archive/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2025-09-19 18:44:38 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

8244148: keytool -printcert and -printcrl should support the -trustcacerts and -keystore options

Browse source 
Reviewed-by: weijun, jjiang
This commit is contained in:
Hai-May Chao 2020-06-23 16:30:38 +08:00
parent 8d9826e4d1
commit e3eb38f4d2
12 changed files with 459 additions and 50 deletions
Download patch file Download diff file Expand all files Collapse all files

6
src/java.base/share/classes/sun/security/ssl/TrustStoreManager.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -32,6 +32,7 @@ import java.security.cert.*;
import java.util.*;
import java.util.concurrent.locks.ReentrantLock;
import sun.security.action.*;
import sun.security.util.FilePaths;
import sun.security.validator.TrustStoreUtil;
/**
@ -76,8 +77,7 @@ final class TrustStoreManager {
private static final String defaultStorePath =
GetPropertyAction.privilegedGetProperty("java.home") +
fileSep + "lib" + fileSep + "security";
private static final String defaultStore =
defaultStorePath + fileSep + "cacerts";
private static final String defaultStore = FilePaths.cacerts();
private static final String jsseDefaultStore =
defaultStorePath + fileSep + "jssecacerts";

6
src/java.base/share/classes/sun/security/tools/KeyStoreUtil.java
View file

@ -51,6 +51,7 @@ import java.util.Properties;
import java.util.ResourceBundle;
import java.util.ServiceLoader;
import sun.security.util.FilePaths;
import sun.security.util.PropertyExpander;
/**
@ -110,10 +111,7 @@ public class KeyStoreUtil {
* Returns the file name of the keystore with the configured CA certificates.
*/
public static String getCacerts() {
String sep = File.separator;
return System.getProperty("java.home") + sep
+ "lib" + sep + "security" + sep
+ "cacerts";
return FilePaths.cacerts();
}
/**

