/*
* Copyright (c) 1997, 2006, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.tools;
import java.io.*;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.InvalidParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Key;
import java.security.PublicKey;
import java.security.PrivateKey;
import java.security.Security;
import java.security.Signature;
import java.security.SignatureException;
import java.security.UnrecoverableEntryException;
import java.security.UnrecoverableKeyException;
import java.security.Principal;
import java.security.Provider;
import java.security.Identity;
import java.security.Signer;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.cert.CertificateException;
import java.security.interfaces.DSAParams;
import java.security.interfaces.DSAPrivateKey;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.text.Collator;
import java.text.MessageFormat;
import java.util.*;
import java.lang.reflect.Constructor;
import java.net.URL;
import java.net.URLClassLoader;
import sun.misc.BASE64Decoder;
import sun.misc.BASE64Encoder;
import sun.security.util.ObjectIdentifier;
import sun.security.pkcs.PKCS10;
import sun.security.provider.IdentityDatabase;
import sun.security.provider.SystemSigner;
import sun.security.provider.SystemIdentity;
import sun.security.provider.X509Factory;
import sun.security.util.DerOutputStream;
import sun.security.util.Password;
import sun.security.util.Resources;
import sun.security.util.PathList;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import sun.security.x509.*;
import static java.security.KeyStore.*;
/**
* This tool manages keystores.
*
* @author Jan Luehe
*
*
* @see java.security.KeyStore
* @see sun.security.provider.KeyProtector
* @see sun.security.provider.JavaKeyStore
*
* @since 1.2
*/
public final class KeyTool {
private boolean debug = false;
private int command = -1;
private String sigAlgName = null;
private String keyAlgName = null;
private boolean verbose = false;
private int keysize = -1;
private boolean rfc = false;
private long validity = (long)90;
private String alias = null;
private String dname = null;
private String dest = null;
private String filename = null;
private String srcksfname = null;
// User-specified providers are added before any command is called.
// However, they are not removed before the end of the main() method.
// If you're calling KeyTool.main() directly in your own Java program,
// please programtically add any providers you need and do not specify
// them through the command line.
private Set<Pair <String, String>> providers = null;
private String storetype = null;
private String srcProviderName = null;
private String providerName = null;
private String pathlist = null;
private char[] storePass = null;
private char[] storePassNew = null;
private char[] keyPass = null;
private char[] keyPassNew = null;
private char[] oldPass = null;
private char[] newPass = null;
private char[] destKeyPass = null;
private char[] srckeyPass = null;
private String ksfname = null;
private File ksfile = null;
private InputStream ksStream = null; // keystore stream
private KeyStore keyStore = null;
private boolean token = false;
private boolean nullStream = false;
private boolean kssave = false;
private boolean noprompt = false;
private boolean trustcacerts = false;
private boolean protectedPath = false;
private boolean srcprotectedPath = false;
private CertificateFactory cf = null;
private KeyStore caks = null; // "cacerts" keystore
private char[] srcstorePass = null;
private String srcstoretype = null;
private Set<char[]> passwords = new HashSet<char[]> ();
private String startDate = null;
private static final int CERTREQ = 1;
private static final int CHANGEALIAS = 2;
private static final int DELETE = 3;
private static final int EXPORTCERT = 4;
private static final int GENKEYPAIR = 5;
private static final int GENSECKEY = 6;
// there is no HELP
private static final int IDENTITYDB = 7;
private static final int IMPORTCERT = 8;
private static final int IMPORTKEYSTORE = 9;
private static final int KEYCLONE = 10;
private static final int KEYPASSWD = 11;
private static final int LIST = 12;
private static final int PRINTCERT = 13;
private static final int SELFCERT = 14;
private static final int STOREPASSWD = 15;
private static final Class[] PARAM_STRING = { String.class };
private static final String JKS = "jks";
private static final String NONE = "NONE";
private static final String P11KEYSTORE = "PKCS11";
private static final String P12KEYSTORE = "PKCS12";
private final String keyAlias = "mykey";
// for i18n
private static final java.util.ResourceBundle rb =
java.util.ResourceBundle.getBundle("sun.security.util.Resources");
private static final Collator collator = Collator.getInstance();
static {
// this is for case insensitive string comparisons
collator.setStrength(Collator.PRIMARY);
};
private KeyTool() { }
public static void main(String[] args) throws Exception {
KeyTool kt = new KeyTool();
kt.run(args, System.out);
}
private void run(String[] args, PrintStream out) throws Exception {
try {
parseArgs(args);
doCommands(out);
} catch (Exception e) {
System.out.println(rb.getString("keytool error: ") + e);
if (verbose) {
e.printStackTrace(System.out);
}
if (!debug) {
System.exit(1);
} else {
throw e;
}
} finally {
for (char[] pass : passwords) {
if (pass != null) {
Arrays.fill(pass, ' ');
pass = null;
}
}
if (ksStream != null) {
ksStream.close();
}
}
}
/**
* Parse command line arguments.
*/
void parseArgs(String[] args) {
if (args.length == 0) usage();
int i=0;
for (i=0; (i < args.length) && args[i].startsWith("-"); i++) {
String flags = args[i];
/*
* command modes
*/
if (collator.compare(flags, "-certreq") == 0) {
command = CERTREQ;
} else if (collator.compare(flags, "-delete") == 0) {
command = DELETE;
} else if (collator.compare(flags, "-export") == 0 ||
collator.compare(flags, "-exportcert") == 0) {
command = EXPORTCERT;
} else if (collator.compare(flags, "-genkey") == 0 ||
collator.compare(flags, "-genkeypair") == 0) {
command = GENKEYPAIR;
} else if (collator.compare(flags, "-help") == 0) {
usage();
return;
} else if (collator.compare(flags, "-identitydb") == 0) { // obsolete
command = IDENTITYDB;
} else if (collator.compare(flags, "-import") == 0 ||
collator.compare(flags, "-importcert") == 0) {
command = IMPORTCERT;
} else if (collator.compare(flags, "-keyclone") == 0) { // obsolete
command = KEYCLONE;
} else if (collator.compare(flags, "-changealias") == 0) {
command = CHANGEALIAS;
} else if (collator.compare(flags, "-keypasswd") == 0) {
command = KEYPASSWD;
} else if (collator.compare(flags, "-list") == 0) {
command = LIST;
} else if (collator.compare(flags, "-printcert") == 0) {
command = PRINTCERT;
} else if (collator.compare(flags, "-selfcert") == 0) { // obsolete
command = SELFCERT;
} else if (collator.compare(flags, "-storepasswd") == 0) {
command = STOREPASSWD;
} else if (collator.compare(flags, "-importkeystore") == 0) {
command = IMPORTKEYSTORE;
} else if (collator.compare(flags, "-genseckey") == 0) {
command = GENSECKEY;
}
/*
* specifiers
*/
else if (collator.compare(flags, "-keystore") == 0 ||
collator.compare(flags, "-destkeystore") == 0) {
if (++i == args.length) errorNeedArgument(flags);
ksfname = args[i];
} else if (collator.compare(flags, "-storepass") == 0 ||
collator.compare(flags, "-deststorepass") == 0) {
if (++i == args.length) errorNeedArgument(flags);
storePass = args[i].toCharArray();
passwords.add(storePass);
} else if (collator.compare(flags, "-storetype") == 0 ||
collator.compare(flags, "-deststoretype") == 0) {
if (++i == args.length) errorNeedArgument(flags);
storetype = args[i];
} else if (collator.compare(flags, "-srcstorepass") == 0) {
if (++i == args.length) errorNeedArgument(flags);
srcstorePass = args[i].toCharArray();
passwords.add(srcstorePass);
} else if (collator.compare(flags, "-srcstoretype") == 0) {
if (++i == args.length) errorNeedArgument(flags);
srcstoretype = args[i];
} else if (collator.compare(flags, "-srckeypass") == 0) {
if (++i == args.length) errorNeedArgument(flags);
srckeyPass = args[i].toCharArray();
passwords.add(srckeyPass);
} else if (collator.compare(flags, "-srcprovidername") == 0) {
if (++i == args.length) errorNeedArgument(flags);
srcProviderName = args[i];
} else if (collator.compare(flags, "-providername") == 0 ||
collator.compare(flags, "-destprovidername") == 0) {
if (++i == args.length) errorNeedArgument(flags);
providerName = args[i];
} else if (collator.compare(flags, "-providerpath") == 0) {
if (++i == args.length) errorNeedArgument(flags);
pathlist = args[i];
} else if (collator.compare(flags, "-keypass") == 0) {
if (++i == args.length) errorNeedArgument(flags);
keyPass = args[i].toCharArray();
passwords.add(keyPass);
} else if (collator.compare(flags, "-new") == 0) {
if (++i == args.length) errorNeedArgument(flags);
newPass = args[i].toCharArray();
passwords.add(newPass);
} else if (collator.compare(flags, "-destkeypass") == 0) {
if (++i == args.length) errorNeedArgument(flags);
destKeyPass = args[i].toCharArray();
passwords.add(destKeyPass);
} else if (collator.compare(flags, "-alias") == 0 ||
collator.compare(flags, "-srcalias") == 0) {
if (++i == args.length) errorNeedArgument(flags);
alias = args[i];
} else if (collator.compare(flags, "-dest") == 0 ||
collator.compare(flags, "-destalias") == 0) {
if (++i == args.length) errorNeedArgument(flags);
dest = args[i];
} else if (collator.compare(flags, "-dname") == 0) {
if (++i == args.length) errorNeedArgument(flags);
dname = args[i];
} else if (collator.compare(flags, "-keysize") == 0) {
if (++i == args.length) errorNeedArgument(flags);
keysize = Integer.parseInt(args[i]);
} else if (collator.compare(flags, "-keyalg") == 0) {
if (++i == args.length) errorNeedArgument(flags);
keyAlgName = args[i];
} else if (collator.compare(flags, "-sigalg") == 0) {
if (++i == args.length) errorNeedArgument(flags);
sigAlgName = args[i];
} else if (collator.compare(flags, "-startdate") == 0) {
if (++i == args.length) errorNeedArgument(flags);
startDate = args[i];
} else if (collator.compare(flags, "-validity") == 0) {
if (++i == args.length) errorNeedArgument(flags);
validity = Long.parseLong(args[i]);
} else if (collator.compare(flags, "-file") == 0) {
if (++i == args.length) errorNeedArgument(flags);
filename = args[i];
} else if (collator.compare(flags, "-srckeystore") == 0) {
if (++i == args.length) errorNeedArgument(flags);
srcksfname = args[i];
} else if ((collator.compare(flags, "-provider") == 0) ||
(collator.compare(flags, "-providerclass") == 0)) {
if (++i == args.length) errorNeedArgument(flags);
if (providers == null) {
providers = new HashSet<Pair <String, String>> (3);
}
String providerClass = args[i];
String providerArg = null;
if (args.length > (i+1)) {
flags = args[i+1];
if (collator.compare(flags, "-providerarg") == 0) {
if (args.length == (i+2)) errorNeedArgument(flags);
providerArg = args[i+2];
i += 2;
}
}
providers.add(
new Pair<String, String>(providerClass, providerArg));
}
/*
* options
*/
else if (collator.compare(flags, "-v") == 0) {
verbose = true;
} else if (collator.compare(flags, "-debug") == 0) {
debug = true;
} else if (collator.compare(flags, "-rfc") == 0) {
rfc = true;
} else if (collator.compare(flags, "-noprompt") == 0) {
noprompt = true;
} else if (collator.compare(flags, "-trustcacerts") == 0) {
trustcacerts = true;
} else if (collator.compare(flags, "-protected") == 0 ||
collator.compare(flags, "-destprotected") == 0) {
protectedPath = true;
} else if (collator.compare(flags, "-srcprotected") == 0) {
srcprotectedPath = true;
} else {
System.err.println(rb.getString("Illegal option: ") + flags);
tinyHelp();
}
}
if (i<args.length) {
MessageFormat form = new MessageFormat
(rb.getString("Usage error, <arg> is not a legal command"));
Object[] source = {args[i]};
throw new RuntimeException(form.format(source));
}
if (command == -1) {
System.err.println(rb.getString("Usage error: no command provided"));
tinyHelp();
}
}
/**
* Execute the commands.
