archive/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2025-08-26 14:24:46 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

8281234: The -protected option is not always checked in keytool and jarsigner

Browse source 
Reviewed-by: hchao, mullan
This commit is contained in:
Weijun Wang 2022-03-02 14:07:26 +00:00
parent d80f697182
commit fc918a73d0
4 changed files with 198 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/java.base/share/classes/sun/security/tools/keytool/Main.java
View file

@ -1286,6 +1286,7 @@ public final class Main {
kssave = true;
} else if (command == LIST) {
if (storePass == null
&& !protectedPath
&& !KeyStoreUtil.isWindowsKeyStore(storetype)
&& !isPasswordlessKeyStore) {
printNoIntegrityWarning();
@ -1685,6 +1686,7 @@ public final class Main {
throws Exception
{
if (storePass == null
&& !protectedPath
&& !KeyStoreUtil.isWindowsKeyStore(storetype)
&& !isPasswordlessKeyStore) {
printNoIntegrityWarning();

2
src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java
View file

@ -2185,7 +2185,7 @@ public class Main {
&& !KeyStoreUtil.isWindowsKeyStore(storetype)) {
storepass = getPass
(rb.getString("Enter.Passphrase.for.keystore."));
} else if (!token && storepass == null && prompt) {
} else if (!token && storepass == null && prompt && !protectedPath) {
storepass = getPass
(rb.getString("Enter.Passphrase.for.keystore."));
}

190
test/jdk/sun/security/tools/jarsigner/AutoKeyStore.java Normal file
View file

@ -0,0 +1,190 @@
/*
* Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 8281234
* @summary The -protected option is not always checked in keytool and jarsigner
* @library /test/lib
* @modules java.base/sun.security.tools.keytool
* java.base/sun.security.x509
*/
import jdk.test.lib.Asserts;
import jdk.test.lib.SecurityTools;
import jdk.test.lib.util.JarUtils;
import sun.security.tools.keytool.CertAndKeyGen;
import sun.security.x509.X500Name;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarFile;
public class AutoKeyStore {
public static void main(String[] args) throws Exception {
JarUtils.createJarFile(Path.of("unsigned.jar"), Path.of("."),
Files.writeString(Path.of("file"), "hello"));
SecurityTools.keytool("""
-J--add-exports -Jjava.base/sun.security.tools.keytool=ALL-UNNAMED
-J--add-exports -Jjava.base/sun.security.x509=ALL-UNNAMED
-providerClass AutoKeyStore$AutoProvider
-providerPath $test.classes
-storetype AUTO -keystore NONE -protected
-list
""").shouldHaveExitValue(0)
.shouldContain("Keystore type: AUTO")
.shouldContain("Keystore provider: AUTO")
.shouldContain("PrivateKeyEntry");
SecurityTools.jarsigner("""
-J--add-exports -Jjava.base/sun.security.tools.keytool=ALL-UNNAMED
-J--add-exports -Jjava.base/sun.security.x509=ALL-UNNAMED
-providerClass AutoKeyStore$AutoProvider
-providerPath $test.classes
-storetype AUTO -keystore NONE -protected
-signedJar signed.jar
unsigned.jar
one
""").shouldHaveExitValue(0)
.shouldContain("jar signed.");
Asserts.assertTrue(new JarFile("signed.jar")
.getEntry("META-INF/ONE.EC") != null);
}
public static class AutoProvider extends Provider {
public AutoProvider() {
super("AUTO", "1.1.1", "auto");
put("KeyStore.AUTO", "AutoKeyStore$KeyStoreImpl");
}
}
// This keystore is not based on file. Whenever it's loaded
// a self-sign certificate is generated inside
public static class KeyStoreImpl extends KeyStoreSpi {
private PrivateKey pri;
private PublicKey pub;
private X509Certificate cert;
@Override
public Key engineGetKey(String alias, char[] password) {
return pri;
}
@Override
public Certificate[] engineGetCertificateChain(String alias) {
return new Certificate[] { cert };
}
@Override
public Certificate engineGetCertificate(String alias) {
return cert;
}
@Override
public Date engineGetCreationDate(String alias) {
return new Date();
}
@Override
public void engineSetKeyEntry(String alias, Key key, char[] password, Certificate[] chain) throws KeyStoreException {
throw new KeyStoreException("Not supported");
}
@Override
public void engineSetKeyEntry(String alias, byte[] key, Certificate[] chain) throws KeyStoreException {
throw new KeyStoreException("Not supported");
}
@Override
public void engineSetCertificateEntry(String alias, Certificate cert) throws KeyStoreException {
throw new KeyStoreException("Not supported");
}
@Override
public void engineDeleteEntry(String alias) throws KeyStoreException {
throw new KeyStoreException("Not supported");
}
@Override
public Enumeration<String> engineAliases() {
return Collections.enumeration(List.of("one"));
}
@Override
public boolean engineContainsAlias(String alias) {
return alias.equalsIgnoreCase("one");
}
@Override
public int engineSize() {
return 1;
}
@Override
public boolean engineIsKeyEntry(String alias) {
return true;
}
@Override
public boolean engineIsCertificateEntry(String alias) {
return false;
}
@Override
public String engineGetCertificateAlias(Certificate cert) {
return "one";
}
@Override
public void engineStore(OutputStream stream, char[] password) {
}
@Override
public void engineLoad(InputStream stream, char[] password) throws IOException {
try {
CertAndKeyGen cag = new CertAndKeyGen("EC", "SHA256withECDSA");
cag.generate("secp256r1");
pri = cag.getPrivateKey();
pub = cag.getPublicKey();
cert = cag.getSelfCertificate(new X500Name("CN=one"), 3600);
} catch (Exception e) {
throw new IOException("Not loaded");
}
}
}
}

8
test/lib/jdk/test/lib/SecurityTools.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2016, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2016, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -40,8 +40,8 @@ import jdk.test.lib.process.ProcessTools;
* Run security tools (including jarsigner and keytool) in a new process.
* The en_US locale is always used so a test can always match output to
* English text. {@code /dev/urandom} is used as entropy source so tool will
* not block because of entropy scarcity. {@code -Jvm-options} is supported
* as an argument.
* not block because of entropy scarcity. An argument can be a normal string,
* {@code -Jvm-options}, or {@code $sysProp}.
*/
public class SecurityTools {
@ -66,6 +66,8 @@ public class SecurityTools {
} else if (Platform.isWindows() && arg.isEmpty()) {
// JDK-6518827: special handling for empty argument on Windows
launcher.addToolArg("\"\"");
} else if (arg.length() > 1 && arg.charAt(0) == '$') {
launcher.addToolArg(System.getProperty(arg.substring(1)));
} else {
launcher.addToolArg(arg);
}