< prev index next >

src/share/classes/sun/security/tools/keytool/Main.java

Print this page 
rev 14231 : 8233228: Disable weak named curves by default in TLS, CertPath, and Signed JAR
Reviewed-by: mullan, xuelei, weijun


  33 import java.security.KeyStore;
  34 import java.security.KeyStoreException;
  35 import java.security.MessageDigest;
  36 import java.security.Key;
  37 import java.security.PublicKey;
  38 import java.security.PrivateKey;
  39 import java.security.Security;
  40 import java.security.Signature;
  41 import java.security.Timestamp;
  42 import java.security.UnrecoverableEntryException;
  43 import java.security.UnrecoverableKeyException;
  44 import java.security.NoSuchAlgorithmException;
  45 import java.security.Principal;
  46 import java.security.Provider;
  47 import java.security.cert.Certificate;
  48 import java.security.cert.CertificateFactory;
  49 import java.security.cert.CertStoreException;
  50 import java.security.cert.CRL;
  51 import java.security.cert.X509Certificate;
  52 import java.security.cert.CertificateException;

  53 import java.security.spec.AlgorithmParameterSpec;

  54 import java.text.Collator;
  55 import java.text.MessageFormat;
  56 import java.util.*;
  57 import java.util.jar.JarEntry;
  58 import java.util.jar.JarFile;
  59 import java.lang.reflect.Constructor;
  60 import java.math.BigInteger;
  61 import java.net.URI;
  62 import java.net.URL;
  63 import java.net.URLClassLoader;
  64 import java.security.cert.CertStore;
  65 
  66 import java.security.cert.X509CRL;
  67 import java.security.cert.X509CRLEntry;
  68 import java.security.cert.X509CRLSelector;
  69 import javax.security.auth.x500.X500Principal;
  70 import java.util.Base64;
  71 
  72 import sun.security.util.DisabledAlgorithmConstraints;
  73 import sun.security.util.KeyUtil;

  74 import sun.security.util.ObjectIdentifier;
  75 import sun.security.pkcs10.PKCS10;
  76 import sun.security.pkcs10.PKCS10Attribute;
  77 import sun.security.provider.X509Factory;
  78 import sun.security.provider.certpath.CertStoreHelper;
  79 import sun.security.util.Password;
  80 import sun.security.util.SecurityProviderConstants;
  81 import sun.security.util.SignatureUtil;
  82 import javax.crypto.KeyGenerator;
  83 import javax.crypto.SecretKey;
  84 import javax.crypto.SecretKeyFactory;
  85 import javax.crypto.spec.PBEKeySpec;
  86 
  87 import sun.security.pkcs.PKCS9Attribute;
  88 import sun.security.tools.KeyStoreUtil;
  89 import sun.security.tools.PathList;
  90 import sun.security.util.DerValue;
  91 import sun.security.util.Pem;
  92 import sun.security.x509.*;
  93 


3072                 keyPass = otherKeyPass;
3073             }
3074             count++;
3075         } while ((keyPass == null) && count < 3);
3076 
3077         if (keyPass == null) {
3078             throw new Exception(rb.getString("Too.many.failures.try.later"));
3079         }
3080 
3081         return keyPass;
3082     }
3083 
3084     private String withWeak(String alg) {
3085         if (DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, alg, null)) {
3086             return alg;
3087         } else {
3088             return String.format(rb.getString("with.weak"), alg);
3089         }
3090     }
3091 











3092     private String withWeak(PublicKey key) {
3093         if (DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
3094             return String.format(rb.getString("key.bit"),
3095                     KeyUtil.getKeySize(key), key.getAlgorithm());
3096         } else {
3097             return String.format(rb.getString("key.bit.weak"),
3098                     KeyUtil.getKeySize(key), key.getAlgorithm());
3099         }
3100     }
3101 
3102     /**
3103      * Prints a certificate in a human readable format.
3104      */
3105     private void printX509Cert(X509Certificate cert, PrintStream out)
3106         throws Exception
3107     {
3108         /*
3109         out.println("Owner: "
3110                     + cert.getSubjectDN().toString()
3111                     + "\n"