*/
void doCommands(PrintStream out) throws Exception {
if (storetype == null) {
storetype = KeyStore.getDefaultType();
}
storetype = KeyStoreUtil.niceStoreTypeName(storetype);
if (srcstoretype == null) {
srcstoretype = KeyStore.getDefaultType();
}
srcstoretype = KeyStoreUtil.niceStoreTypeName(srcstoretype);
if (P11KEYSTORE.equalsIgnoreCase(storetype) ||
KeyStoreUtil.isWindowsKeyStore(storetype)) {
token = true;
if (ksfname == null) {
ksfname = NONE;
}
}
if (NONE.equals(ksfname)) {
nullStream = true;
}
if (token && !nullStream) {
System.err.println(MessageFormat.format(rb.getString
("-keystore must be NONE if -storetype is {0}"), storetype));
System.err.println();
tinyHelp();
}
if (token &&
(command == KEYPASSWD || command == STOREPASSWD)) {
throw new UnsupportedOperationException(MessageFormat.format(rb.getString
("-storepasswd and -keypasswd commands not supported " +
"if -storetype is {0}"), storetype));
}
if (P12KEYSTORE.equalsIgnoreCase(storetype) && command == KEYPASSWD) {
throw new UnsupportedOperationException(rb.getString
("-keypasswd commands not supported " +
"if -storetype is PKCS12"));
}
if (token && (keyPass != null || newPass != null || destKeyPass != null)) {
throw new IllegalArgumentException(MessageFormat.format(rb.getString
("-keypass and -new " +
"can not be specified if -storetype is {0}"), storetype));
}
if (protectedPath) {
if (storePass != null || keyPass != null ||
newPass != null || destKeyPass != null) {
throw new IllegalArgumentException(rb.getString
("if -protected is specified, " +
"then -storepass, -keypass, and -new " +
"must not be specified"));
}
}
if (srcprotectedPath) {
if (srcstorePass != null || srckeyPass != null) {
throw new IllegalArgumentException(rb.getString
("if -srcprotected is specified, " +
"then -srcstorepass and -srckeypass " +
"must not be specified"));
}
}
if (KeyStoreUtil.isWindowsKeyStore(storetype)) {
if (storePass != null || keyPass != null ||
newPass != null || destKeyPass != null) {
throw new IllegalArgumentException(rb.getString
("if keystore is not password protected, " +
"then -storepass, -keypass, and -new " +
"must not be specified"));
}
}
if (KeyStoreUtil.isWindowsKeyStore(srcstoretype)) {
if (srcstorePass != null || srckeyPass != null) {
throw new IllegalArgumentException(rb.getString
("if source keystore is not password protected, " +
"then -srcstorepass and -srckeypass " +
"must not be specified"));
}
}
if (validity <= (long)0) {
throw new Exception
(rb.getString("Validity must be greater than zero"));
}
// Try to load and install specified provider
if (providers != null) {
ClassLoader cl = null;
if (pathlist != null) {
String path = null;
path = PathList.appendPath(
path, System.getProperty("java.class.path"));
path = PathList.appendPath(
path, System.getProperty("env.class.path"));
path = PathList.appendPath(path, pathlist);
URL[] urls = PathList.pathToURLs(path);
cl = new URLClassLoader(urls);
} else {
cl = ClassLoader.getSystemClassLoader();
}
for (Pair <String, String> provider: providers) {
String provName = provider.fst;
Class<?> provClass;
if (cl != null) {
provClass = cl.loadClass(provName);
} else {
provClass = Class.forName(provName);
}
String provArg = provider.snd;
Object obj;
if (provArg == null) {
obj = provClass.newInstance();
} else {
Constructor<?> c = provClass.getConstructor(PARAM_STRING);
obj = c.newInstance(provArg);
}
if (!(obj instanceof Provider)) {
MessageFormat form = new MessageFormat
(rb.getString("provName not a provider"));
Object[] source = {provName};
throw new Exception(form.format(source));
}
Security.addProvider((Provider)obj);
}
}
if (command == LIST && verbose && rfc) {
System.err.println(rb.getString
("Must not specify both -v and -rfc with 'list' command"));
tinyHelp();
}
// Make sure provided passwords are at least 6 characters long
if (command == GENKEYPAIR && keyPass!=null && keyPass.length < 6) {
throw new Exception(rb.getString
("Key password must be at least 6 characters"));
}
if (newPass != null && newPass.length < 6) {
throw new Exception(rb.getString
("New password must be at least 6 characters"));
}
if (destKeyPass != null && destKeyPass.length < 6) {
throw new Exception(rb.getString
("New password must be at least 6 characters"));
}
// Check if keystore exists.
// If no keystore has been specified at the command line, try to use
// the default, which is located in $HOME/.keystore.
// If the command is "genkey", "identitydb", "import", or "printcert",
// it is OK not to have a keystore.
if (command != PRINTCERT) {
if (ksfname == null) {
ksfname = System.getProperty("user.home") + File.separator
+ ".keystore";
}
if (!nullStream) {
try {
ksfile = new File(ksfname);
// Check if keystore file is empty
if (ksfile.exists() && ksfile.length() == 0) {
throw new Exception(rb.getString
("Keystore file exists, but is empty: ") + ksfname);
}
ksStream = new FileInputStream(ksfile);
} catch (FileNotFoundException e) {
if (command != GENKEYPAIR &&
command != GENSECKEY &&
command != IDENTITYDB &&
command != IMPORTCERT &&
command != IMPORTKEYSTORE) {
throw new Exception(rb.getString
("Keystore file does not exist: ") + ksfname);
}
}
}
}
if ((command == KEYCLONE || command == CHANGEALIAS)
&& dest == null) {
dest = getAlias("destination");
if ("".equals(dest)) {
throw new Exception(rb.getString
("Must specify destination alias"));
}
}
if (command == DELETE && alias == null) {
alias = getAlias(null);
if ("".equals(alias)) {
throw new Exception(rb.getString("Must specify alias"));
}
}
// Create new keystore
if (providerName == null) {
keyStore = KeyStore.getInstance(storetype);
} else {
keyStore = KeyStore.getInstance(storetype, providerName);
}
/*
* Load the keystore data.
*
* At this point, it's OK if no keystore password has been provided.
* We want to make sure that we can load the keystore data, i.e.,
* the keystore data has the right format. If we cannot load the
* keystore, why bother asking the user for his or her password?
* Only if we were able to load the keystore, and no keystore
* password has been provided, will we prompt the user for the
* keystore password to verify the keystore integrity.
* This means that the keystore is loaded twice: first load operation
* checks the keystore format, second load operation verifies the
* keystore integrity.
*
* If the keystore password has already been provided (at the
* command line), however, the keystore is loaded only once, and the
* keystore format and integrity are checked "at the same time".
*
* Null stream keystores are loaded later.
*/
if (!nullStream) {
keyStore.load(ksStream, storePass);
if (ksStream != null) {
ksStream.close();
}
}
// All commands that create or modify the keystore require a keystore
// password.
if (nullStream && storePass != null) {
keyStore.load(null, storePass);
} else if (!nullStream && storePass != null) {
// If we are creating a new non nullStream-based keystore,
// insist that the password be at least 6 characters
if (ksStream == null && storePass.length < 6) {
throw new Exception(rb.getString
("Keystore password must be at least 6 characters"));
}
} else if (storePass == null) {
// only prompt if (protectedPath == false)
if (!protectedPath && !KeyStoreUtil.isWindowsKeyStore(storetype) &&
(command == CERTREQ ||
command == DELETE ||
command == GENKEYPAIR ||
command == GENSECKEY ||
command == IMPORTCERT ||
command == IMPORTKEYSTORE ||
command == KEYCLONE ||
command == CHANGEALIAS ||
command == SELFCERT ||
command == STOREPASSWD ||
command == KEYPASSWD ||
command == IDENTITYDB)) {
int count = 0;
do {
if (command == IMPORTKEYSTORE) {
System.err.print
(rb.getString("Enter destination keystore password: "));
} else {
System.err.print
(rb.getString("Enter keystore password: "));
}
System.err.flush();
storePass = Password.readPassword(System.in);
passwords.add(storePass);
// If we are creating a new non nullStream-based keystore,
// insist that the password be at least 6 characters
if (!nullStream && (storePass == null || storePass.length < 6)) {
System.err.println(rb.getString
("Keystore password is too short - " +
"must be at least 6 characters"));
storePass = null;
}
// If the keystore file does not exist and needs to be
// created, the storepass should be prompted twice.
