/* * Copyright (c) 2017, 2022, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions.
*/
kt("-delete -alias y");
kt("-printcrl -file y.crl")
.shouldContain("WARNING: not verified");
jksTypeCheck();
}
staticvoid jksTypeCheck() throws Exception {
// No warning for cacerts, all certs
kt0("-cacerts -list -storepass changeit")
.shouldNotContain("proprietary format");
rm("ks");
rm("ks2");
kt("-genkeypair -keyalg DSA -alias a -dname CN=A")
.shouldNotContain("Warning:");
kt("-list")
.shouldNotContain("Warning:");
kt("-list -storetype jks") // no warning if PKCS12 used as JKS
.shouldNotContain("Warning:");
kt("-exportcert -alias a -file a.crt")
.shouldNotContain("Warning:");
// warn if migrating to JKS
importkeystore("ks", "ks2", "-deststoretype jks")
.shouldContain("JKS keystore uses a proprietary format");
rm("ks");
rm("ks2");
rm("ks3");
// no warning if all certs
kt("-importcert -alias b -file a.crt -storetype jks -noprompt")
.shouldNotContain("Warning:");
kt("-genkeypair -keyalg DSA -alias a -dname CN=A")
.shouldContain("JKS keystore uses a proprietary format");
kt("-list")
.shouldContain("JKS keystore uses a proprietary format");
kt("-list -storetype pkcs12") // warn if JKS used as PKCS12
.shouldContain("JKS keystore uses a proprietary format");
kt("-exportcert -alias a -file a.crt")
.shouldContain("JKS keystore uses a proprietary format");
kt("-printcert -file a.crt") // warning since -keystore option is supported
.shouldContain("JKS keystore uses a proprietary format");
kt("-certreq -alias a -file a.req")
.shouldContain("JKS keystore uses a proprietary format");
kt("-printcertreq -file a.req") // no warning if keystore not touched
.shouldNotContain("Warning:");
// No warning if migrating from JKS
importkeystore("ks", "ks2", "")
.shouldNotContain("Warning:");
Asserts.assertEQ(
KeyStore.getInstance( new File("ks"), "changeit".toCharArray()).getType(), "PKCS12");
Asserts.assertEQ(
KeyStore.getInstance( new File("ks.old6"), "changeit".toCharArray()).getType(), "JKS");
// One password prompt is enough for migration
kt0("-importkeystore -srckeystore ks -destkeystore ks", "changeit")
.shouldMatch("original.*ks.old7");
// But three if importing to a different keystore
rm("ks2");
kt0("-importkeystore -srckeystore ks -destkeystore ks2", "changeit")
.shouldContain("Keystore password is too short");
// cert already in
kt("-importcert -alias d -file a.cert", "no")
.shouldContain("Certificate already exists in keystore")
.shouldContain("Warning")
.shouldMatch("The input.*MD5withRSA.*is disabled")
.shouldContain("Do you still want to add it?");
kt("-importcert -alias d -file a.cert -noprompt")
.shouldContain("Warning")
.shouldMatch("The input.*MD5withRSA.*is disabled")
.shouldNotContain("[no]");
// cert is self-signed
kt("-delete -alias a");
kt("-delete -alias d");
kt("-importcert -alias d -file a.cert", "no")
.shouldContain("Warning")
.shouldContain("MD5withRSA (disabled)")
.shouldMatch("The input.*MD5withRSA.*is disabled")
.shouldContain("Trust this certificate?");
kt("-importcert -alias d -file a.cert -noprompt")
.shouldContain("Warning")
.shouldMatch("The input.*MD5withRSA.*is disabled")
.shouldNotContain("[no]");
// JDK-8177569: no warning for sigalg of trusted cert
String weakSigAlgCA = null;
KeyStore ks = KeyStoreUtil.getCacertsKeyStore(); if (ks != null) {
DisabledAlgorithmConstraints disabledCheck = new DisabledAlgorithmConstraints(
DisabledAlgorithmConstraints.PROPERTY_CERTPATH_DISABLED_ALGS);
Set<CryptoPrimitive> sigPrimitiveSet = Collections
.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));
for (String s : Collections.list(ks.aliases())) { if (ks.isCertificateEntry(s)) {
X509Certificate c = (X509Certificate)ks.getCertificate(s);
String sigAlg = c.getSigAlgName(); if (!disabledCheck.permits(sigPrimitiveSet, sigAlg, null)) {
weakSigAlgCA = sigAlg;
Files.write(Paths.get("ca.cert"),
ks.getCertificate(s).getEncoded()); break;
}
}
}
} if (weakSigAlgCA != null) { // The following 2 commands still have a warning on why not using // the -cacerts option directly.
