream bout = new ByteArrayOutputStream();94for (String s : src) {95System.out.printf(s + " ");96bout.write(Files.readAllBytes(Paths.get(s)));97}98Files.write(Paths.get(dest), bout.toByteArray());99System.out.println("> " + dest);100}101102public static void main(String[] args) throws Exception {103104// Test -printcert with root CA in local keystore105kt("-genkeypair -keyalg rsa -keysize 1024 -sigalg SHA1withRSA " +106"-dname CN=ROOT -ext bc:c", "root.jks");107kt("-genkeypair -keyalg RSA -dname CN=CA -ext bc:c", "ca.jks");108kt("-genkeypair -keyalg RSA -dname CN=SERVER", "server.jks");109110kt("-exportcert -rfc -file root.pem", "root.jks");111kt("-importcert -alias root -file root.pem -noprompt", "ca.jks");112kt("-importcert -alias root -file root.pem -noprompt", "server.jks");113114kt("-certreq -file ca.req", "ca.jks");115kt("-gencert -ext BC=0 -rfc -infile ca.req -outfile ca.pem", "root.jks");116kt("-importcert -file ca.pem", "ca.jks");117118kt("-certreq -file server.req", "server.jks");119kt("-gencert -ext ku:c=dig,keyEncipherment -rfc -infile server.req " +120"-outfile server.pem", "ca.jks");121kt("-importcert -file server.pem", "server.jks");122123cat("fullchain.pem", "server.pem", "root.pem");124kt("-printcert -file fullchain.pem ", "server.jks")125.shouldNotMatch("SHA1withRSA signature algorithm.*security risk")126.shouldMatch("1024-bit RSA key.*security risk");127128rm("ca.jks");129rm("server.jks");130rm("mycacerts");131132// Test -printcert with root CA in cacerts keystore133kt("-genkeypair -keyalg RSA -dname CN=CA -ext bc:c", "ca.jks");134kt("-genkeypair -keyalg RSA -dname CN=SERVER", "server.jks");135136// import root CA to mycacerts keystore137KeyStoreUtils.createCacerts("mycacerts", "root.pem");138139kt("-certreq -file ca.req", "ca.jks");140kt("-gencert -ext BC=0 -rfc -infile ca.req -outfile ca.pem", "root.jks");141142patchcmd("importcert", "-file ca.pem", "ca.jks", true);143patchcmd("importcert", "-file ca.pem -trustcacerts", "ca.jks", false);144145kt("-certreq -file server.req", "server.jks");146kt("-gencert -ext ku:c=dig,keyEncipherment -rfc -infile server.req " +147"-outfile server.pem", "ca.jks");148kt("-importcert -file server.pem -noprompt", "server.jks");149150cat("fullchain.pem", "server.pem", "root.pem");151152patchcmd("-printcert", "-file fullchain.pem -trustcacerts", "server.jks", false)153.shouldNotMatch("SHA1withRSA signature algorithm.*security risk")154.shouldMatch("1024-bit RSA key.*security risk");155156patchcmd("-printcert", "-file fullchain.pem", "server.jks", false)157.shouldMatch("SHA1withRSA signature algorithm.*security risk")158.shouldMatch("1024-bit RSA key.*security risk");159}160}161162163