if (storePass != null && !nullStream && ksStream == null) {
System.err.print(rb.getString("Re-enter new password: "));
char[] storePassAgain = Password.readPassword(System.in);
passwords.add(storePassAgain);
if (!Arrays.equals(storePass, storePassAgain)) {
System.err.println
(rb.getString("They don't match. Try again"));
storePass = null;
}
}
count++;
} while ((storePass == null) && count < 3);
if (storePass == null) {
System.err.println
(rb.getString("Too many failures - try later"));
return;
}
} else if (!protectedPath
&& !KeyStoreUtil.isWindowsKeyStore(storetype)
&& !(command == PRINTCERT)) {
// here we have EXPORTCERT and LIST (info valid until STOREPASSWD)
System.err.print(rb.getString("Enter keystore password: "));
System.err.flush();
storePass = Password.readPassword(System.in);
passwords.add(storePass);
}
// Now load a nullStream-based keystore,
// or verify the integrity of an input stream-based keystore
if (nullStream) {
keyStore.load(null, storePass);
} else if (ksStream != null) {
ksStream = new FileInputStream(ksfile);
keyStore.load(ksStream, storePass);
ksStream.close();
}
}
if (storePass != null && P12KEYSTORE.equalsIgnoreCase(storetype)) {
MessageFormat form = new MessageFormat(rb.getString(
"Warning: Different store and key passwords not supported " +
"for PKCS12 KeyStores. Ignoring user-specified <command> value."));
if (keyPass != null && !Arrays.equals(storePass, keyPass)) {
Object[] source = {"-keypass"};
System.err.println(form.format(source));
keyPass = storePass;
}
if (newPass != null && !Arrays.equals(storePass, newPass)) {
Object[] source = {"-new"};
System.err.println(form.format(source));
newPass = storePass;
}
if (destKeyPass != null && !Arrays.equals(storePass, destKeyPass)) {
Object[] source = {"-destkeypass"};
System.err.println(form.format(source));
destKeyPass = storePass;
}
}
// Create a certificate factory
if (command == PRINTCERT || command == IMPORTCERT
|| command == IDENTITYDB) {
cf = CertificateFactory.getInstance("X509");
}
if (trustcacerts) {
caks = getCacertsKeyStore();
}
// Perform the specified command
if (command == CERTREQ) {
PrintStream ps = null;
if (filename != null) {
ps = new PrintStream(new FileOutputStream
(filename));
out = ps;
}
try {
doCertReq(alias, sigAlgName, out);
} finally {
if (ps != null) {
ps.close();
}
}
if (verbose && filename != null) {
MessageFormat form = new MessageFormat(rb.getString
("Certification request stored in file <filename>"));
Object[] source = {filename};
System.err.println(form.format(source));
System.err.println(rb.getString("Submit this to your CA"));
}
} else if (command == DELETE) {
doDeleteEntry(alias);
kssave = true;
} else if (command == EXPORTCERT) {
PrintStream ps = null;
if (filename != null) {
ps = new PrintStream(new FileOutputStream
(filename));
out = ps;
}
try {
doExportCert(alias, out);
} finally {
if (ps != null) {
ps.close();
}
}
if (filename != null) {
MessageFormat form = new MessageFormat(rb.getString
("Certificate stored in file <filename>"));
Object[] source = {filename};
System.err.println(form.format(source));
}
} else if (command == GENKEYPAIR) {
if (keyAlgName == null) {
keyAlgName = "DSA";
}
doGenKeyPair(alias, dname, keyAlgName, keysize, sigAlgName);
kssave = true;
} else if (command == GENSECKEY) {
if (keyAlgName == null) {
keyAlgName = "DES";
}
doGenSecretKey(alias, keyAlgName, keysize);
kssave = true;
} else if (command == IDENTITYDB) {
InputStream inStream = System.in;
if (filename != null) {
inStream = new FileInputStream(filename);
}
try {
doImportIdentityDatabase(inStream);
} finally {
if (inStream != System.in) {
inStream.close();
}
}
} else if (command == IMPORTCERT) {
InputStream inStream = System.in;
if (filename != null) {
inStream = new FileInputStream(filename);
}
try {
String importAlias = (alias!=null)?alias:keyAlias;
if (keyStore.entryInstanceOf(importAlias, KeyStore.PrivateKeyEntry.class)) {
kssave = installReply(importAlias, inStream);
if (kssave) {
System.err.println(rb.getString
("Certificate reply was installed in keystore"));
} else {
System.err.println(rb.getString
("Certificate reply was not installed in keystore"));
}
} else if (!keyStore.containsAlias(importAlias) ||
keyStore.entryInstanceOf(importAlias,
KeyStore.TrustedCertificateEntry.class)) {
kssave = addTrustedCert(importAlias, inStream);
if (kssave) {
System.err.println(rb.getString
("Certificate was added to keystore"));
} else {
System.err.println(rb.getString
("Certificate was not added to keystore"));
}
}
} finally {
if (inStream != System.in) {
inStream.close();
}
}
} else if (command == IMPORTKEYSTORE) {
doImportKeyStore();
kssave = true;
} else if (command == KEYCLONE) {
keyPassNew = newPass;
// added to make sure only key can go thru
if (alias == null) {
alias = keyAlias;
}
if (keyStore.containsAlias(alias) == false) {
MessageFormat form = new MessageFormat
(rb.getString("Alias <alias> does not exist"));
Object[] source = {alias};
throw new Exception(form.format(source));
}
if (!keyStore.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
MessageFormat form = new MessageFormat(rb.getString(
"Alias <alias> references an entry type that is not a private key entry. " +
"The -keyclone command only supports cloning of private key entries"));
Object[] source = {alias};
throw new Exception(form.format(source));
}
doCloneEntry(alias, dest, true); // Now everything can be cloned
kssave = true;
} else if (command == CHANGEALIAS) {
if (alias == null) {
alias = keyAlias;
}
doCloneEntry(alias, dest, false);
// in PKCS11, clone a PrivateKeyEntry will delete the old one
if (keyStore.containsAlias(alias)) {
doDeleteEntry(alias);
}
kssave = true;
} else if (command == KEYPASSWD) {
keyPassNew = newPass;
doChangeKeyPasswd(alias);
kssave = true;
} else if (command == LIST) {
if (alias != null) {
doPrintEntry(alias, out, true);
} else {
doPrintEntries(out);
}
} else if (command == PRINTCERT) {
InputStream inStream = System.in;
if (filename != null) {
inStream = new FileInputStream(filename);
}
try {
doPrintCert(inStream, out);
} finally {
if (inStream != System.in) {
inStream.close();
}
}
} else if (command == SELFCERT) {
doSelfCert(alias, dname, sigAlgName);
kssave = true;
} else if (command == STOREPASSWD) {
storePassNew = newPass;
if (storePassNew == null) {
storePassNew = getNewPasswd("keystore password", storePass);
}
kssave = true;
}
// If we need to save the keystore, do so.
if (kssave) {
if (verbose) {
MessageFormat form = new MessageFormat
(rb.getString("[Storing ksfname]"));
Object[] source = {nullStream ? "keystore" : ksfname};
System.err.println(form.format(source));
}
if (token) {
keyStore.store(null, null);
} else {
FileOutputStream fout = null;
try {
fout = (nullStream ?
(FileOutputStream)null :
new FileOutputStream(ksfname));
keyStore.store
(fout,
(storePassNew!=null) ? storePassNew : storePass);
} finally {
if (fout != null) {
fout.close();
}
}
}
}
}
/**
* Creates a PKCS#10 cert signing request, corresponding to the
* keys (and name) associated with a given alias.
*/
private void doCertReq(String alias, String sigAlgName, PrintStream out)
throws Exception
{
if (alias == null) {
alias = keyAlias;
}
Object[] objs = recoverKey(alias, storePass, keyPass);
PrivateKey privKey = (PrivateKey)objs[0];
if (keyPass == null) {
keyPass = (char[])objs[1];
}
Certificate cert = keyStore.getCertificate(alias);
if (cert == null) {
MessageFormat form = new MessageFormat
(rb.getString("alias has no public key (certificate)"));
Object[] source = {alias};
throw new Exception(form.format(source));
}
PKCS10 request = new PKCS10(cert.getPublicKey());
// Construct an X500Signer object, so that we can sign the request
if (sigAlgName == null) {
// If no signature algorithm was specified at the command line,
// we choose one that is compatible with the selected private key
String keyAlgName = privKey.getAlgorithm();
if ("DSA".equalsIgnoreCase(keyAlgName)
|| "DSS".equalsIgnoreCase(keyAlgName)) {
sigAlgName = "SHA1WithDSA";
} else if ("RSA".equalsIgnoreCase(keyAlgName)) {
sigAlgName = "SHA1WithRSA";
} else {
throw new Exception(rb.getString
("Cannot derive signature algorithm"));
}
}
Signature signature = Signature.getInstance(sigAlgName);
signature.initSign(privKey);
X500Name subject =
new X500Name(((X509Certificate)cert).getSubjectDN().toString());
X500Signer signer = new X500Signer(signature, subject);
// Sign the request and base-64 encode it
request.encodeAndSign(signer);
request.print(out);
}
/**
* Deletes an entry from the keystore.
*/
private void doDeleteEntry(String alias) throws Exception {
if (keyStore.containsAlias(alias) == false) {
MessageFormat form = new MessageFormat
(rb.getString("Alias <alias> does not exist"));
Object[] source = {alias};
throw new Exception(form.format(source));
}
keyStore.deleteEntry(alias);
}
/**
* Exports a certificate from the keystore.
*/
private void doExportCert(String alias, PrintStream out)
throws Exception
{
if (storePass == null
&& !KeyStoreUtil.isWindowsKeyStore(storetype)) {
printWarning();
}
if (alias == null) {
alias = keyAlias;
}
if (keyStore.containsAlias(alias) == false) {
MessageFormat form = new MessageFormat
(rb.getString("Alias <alias> does not exist"));
Object[] source = {alias};
throw new Exception(form.format(source));
}
X509Certificate cert = (X509Certificate)keyStore.getCertificate(alias);
if (cert == null) {
MessageFormat form = new MessageFormat
(rb.getString("Alias <alias> has no certificate"));
Object[] source = {alias};
throw new Exception(form.format(source));
}
dumpCert(cert, out);
}
/**
* Prompt the user for a keypass when generating a key entry.
* @param alias the entry we will set password for
* @param orig the original entry of doing a dup, null if generate new
* @param origPass the password to copy from if user press ENTER
*/
private char[] promptForKeyPass(String alias, String orig, char[] origPass) throws Exception{
if (P12KEYSTORE.equalsIgnoreCase(storetype)) {
return origPass;
} else if (!token) {
// Prompt for key password
int count;
for (count = 0; count < 3; count++) {
MessageFormat form = new MessageFormat(rb.getString
("Enter key password for <alias>"));
Object[] source = {alias};
System.err.println(form.format(source));
if (orig == null) {
System.err.print(rb.getString
("\t(RETURN if same as keystore password): "));
} else {
form = new MessageFormat(rb.getString
("\t(RETURN if same as for <otherAlias>)"));
Object[] src = {orig};
System.err.print(form.format(src));
}
System.err.flush();
char[] entered = Password.readPassword(System.in);
passwords.add(entered);
if (entered == null) {
return origPass;
} else if (entered.length >= 6) {
System.err.print(rb.getString("Re-enter new password: "));
char[] passAgain = Password.readPassword(System.in);
passwords.add(passAgain);
if (!Arrays.equals(entered, passAgain)) {
System.err.println
(rb.getString("They don't match. Try again"));
continue;
}
return entered;
} else {
System.err.println(rb.getString
("Key password is too short - must be at least 6 characters"));
}
}
if (count == 3) {
if (command == KEYCLONE) {
throw new Exception(rb.getString
("Too many failures. Key entry not cloned"));
} else {
throw new Exception(rb.getString
("Too many failures - key not added to keystore"));
}
}
}
return null; // PKCS11
}
/**
* Creates a new secret key.
*/
private void doGenSecretKey(String alias, String keyAlgName,
int keysize)
throws Exception
{
if (alias == null) {
alias = keyAlias;
}
if (keyStore.containsAlias(alias)) {
MessageFormat form = new MessageFormat(rb.getString
("Secret key not generated, alias <alias> already exists"));
Object[] source = {alias};
throw new Exception(form.format(source));
}
SecretKey secKey = null;
KeyGenerator keygen = KeyGenerator.getInstance(keyAlgName);
if (keysize != -1) {
keygen.init(keysize);
} else if ("DES".equalsIgnoreCase(keyAlgName)) {
keygen.init(56);
} else if ("DESede".equalsIgnoreCase(keyAlgName)) {
keygen.init(168);
} else {
throw new Exception(rb.getString
("Please provide -keysize for secret key generation"));
}
secKey = keygen.generateKey();
if (keyPass == null) {
keyPass = promptForKeyPass(alias, null, storePass);
}
keyStore.setKeyEntry(alias, secKey, keyPass, null);
}
/**
* Creates a new key pair and self-signed certificate.
*/
private void doGenKeyPair(String alias, String dname, String keyAlgName,
int keysize, String sigAlgName)
throws Exception
{
if (keysize == -1) {
if ("EC".equalsIgnoreCase(keyAlgName)) {
keysize = 256;
} else {
keysize = 1024;
}
}
if (alias == null) {
alias = keyAlias;
}
if (keyStore.containsAlias(alias)) {
MessageFormat form = new MessageFormat(rb.getString
("Key pair not generated, alias <alias> already exists"));
Object[] source = {alias};
throw new Exception(form.format(source));
}
if (sigAlgName == null) {
if ("DSA".equalsIgnoreCase(keyAlgName)) {
sigAlgName = "SHA1WithDSA";
} else if ("RSA".equalsIgnoreCase(keyAlgName)) {
sigAlgName = "SHA1WithRSA";
} else if ("EC".equalsIgnoreCase(keyAlgName)) {
sigAlgName = "SHA1withECDSA";
} else {
throw new Exception(rb.getString
("Cannot derive signature algorithm"));
}
}
CertAndKeyGen keypair =
new CertAndKeyGen(keyAlgName, sigAlgName, providerName);
// If DN is provided, parse it. Otherwise, prompt the user for it.
