| /* |
| * Copyright (c) 2017, 2021, Oracle and/or its affiliates. All rights reserved. |
| * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
| * |
| * This code is free software; you can redistribute it and/or modify it |
| * under the terms of the GNU General Public License version 2 only, as |
| * published by the Free Software Foundation. |
| * |
| * This code is distributed in the hope that it will be useful, but WITHOUT |
| * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
| * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| * version 2 for more details (a copy is included in the LICENSE file that |
| * accompanied this code). |
| * |
| * You should have received a copy of the GNU General Public License version |
| * 2 along with this work; if not, write to the Free Software Foundation, |
| * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
| * |
| * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
| * or visit www.oracle.com if you need additional information or have any |
| * questions. |
| */ |
| |
| /* |
| * @test |
| * @bug 8192988 8266220 |
| * @summary keytool should support -storepasswd for pkcs12 keystores |
| * @library /test/lib |
| * @build jdk.test.lib.SecurityTools |
| * jdk.test.lib.Utils |
| * jdk.test.lib.Asserts |
| * jdk.test.lib.JDKToolFinder |
| * jdk.test.lib.JDKToolLauncher |
| * jdk.test.lib.Platform |
| * jdk.test.lib.process.* |
| * @run main PKCS12Passwd |
| */ |
| |
| import jdk.test.lib.Asserts; |
| import jdk.test.lib.SecurityTools; |
| import jdk.test.lib.process.OutputAnalyzer; |
| |
| import java.io.File; |
| import java.security.KeyStore; |
| import java.util.Collections; |
| |
| public class PKCS12Passwd { |
| |
| public static void main(String[] args) throws Exception { |
| |
| // A PrivateKeyEntry |
| kt("-genkeypair -alias a -dname CN=A -keyalg DSA") |
| .shouldHaveExitValue(0); |
| |
| // A TrustedCertificateEntry (genkeypair, export, delete, import) |
| kt("-genkeypair -alias b -dname CN=B -keyalg DSA") |
| .shouldHaveExitValue(0); |
| kt("-exportcert -alias b -file b.cert") |
| .shouldHaveExitValue(0); |
| kt("-delete -alias b") |
| .shouldHaveExitValue(0); |
| kt("-list -alias b") |
| .shouldHaveExitValue(1); |
| kt("-importcert -alias b -file b.cert -noprompt") |
| .shouldHaveExitValue(0); |
| |
| // A SecretKeyEntry |
| kt("-genseckey -keyalg AES -keysize 256 -alias c") |
| .shouldHaveExitValue(0); |
| |
| // Change password |
| |
| // 1. Using -importkeystore |
| ktFull("-importkeystore -srckeystore ks -destkeystore ks2 " |
| + "-srcstoretype pkcs12 -deststoretype pkcs12 " |
| + "-srcstorepass changeit -deststorepass newpass") |
| .shouldHaveExitValue(0); |
| |
| check("ks2", "newpass", "newpass"); |
| |
| // 2. Using -storepasswd |
| kt("-storepasswd -new newpass") |
| .shouldHaveExitValue(0) |
| .shouldNotContain("Ignoring user-specified"); |
| |
| check("ks", "newpass", "newpass"); |
| |
| // Other facts. Not necessarily the correct thing. |
| |
| // A PKCS12 keystore can be loaded as a JKS, and it follows JKS rules |
| // which means the storepass and keypass can be changed separately! |
| |
| ktFull("-genkeypair -alias a -dname CN=A -storetype pkcs12 -keyalg DSA " |
| + "-storepass changeit -keypass changeit -keystore p12") |
| .shouldHaveExitValue(0); |
| |
| // Only storepass is changed |
| ktFull("-storepasswd -storepass changeit -new newpass " |
| + "-keystore p12 -storetype jks") |
| .shouldHaveExitValue(0); |
| |
| check("p12", "newpass", "changeit"); |
| |
| // Only keypass is changed |
| ktFull("-keypasswd -storepass newpass -keypass changeit -new newpass " |
| + "-keystore p12 -storetype jks -alias a") |
| .shouldHaveExitValue(0); |
| |
| check("p12", "newpass", "newpass"); |
| |
| // Conversely, a JKS keystore can be laoded as a PKCS12, and it follows |
| // PKCS12 rules that both passwords are changed at the same time and |
| // some commands are rejected. |
| |
| ktFull("-genkeypair -alias a -dname CN=A -storetype jks -keyalg DSA " |
| + "-storepass changeit -keypass changeit -keystore jks") |
| .shouldHaveExitValue(0); |
| |
| // Both storepass and keypass changed. |
| ktFull("-storepasswd -storepass changeit -new newpass " |
| + "-keystore jks -storetype pkcs12") |
| .shouldHaveExitValue(0); |
| |
| check("jks", "newpass", "newpass"); |
| |
| // -keypasswd is not available for pkcs12 |
| ktFull("-keypasswd -storepass newpass -keypass newpass -new newerpass " |
| + "-keystore jks -storetype pkcs12 -alias a") |
| .shouldHaveExitValue(1); |
| |
| // but available for JKS |
| ktFull("-keypasswd -storepass newpass -keypass newpass -new newerpass " |
| + "-keystore jks -alias a") |
| .shouldHaveExitValue(0); |
| |
| check("jks", "newpass", "newerpass"); |
| |
| // A password-less keystore |
| ktFull("-keystore nopass -genkeypair -keyalg EC " |
| + "-storepass changeit -alias no -dname CN=no " |
| + "-J-Dkeystore.pkcs12.certProtectionAlgorithm=NONE " |
| + "-J-Dkeystore.pkcs12.macAlgorithm=NONE") |
| .shouldHaveExitValue(0); |
| |
| ktFull("-keystore nopass -list") |
| .shouldHaveExitValue(0) |
| .shouldNotContain("Enter keystore password:"); |
| |
| ktFull("-keystore nopass -list -storetype pkcs12") |
| .shouldHaveExitValue(0) |
| .shouldNotContain("Enter keystore password:"); |
| } |
| |
| // Makes sure we can load entries in a keystore |
| static void check(String file, String storePass, String keyPass) |
| throws Exception { |
| |
| KeyStore ks = KeyStore.getInstance( |
| new File(file), storePass.toCharArray()); |
| |
| for (String a : Collections.list(ks.aliases())) { |
| if (ks.isCertificateEntry(a)) { |
| ks.getCertificate(a); |
| } else { |
| ks.getEntry(a, |
| new KeyStore.PasswordProtection(keyPass.toCharArray())); |
| } |
| } |
| } |
| |
| static OutputAnalyzer kt(String arg) throws Exception { |
| return ktFull("-keystore ks -storepass changeit " + arg); |
| } |
| |
| static OutputAnalyzer ktFull(String arg) throws Exception { |
| return SecurityTools.keytool("-debug " + arg); |
| } |
| } |
