archive/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2025-08-26 14:24:46 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

8260693: Provide the support for specifying a signer in keytool -genkeypair

Browse source 
Reviewed-by: weijun
This commit is contained in:
Hai-May Chao 2021-04-09 01:59:59 +00:00
parent 77b16739ab
commit 719f95e504
6 changed files with 484 additions and 42 deletions
Download patch file Download diff file Expand all files Collapse all files

108
src/java.base/share/classes/sun/security/tools/keytool/Main.java
View file

@ -162,6 +162,8 @@ public final class Main {
private String srcstoretype = null;
private Set<char[]> passwords = new HashSet<>();
private String startDate = null;
private String signerAlias = null;
private char[] signerKeyPass = null;
private boolean tlsInfo = false;
@ -208,6 +210,7 @@ public final class Main {
GENKEYPAIR("Generates.a.key.pair",
ALIAS, KEYALG, KEYSIZE, CURVENAME, SIGALG, DNAME,
STARTDATE, EXT, VALIDITY, KEYPASS, KEYSTORE,
SIGNER, SIGNERKEYPASS,
STOREPASS, STORETYPE, PROVIDERNAME, ADDPROVIDER,
PROVIDERCLASS, PROVIDERPATH, V, PROTECTED),
GENSECKEY("Generates.a.secret.key",
@ -352,6 +355,8 @@ public final class Main {
PROVIDERPATH("providerpath", "<list>", "provider.classpath"),
RFC("rfc", null, "output.in.RFC.style"),
SIGALG("sigalg", "<alg>", "signature.algorithm.name"),
SIGNER("signer", "<alias>", "signer.alias"),
SIGNERKEYPASS("signerkeypass", "<arg>", "signer.key.password"),
SRCALIAS("srcalias", "<alias>", "source.alias"),
SRCKEYPASS("srckeypass", "<arg>", "source.key.password"),
SRCKEYSTORE("srckeystore", "<keystore>", "source.keystore.name"),
@ -603,6 +608,11 @@ public final class Main {
keyAlgName = args[++i];
} else if (collator.compare(flags, "-sigalg") == 0) {
sigAlgName = args[++i];
} else if (collator.compare(flags, "-signer") == 0) {
signerAlias = args[++i];
} else if (collator.compare(flags, "-signerkeypass") == 0) {
signerKeyPass = getPass(modifier, args[++i]);
passwords.add(signerKeyPass);
} else if (collator.compare(flags, "-startdate") == 0) {
startDate = args[++i];
} else if (collator.compare(flags, "-validity") == 0) {
@ -1148,7 +1158,8 @@ public final class Main {
throw new Exception(rb.getString(
"keyalg.option.missing.error"));
}
doGenKeyPair(alias, dname, keyAlgName, keysize, groupName, sigAlgName);
doGenKeyPair(alias, dname, keyAlgName, keysize, groupName, sigAlgName,
signerAlias);
kssave = true;
} else if (command == GENSECKEY) {
if (keyAlgName == null) {
@ -1858,7 +1869,8 @@ public final class Main {
* Creates a new key pair and self-signed certificate.
*/
private void doGenKeyPair(String alias, String dname, String keyAlgName,
int keysize, String groupName, String sigAlgName)
int keysize, String groupName, String sigAlgName,
String signerAlias)
throws Exception
{
if (groupName != null) {
@ -1879,6 +1891,14 @@ public final class Main {
keysize = 255;
} else if ("Ed448".equalsIgnoreCase(keyAlgName)) {
keysize = 448;
} else if ("XDH".equalsIgnoreCase(keyAlgName)) {
keysize = SecurityProviderConstants.DEF_XEC_KEY_SIZE;
} else if ("X25519".equalsIgnoreCase(keyAlgName)) {
keysize = 255;
} else if ("X448".equalsIgnoreCase(keyAlgName)) {
keysize = 448;
} else if ("DH".equalsIgnoreCase(keyAlgName)) {
keysize = SecurityProviderConstants.DEF_DH_KEY_SIZE;
}
} else {
if ("EC".equalsIgnoreCase(keyAlgName)) {
@ -1900,9 +1920,35 @@ public final class Main {
throw new Exception(form.format(source));
}
CertAndKeyGen keypair =
new CertAndKeyGen(keyAlgName, sigAlgName, providerName);
CertAndKeyGen keypair;
KeyIdentifier signerSubjectKeyId = null;
if (signerAlias != null) {
PrivateKey signerPrivateKey =
(PrivateKey)recoverKey(signerAlias, storePass, signerKeyPass).fst;