X500Name x500Name;
if (dname == null) {
x500Name = getX500Name();
} else {
x500Name = new X500Name(dname);
}
keypair.generate(keysize);
PrivateKey privKey = keypair.getPrivateKey();
X509Certificate[] chain = new X509Certificate[1];
chain[0] = keypair.getSelfCertificate(
x500Name, getStartDate(startDate), validity*24L*60L*60L);
if (verbose) {
MessageFormat form = new MessageFormat(rb.getString
("Generating keysize bit keyAlgName key pair and self-signed certificate " +
"(sigAlgName) with a validity of validality days\n\tfor: x500Name"));
Object[] source = {new Integer(keysize),
privKey.getAlgorithm(),
chain[0].getSigAlgName(),
new Long(validity),
x500Name};
System.err.println(form.format(source));
}
if (keyPass == null) {
keyPass = promptForKeyPass(alias, null, storePass);
}
keyStore.setKeyEntry(alias, privKey, keyPass, chain);
}
/**
* Clones an entry
* @param orig original alias
* @param dest destination alias
* @changePassword if the password can be changed
*/
private void doCloneEntry(String orig, String dest, boolean changePassword)
throws Exception
{
if (orig == null) {
orig = keyAlias;
}
if (keyStore.containsAlias(dest)) {
MessageFormat form = new MessageFormat
(rb.getString("Destination alias <dest> already exists"));
Object[] source = {dest};
throw new Exception(form.format(source));
}
Object[] objs = recoverEntry(keyStore, orig, storePass, keyPass);
Entry entry = (Entry)objs[0];
keyPass = (char[])objs[1];
PasswordProtection pp = null;
if (keyPass != null) { // protected
if (!changePassword || P12KEYSTORE.equalsIgnoreCase(storetype)) {
keyPassNew = keyPass;
} else {
if (keyPassNew == null) {
keyPassNew = promptForKeyPass(dest, orig, keyPass);
}
}
pp = new PasswordProtection(keyPassNew);
}
keyStore.setEntry(dest, entry, pp);
}
/**
* Changes a key password.
*/
private void doChangeKeyPasswd(String alias) throws Exception
{
if (alias == null) {
alias = keyAlias;
}
Object[] objs = recoverKey(alias, storePass, keyPass);
Key privKey = (Key)objs[0];
if (keyPass == null) {
keyPass = (char[])objs[1];
}
if (keyPassNew == null) {
MessageFormat form = new MessageFormat
(rb.getString("key password for <alias>"));
Object[] source = {alias};
keyPassNew = getNewPasswd(form.format(source), keyPass);
}
keyStore.setKeyEntry(alias, privKey, keyPassNew,
keyStore.getCertificateChain(alias));
}
/**
* Imports a JDK 1.1-style identity database. We can only store one
* certificate per identity, because we use the identity's name as the
* alias (which references a keystore entry), and aliases must be unique.
*/
private void doImportIdentityDatabase(InputStream in)
throws Exception
{
byte[] encoded;
ByteArrayInputStream bais;
java.security.cert.X509Certificate newCert;
java.security.cert.Certificate[] chain = null;
PrivateKey privKey;
boolean modified = false;
IdentityDatabase idb = IdentityDatabase.fromStream(in);
for (Enumeration<Identity> enum_ = idb.identities();
enum_.hasMoreElements();) {
Identity id = enum_.nextElement();
newCert = null;
// only store trusted identities in keystore
if ((id instanceof SystemSigner && ((SystemSigner)id).isTrusted())
|| (id instanceof SystemIdentity
&& ((SystemIdentity)id).isTrusted())) {
// ignore if keystore entry with same alias name already exists
if (keyStore.containsAlias(id.getName())) {
MessageFormat form = new MessageFormat
(rb.getString("Keystore entry for <id.getName()> already exists"));
Object[] source = {id.getName()};
System.err.println(form.format(source));
continue;
}
java.security.Certificate[] certs = id.certificates();
if (certs!=null && certs.length>0) {
// we can only store one user cert per identity.
// convert old-style to new-style cert via the encoding
DerOutputStream dos = new DerOutputStream();
certs[0].encode(dos);
encoded = dos.toByteArray();
bais = new ByteArrayInputStream(encoded);
newCert = (X509Certificate)cf.generateCertificate(bais);
bais.close();
// if certificate is self-signed, make sure it verifies
if (isSelfSigned(newCert)) {
PublicKey pubKey = newCert.getPublicKey();
try {
newCert.verify(pubKey);
} catch (Exception e) {
// ignore this cert
continue;
}
}
if (id instanceof SystemSigner) {
MessageFormat form = new MessageFormat(rb.getString
("Creating keystore entry for <id.getName()> ..."));
Object[] source = {id.getName()};
System.err.println(form.format(source));
if (chain==null) {
chain = new java.security.cert.Certificate[1];
}
chain[0] = newCert;
privKey = ((SystemSigner)id).getPrivateKey();
keyStore.setKeyEntry(id.getName(), privKey, storePass,
chain);
} else {
keyStore.setCertificateEntry(id.getName(), newCert);
}
kssave = true;
}
}
}
if (!kssave) {
System.err.println(rb.getString
("No entries from identity database added"));
}
}
/**
* Prints a single keystore entry.
*/
private void doPrintEntry(String alias, PrintStream out,
boolean printWarning)
throws Exception
{
if (storePass == null && printWarning
&& !KeyStoreUtil.isWindowsKeyStore(storetype)) {
printWarning();
}
if (keyStore.containsAlias(alias) == false) {
MessageFormat form = new MessageFormat
(rb.getString("Alias <alias> does not exist"));
Object[] source = {alias};
throw new Exception(form.format(source));
}
if (verbose || rfc || debug) {
MessageFormat form = new MessageFormat
(rb.getString("Alias name: alias"));
Object[] source = {alias};
out.println(form.format(source));
if (!token) {
form = new MessageFormat(rb.getString
("Creation date: keyStore.getCreationDate(alias)"));
Object[] src = {keyStore.getCreationDate(alias)};
out.println(form.format(src));
}
} else {
if (!token) {
MessageFormat form = new MessageFormat
(rb.getString("alias, keyStore.getCreationDate(alias), "));
Object[] source = {alias, keyStore.getCreationDate(alias)};
out.print(form.format(source));
} else {
MessageFormat form = new MessageFormat
(rb.getString("alias, "));
Object[] source = {alias};
out.print(form.format(source));
}
}
if (keyStore.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) {
if (verbose || rfc || debug) {
Object[] source = {"SecretKeyEntry"};
out.println(new MessageFormat(
rb.getString("Entry type: <type>")).format(source));
} else {
out.println("SecretKeyEntry, ");
}
} else if (keyStore.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
if (verbose || rfc || debug) {
Object[] source = {"PrivateKeyEntry"};
out.println(new MessageFormat(
rb.getString("Entry type: <type>")).format(source));
} else {
out.println("PrivateKeyEntry, ");
}
// Get the chain
Certificate[] chain = keyStore.getCertificateChain(alias);
if (chain != null) {
if (verbose || rfc || debug) {
out.println(rb.getString
("Certificate chain length: ") + chain.length);
for (int i = 0; i < chain.length; i ++) {
MessageFormat form = new MessageFormat
(rb.getString("Certificate[(i + 1)]:"));
Object[] source = {new Integer((i + 1))};
out.println(form.format(source));
if (verbose && (chain[i] instanceof X509Certificate)) {
printX509Cert((X509Certificate)(chain[i]), out);
} else if (debug) {
out.println(chain[i].toString());
} else {
dumpCert(chain[i], out);
}
}
} else {
// Print the digest of the user cert only
out.println
(rb.getString("Certificate fingerprint (MD5): ") +
getCertFingerPrint("MD5", chain[0]));
}
}
} else if (keyStore.entryInstanceOf(alias,
KeyStore.TrustedCertificateEntry.class)) {
// We have a trusted certificate entry
Certificate cert = keyStore.getCertificate(alias);
if (verbose && (cert instanceof X509Certificate)) {
out.println(rb.getString("Entry type: trustedCertEntry\n"));
printX509Cert((X509Certificate)cert, out);
} else if (rfc) {
out.println(rb.getString("Entry type: trustedCertEntry\n"));
dumpCert(cert, out);
} else if (debug) {
out.println(cert.toString());
} else {
out.println(rb.getString("trustedCertEntry,"));
out.println(rb.getString("Certificate fingerprint (MD5): ")
+ getCertFingerPrint("MD5", cert));
}
} else {
out.println(rb.getString("Unknown Entry Type"));
}
}
/**
* Load the srckeystore from a stream, used in -importkeystore
* @returns the src KeyStore
*/
KeyStore loadSourceKeyStore() throws Exception {
boolean isPkcs11 = false;
InputStream is = null;
if (P11KEYSTORE.equalsIgnoreCase(srcstoretype) ||
KeyStoreUtil.isWindowsKeyStore(srcstoretype)) {
if (!NONE.equals(srcksfname)) {
System.err.println(MessageFormat.format(rb.getString
("-keystore must be NONE if -storetype is {0}"), srcstoretype));
System.err.println();
tinyHelp();
}
isPkcs11 = true;
} else {
if (srcksfname != null) {
File srcksfile = new File(srcksfname);
if (srcksfile.exists() && srcksfile.length() == 0) {
throw new Exception(rb.getString
("Source keystore file exists, but is empty: ") +
srcksfname);
}
is = new FileInputStream(srcksfile);
} else {
throw new Exception(rb.getString
("Please specify -srckeystore"));
}
}
KeyStore store;
try {
if (srcProviderName == null) {
store = KeyStore.getInstance(srcstoretype);
} else {
store = KeyStore.getInstance(srcstoretype, srcProviderName);
}
if (srcstorePass == null
&& !srcprotectedPath
&& !KeyStoreUtil.isWindowsKeyStore(srcstoretype)) {
System.err.print(rb.getString("Enter source keystore password: "));
System.err.flush();
srcstorePass = Password.readPassword(System.in);
passwords.add(srcstorePass);
}
// always let keypass be storepass when using pkcs12
if (P12KEYSTORE.equalsIgnoreCase(srcstoretype)) {
if (srckeyPass != null && srcstorePass != null &&
!Arrays.equals(srcstorePass, srckeyPass)) {
MessageFormat form = new MessageFormat(rb.getString(
"Warning: Different store and key passwords not supported " +
"for PKCS12 KeyStores. Ignoring user-specified <command> value."));
Object[] source = {"-srckeypass"};
System.err.println(form.format(source));
srckeyPass = srcstorePass;
}
}
store.load(is, srcstorePass); // "is" already null in PKCS11
} finally {
if (is != null) {
is.close();
}
}
if (srcstorePass == null
&& !KeyStoreUtil.isWindowsKeyStore(srcstoretype)) {
// anti refactoring, copied from printWarning(),
// but change 2 lines
System.err.println();
System.err.println(rb.getString
("***************** WARNING WARNING WARNING *****************"));
System.err.println(rb.getString
("* The integrity of the information stored in the srckeystore*"));
System.err.println(rb.getString
("* has NOT been verified! In order to verify its integrity, *"));
System.err.println(rb.getString
("* you must provide the srckeystore password. *"));
System.err.println(rb.getString
("***************** WARNING WARNING WARNING *****************"));
System.err.println();
}
return store;
}
/**
* import all keys and certs from importkeystore.
* keep alias unchanged if no name conflict, otherwise, prompt.