kt("-list -keystore " + KeyStoreUtil.getCacerts())
.shouldNotMatch("signature algorithm.*risk");
kt("-list -v -keystore " + KeyStoreUtil.getCacerts())
.shouldNotMatch("signature algorithm.*risk");
// Importing with -trustcacerts ignore CA cert's sig alg
kt("-delete -alias d");
kt("-importcert -alias d -trustcacerts -file ca.cert", "no")
.shouldContain("Certificate already exists in system-wide CA")
.shouldNotMatch("signature algorithm.*risk")
.shouldContain("Do you still want to add it to your own keystore?");
kt("-importcert -alias d -trustcacerts -file ca.cert -noprompt")
.shouldNotMatch("signature algorithm.*risk")
.shouldNotContain("[no]");
// but not without -trustcacerts
kt("-delete -alias d");
kt("-importcert -alias d -file ca.cert", "no")
.shouldContain("name: " + weakSigAlgCA + " (disabled)")
.shouldContain("Warning")
.shouldMatch("The input.*" + weakSigAlgCA + ".*is disabled")
.shouldContain("Trust this certificate?");
kt("-importcert -alias d -file ca.cert -noprompt")
.shouldContain("Warning")
.shouldMatch("The input.*" + weakSigAlgCA + ".*is disabled")
.shouldNotContain("[no]");
}
// a non self-signed weak cert
reStore();
certreq("b", "");
gencert("c-b", "");
kt("-importcert -alias d -file c-b.cert") // weak only, no prompt
.shouldContain("Warning")
.shouldNotContain("512-bit RSA key (disabled)")
.shouldMatch("The input.*512-bit RSA key.*is disabled")
.shouldNotContain("[no]");
// JDK-8177569: no warning for sigalg of trusted cert
reStore(); // Change a into a TrustedCertEntry
kt("-exportcert -alias a -file a.cert");
kt("-delete -alias a");
kt("-importcert -alias a -file a.cert -noprompt");
kt("-list -alias a -v")
.shouldNotContain("disabled")
.shouldNotContain("Warning"); // This time a is trusted and no warning on its weak sig alg
kt("-importcert -alias c -file a-c.cert")
.shouldNotContain("Warning");
reStore();
gencert("a-b", "");
gencert("b-c", "");
// Full chain with root
cat("a-a-b-c.cert", "b-c.cert", "a-b.cert", "a.cert");
kt("-importcert -alias c -file a-a-b-c.cert") // only weak
.shouldContain("Warning")
.shouldMatch("Reply #2 of 3.*512-bit RSA key.*is disabled")
.shouldMatch("Reply #3 of 3.*MD5withRSA.*is disabled")
.shouldNotContain("[no]");
// Without root
cat("a-b-c.cert", "b-c.cert", "a-b.cert");
kt("-importcert -alias c -file a-b-c.cert") // only weak
.shouldContain("Warning")
.shouldMatch("Reply #2 of 2.*512-bit RSA key.*is disabled")
.shouldMatch("Issuer .*MD5withRSA.*is disabled")
.shouldNotContain("[no]");