56
src/java.base/share/classes/sun/security/tools/keytool/Main.java
View file

@ -260,12 +260,15 @@ public final class Main {
PROVIDERPATH, V, PROTECTED),
PRINTCERT("Prints.the.content.of.a.certificate",
RFC, FILEIN, SSLSERVER, JARFILE,
KEYSTORE, STOREPASS, STORETYPE, TRUSTCACERTS,
PROVIDERNAME, ADDPROVIDER, PROVIDERCLASS,
PROVIDERPATH, V),
PROVIDERPATH, V, PROTECTED),
PRINTCERTREQ("Prints.the.content.of.a.certificate.request",
FILEIN, V),
PRINTCRL("Prints.the.content.of.a.CRL.file",
FILEIN, V),
FILEIN, KEYSTORE, STOREPASS, STORETYPE, TRUSTCACERTS,
PROVIDERNAME, ADDPROVIDER, PROVIDERCLASS, PROVIDERPATH,
V, PROTECTED),
STOREPASSWD("Changes.the.store.password.of.a.keystore",
NEW, KEYSTORE, CACERTS, STOREPASS, STORETYPE, PROVIDERNAME,
ADDPROVIDER, PROVIDERCLASS, PROVIDERPATH, V),
@ -719,7 +722,7 @@ public final class Main {
}
boolean isKeyStoreRelated(Command cmd) {
return cmd != PRINTCERT && cmd != PRINTCERTREQ && cmd != SHOWINFO;
return cmd != PRINTCERTREQ && cmd != SHOWINFO;
}
/**
@ -904,14 +907,15 @@ public final class Main {
} catch (FileNotFoundException e) {
// These commands do not need the keystore to be existing.
// Either it will create a new one or the keystore is
// optional (i.e. PRINTCRL).
// optional (i.e. PRINTCRL and PRINTCERT).
if (command != GENKEYPAIR &&
command != GENSECKEY &&
command != IDENTITYDB &&
command != IMPORTCERT &&
command != IMPORTPASS &&
command != IMPORTKEYSTORE &&
command != PRINTCRL) {
command != PRINTCRL &&
command != PRINTCERT) {
throw new Exception(rb.getString
("Keystore.file.does.not.exist.") + ksfname);
}
@ -1073,7 +1077,7 @@ public final class Main {
}
} else {
// here we have EXPORTCERT and LIST (info valid until STOREPASSWD)
if (command != PRINTCRL) {
if (command != PRINTCRL && command != PRINTCERT) {
System.err.print(rb.getString("Enter.keystore.password."));
System.err.flush();
storePass = Password.readPassword(System.in);
@ -1108,10 +1112,10 @@ public final class Main {
}
}
// -trustcacerts can only be specified on -importcert.
// Reset it so that warnings on CA cert will remain for
// -printcert, etc.
if (command != IMPORTCERT) {
// -trustcacerts can be specified on -importcert, -printcert or -printcrl.
// Reset it so that warnings on CA cert will remain for other command.
if (command != IMPORTCERT && command != PRINTCERT
&& command != PRINTCRL) {
trustcacerts = false;
}
@ -2442,27 +2446,6 @@ public final class Main {
}
}
private static <T> Iterable<T> e2i(final Enumeration<T> e) {
return new Iterable<T>() {
@Override
public Iterator<T> iterator() {
return new Iterator<T>() {
@Override
public boolean hasNext() {
return e.hasMoreElements();
}
@Override
public T next() {
return e.nextElement();
}
public void remove() {
throw new UnsupportedOperationException("Not supported yet.");
}
};
}
};
}
/**
* Loads CRLs from a source. This method is also called in JarSigner.
* @param src the source, which means System.in if null, or a URI,
@ -2556,7 +2539,7 @@ public final class Main {
throws Exception {
X509CRLImpl xcrl = (X509CRLImpl)crl;
X500Principal issuer = xcrl.getIssuerX500Principal();
for (String s: e2i(ks.aliases())) {
for (String s: Collections.list(ks.aliases())) {
Certificate cert = ks.getCertificate(s);
if (cert instanceof X509Certificate) {
X509Certificate xcert = (X509Certificate)cert;
@ -2605,8 +2588,13 @@ public final class Main {
if (issuer == null) {
out.println(rb.getString
("STAR"));
out.println(rb.getString
("warning.not.verified.make.sure.keystore.is.correct"));
if (trustcacerts) {
out.println(rb.getString
("warning.not.verified.make.sure.keystore.is.correct"));
} else {
out.println(rb.getString
("warning.not.verified.make.sure.keystore.is.correct.or.specify.trustcacerts"));
}
out.println(rb.getString
("STARNN"));
}

2
src/java.base/share/classes/sun/security/tools/keytool/Resources.java
View file

@ -429,6 +429,8 @@ public class Resources extends java.util.ListResourceBundle {
{"warning.not.verified.make.sure.keystore.is.correct",
"WARNING: not verified. Make sure -keystore is correct."},
{"warning.not.verified.make.sure.keystore.is.correct.or.specify.trustcacerts",
"WARNING: not verified. Make sure -keystore is correct or specify -trustcacerts."},
{"Extensions.", "Extensions: "},
{".Empty.value.", "(Empty value)"},

8
src/java.base/share/classes/sun/security/util/AnchorCertificates.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2016, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -36,7 +36,6 @@ import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;
import jdk.internal.util.StaticProperty;
import sun.security.x509.X509CertImpl;
/**
@ -53,10 +52,9 @@ public class AnchorCertificates {
AccessController.doPrivileged(new PrivilegedAction<Void>() {
@Override
public Void run() {
File f = new File(StaticProperty.javaHome(),
"lib/security/cacerts");
KeyStore cacerts;
File f = new File(FilePaths.cacerts());
try {
KeyStore cacerts;
cacerts = KeyStore.getInstance("JKS");
try (FileInputStream fis = new FileInputStream(f)) {
cacerts.load(fis, null);

37
src/java.base/share/classes/sun/security/util/FilePaths.java Normal file
View file

@ -0,0 +1,37 @@
/*
* Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.util;
import jdk.internal.util.StaticProperty;
import java.io.File;
public class FilePaths {
public static String cacerts() {
return StaticProperty.javaHome() + File.separator + "lib"
+ File.separator + "security" + File.separator + "cacerts";
}
}