* keep keypass unchanged for keys
*/
private void doImportKeyStore() throws Exception {
if (alias != null) {
doImportKeyStoreSingle(loadSourceKeyStore(), alias);
} else {
if (dest != null || srckeyPass != null || destKeyPass != null) {
throw new Exception(rb.getString(
"if alias not specified, destalias, srckeypass, " +
"and destkeypass must not be specified"));
}
doImportKeyStoreAll(loadSourceKeyStore());
}
/*
* Information display rule of -importkeystore
* 1. inside single, shows failure
* 2. inside all, shows sucess
* 3. inside all where there is a failure, prompt for continue
* 4. at the final of all, shows summary
*/
}
/**
* Import a single entry named alias from srckeystore
* @returns 1 if the import action succeed
* 0 if user choose to ignore an alias-dumplicated entry
* 2 if setEntry throws Exception
*/
private int doImportKeyStoreSingle(KeyStore srckeystore, String alias)
throws Exception {
String newAlias = (dest==null) ? alias : dest;
if (keyStore.containsAlias(newAlias)) {
Object[] source = {alias};
if (noprompt) {
System.err.println(new MessageFormat(rb.getString(
"Warning: Overwriting existing alias <alias> in destination keystore")).format(source));
} else {
String reply = getYesNoReply(new MessageFormat(rb.getString(
"Existing entry alias <alias> exists, overwrite? [no]: ")).format(source));
if ("NO".equals(reply)) {
newAlias = inputStringFromStdin(rb.getString
("Enter new alias name\t(RETURN to cancel import for this entry): "));
if ("".equals(newAlias)) {
System.err.println(new MessageFormat(rb.getString(
"Entry for alias <alias> not imported.")).format(
source));
return 0;
}
}
}
}
Object[] objs = recoverEntry(srckeystore, alias, srcstorePass, srckeyPass);
Entry entry = (Entry)objs[0];
PasswordProtection pp = null;
// According to keytool.html, "The destination entry will be protected
// using destkeypass. If destkeypass is not provided, the destination
// entry will be protected with the source entry password."
// so always try to protect with destKeyPass.
if (destKeyPass != null) {
pp = new PasswordProtection(destKeyPass);
} else if (objs[1] != null) {
pp = new PasswordProtection((char[])objs[1]);
}
try {
keyStore.setEntry(newAlias, entry, pp);
return 1;
} catch (KeyStoreException kse) {
Object[] source2 = {alias, kse.toString()};
MessageFormat form = new MessageFormat(rb.getString(
"Problem importing entry for alias <alias>: <exception>.\nEntry for alias <alias> not imported."));
System.err.println(form.format(source2));
return 2;
}
}
private void doImportKeyStoreAll(KeyStore srckeystore) throws Exception {
int ok = 0;
int count = srckeystore.size();
for (Enumeration<String> e = srckeystore.aliases();
e.hasMoreElements(); ) {
String alias = e.nextElement();
int result = doImportKeyStoreSingle(srckeystore, alias);
if (result == 1) {
ok++;
Object[] source = {alias};
MessageFormat form = new MessageFormat(rb.getString("Entry for alias <alias> successfully imported."));
System.err.println(form.format(source));
} else if (result == 2) {
if (!noprompt) {
String reply = getYesNoReply("Do you want to quit the import process? [no]: ");
if ("YES".equals(reply)) {
break;
}
}
}
}
Object[] source = {ok, count-ok};
MessageFormat form = new MessageFormat(rb.getString(
"Import command completed: <ok> entries successfully imported, <fail> entries failed or cancelled"));
System.err.println(form.format(source));
}
/**
* Prints all keystore entries.
*/
private void doPrintEntries(PrintStream out)
throws Exception
{
if (storePass == null
&& !KeyStoreUtil.isWindowsKeyStore(storetype)) {
printWarning();
} else {
out.println();
}
out.println(rb.getString("Keystore type: ") + keyStore.getType());
out.println(rb.getString("Keystore provider: ") +
keyStore.getProvider().getName());
out.println();
MessageFormat form;
form = (keyStore.size() == 1) ?
new MessageFormat(rb.getString
("Your keystore contains keyStore.size() entry")) :
new MessageFormat(rb.getString
("Your keystore contains keyStore.size() entries"));
Object[] source = {new Integer(keyStore.size())};
out.println(form.format(source));
out.println();
for (Enumeration<String> e = keyStore.aliases();
e.hasMoreElements(); ) {
String alias = e.nextElement();
doPrintEntry(alias, out, false);
if (verbose || rfc) {
out.println(rb.getString("\n"));
out.println(rb.getString
("*******************************************"));
out.println(rb.getString
("*******************************************\n\n"));
}
}
}
/**
* Reads a certificate (or certificate chain) and prints its contents in
* a human readbable format.
*/
private void doPrintCert(InputStream in, PrintStream out)
throws Exception
{
Collection<? extends Certificate> c = null;
try {
c = cf.generateCertificates(in);
} catch (CertificateException ce) {
throw new Exception(rb.getString("Failed to parse input"), ce);
}
if (c.isEmpty()) {
throw new Exception(rb.getString("Empty input"));
}
Certificate[] certs = c.toArray(new Certificate[c.size()]);
for (int i=0; i<certs.length; i++) {
X509Certificate x509Cert = null;
try {
x509Cert = (X509Certificate)certs[i];
} catch (ClassCastException cce) {
throw new Exception(rb.getString("Not X.509 certificate"));
}
if (certs.length > 1) {
MessageFormat form = new MessageFormat
(rb.getString("Certificate[(i + 1)]:"));
Object[] source = {new Integer(i + 1)};
out.println(form.format(source));
}
printX509Cert(x509Cert, out);
if (i < (certs.length-1)) {
out.println();
}
}
}
/**
* Creates a self-signed certificate, and stores it as a single-element
* certificate chain.
*/
private void doSelfCert(String alias, String dname, String sigAlgName)
throws Exception
{
if (alias == null) {
alias = keyAlias;
}
Object[] objs = recoverKey(alias, storePass, keyPass);
PrivateKey privKey = (PrivateKey)objs[0];
if (keyPass == null)
keyPass = (char[])objs[1];
// Determine the signature algorithm
if (sigAlgName == null) {
// If no signature algorithm was specified at the command line,
// we choose one that is compatible with the selected private key
String keyAlgName = privKey.getAlgorithm();
if ("DSA".equalsIgnoreCase(keyAlgName)
|| "DSS".equalsIgnoreCase(keyAlgName)) {
sigAlgName = "SHA1WithDSA";
} else if ("RSA".equalsIgnoreCase(keyAlgName)) {
sigAlgName = "SHA1WithRSA";
} else if ("EC".equalsIgnoreCase(keyAlgName)) {
sigAlgName = "SHA1withECDSA";
} else {
throw new Exception
(rb.getString("Cannot derive signature algorithm"));
}
}
// Get the old certificate
Certificate oldCert = keyStore.getCertificate(alias);
if (oldCert == null) {
MessageFormat form = new MessageFormat
(rb.getString("alias has no public key"));
Object[] source = {alias};
throw new Exception(form.format(source));
}
if (!(oldCert instanceof X509Certificate)) {
MessageFormat form = new MessageFormat
(rb.getString("alias has no X.509 certificate"));
Object[] source = {alias};
throw new Exception(form.format(source));
}
// convert to X509CertImpl, so that we can modify selected fields
// (no public APIs available yet)
byte[] encoded = oldCert.getEncoded();
X509CertImpl certImpl = new X509CertImpl(encoded);
X509CertInfo certInfo = (X509CertInfo)certImpl.get(X509CertImpl.NAME
+ "." +
X509CertImpl.INFO);
// Extend its validity
Date firstDate = getStartDate(startDate);
Date lastDate = new Date();
lastDate.setTime(firstDate.getTime() + validity*1000L*24L*60L*60L);
CertificateValidity interval = new CertificateValidity(firstDate,
lastDate);
certInfo.set(X509CertInfo.VALIDITY, interval);
// Make new serial number
certInfo.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber
((int)(firstDate.getTime()/1000)));
// Set owner and issuer fields
X500Name owner;
if (dname == null) {
// Get the owner name from the certificate
owner = (X500Name)certInfo.get(X509CertInfo.SUBJECT + "." +
CertificateSubjectName.DN_NAME);
} else {
// Use the owner name specified at the command line
owner = new X500Name(dname);
certInfo.set(X509CertInfo.SUBJECT + "." +
CertificateSubjectName.DN_NAME, owner);
}
// Make issuer same as owner (self-signed!)
certInfo.set(X509CertInfo.ISSUER + "." +
CertificateIssuerName.DN_NAME, owner);
// The inner and outer signature algorithms have to match.
// The way we achieve that is really ugly, but there seems to be no
// other solution: We first sign the cert, then retrieve the
// outer sigalg and use it to set the inner sigalg
X509CertImpl newCert = new X509CertImpl(certInfo);
newCert.sign(privKey, sigAlgName);
AlgorithmId sigAlgid = (AlgorithmId)newCert.get(X509CertImpl.SIG_ALG);
certInfo.set(CertificateAlgorithmId.NAME + "." +
CertificateAlgorithmId.ALGORITHM, sigAlgid);
// first upgrade to version 3
certInfo.set(X509CertInfo.VERSION,
new CertificateVersion(CertificateVersion.V3));
// Sign the new certificate
newCert = new X509CertImpl(certInfo);
newCert.sign(privKey, sigAlgName);
// Store the new certificate as a single-element certificate chain
keyStore.setKeyEntry(alias, privKey,
(keyPass != null) ? keyPass : storePass,
new Certificate[] { newCert } );
if (verbose) {
System.err.println(rb.getString("New certificate (self-signed):"));
System.err.print(newCert.toString());
System.err.println();
}
}
/**
* Processes a certificate reply from a certificate authority.
*
* <p>Builds a certificate chain on top of the certificate reply,
* using trusted certificates from the keystore. The chain is complete
* after a self-signed certificate has been encountered. The self-signed
* certificate is considered a root certificate authority, and is stored
* at the end of the chain.
*
* <p>The newly generated chain replaces the old chain associated with the
* key entry.
*
* @return true if the certificate reply was installed, otherwise false.
*/
private boolean installReply(String alias, InputStream in)
throws Exception
{
if (alias == null) {
alias = keyAlias;
}
Object[] objs = recoverKey(alias, storePass, keyPass);
PrivateKey privKey = (PrivateKey)objs[0];
if (keyPass == null) {
keyPass = (char[])objs[1];
}
Certificate userCert = keyStore.getCertificate(alias);
if (userCert == null) {
MessageFormat form = new MessageFormat
(rb.getString("alias has no public key (certificate)"));
Object[] source = {alias};
throw new Exception(form.format(source));
}
// Read the certificates in the reply
Collection<? extends Certificate> c = cf.generateCertificates(in);
if (c.isEmpty()) {
throw new Exception(rb.getString("Reply has no certificates"));
}
Certificate[] replyCerts = c.toArray(new Certificate[c.size()]);
Certificate[] newChain;
if (replyCerts.length == 1) {
// single-cert reply
newChain = establishCertChain(userCert, replyCerts[0]);
} else {
// cert-chain reply (e.g., PKCS#7)
newChain = validateReply(alias, userCert, replyCerts);
}
// Now store the newly established chain in the keystore. The new
// chain replaces the old one.
if (newChain != null) {
keyStore.setKeyEntry(alias, privKey,
(keyPass != null) ? keyPass : storePass,
newChain);
return true;
} else {
return false;
}
}
/**
* Imports a certificate and adds it to the list of trusted certificates.
*
* @return true if the certificate was added, otherwise false.
