mirror of
https://github.com/openjdk/jdk.git
synced 2025-08-26 06:14:49 +02:00
8342062: Reformat keytool and jarsigner output for keys with a named parameter set
Reviewed-by: mullan
This commit is contained in:
Weijun Wang
parent
cc19897202
commit
fa5ff82eb3
12 changed files with 162 additions and 160 deletions
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (c) 1997, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 1997, 2025, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
|
|
@ -39,8 +39,8 @@ import java.security.cert.X509Certificate;
|
|||
import java.security.cert.CertificateException;
|
||||
import java.security.cert.TrustAnchor;
|
||||
import java.security.cert.URICertStoreParameters;
|
||||
|
||||
|
||||
import java.security.spec.ECParameterSpec;
|
||||
import java.security.spec.NamedParameterSpec;
|
||||
import java.text.Collator;
|
||||
import java.text.MessageFormat;
|
||||
import java.util.*;
|
||||
|
|
@ -61,19 +61,12 @@ import java.util.Base64;
|
|||
|
||||
import sun.security.pkcs12.PKCS12KeyStore;
|
||||
import sun.security.provider.certpath.CertPathConstraintsParameters;
|
||||
import sun.security.util.ConstraintsParameters;
|
||||
import sun.security.util.ECKeySizeParameterSpec;
|
||||
import sun.security.util.KeyUtil;
|
||||
import sun.security.util.ObjectIdentifier;
|
||||
import sun.security.util.*;
|
||||
import sun.security.pkcs10.PKCS10;
|
||||
import sun.security.pkcs10.PKCS10Attribute;
|
||||
import sun.security.provider.X509Factory;
|
||||
import sun.security.provider.certpath.ssl.SSLServerCertStore;
|
||||
import sun.security.util.KnownOIDs;
|
||||
import sun.security.util.Password;
|
||||
import sun.security.util.SecurityProperties;
|
||||
import sun.security.util.SecurityProviderConstants;
|
||||
import sun.security.util.SignatureUtil;
|
||||
|
||||
import javax.crypto.KeyGenerator;
|
||||
import javax.crypto.SecretKey;
|
||||
import javax.crypto.SecretKeyFactory;
|
||||
|
|
@ -82,15 +75,12 @@ import javax.crypto.spec.PBEKeySpec;
|
|||
import sun.security.pkcs.PKCS9Attribute;
|
||||
import sun.security.tools.KeyStoreUtil;
|
||||
import sun.security.tools.PathList;
|
||||
import sun.security.util.DerValue;
|
||||
import sun.security.util.Pem;
|
||||
import sun.security.validator.Validator;
|
||||
import sun.security.x509.*;
|
||||
|
||||
import static java.security.KeyStore.*;
|
||||
import static sun.security.tools.keytool.Main.Command.*;
|
||||
import static sun.security.tools.keytool.Main.Option.*;
|
||||
import sun.security.util.DisabledAlgorithmConstraints;
|
||||
|
||||
/**
|
||||
* This tool manages keystores.