Certificate signerCert = keyStore.getCertificate(signerAlias);
X509CertImpl signerCertImpl;
if (signerCert instanceof X509CertImpl) {
signerCertImpl = (X509CertImpl) signerCert;
} else {
signerCertImpl = new X509CertImpl(signerCert.getEncoded());
}
X509CertInfo signerCertInfo = (X509CertInfo)signerCertImpl.get(
X509CertImpl.NAME + "." + X509CertImpl.INFO);
X500Name signerSubjectName = (X500Name)signerCertInfo.get(X509CertInfo.SUBJECT + "." +
X509CertInfo.DN_NAME);
keypair = new CertAndKeyGen(keyAlgName, sigAlgName, providerName,
signerPrivateKey, signerSubjectName);
signerSubjectKeyId = signerCertImpl.getSubjectKeyId();
if (signerSubjectKeyId == null) {
signerSubjectKeyId = new KeyIdentifier(signerCert.getPublicKey());
}
} else {
keypair = new CertAndKeyGen(keyAlgName, sigAlgName, providerName);
}
// If DN is provided, parse it. Otherwise, prompt the user for it.
X500Name x500Name;
@ -1920,34 +1966,55 @@ public final class Main {
keypair.generate(keysize);
}
PrivateKey privKey = keypair.getPrivateKey();
CertificateExtensions ext = createV3Extensions(
null,
null,
v3ext,
keypair.getPublicKeyAnyway(),
null);
signerSubjectKeyId);
X509Certificate[] chain = new X509Certificate[1];
chain[0] = keypair.getSelfCertificate(
PrivateKey privKey = keypair.getPrivateKey();
X509Certificate newCert = keypair.getSelfCertificate(
x500Name, getStartDate(startDate), validity*24L*60L*60L, ext);
MessageFormat form = new MessageFormat(rb.getString
("Generating.keysize.bit.keyAlgName.key.pair.and.self.signed.certificate.sigAlgName.with.a.validity.of.validality.days.for"));
Object[] source = {
groupName == null ? keysize : KeyUtil.getKeySize(privKey),
fullDisplayAlgName(privKey),
chain[0].getSigAlgName(),
validity,
x500Name};
System.err.println(form.format(source));
if (signerAlias != null) {
MessageFormat form = new MessageFormat(rb.getString
("Generating.keysize.bit.keyAlgName.key.pair.and.a.certificate.sigAlgName.issued.by.signerAlias.with.a.validity.of.validality.days.for"));
Object[] source = {
groupName == null ? keysize : KeyUtil.getKeySize(privKey),
fullDisplayAlgName(privKey),
newCert.getSigAlgName(),
signerAlias,
validity,
x500Name};
System.err.println(form.format(source));
} else {
MessageFormat form = new MessageFormat(rb.getString
("Generating.keysize.bit.keyAlgName.key.pair.and.self.signed.certificate.sigAlgName.with.a.validity.of.validality.days.for"));
Object[] source = {
groupName == null ? keysize : KeyUtil.getKeySize(privKey),
fullDisplayAlgName(privKey),
newCert.getSigAlgName(),
validity,
x500Name};
System.err.println(form.format(source));
}
if (keyPass == null) {
keyPass = promptForKeyPass(alias, null, storePass);
}
checkWeak(rb.getString("the.generated.certificate"), chain[0]);
keyStore.setKeyEntry(alias, privKey, keyPass, chain);
Certificate[] finalChain;
if (signerAlias != null) {
Certificate[] signerChain = keyStore.getCertificateChain(signerAlias);
finalChain = new X509Certificate[signerChain.length + 1];
finalChain[0] = newCert;
System.arraycopy(signerChain, 0, finalChain, 1, signerChain.length);
} else {
finalChain = new Certificate[] { newCert };
}
checkWeak(rb.getString("the.generated.certificate"), finalChain);
keyStore.setKeyEntry(alias, privKey, keyPass, finalChain);
}
private String ecGroupNameForSize(int size) throws Exception {
@ -4243,7 +4310,6 @@ public final class Main {
* @param existingEx the original extensions, can be null, used for -selfcert
* @param extstrs -ext values, Read keytool doc
* @param pkey the public key for the certificate
* @param akey the public key for the authority (issuer)
* @param aSubjectKeyId the subject key identifier for the authority (issuer)
* @return the created CertificateExtensions
*/