*/
private boolean addTrustedCert(String alias, InputStream in)
throws Exception
{
if (alias == null) {
throw new Exception(rb.getString("Must specify alias"));
}
if (keyStore.containsAlias(alias)) {
MessageFormat form = new MessageFormat(rb.getString
("Certificate not imported, alias <alias> already exists"));
Object[] source = {alias};
throw new Exception(form.format(source));
}
// Read the certificate
X509Certificate cert = null;
try {
cert = (X509Certificate)cf.generateCertificate(in);
} catch (ClassCastException cce) {
throw new Exception(rb.getString("Input not an X.509 certificate"));
} catch (CertificateException ce) {
throw new Exception(rb.getString("Input not an X.509 certificate"));
}
// if certificate is self-signed, make sure it verifies
boolean selfSigned = false;
if (isSelfSigned(cert)) {
cert.verify(cert.getPublicKey());
selfSigned = true;
}
if (noprompt) {
keyStore.setCertificateEntry(alias, cert);
return true;
}
// check if cert already exists in keystore
String reply = null;
String trustalias = keyStore.getCertificateAlias(cert);
if (trustalias != null) {
MessageFormat form = new MessageFormat(rb.getString
("Certificate already exists in keystore under alias <trustalias>"));
Object[] source = {trustalias};
System.err.println(form.format(source));
reply = getYesNoReply
(rb.getString("Do you still want to add it? [no]: "));
} else if (selfSigned) {
if (trustcacerts && (caks != null) &&
((trustalias=caks.getCertificateAlias(cert)) != null)) {
MessageFormat form = new MessageFormat(rb.getString
("Certificate already exists in system-wide CA keystore under alias <trustalias>"));
Object[] source = {trustalias};
System.err.println(form.format(source));
reply = getYesNoReply
(rb.getString("Do you still want to add it to your own keystore? [no]: "));
}
if (trustalias == null) {
// Print the cert and ask user if they really want to add
// it to their keystore
printX509Cert(cert, System.out);
reply = getYesNoReply
(rb.getString("Trust this certificate? [no]: "));
}
}
if (reply != null) {
if ("YES".equals(reply)) {
keyStore.setCertificateEntry(alias, cert);
return true;
} else {
return false;
}
}
// Try to establish trust chain
try {
Certificate[] chain = establishCertChain(null, cert);
if (chain != null) {
keyStore.setCertificateEntry(alias, cert);
return true;
}
} catch (Exception e) {
// Print the cert and ask user if they really want to add it to
// their keystore
printX509Cert(cert, System.out);
reply = getYesNoReply
(rb.getString("Trust this certificate? [no]: "));
if ("YES".equals(reply)) {
keyStore.setCertificateEntry(alias, cert);
return true;
} else {
return false;
}
}
return false;
}
/**
* Prompts user for new password. New password must be different from
* old one.
*
* @param prompt the message that gets prompted on the screen
* @param oldPasswd the current (i.e., old) password
*/
private char[] getNewPasswd(String prompt, char[] oldPasswd)
throws Exception
{
char[] entered = null;
char[] reentered = null;
for (int count = 0; count < 3; count++) {
MessageFormat form = new MessageFormat
(rb.getString("New prompt: "));
Object[] source = {prompt};
System.err.print(form.format(source));
entered = Password.readPassword(System.in);
passwords.add(entered);
if (entered == null || entered.length < 6) {
System.err.println(rb.getString
("Password is too short - must be at least 6 characters"));
} else if (Arrays.equals(entered, oldPasswd)) {
System.err.println(rb.getString("Passwords must differ"));
} else {
form = new MessageFormat
(rb.getString("Re-enter new prompt: "));
Object[] src = {prompt};
System.err.print(form.format(src));
reentered = Password.readPassword(System.in);
passwords.add(reentered);
if (!Arrays.equals(entered, reentered)) {
System.err.println
(rb.getString("They don't match. Try again"));
} else {
Arrays.fill(reentered, ' ');
return entered;
}
}
if (entered != null) {
Arrays.fill(entered, ' ');
entered = null;
}
if (reentered != null) {
Arrays.fill(reentered, ' ');
reentered = null;
}
}
throw new Exception(rb.getString("Too many failures - try later"));
}
/**
* Prompts user for alias name.
* @param prompt the {0} of "Enter {0} alias name: " in prompt line
* @returns the string entered by the user, without the \n at the end
*/
private String getAlias(String prompt) throws Exception {
if (prompt != null) {
MessageFormat form = new MessageFormat
(rb.getString("Enter prompt alias name: "));
Object[] source = {prompt};
System.err.print(form.format(source));
} else {
System.err.print(rb.getString("Enter alias name: "));
}
return (new BufferedReader(new InputStreamReader(
System.in))).readLine();
}
/**
* Prompts user for an input string from the command line (System.in)
* @prompt the prompt string printed
* @returns the string entered by the user, without the \n at the end
*/
private String inputStringFromStdin(String prompt) throws Exception {
System.err.print(prompt);
return (new BufferedReader(new InputStreamReader(
System.in))).readLine();
}
/**
* Prompts user for key password. User may select to choose the same
* password (<code>otherKeyPass</code>) as for <code>otherAlias</code>.
*/
private char[] getKeyPasswd(String alias, String otherAlias,
char[] otherKeyPass)
throws Exception
{
int count = 0;
char[] keyPass = null;
do {
if (otherKeyPass != null) {
MessageFormat form = new MessageFormat(rb.getString
("Enter key password for <alias>"));
Object[] source = {alias};
System.err.println(form.format(source));
form = new MessageFormat(rb.getString
("\t(RETURN if same as for <otherAlias>)"));
Object[] src = {otherAlias};
System.err.print(form.format(src));
} else {
MessageFormat form = new MessageFormat(rb.getString
("Enter key password for <alias>"));
Object[] source = {alias};
System.err.print(form.format(source));
}
System.err.flush();
keyPass = Password.readPassword(System.in);
passwords.add(keyPass);
if (keyPass == null) {
keyPass = otherKeyPass;
}
count++;
} while ((keyPass == null) && count < 3);
if (keyPass == null) {
throw new Exception(rb.getString("Too many failures - try later"));
}
return keyPass;
}
/**
* Prints a certificate in a human readable format.
*/
private void printX509Cert(X509Certificate cert, PrintStream out)
throws Exception
{
/*
out.println("Owner: "
+ cert.getSubjectDN().toString()
+ "\n"
+ "Issuer: "
+ cert.getIssuerDN().toString()
+ "\n"
+ "Serial number: " + cert.getSerialNumber().toString(16)
+ "\n"
+ "Valid from: " + cert.getNotBefore().toString()
+ " until: " + cert.getNotAfter().toString()
+ "\n"
+ "Certificate fingerprints:\n"
+ "\t MD5: " + getCertFingerPrint("MD5", cert)
+ "\n"
+ "\t SHA1: " + getCertFingerPrint("SHA1", cert));
*/
MessageFormat form = new MessageFormat
(rb.getString("*PATTERN* printX509Cert"));
Object[] source = {cert.getSubjectDN().toString(),
cert.getIssuerDN().toString(),
cert.getSerialNumber().toString(16),
cert.getNotBefore().toString(),
cert.getNotAfter().toString(),
getCertFingerPrint("MD5", cert),
getCertFingerPrint("SHA1", cert),
cert.getSigAlgName(),
cert.getVersion()
};
out.println(form.format(source));
int extnum = 0;
if (cert instanceof X509CertImpl) {
X509CertImpl impl = (X509CertImpl)cert;
if (cert.getCriticalExtensionOIDs() != null) {
for (String extOID : cert.getCriticalExtensionOIDs()) {
if (extnum == 0) {
out.println();
out.println(rb.getString("Extensions: "));
out.println();
}
out.println("#"+(++extnum)+": "+
impl.getExtension(new ObjectIdentifier(extOID)));
}
}
if (cert.getNonCriticalExtensionOIDs() != null) {
for (String extOID : cert.getNonCriticalExtensionOIDs()) {
if (extnum == 0) {
out.println();
out.println(rb.getString("Extensions: "));
out.println();
}
Extension ext = impl.getExtension(new ObjectIdentifier(extOID));
if (ext != null) {
out.println("#"+(++extnum)+": "+ ext);
} else {
out.println("#"+(++extnum)+": "+
impl.getUnparseableExtension(new ObjectIdentifier(extOID)));
}
}
}
}
}
/**
* Returns true if the certificate is self-signed, false otherwise.
*/
private boolean isSelfSigned(X509Certificate cert) {
return cert.getSubjectDN().equals(cert.getIssuerDN());
}
/**
* Returns true if the given certificate is trusted, false otherwise.
*/
private boolean isTrusted(Certificate cert)
throws Exception
{
if (keyStore.getCertificateAlias(cert) != null) {
return true; // found in own keystore
}
if (trustcacerts && (caks != null) &&
(caks.getCertificateAlias(cert) != null)) {
return true; // found in CA keystore
}
return false;
}
/**
* Gets an X.500 name suitable for inclusion in a certification request.
*/
private X500Name getX500Name() throws IOException {
BufferedReader in;
in = new BufferedReader(new InputStreamReader(System.in));
String commonName = "Unknown";
String organizationalUnit = "Unknown";
String organization = "Unknown";
String city = "Unknown";
String state = "Unknown";
String country = "Unknown";
X500Name name;
String userInput = null;
int maxRetry = 20;
do {
if (maxRetry-- < 0) {
throw new RuntimeException(rb.getString(
"Too may retries, program terminated"));
}
commonName = inputString(in,
rb.getString("What is your first and last name?"),
commonName);
organizationalUnit = inputString(in,
rb.getString
("What is the name of your organizational unit?"),
organizationalUnit);
organization = inputString(in,
rb.getString("What is the name of your organization?"),
organization);
city = inputString(in,
rb.getString("What is the name of your City or Locality?"),
city);
state = inputString(in,
rb.getString("What is the name of your State or Province?"),
state);
country = inputString(in,
rb.getString
("What is the two-letter country code for this unit?"),
country);
name = new X500Name(commonName, organizationalUnit, organization,
city, state, country);
MessageFormat form = new MessageFormat
(rb.getString("Is <name> correct?"));
Object[] source = {name};
userInput = inputString
(in, form.format(source), rb.getString("no"));
} while (collator.compare(userInput, rb.getString("yes")) != 0 &&
collator.compare(userInput, rb.getString("y")) != 0);
System.err.println();
return name;
}
private String inputString(BufferedReader in, String prompt,
String defaultValue)
throws IOException
{
System.err.println(prompt);
MessageFormat form = new MessageFormat
(rb.getString(" [defaultValue]: "));
Object[] source = {defaultValue};
System.err.print(form.format(source));
System.err.flush();
String value = in.readLine();
if (value == null || collator.compare(value, "") == 0) {
value = defaultValue;
}
return value;
}
/**
* Writes an X.509 certificate in base64 or binary encoding to an output
* stream.
*/
private void dumpCert(Certificate cert, PrintStream out)
throws IOException, CertificateException
{
if (rfc) {
BASE64Encoder encoder = new BASE64Encoder();
out.println(X509Factory.BEGIN_CERT);
encoder.encodeBuffer(cert.getEncoded(), out);
out.println(X509Factory.END_CERT);
} else {
out.write(cert.getEncoded()); // binary
}
}
/**
* Converts a byte to hex digit and writes to the supplied buffer
*/
private void byte2hex(byte b, StringBuffer buf) {
char[] hexChars = { '0', '1', '2', '3', '4', '5', '6', '7', '8',
'9', 'A', 'B', 'C', 'D', 'E', 'F' };
int high = ((b & 0xf0) >> 4);
int low = (b & 0x0f);
buf.append(hexChars[high]);
buf.append(hexChars[low]);
}
/**
* Converts a byte array to hex string
*/
private String toHexString(byte[] block) {
StringBuffer buf = new StringBuffer();
int len = block.length;
for (int i = 0; i < len; i++) {
byte2hex(block[i], buf);
if (i < len-1) {
buf.append(":");
}
}
return buf.toString();
}
/**
* Recovers (private) key associated with given alias.
*
* @return an array of objects, where the 1st element in the array is the
* recovered private key, and the 2nd element is the password used to
* recover it.
*/
private Object[] recoverKey(String alias, char[] storePass,
char[] keyPass)
throws Exception
{
Key key = null;
if (keyStore.containsAlias(alias) == false) {
MessageFormat form = new MessageFormat
(rb.getString("Alias <alias> does not exist"));
Object[] source = {alias};
throw new Exception(form.format(source));
}
if (!keyStore.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class) &&
!keyStore.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) {
MessageFormat form = new MessageFormat
(rb.getString("Alias <alias> has no key"));
Object[] source = {alias};
throw new Exception(form.format(source));
}
if (keyPass == null) {
// Try to recover the key using the keystore password
try {
key = keyStore.getKey(alias, storePass);
keyPass = storePass;
passwords.add(keyPass);
} catch (UnrecoverableKeyException e) {
// Did not work out, so prompt user for key password
if (!token) {
keyPass = getKeyPasswd(alias, null, null);
key = keyStore.getKey(alias, keyPass);
} else {
throw e;
}
}
} else {
key = keyStore.getKey(alias, keyPass);
}
return new Object[] {key, keyPass};
}
/**
* Recovers entry associated with given alias.