|
||||
|
|
@ -2035,20 +2025,18 @@ public final class Main {
|
|||
Object[] source;
|
||||
if (signerAlias != null) {
|
||||
form = new MessageFormat(rb.getString
|
||||
("Generating.keysize.bit.keyAlgName.key.pair.and.a.certificate.sigAlgName.issued.by.signerAlias.with.a.validity.of.validality.days.for"));
|
||||
("Generating.full.keyAlgName.key.pair.and.a.certificate.sigAlgName.issued.by.signerAlias.with.a.validity.of.days.for"));
|
||||
source = new Object[]{
|
||||
groupName == null ? keysize : KeyUtil.getKeySize(privKey),
|
||||
KeyUtil.fullDisplayAlgName(privKey),
|
||||
fullDisplayKeyName(privKey),
|
||||
newCert.getSigAlgName(),
|
||||
signerAlias,
|
||||
validity,
|
||||
x500Name};
|
||||
} else {
|
||||
form = new MessageFormat(rb.getString
|
||||
("Generating.keysize.bit.keyAlgName.key.pair.and.self.signed.certificate.sigAlgName.with.a.validity.of.validality.days.for"));
|
||||
("Generating.full.keyAlgName.key.pair.and.self.signed.certificate.sigAlgName.with.a.validity.of.days.for"));
|
||||
source = new Object[]{
|
||||
groupName == null ? keysize : KeyUtil.getKeySize(privKey),
|
||||
KeyUtil.fullDisplayAlgName(privKey),
|
||||
fullDisplayKeyName(privKey),
|
||||
newCert.getSigAlgName(),
|
||||
validity,
|
||||
x500Name};
|
||||
|
|
@ -2073,6 +2061,38 @@ public final class Main {
|
|||
keyStore.setKeyEntry(alias, privKey, keyPass, finalChain);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the full display name of the given key object. Could be
|
||||
* - "X25519", if its getParams() is NamedParameterSpec
|
||||
* - "EC (secp256r1)", if it's an EC key
|
||||
* - "1024-bit RSA", other known keys
|
||||
* - plain algorithm name, otherwise
|
||||
*
|
||||
* Note: the same method appears in keytool and jarsigner which uses
|
||||
* same resource string defined in their own Resources.java.
|
||||
*
|
||||
* @param key the key object, cannot be null
|
||||
* @return the full name
|
||||
*/
|
||||
private static String fullDisplayKeyName(Key key) {
|
||||
var alg = key.getAlgorithm();
|
||||
if (key instanceof AsymmetricKey ak) {
|
||||
var params = ak.getParams();
|
||||
if (params instanceof NamedParameterSpec nps) {
|
||||
return nps.getName(); // directly return
|
||||
} else if (params instanceof ECParameterSpec eps) {
|
||||
var nc = CurveDB.lookup(eps);
|
||||
if (nc != null) {
|
||||
alg += " (" + nc.getNameAndAliases()[0] + ")"; // append name
|
||||
}
|
||||
}
|
||||
}
|
||||
var size = KeyUtil.getKeySize(key);
|
||||
return size >= 0
|
||||
? String.format(rb.getString("size.bit.alg"), size, alg)
|
||||
: alg;
|
||||
}
|
||||
|
||||
private String ecGroupNameForSize(int size) throws Exception {
|
||||
AlgorithmParameters ap = AlgorithmParameters.getInstance("EC");
|
||||
ap.init(new ECKeySizeParameterSpec(size));
|
||||
|
|
@ -3598,22 +3618,17 @@ public final class Main {
|
|||
|
||||
private String withWeakConstraint(Key key,
|
||||
CertPathConstraintsParameters cpcp) {
|
||||
int kLen = KeyUtil.getKeySize(key);
|
||||
String displayAlg = KeyUtil.fullDisplayAlgName(key);
|
||||
String displayAlg = fullDisplayKeyName(key);
|
||||
try {
|
||||
DISABLED_CHECK.permits(key.getAlgorithm(), cpcp, true);
|
||||
} catch (CertPathValidatorException e) {
|
||||
return String.format(rb.getString("key.bit.disabled"), kLen, displayAlg);
|
||||
return String.format(rb.getString("key.bit.disabled"), displayAlg);
|
||||
}
|
||||
try {
|
||||
LEGACY_CHECK.permits(key.getAlgorithm(), cpcp, true);
|
||||
if (kLen >= 0) {
|
||||
return String.format(rb.getString("key.bit"), kLen, displayAlg);
|
||||
} else {
|