4362         if (caks != null && caks.getCertificateAlias(cert) != null) {
4363             return true;
4364         } else {
4365             String inKS = keyStore.getCertificateAlias(cert);
4366             return inKS != null && keyStore.isCertificateEntry(inKS);
4367         }
4368     }
4369 
4370     private void checkWeak(String label, String sigAlg, Key key) {
4371 
4372         if (sigAlg != null && !DISABLED_CHECK.permits(
4373                 SIG_PRIMITIVE_SET, sigAlg, null)) {
4374             weakWarnings.add(String.format(
4375                     rb.getString("whose.sigalg.risk"), label, sigAlg));
4376         }
4377         if (key != null && !DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
4378             weakWarnings.add(String.format(
4379                     rb.getString("whose.key.risk"),
4380                     label,
4381                     String.format(rb.getString("key.bit"),
4382                             KeyUtil.getKeySize(key), key.getAlgorithm())));
4383         }
4384     }
4385 
4386     private void checkWeak(String label, Certificate[] certs)
4387             throws KeyStoreException {
4388         for (int i = 0; i < certs.length; i++) {
4389             Certificate cert = certs[i];
4390             if (cert instanceof X509Certificate) {
4391                 X509Certificate xc = (X509Certificate)cert;
4392                 String fullLabel = label;
4393                 if (certs.length > 1) {
4394                     fullLabel = oneInMany(label, i, certs.length);
4395                 }
4396                 checkWeak(fullLabel, xc);
4397             }
4398         }
4399     }
4400 
4401     private void checkWeak(String label, Certificate cert)
4402             throws KeyStoreException {




  33 import java.security.KeyStore;
  34 import java.security.KeyStoreException;
  35 import java.security.MessageDigest;
  36 import java.security.Key;
  37 import java.security.PublicKey;
  38 import java.security.PrivateKey;
  39 import java.security.Security;
  40 import java.security.Signature;
  41 import java.security.Timestamp;
  42 import java.security.UnrecoverableEntryException;
  43 import java.security.UnrecoverableKeyException;
  44 import java.security.NoSuchAlgorithmException;
  45 import java.security.Principal;
  46 import java.security.Provider;
  47 import java.security.cert.Certificate;
  48 import java.security.cert.CertificateFactory;
  49 import java.security.cert.CertStoreException;
  50 import java.security.cert.CRL;
  51 import java.security.cert.X509Certificate;
  52 import java.security.cert.CertificateException;
  53 import java.security.interfaces.ECKey;
  54 import java.security.spec.AlgorithmParameterSpec;
  55 import java.security.spec.ECParameterSpec;
  56 import java.text.Collator;
  57 import java.text.MessageFormat;
  58 import java.util.*;
  59 import java.util.jar.JarEntry;
  60 import java.util.jar.JarFile;
  61 import java.lang.reflect.Constructor;
  62 import java.math.BigInteger;
  63 import java.net.URI;
  64 import java.net.URL;
  65 import java.net.URLClassLoader;
  66 import java.security.cert.CertStore;
  67 
  68 import java.security.cert.X509CRL;
  69 import java.security.cert.X509CRLEntry;
  70 import java.security.cert.X509CRLSelector;
  71 import javax.security.auth.x500.X500Principal;
  72 import java.util.Base64;
  73 
  74 import sun.security.util.DisabledAlgorithmConstraints;
  75 import sun.security.util.KeyUtil;
  76 import sun.security.util.NamedCurve;
  77 import sun.security.util.ObjectIdentifier;
  78 import sun.security.pkcs10.PKCS10;
  79 import sun.security.pkcs10.PKCS10Attribute;
  80 import sun.security.provider.X509Factory;
  81 import sun.security.provider.certpath.CertStoreHelper;
  82 import sun.security.util.Password;
  83 import sun.security.util.SecurityProviderConstants;
  84 import sun.security.util.SignatureUtil;
  85 import javax.crypto.KeyGenerator;
  86 import javax.crypto.SecretKey;
  87 import javax.crypto.SecretKeyFactory;
  88 import javax.crypto.spec.PBEKeySpec;
  89 
  90 import sun.security.pkcs.PKCS9Attribute;
  91 import sun.security.tools.KeyStoreUtil;
  92 import sun.security.tools.PathList;
  93 import sun.security.util.DerValue;
  94 import sun.security.util.Pem;
  95 import sun.security.x509.*;
  96 