*
* @return an array of objects, where the 1st element in the array is the
* recovered entry, and the 2nd element is the password used to
* recover it (null if no password).
*/
private Object[] recoverEntry(KeyStore ks,
String alias,
char[] pstore,
char[] pkey) throws Exception {
if (ks.containsAlias(alias) == false) {
MessageFormat form = new MessageFormat
(rb.getString("Alias <alias> does not exist"));
Object[] source = {alias};
throw new Exception(form.format(source));
}
PasswordProtection pp = null;
Entry entry;
try {
// First attempt to access entry without key password
// (PKCS11 entry or trusted certificate entry, for example)
entry = ks.getEntry(alias, pp);
pkey = null;
} catch (UnrecoverableEntryException une) {
if(P11KEYSTORE.equalsIgnoreCase(ks.getType()) ||
KeyStoreUtil.isWindowsKeyStore(ks.getType())) {
// should not happen, but a possibility
throw une;
}
// entry is protected
if (pkey != null) {
// try provided key password
pp = new PasswordProtection(pkey);
entry = ks.getEntry(alias, pp);
} else {
// try store pass
try {
pp = new PasswordProtection(pstore);
entry = ks.getEntry(alias, pp);
pkey = pstore;
} catch (UnrecoverableEntryException une2) {
if (P12KEYSTORE.equalsIgnoreCase(ks.getType())) {
// P12 keystore currently does not support separate
// store and entry passwords
throw une2;
} else {
// prompt for entry password
pkey = getKeyPasswd(alias, null, null);
pp = new PasswordProtection(pkey);
entry = ks.getEntry(alias, pp);
}
}
}
}
return new Object[] {entry, pkey};
}
/**
* Gets the requested finger print of the certificate.
*/
private String getCertFingerPrint(String mdAlg, Certificate cert)
throws Exception
{
byte[] encCertInfo = cert.getEncoded();
MessageDigest md = MessageDigest.getInstance(mdAlg);
byte[] digest = md.digest(encCertInfo);
return toHexString(digest);
}
/**
* Prints warning about missing integrity check.
*/
private void printWarning() {
System.err.println();
System.err.println(rb.getString
("***************** WARNING WARNING WARNING *****************"));
System.err.println(rb.getString
("* The integrity of the information stored in your keystore *"));
System.err.println(rb.getString
("* has NOT been verified! In order to verify its integrity, *"));
System.err.println(rb.getString
("* you must provide your keystore password. *"));
System.err.println(rb.getString
("***************** WARNING WARNING WARNING *****************"));
System.err.println();
}
/**
* Validates chain in certification reply, and returns the ordered
* elements of the chain (with user certificate first, and root
* certificate last in the array).
*
* @param alias the alias name
* @param userCert the user certificate of the alias
* @param replyCerts the chain provided in the reply
*/
private Certificate[] validateReply(String alias,
Certificate userCert,
Certificate[] replyCerts)
throws Exception
{
// order the certs in the reply (bottom-up).
// we know that all certs in the reply are of type X.509, because
// we parsed them using an X.509 certificate factory
int i;
PublicKey userPubKey = userCert.getPublicKey();
for (i=0; i<replyCerts.length; i++) {
if (userPubKey.equals(replyCerts[i].getPublicKey())) {
break;
}
}
if (i == replyCerts.length) {
MessageFormat form = new MessageFormat(rb.getString
("Certificate reply does not contain public key for <alias>"));
Object[] source = {alias};
throw new Exception(form.format(source));
}
Certificate tmpCert = replyCerts[0];
replyCerts[0] = replyCerts[i];
replyCerts[i] = tmpCert;
Principal issuer = ((X509Certificate)replyCerts[0]).getIssuerDN();
for (i=1; i < replyCerts.length-1; i++) {
// find a cert in the reply whose "subject" is the same as the
// given "issuer"
int j;
for (j=i; j<replyCerts.length; j++) {
Principal subject;
subject = ((X509Certificate)replyCerts[j]).getSubjectDN();
if (subject.equals(issuer)) {
tmpCert = replyCerts[i];
replyCerts[i] = replyCerts[j];
replyCerts[j] = tmpCert;
issuer = ((X509Certificate)replyCerts[i]).getIssuerDN();
break;
}
}
if (j == replyCerts.length) {
throw new Exception
(rb.getString("Incomplete certificate chain in reply"));
}
}
// now verify each cert in the ordered chain
for (i=0; i<replyCerts.length-1; i++) {
PublicKey pubKey = replyCerts[i+1].getPublicKey();
try {
replyCerts[i].verify(pubKey);
} catch (Exception e) {
throw new Exception(rb.getString
("Certificate chain in reply does not verify: ") +
e.getMessage());
}
}
if (noprompt) {
return replyCerts;
}
// do we trust the (root) cert at the top?
Certificate topCert = replyCerts[replyCerts.length-1];
if (!isTrusted(topCert)) {
boolean verified = false;
Certificate rootCert = null;
if (trustcacerts && (caks!= null)) {
for (Enumeration<String> aliases = caks.aliases();
aliases.hasMoreElements(); ) {
String name = aliases.nextElement();
rootCert = caks.getCertificate(name);
if (rootCert != null) {
try {
topCert.verify(rootCert.getPublicKey());
verified = true;
break;
} catch (Exception e) {
}
}
}
}
if (!verified) {
System.err.println();
System.err.println
(rb.getString("Top-level certificate in reply:\n"));
printX509Cert((X509Certificate)topCert, System.out);
System.err.println();
System.err.print(rb.getString("... is not trusted. "));
String reply = getYesNoReply
(rb.getString("Install reply anyway? [no]: "));
if ("NO".equals(reply)) {
return null;
}
} else {
if (!isSelfSigned((X509Certificate)topCert)) {
// append the (self-signed) root CA cert to the chain
Certificate[] tmpCerts =
new Certificate[replyCerts.length+1];
System.arraycopy(replyCerts, 0, tmpCerts, 0,
replyCerts.length);
tmpCerts[tmpCerts.length-1] = rootCert;
replyCerts = tmpCerts;
}
}
}
return replyCerts;
}
/**
* Establishes a certificate chain (using trusted certificates in the
* keystore), starting with the user certificate
* and ending at a self-signed certificate found in the keystore.
*
* @param userCert the user certificate of the alias
* @param certToVerify the single certificate provided in the reply
*/
private Certificate[] establishCertChain(Certificate userCert,
Certificate certToVerify)
throws Exception
{
if (userCert != null) {
// Make sure that the public key of the certificate reply matches
// the original public key in the keystore
PublicKey origPubKey = userCert.getPublicKey();
PublicKey replyPubKey = certToVerify.getPublicKey();
if (!origPubKey.equals(replyPubKey)) {
throw new Exception(rb.getString
("Public keys in reply and keystore don't match"));
}
// If the two certs are identical, we're done: no need to import
// anything
if (certToVerify.equals(userCert)) {
throw new Exception(rb.getString
("Certificate reply and certificate in keystore are identical"));
}
}
// Build a hash table of all certificates in the keystore.
// Use the subject distinguished name as the key into the hash table.
// All certificates associated with the same subject distinguished
// name are stored in the same hash table entry as a vector.
Hashtable<Principal, Vector<Certificate>> certs = null;
if (keyStore.size() > 0) {
certs = new Hashtable<Principal, Vector<Certificate>>(11);
keystorecerts2Hashtable(keyStore, certs);
}
if (trustcacerts) {
if (caks!=null && caks.size()>0) {
if (certs == null) {
certs = new Hashtable<Principal, Vector<Certificate>>(11);
}
keystorecerts2Hashtable(caks, certs);
}
}
// start building chain
Vector<Certificate> chain = new Vector<Certificate>(2);
if (buildChain((X509Certificate)certToVerify, chain, certs)) {
Certificate[] newChain = new Certificate[chain.size()];
// buildChain() returns chain with self-signed root-cert first and
// user-cert last, so we need to invert the chain before we store
// it
int j=0;
for (int i=chain.size()-1; i>=0; i--) {
newChain[j] = chain.elementAt(i);
j++;
}
return newChain;
} else {
throw new Exception
(rb.getString("Failed to establish chain from reply"));
}
}
/**
* Recursively tries to establish chain from pool of trusted certs.
*
* @param certToVerify the cert that needs to be verified.
* @param chain the chain that's being built.
* @param certs the pool of trusted certs
*
* @return true if successful, false otherwise.
*/
private boolean buildChain(X509Certificate certToVerify,
Vector<Certificate> chain,
Hashtable<Principal, Vector<Certificate>> certs) {
Principal subject = certToVerify.getSubjectDN();
Principal issuer = certToVerify.getIssuerDN();
if (subject.equals(issuer)) {
// reached self-signed root cert;
// no verification needed because it's trusted.
chain.addElement(certToVerify);
return true;
}
// Get the issuer's certificate(s)
Vector<Certificate> vec = certs.get(issuer);
if (vec == null) {
return false;
}
// Try out each certificate in the vector, until we find one
// whose public key verifies the signature of the certificate
// in question.
for (Enumeration<Certificate> issuerCerts = vec.elements();
issuerCerts.hasMoreElements(); ) {
X509Certificate issuerCert
= (X509Certificate)issuerCerts.nextElement();
PublicKey issuerPubKey = issuerCert.getPublicKey();
try {
certToVerify.verify(issuerPubKey);
} catch (Exception e) {
continue;
}
if (buildChain(issuerCert, chain, certs)) {
chain.addElement(certToVerify);
return true;
}
}
return false;
}
/**
* Prompts user for yes/no decision.
*
* @return the user's decision, can only be "YES" or "NO"
*/
private String getYesNoReply(String prompt)
throws IOException
{
String reply = null;
int maxRetry = 20;
do {
if (maxRetry-- < 0) {
throw new RuntimeException(rb.getString(
"Too may retries, program terminated"));
}
System.err.print(prompt);
System.err.flush();
reply = (new BufferedReader(new InputStreamReader
(System.in))).readLine();
if (collator.compare(reply, "") == 0 ||
collator.compare(reply, rb.getString("n")) == 0 ||
collator.compare(reply, rb.getString("no")) == 0) {
reply = "NO";
} else if (collator.compare(reply, rb.getString("y")) == 0 ||
collator.compare(reply, rb.getString("yes")) == 0) {
reply = "YES";
} else {
System.err.println(rb.getString("Wrong answer, try again"));
reply = null;
}
} while (reply == null);
return reply;
}
/**
* Returns the keystore with the configured CA certificates.
*/
private KeyStore getCacertsKeyStore()
throws Exception
{
String sep = File.separator;
File file = new File(System.getProperty("java.home") + sep
+ "lib" + sep + "security" + sep
+ "cacerts");
if (!file.exists()) {
return null;
}
FileInputStream fis = null;
KeyStore caks = null;
try {
fis = new FileInputStream(file);
caks = KeyStore.getInstance(JKS);
caks.load(fis, null);
} finally {
if (fis != null) {
fis.close();
}
}
return caks;
}
/**
* Stores the (leaf) certificates of a keystore in a hashtable.
* All certs belonging to the same CA are stored in a vector that
* in turn is stored in the hashtable, keyed by the CA's subject DN
*/
private void keystorecerts2Hashtable(KeyStore ks,
Hashtable<Principal, Vector<Certificate>> hash)
throws Exception {
for (Enumeration<String> aliases = ks.aliases();
aliases.hasMoreElements(); ) {
String alias = aliases.nextElement();
Certificate cert = ks.getCertificate(alias);
if (cert != null) {
Principal subjectDN = ((X509Certificate)cert).getSubjectDN();
Vector<Certificate> vec = hash.get(subjectDN);
if (vec == null) {
vec = new Vector<Certificate>();
vec.addElement(cert);
} else {
if (!vec.contains(cert)) {
vec.addElement(cert);
}
}
hash.put(subjectDN, vec);
}
}
}
/**
* Returns the issue time that's specified the -startdate option
* @param s the value of -startdate option
*/
private static Date getStartDate(String s) throws IOException {
Calendar c = new GregorianCalendar();
if (s != null) {
IOException ioe = new IOException("Illegal startdate value");
int len = s.length();
if (len == 0) {
throw ioe;
}
if (s.charAt(0) == '-' || s.charAt(0) == '+') {
// Form 1: ([+-]nnn[ymdHMS])+
int start = 0;
while (start < len) {
int sign = 0;
switch (s.charAt(start)) {
case '+': sign = 1; break;
case '-': sign = -1; break;
default: throw ioe;
}
int i = start+1;
for (; i<len; i++) {
char ch = s.charAt(i);
if (ch < '0' || ch > '9') break;
}
if (i == start+1) throw ioe;
int number = Integer.parseInt(s.substring(start+1, i));
if (i >= len) throw ioe;
int unit = 0;
switch (s.charAt(i)) {
case 'y': unit = Calendar.YEAR; break;
case 'm': unit = Calendar.MONTH; break;
case 'd': unit = Calendar.DATE; break;
case 'H': unit = Calendar.HOUR; break;
case 'M': unit = Calendar.MINUTE; break;
case 'S': unit = Calendar.SECOND; break;
default: throw ioe;
}
c.add(unit, sign * number);
start = i + 1;
}
} else {
// Form 2: [yyyy/mm/dd] [HH:MM:SS]
String date = null, time = null;
if (len == 19) {
date = s.substring(0, 10);
time = s.substring(11);
if (s.charAt(10) != ' ')
throw ioe;
} else if (len == 10) {
date = s;
} else if (len == 8) {
time = s;
} else {
throw ioe;
}
if (date != null) {
if (date.matches("\\d\\d\\d\\d\\/\\d\\d\\/\\d\\d")) {
c.set(Integer.valueOf(date.substring(0, 4)),
Integer.valueOf(date.substring(5, 7))-1,
Integer.valueOf(date.substring(8, 10)));
} else {
throw ioe;
}
}
if (time != null) {
if (time.matches("\\d\\d:\\d\\d:\\d\\d")) {
c.set(Calendar.HOUR_OF_DAY, Integer.valueOf(time.substring(0, 2)));
c.set(Calendar.MINUTE, Integer.valueOf(time.substring(0, 2)));
c.set(Calendar.SECOND, Integer.valueOf(time.substring(0, 2)));
c.set(Calendar.MILLISECOND, 0);
} else {
throw ioe;
}
}
}
}
return c.getTime();
}
/**
* Prints the usage of this tool.
*/
private void usage() {
System.err.println(rb.getString("keytool usage:\n"));
System.err.println(rb.getString
("-certreq [-v] [-protected]"));
System.err.println(rb.getString
("\t [-alias <alias>] [-sigalg <sigalg>]"));
System.err.println(rb.getString
("\t [-file <csr_file>] [-keypass <keypass>]"));
System.err.println(rb.getString
("\t [-keystore <keystore>] [-storepass <storepass>]"));
System.err.println(rb.getString
("\t [-storetype <storetype>] [-providername <name>]"));
System.err.println(rb.getString
("\t [-providerclass <provider_class_name> [-providerarg <arg>]] ..."));
System.err.println(rb.getString
("\t [-providerpath <pathlist>]"));
System.err.println();
System.err.println(rb.getString
("-changealias [-v] [-protected] -alias <alias> -destalias <destalias>"));
System.err.println(rb.getString
("\t [-keypass <keypass>]"));
System.err.println(rb.getString
("\t [-keystore <keystore>] [-storepass <storepass>]"));
System.err.println(rb.getString
("\t [-storetype <storetype>] [-providername <name>]"));
System.err.println(rb.getString
("\t [-providerclass <provider_class_name> [-providerarg <arg>]] ..."));
System.err.println(rb.getString
("\t [-providerpath <pathlist>]"));
System.err.println();
System.err.println(rb.getString
("-delete [-v] [-protected] -alias <alias>"));
System.err.println(rb.getString
("\t [-keystore <keystore>] [-storepass <storepass>]"));
System.err.println(rb.getString
("\t [-storetype <storetype>] [-providername <name>]"));
System.err.println(rb.getString
("\t [-providerclass <provider_class_name> [-providerarg <arg>]] ..."));
System.err.println(rb.getString
("\t [-providerpath <pathlist>]"));
System.err.println();
System.err.println(rb.getString
("-exportcert [-v] [-rfc] [-protected]"));
System.err.println(rb.getString
("\t [-alias <alias>] [-file <cert_file>]"));
System.err.println(rb.getString
("\t [-keystore <keystore>] [-storepass <storepass>]"));
System.err.println(rb.getString
("\t [-storetype <storetype>] [-providername <name>]"));
System.err.println(rb.getString
("\t [-providerclass <provider_class_name> [-providerarg <arg>]] ..."));
System.err.println(rb.getString
("\t [-providerpath <pathlist>]"));
System.err.println();
System.err.println(rb.getString
("-genkeypair [-v] [-protected]"));
System.err.println(rb.getString
("\t [-alias <alias>]"));
System.err.println(rb.getString
("\t [-keyalg <keyalg>] [-keysize <keysize>]"));
System.err.println(rb.getString
("\t [-sigalg <sigalg>] [-dname <dname>]"));
System.err.println(rb.getString
("\t [-validity <valDays>] [-keypass <keypass>]"));
System.err.println(rb.getString
("\t [-keystore <keystore>] [-storepass <storepass>]"));
System.err.println(rb.getString
("\t [-storetype <storetype>] [-providername <name>]"));
System.err.println(rb.getString
("\t [-providerclass <provider_class_name> [-providerarg <arg>]] ..."));
System.err.println(rb.getString
("\t [-providerpath <pathlist>]"));
System.err.println();
System.err.println(rb.getString
("-genseckey [-v] [-protected]"));
System.err.println(rb.getString
("\t [-alias <alias>] [-keypass <keypass>]"));
System.err.println(rb.getString
("\t [-keyalg <keyalg>] [-keysize <keysize>]"));
System.err.println(rb.getString
("\t [-keystore <keystore>] [-storepass <storepass>]"));
System.err.println(rb.getString
("\t [-storetype <storetype>] [-providername <name>]"));
System.err.println(rb.getString
("\t [-providerclass <provider_class_name> [-providerarg <arg>]] ..."));
System.err.println(rb.getString
("\t [-providerpath <pathlist>]"));
System.err.println();
System.err.println(rb.getString("-help"));
System.err.println();
System.err.println(rb.getString
("-importcert [-v] [-noprompt] [-trustcacerts] [-protected]"));
System.err.println(rb.getString
("\t [-alias <alias>]"));
System.err.println(rb.getString
("\t [-file <cert_file>] [-keypass <keypass>]"));
System.err.println(rb.getString
("\t [-keystore <keystore>] [-storepass <storepass>]"));
System.err.println(rb.getString
("\t [-storetype <storetype>] [-providername <name>]"));
System.err.println(rb.getString
("\t [-providerclass <provider_class_name> [-providerarg <arg>]] ..."));
System.err.println(rb.getString
("\t [-providerpath <pathlist>]"));
System.err.println();
System.err.println(rb.getString
("-importkeystore [-v] "));
System.err.println(rb.getString
("\t [-srckeystore <srckeystore>] [-destkeystore <destkeystore>]"));
System.err.println(rb.getString
("\t [-srcstoretype <srcstoretype>] [-deststoretype <deststoretype>]"));
System.err.println(rb.getString
("\t [-srcstorepass <srcstorepass>] [-deststorepass <deststorepass>]"));
System.err.println(rb.getString
("\t [-srcprotected] [-destprotected]"));
System.err.println(rb.getString
("\t [-srcprovidername <srcprovidername>]\n\t [-destprovidername <destprovidername>]"));
System.err.println(rb.getString
("\t [-srcalias <srcalias> [-destalias <destalias>]"));
System.err.println(rb.getString
("\t [-srckeypass <srckeypass>] [-destkeypass <destkeypass>]]"));
System.err.println(rb.getString
("\t [-noprompt]"));
System.err.println(rb.getString
("\t [-providerclass <provider_class_name> [-providerarg <arg>]] ..."));
System.err.println(rb.getString
("\t [-providerpath <pathlist>]"));
System.err.println();
System.err.println(rb.getString
("-keypasswd [-v] [-alias <alias>]"));
System.err.println(rb.getString
("\t [-keypass <old_keypass>] [-new <new_keypass>]"));
System.err.println(rb.getString
("\t [-keystore <keystore>] [-storepass <storepass>]"));
System.err.println(rb.getString
("\t [-storetype <storetype>] [-providername <name>]"));
System.err.println(rb.getString
("\t [-providerclass <provider_class_name> [-providerarg <arg>]] ..."));
System.err.println(rb.getString
("\t [-providerpath <pathlist>]"));
System.err.println();
System.err.println(rb.getString
("-list [-v | -rfc] [-protected]"));
System.err.println(rb.getString
("\t [-alias <alias>]"));
System.err.println(rb.getString
("\t [-keystore <keystore>] [-storepass <storepass>]"));
System.err.println(rb.getString
("\t [-storetype <storetype>] [-providername <name>]"));
System.err.println(rb.getString
("\t [-providerclass <provider_class_name> [-providerarg <arg>]] ..."));
System.err.println(rb.getString
("\t [-providerpath <pathlist>]"));
System.err.println();
System.err.println(rb.getString
("-printcert [-v] [-file <cert_file>]"));
System.err.println();
System.err.println(rb.getString
("-storepasswd [-v] [-new <new_storepass>]"));
System.err.println(rb.getString
("\t [-keystore <keystore>] [-storepass <storepass>]"));
System.err.println(rb.getString
("\t [-storetype <storetype>] [-providername <name>]"));
System.err.println(rb.getString
("\t [-providerclass <provider_class_name> [-providerarg <arg>]] ..."));
System.err.println(rb.getString
("\t [-providerpath <pathlist>]"));
if (debug) {
throw new RuntimeException("NO ERROR, SORRY");
} else {
System.exit(1);
}
}
private void tinyHelp() {
System.err.println(rb.getString("Try keytool -help"));
// do not drown user with the help lines.
if (debug) {
throw new RuntimeException("NO BIG ERROR, SORRY");
} else {
System.exit(1);
}
}
private void errorNeedArgument(String flag) {
Object[] source = {flag};
System.err.println(new MessageFormat(
rb.getString("Command option <flag> needs an argument.")).format(source));
tinyHelp();
}
}
// This class is exactly the same as com.sun.tools.javac.util.Pair,
// it's copied here since the original one is not included in JRE.
class Pair<A, B> {
public final A fst;
public final B snd;
public Pair(A fst, B snd) {
this.fst = fst;
this.snd = snd;
}
public String toString() {
return "Pair[" + fst + "," + snd + "]";
}
private static boolean equals(Object x, Object y) {
return (x == null && y == null) || (x != null && x.equals(y));
}
public boolean equals(Object other) {
return
other instanceof Pair &&
equals(fst, ((Pair)other).fst) &&
equals(snd, ((Pair)other).snd);
}
public int hashCode() {
if (fst == null) return (snd == null) ? 0 : snd.hashCode() + 1;
else if (snd == null) return fst.hashCode() + 2;
else return fst.hashCode() * 17 + snd.hashCode();
}
}