||||
return String.format(rb.getString("unknown.size.1"), displayAlg);
|
||||
}
|
||||
return String.format(rb.getString("key.bit"), displayAlg);
|
||||
} catch (CertPathValidatorException e) {
|
||||
return String.format(rb.getString("key.bit.weak"), kLen, displayAlg);
|
||||
return String.format(rb.getString("key.bit.weak"), displayAlg);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -4977,14 +4992,12 @@ public final class Main {
|
|||
} catch (CertPathValidatorException e) {
|
||||
weakWarnings.add(String.format(
|
||||
rb.getString("whose.key.weak"), label,
|
||||
String.format(rb.getString("key.bit"),
|
||||
KeyUtil.getKeySize(key), KeyUtil.fullDisplayAlgName(key))));
|
||||
String.format(rb.getString("key.bit"), fullDisplayKeyName(key))));
|
||||
}
|
||||
} catch (CertPathValidatorException e) {
|
||||
weakWarnings.add(String.format(
|
||||
rb.getString("whose.key.disabled"), label,
|
||||
String.format(rb.getString("key.bit"),
|
||||
KeyUtil.getKeySize(key), KeyUtil.fullDisplayAlgName(key))));
|
||||
String.format(rb.getString("key.bit"), fullDisplayKeyName(key))));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -5004,13 +5017,11 @@ public final class Main {
|
|||
if (!DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
|
||||
weakWarnings.add(String.format(
|
||||
rb.getString("whose.key.disabled"), label,
|
||||
String.format(rb.getString("key.bit"),
|
||||
KeyUtil.getKeySize(key), KeyUtil.fullDisplayAlgName(key))));
|
||||
String.format(rb.getString("key.bit"), fullDisplayKeyName(key))));
|
||||
} else if (!LEGACY_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
|
||||
weakWarnings.add(String.format(
|
||||
rb.getString("whose.key.weak"), label,
|
||||
String.format(rb.getString("key.bit"),
|
||||
KeyUtil.getKeySize(key), KeyUtil.fullDisplayAlgName(key))));
|
||||
String.format(rb.getString("key.bit"), fullDisplayKeyName(key))));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -5075,7 +5086,7 @@ public final class Main {
|
|||
weakWarnings.add(String.format(
|
||||
rb.getString("key.size.weak"), label,
|
||||
String.format(rb.getString("key.bit"),
|
||||
KeyUtil.getKeySize(secKey), secKeyAlg)));
|
||||
fullDisplayKeyName(secKey))));
|
||||
} else {
|
||||
weakWarnings.add(String.format(
|
||||
rb.getString("key.algorithm.weak"), label, secKeyAlg));
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2000, 2025, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
|
|
@ -307,10 +307,12 @@ public class Resources extends java.util.ListResourceBundle {
|
|||
"Specifying -keysize for generating EC keys is deprecated, please use \"-groupname %s\" instead."},
|
||||
{"Key.pair.not.generated.alias.alias.already.exists",
|
||||
"Key pair not generated, alias <{0}> already exists"},
|
||||
{"Generating.keysize.bit.keyAlgName.key.pair.and.self.signed.certificate.sigAlgName.with.a.validity.of.validality.days.for",
|
||||
"Generating {0} bit {1} key pair and self-signed certificate ({2}) with a validity of {3} days\n\tfor: {4}"},
|
||||
{"Generating.keysize.bit.keyAlgName.key.pair.and.a.certificate.sigAlgName.issued.by.signerAlias.with.a.validity.of.validality.days.for",
|
||||
"Generating {0} bit {1} key pair and a certificate ({2}) issued by <{3}> with a validity of {4} days\n\tfor: {5}"},
|
||||
{"size.bit.alg",
|
||||
"%1$d-bit %2$s"},
|
||||
{"Generating.full.keyAlgName.key.pair.and.self.signed.certificate.sigAlgName.with.a.validity.of.days.for",
|
||||
"Generating {0} key pair and self-signed certificate ({1}) with a validity of {2} days\n\tfor: {3}"},
|
||||