3075                 keyPass = otherKeyPass;
3076             }
3077             count++;
3078         } while ((keyPass == null) && count < 3);
3079 
3080         if (keyPass == null) {
3081             throw new Exception(rb.getString("Too.many.failures.try.later"));
3082         }
3083 
3084         return keyPass;
3085     }
3086 
3087     private String withWeak(String alg) {
3088         if (DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, alg, null)) {
3089             return alg;
3090         } else {
3091             return String.format(rb.getString("with.weak"), alg);
3092         }
3093     }
3094 
3095     private String fullDisplayAlgName(Key key) {
3096         String result = key.getAlgorithm();
3097         if (key instanceof ECKey) {
3098             ECParameterSpec paramSpec = ((ECKey) key).getParams();
3099             if (paramSpec instanceof NamedCurve) {
3100                 result += " (" + paramSpec.toString().split(" ")[0] + ")";
3101             }
3102         }
3103         return result;
3104     }
3105 
3106     private String withWeak(PublicKey key) {
3107         if (DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
3108             return String.format(rb.getString("key.bit"),
3109                     KeyUtil.getKeySize(key), key.getAlgorithm());
3110         } else {
3111             return String.format(rb.getString("key.bit.weak"),
3112                     KeyUtil.getKeySize(key), key.getAlgorithm());
3113         }
3114     }
3115 
3116     /**
3117      * Prints a certificate in a human readable format.
3118      */
3119     private void printX509Cert(X509Certificate cert, PrintStream out)
3120         throws Exception
3121     {
3122         /*
3123         out.println("Owner: "
3124                     + cert.getSubjectDN().toString()
3125                     + "\n"


4376         if (caks != null && caks.getCertificateAlias(cert) != null) {
4377             return true;
4378         } else {
4379             String inKS = keyStore.getCertificateAlias(cert);
4380             return inKS != null && keyStore.isCertificateEntry(inKS);
4381         }
4382     }
4383 
4384     private void checkWeak(String label, String sigAlg, Key key) {
4385 
4386         if (sigAlg != null && !DISABLED_CHECK.permits(
4387                 SIG_PRIMITIVE_SET, sigAlg, null)) {
4388             weakWarnings.add(String.format(
4389                     rb.getString("whose.sigalg.risk"), label, sigAlg));
4390         }
4391         if (key != null && !DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
4392             weakWarnings.add(String.format(
4393                     rb.getString("whose.key.risk"),
4394                     label,
4395                     String.format(rb.getString("key.bit"),
4396                             KeyUtil.getKeySize(key), fullDisplayAlgName(key))));
4397         }
4398     }
4399 
4400     private void checkWeak(String label, Certificate[] certs)
4401             throws KeyStoreException {
4402         for (int i = 0; i < certs.length; i++) {
4403             Certificate cert = certs[i];
4404             if (cert instanceof X509Certificate) {
4405                 X509Certificate xc = (X509Certificate)cert;
4406                 String fullLabel = label;
4407                 if (certs.length > 1) {
4408                     fullLabel = oneInMany(label, i, certs.length);
4409                 }
4410                 checkWeak(fullLabel, xc);
4411             }
4412         }
4413     }
4414 
4415     private void checkWeak(String label, Certificate cert)
4416             throws KeyStoreException {
< prev index next >