{"Generating.full.keyAlgName.key.pair.and.a.certificate.sigAlgName.issued.by.signerAlias.with.a.validity.of.days.for",
|
||||
"Generating {0} key pair and a certificate ({1}) issued by <{2}> with a validity of {3} days\n\tfor: {4}"},
|
||||
{"Enter.key.password.for.alias.", "Enter key password for <{0}>"},
|
||||
{".RETURN.if.same.as.keystore.password.",
|
||||
"\t(RETURN if same as keystore password): "},
|
||||
|
|
@ -479,10 +481,9 @@ public class Resources extends java.util.ListResourceBundle {
|
|||
{"alias.in.keystore", "Issuer <%s>"},
|
||||
{"with.weak", "%s (weak)"},
|
||||
{"with.disabled", "%s (disabled)"},
|
||||
{"key.bit", "%1$d-bit %2$s key"},
|
||||
{"key.bit.weak", "%1$d-bit %2$s key (weak)"},
|
||||
{"key.bit.disabled", "%1$d-bit %2$s key (disabled)"},
|
||||
{"unknown.size.1", "%s key of unknown size"},
|
||||
{"key.bit", "%s key"},
|
||||
{"key.bit.weak", "%s key (weak)"},
|
||||
{"key.bit.disabled", "%s key (disabled)"},
|
||||
{".PATTERN.printX509Cert.with.weak",
|
||||
"Owner: {0}\nIssuer: {1}\nSerial number: {2}\nValid from: {3} until: {4}\nCertificate fingerprints:\n\t SHA1: {5}\n\t SHA256: {6}\nSignature algorithm name: {7}\nSubject Public Key Algorithm: {8}\nVersion: {9}"},
|
||||
{"PKCS.10.with.weak",
|
||||
|
|
@ -494,7 +495,7 @@ public class Resources extends java.util.ListResourceBundle {
|
|||
{"Unable.to.parse.denyAfter.string.in.exception.message", "Unable to parse denyAfter date string in exception message"},
|
||||
{"whose.sigalg.weak", "%1$s uses the %2$s signature algorithm which is considered a security risk."},
|
||||
{"whose.key.disabled", "%1$s uses a %2$s which is considered a security risk and is disabled."},
|
||||
{"whose.key.weak", "%1$s uses a %2$s which is considered a security risk. This key size will be disabled in a future update."},
|
||||
{"whose.key.weak", "%1$s uses a %2$s which is considered a security risk. It will be disabled in a future update."},
|
||||
{"jks.storetype.warning", "The %1$s keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using \"keytool -importkeystore -srckeystore %2$s -destkeystore %2$s -deststoretype pkcs12\"."},
|
||||
{"migrate.keystore.warning", "Migrated \"%1$s\" to %4$s. The %2$s keystore is backed up as \"%3$s\"."},
|
||||
{"backup.keystore.warning", "The original keystore \"%1$s\" is backed up as \"%3$s\"..."},
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (c) 2012, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2012, 2025, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
|
|
@ -174,27 +174,6 @@ public final class KeyUtil {
|
|||
return -1;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the algorithm name of the given key object. If an EC key is
|
||||
* specified, returns the algorithm name and its named curve.
|
||||
*
|
||||
* @param key the key object, cannot be null
|
||||
* @return the algorithm name of the given key object, or return in the
|
||||
* form of "EC (named curve)" if the given key object is an EC key
|
||||
*/
|
||||
public static final String fullDisplayAlgName(Key key) {
|
||||
String result = key.getAlgorithm();
|
||||
if (key instanceof AsymmetricKey ak) {
|
||||
AlgorithmParameterSpec paramSpec = ak.getParams();
|
||||
if (paramSpec instanceof NamedCurve nc) {
|
||||
result += " (" + nc.getNameAndAliases()[0] + ")";
|
||||
} else if (paramSpec instanceof NamedParameterSpec nps) {
|
||||
result = nps.getName();
|
||||
}
|
||||
}
|
||||
return result;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns whether the key is valid or not.
|
||||
* <P>
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue