< prev index next >
src/share/classes/sun/security/tools/KeyTool.java
Print this page
rev 1453 : 6561126: keytool should use larger default keysize for keypairs
Reviewed-by: mullan
rev 1455 : 6870812: enhance security tools to use ECC algorithms
Reviewed-by: vinnie, mullan
rev 1456 : 6802846: jarsigner needs enhanced cert validation(options)
Reviewed-by: xuelei
rev 1457 : 6324292: keytool -help is unhelpful
Reviewed-by: xuelei, mullan
rev 1458 : 6709758: keytool default cert fingerprint algorithm should be SHA1, not MD5
Reviewed-by: mullan, xuelei
rev 1459 : 6922482: keytool's help on -file always shows 'output file'
Reviewed-by: wetmore
rev 1460 : 6988163: sun.security.util.Resources dup and a keytool doc typo
Reviewed-by: xuelei
rev 1461 : 6987827: security/util/Resources.java needs improvement
Reviewed-by: valeriep
rev 1466 : 7019937: Translatability bug - Remove Unused String - String ID , read end of file
7019938: Translatability bug - Remove Unused String - String ID can not specify Principal with a
7019940: Translatability bug - Remove unused string - String ID: provided null name
7019942: Translatability bug - String ID: trustedCertEntry,
7019945: Translatability bug - Translatability issue - String ID: * has NOT been verified! In order to veri
7019947: Translatability bug - Translatability issue - String ID: * The integrity of the information stored i
7019949: Translatability bug - Translatability issue - String ID: * you must provide your keystore password.
Reviewed-by: weijun, wetmore
rev 1513 : 7194449: String resources for Key Tool and Policy Tool should be in their respective packages
Reviewed-by: alanb, weijun, mullan
rev 1592 : 8171954: Add stubs for sun.security.tools.KeyTool and sun.security.tools.JarSigner
Summary: Allow sun.security.tools.{keytool,jarsigner}.Main.main to be invoked using their old classes
Reviewed-by: omajid
@@ -1,7 +1,7 @@
/*
- * Copyright (c) 1997, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2016 Red Hat, Inc.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
@@ -23,3178 +23,19 @@
* questions.
*/
package sun.security.tools;
-import java.io.*;
-import java.math.BigInteger;
-import java.security.GeneralSecurityException;
-import java.security.InvalidParameterException;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.security.Key;
-import java.security.PublicKey;
-import java.security.PrivateKey;
-import java.security.Security;
-import java.security.Signature;
-import java.security.SignatureException;
-import java.security.UnrecoverableEntryException;
-import java.security.UnrecoverableKeyException;
-import java.security.Principal;
-import java.security.Provider;
-import java.security.Identity;
-import java.security.Signer;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateFactory;
-import java.security.cert.CertStoreException;
-import java.security.cert.X509Certificate;
-import java.security.cert.CertificateException;
-import java.security.interfaces.DSAParams;
-import java.security.interfaces.DSAPrivateKey;
-import java.security.interfaces.DSAPublicKey;
-import java.security.interfaces.RSAPrivateCrtKey;
-import java.security.interfaces.RSAPrivateKey;
-import java.security.interfaces.RSAPublicKey;
-import java.text.Collator;
-import java.text.MessageFormat;
-import java.util.*;
-import java.lang.reflect.Constructor;
-import java.net.URL;
-import java.net.URLClassLoader;
-
-import sun.misc.BASE64Decoder;
-import sun.misc.BASE64Encoder;
-import sun.security.util.ObjectIdentifier;
-import sun.security.pkcs10.PKCS10;
-import sun.security.provider.IdentityDatabase;
-import sun.security.provider.SystemSigner;
-import sun.security.provider.SystemIdentity;
-import sun.security.provider.X509Factory;
-import sun.security.provider.certpath.CertStoreHelper;
-import sun.security.util.DerOutputStream;
-import sun.security.util.Password;
-import sun.security.util.Resources;
-import javax.crypto.KeyGenerator;
-import javax.crypto.SecretKey;
-
-import sun.security.x509.*;
-
-import static java.security.KeyStore.*;
+import sun.security.tools.keytool.Main;
/**
- * This tool manages keystores.
- *
- * @author Jan Luehe
- *
- *
- * @see java.security.KeyStore
- * @see sun.security.provider.KeyProtector
- * @see sun.security.provider.JavaKeyStore
- *
- * @since 1.2
+ * This is a stub for compatibility reasons.
+ * Please use sun.security.tools.keytool.Main in new code.
*/
-
public final class KeyTool {
- private boolean debug = false;
- private int command = -1;
- private String sigAlgName = null;
- private String keyAlgName = null;
- private boolean verbose = false;
- private int keysize = -1;
- private boolean rfc = false;
- private long validity = (long)90;
- private String alias = null;
- private String dname = null;
- private String dest = null;
- private String filename = null;
- private String srcksfname = null;
-
- // User-specified providers are added before any command is called.
- // However, they are not removed before the end of the main() method.
- // If you're calling KeyTool.main() directly in your own Java program,
- // please programtically add any providers you need and do not specify
- // them through the command line.
-
- private Set<Pair <String, String>> providers = null;
- private String storetype = null;
- private String srcProviderName = null;
- private String providerName = null;
- private String pathlist = null;
- private char[] storePass = null;
- private char[] storePassNew = null;
- private char[] keyPass = null;
- private char[] keyPassNew = null;
- private char[] oldPass = null;
- private char[] newPass = null;
- private char[] destKeyPass = null;
- private char[] srckeyPass = null;
- private String ksfname = null;
- private File ksfile = null;
- private InputStream ksStream = null; // keystore stream
- private KeyStore keyStore = null;
- private boolean token = false;
- private boolean nullStream = false;
- private boolean kssave = false;
- private boolean noprompt = false;
- private boolean trustcacerts = false;
- private boolean protectedPath = false;
- private boolean srcprotectedPath = false;
- private CertificateFactory cf = null;
- private KeyStore caks = null; // "cacerts" keystore
- private char[] srcstorePass = null;
- private String srcstoretype = null;
- private Set<char[]> passwords = new HashSet<char[]> ();
- private String startDate = null;
-
- private static final int CERTREQ = 1;
- private static final int CHANGEALIAS = 2;
- private static final int DELETE = 3;
- private static final int EXPORTCERT = 4;
- private static final int GENKEYPAIR = 5;
- private static final int GENSECKEY = 6;
- // there is no HELP
- private static final int IDENTITYDB = 7;
- private static final int IMPORTCERT = 8;
- private static final int IMPORTKEYSTORE = 9;
- private static final int KEYCLONE = 10;
- private static final int KEYPASSWD = 11;
- private static final int LIST = 12;
- private static final int PRINTCERT = 13;
- private static final int SELFCERT = 14;
- private static final int STOREPASSWD = 15;
-
- private static final Class[] PARAM_STRING = { String.class };
-
- private static final String JKS = "jks";
- private static final String NONE = "NONE";
- private static final String P11KEYSTORE = "PKCS11";
- private static final String P12KEYSTORE = "PKCS12";
- private final String keyAlias = "mykey";
-
- // for i18n
- private static final java.util.ResourceBundle rb =
- java.util.ResourceBundle.getBundle("sun.security.util.Resources");
- private static final Collator collator = Collator.getInstance();
- static {
- // this is for case insensitive string comparisons
- collator.setStrength(Collator.PRIMARY);
- };
-
private KeyTool() { }
public static void main(String[] args) throws Exception {
- KeyTool kt = new KeyTool();
- kt.run(args, System.out);
- }
-
- private void run(String[] args, PrintStream out) throws Exception {
- try {
- parseArgs(args);
- doCommands(out);
- } catch (Exception e) {
- System.out.println(rb.getString("keytool error: ") + e);
- if (verbose) {
- e.printStackTrace(System.out);
- }
- if (!debug) {
- System.exit(1);
- } else {
- throw e;
- }
- } finally {
- for (char[] pass : passwords) {
- if (pass != null) {
- Arrays.fill(pass, ' ');
- pass = null;
- }
- }
-
- if (ksStream != null) {
- ksStream.close();
- }
- }
- }
-
- /**
- * Parse command line arguments.
- */
- void parseArgs(String[] args) {
-
- if (args.length == 0) usage();
-
- int i=0;
-
- for (i=0; (i < args.length) && args[i].startsWith("-"); i++) {
-
- String flags = args[i];
- /*
- * command modes
- */
- if (collator.compare(flags, "-certreq") == 0) {
- command = CERTREQ;
- } else if (collator.compare(flags, "-delete") == 0) {
- command = DELETE;
- } else if (collator.compare(flags, "-export") == 0 ||
- collator.compare(flags, "-exportcert") == 0) {
- command = EXPORTCERT;
- } else if (collator.compare(flags, "-genkey") == 0 ||
- collator.compare(flags, "-genkeypair") == 0) {
- command = GENKEYPAIR;
- } else if (collator.compare(flags, "-help") == 0) {
- usage();
- return;
- } else if (collator.compare(flags, "-identitydb") == 0) { // obsolete
- command = IDENTITYDB;
- } else if (collator.compare(flags, "-import") == 0 ||
- collator.compare(flags, "-importcert") == 0) {
- command = IMPORTCERT;
- } else if (collator.compare(flags, "-keyclone") == 0) { // obsolete
- command = KEYCLONE;
- } else if (collator.compare(flags, "-changealias") == 0) {
- command = CHANGEALIAS;
- } else if (collator.compare(flags, "-keypasswd") == 0) {
- command = KEYPASSWD;
- } else if (collator.compare(flags, "-list") == 0) {
- command = LIST;
- } else if (collator.compare(flags, "-printcert") == 0) {
- command = PRINTCERT;
- } else if (collator.compare(flags, "-selfcert") == 0) { // obsolete
- command = SELFCERT;
- } else if (collator.compare(flags, "-storepasswd") == 0) {
- command = STOREPASSWD;
- } else if (collator.compare(flags, "-importkeystore") == 0) {
- command = IMPORTKEYSTORE;
- } else if (collator.compare(flags, "-genseckey") == 0) {
- command = GENSECKEY;
- }
-
- /*
- * specifiers
- */
- else if (collator.compare(flags, "-keystore") == 0 ||
- collator.compare(flags, "-destkeystore") == 0) {
- if (++i == args.length) errorNeedArgument(flags);
- ksfname = args[i];
- } else if (collator.compare(flags, "-storepass") == 0 ||
- collator.compare(flags, "-deststorepass") == 0) {
- if (++i == args.length) errorNeedArgument(flags);
- storePass = args[i].toCharArray();
- passwords.add(storePass);
- } else if (collator.compare(flags, "-storetype") == 0 ||
- collator.compare(flags, "-deststoretype") == 0) {
- if (++i == args.length) errorNeedArgument(flags);
- storetype = args[i];
- } else if (collator.compare(flags, "-srcstorepass") == 0) {
- if (++i == args.length) errorNeedArgument(flags);
- srcstorePass = args[i].toCharArray();
- passwords.add(srcstorePass);
- } else if (collator.compare(flags, "-srcstoretype") == 0) {
- if (++i == args.length) errorNeedArgument(flags);
- srcstoretype = args[i];
- } else if (collator.compare(flags, "-srckeypass") == 0) {
- if (++i == args.length) errorNeedArgument(flags);
- srckeyPass = args[i].toCharArray();
- passwords.add(srckeyPass);
- } else if (collator.compare(flags, "-srcprovidername") == 0) {
- if (++i == args.length) errorNeedArgument(flags);
- srcProviderName = args[i];
- } else if (collator.compare(flags, "-providername") == 0 ||
- collator.compare(flags, "-destprovidername") == 0) {
- if (++i == args.length) errorNeedArgument(flags);
- providerName = args[i];
- } else if (collator.compare(flags, "-providerpath") == 0) {
- if (++i == args.length) errorNeedArgument(flags);
- pathlist = args[i];
- } else if (collator.compare(flags, "-keypass") == 0) {
- if (++i == args.length) errorNeedArgument(flags);
- keyPass = args[i].toCharArray();
- passwords.add(keyPass);
- } else if (collator.compare(flags, "-new") == 0) {
- if (++i == args.length) errorNeedArgument(flags);
- newPass = args[i].toCharArray();
- passwords.add(newPass);
- } else if (collator.compare(flags, "-destkeypass") == 0) {
- if (++i == args.length) errorNeedArgument(flags);
- destKeyPass = args[i].toCharArray();
- passwords.add(destKeyPass);
- } else if (collator.compare(flags, "-alias") == 0 ||
- collator.compare(flags, "-srcalias") == 0) {
- if (++i == args.length) errorNeedArgument(flags);
- alias = args[i];
- } else if (collator.compare(flags, "-dest") == 0 ||
- collator.compare(flags, "-destalias") == 0) {
- if (++i == args.length) errorNeedArgument(flags);
- dest = args[i];
- } else if (collator.compare(flags, "-dname") == 0) {
- if (++i == args.length) errorNeedArgument(flags);
- dname = args[i];
- } else if (collator.compare(flags, "-keysize") == 0) {
- if (++i == args.length) errorNeedArgument(flags);
- keysize = Integer.parseInt(args[i]);
- } else if (collator.compare(flags, "-keyalg") == 0) {
- if (++i == args.length) errorNeedArgument(flags);
- keyAlgName = args[i];
- } else if (collator.compare(flags, "-sigalg") == 0) {
- if (++i == args.length) errorNeedArgument(flags);
- sigAlgName = args[i];
- } else if (collator.compare(flags, "-startdate") == 0) {
- if (++i == args.length) errorNeedArgument(flags);
- startDate = args[i];
- } else if (collator.compare(flags, "-validity") == 0) {
- if (++i == args.length) errorNeedArgument(flags);
- validity = Long.parseLong(args[i]);
- } else if (collator.compare(flags, "-file") == 0) {
- if (++i == args.length) errorNeedArgument(flags);
- filename = args[i];
- } else if (collator.compare(flags, "-srckeystore") == 0) {
- if (++i == args.length) errorNeedArgument(flags);
- srcksfname = args[i];
- } else if ((collator.compare(flags, "-provider") == 0) ||
- (collator.compare(flags, "-providerclass") == 0)) {
- if (++i == args.length) errorNeedArgument(flags);
- if (providers == null) {
- providers = new HashSet<Pair <String, String>> (3);
- }
- String providerClass = args[i];
- String providerArg = null;
-
- if (args.length > (i+1)) {
- flags = args[i+1];
- if (collator.compare(flags, "-providerarg") == 0) {
- if (args.length == (i+2)) errorNeedArgument(flags);
- providerArg = args[i+2];
- i += 2;
- }
- }
- providers.add(
- new Pair<String, String>(providerClass, providerArg));
- }
-
- /*
- * options
- */
- else if (collator.compare(flags, "-v") == 0) {
- verbose = true;
- } else if (collator.compare(flags, "-debug") == 0) {
- debug = true;
- } else if (collator.compare(flags, "-rfc") == 0) {
- rfc = true;
- } else if (collator.compare(flags, "-noprompt") == 0) {
- noprompt = true;
- } else if (collator.compare(flags, "-trustcacerts") == 0) {
- trustcacerts = true;
- } else if (collator.compare(flags, "-protected") == 0 ||
- collator.compare(flags, "-destprotected") == 0) {
- protectedPath = true;
- } else if (collator.compare(flags, "-srcprotected") == 0) {
- srcprotectedPath = true;
- } else {
- System.err.println(rb.getString("Illegal option: ") + flags);
- tinyHelp();
- }
- }
-
- if (i<args.length) {
- MessageFormat form = new MessageFormat
- (rb.getString("Usage error, <arg> is not a legal command"));
- Object[] source = {args[i]};
- throw new RuntimeException(form.format(source));
- }
-
- if (command == -1) {
- System.err.println(rb.getString("Usage error: no command provided"));
- tinyHelp();
- }
- }
-
- /**
- * Execute the commands.
- */
- void doCommands(PrintStream out) throws Exception {
-
- if (storetype == null) {
- storetype = KeyStore.getDefaultType();
- }
- storetype = KeyStoreUtil.niceStoreTypeName(storetype);
-
- if (srcstoretype == null) {
- srcstoretype = KeyStore.getDefaultType();
- }
- srcstoretype = KeyStoreUtil.niceStoreTypeName(srcstoretype);
-
- if (P11KEYSTORE.equalsIgnoreCase(storetype) ||
- KeyStoreUtil.isWindowsKeyStore(storetype)) {
- token = true;
- if (ksfname == null) {
- ksfname = NONE;
- }
- }
- if (NONE.equals(ksfname)) {
- nullStream = true;
- }
-
- if (token && !nullStream) {
- System.err.println(MessageFormat.format(rb.getString
- ("-keystore must be NONE if -storetype is {0}"), storetype));
- System.err.println();
- tinyHelp();
- }
-
- if (token &&
- (command == KEYPASSWD || command == STOREPASSWD)) {
- throw new UnsupportedOperationException(MessageFormat.format(rb.getString
- ("-storepasswd and -keypasswd commands not supported " +
- "if -storetype is {0}"), storetype));
- }
-
- if (P12KEYSTORE.equalsIgnoreCase(storetype) && command == KEYPASSWD) {
- throw new UnsupportedOperationException(rb.getString
- ("-keypasswd commands not supported " +
- "if -storetype is PKCS12"));
- }
-
- if (token && (keyPass != null || newPass != null || destKeyPass != null)) {
- throw new IllegalArgumentException(MessageFormat.format(rb.getString
- ("-keypass and -new " +
- "can not be specified if -storetype is {0}"), storetype));
- }
-
- if (protectedPath) {
- if (storePass != null || keyPass != null ||
- newPass != null || destKeyPass != null) {
- throw new IllegalArgumentException(rb.getString
- ("if -protected is specified, " +
- "then -storepass, -keypass, and -new " +
- "must not be specified"));
- }
- }
-
- if (srcprotectedPath) {
- if (srcstorePass != null || srckeyPass != null) {
- throw new IllegalArgumentException(rb.getString
- ("if -srcprotected is specified, " +
- "then -srcstorepass and -srckeypass " +
- "must not be specified"));
- }
- }
-
- if (KeyStoreUtil.isWindowsKeyStore(storetype)) {
- if (storePass != null || keyPass != null ||
- newPass != null || destKeyPass != null) {
- throw new IllegalArgumentException(rb.getString
- ("if keystore is not password protected, " +
- "then -storepass, -keypass, and -new " +
- "must not be specified"));
- }
- }
-
- if (KeyStoreUtil.isWindowsKeyStore(srcstoretype)) {
- if (srcstorePass != null || srckeyPass != null) {
- throw new IllegalArgumentException(rb.getString
- ("if source keystore is not password protected, " +
- "then -srcstorepass and -srckeypass " +
- "must not be specified"));
- }
- }
-
- if (validity <= (long)0) {
- throw new Exception
- (rb.getString("Validity must be greater than zero"));
- }
-
- // Try to load and install specified provider
- if (providers != null) {
- ClassLoader cl = null;
- if (pathlist != null) {
- String path = null;
- path = PathList.appendPath(
- path, System.getProperty("java.class.path"));
- path = PathList.appendPath(
- path, System.getProperty("env.class.path"));
- path = PathList.appendPath(path, pathlist);
-
- URL[] urls = PathList.pathToURLs(path);
- cl = new URLClassLoader(urls);
- } else {
- cl = ClassLoader.getSystemClassLoader();
- }
-
- for (Pair <String, String> provider: providers) {
- String provName = provider.fst;
- Class<?> provClass;
- if (cl != null) {
- provClass = cl.loadClass(provName);
- } else {
- provClass = Class.forName(provName);
- }
-
- String provArg = provider.snd;
- Object obj;
- if (provArg == null) {
- obj = provClass.newInstance();
- } else {
- Constructor<?> c = provClass.getConstructor(PARAM_STRING);
- obj = c.newInstance(provArg);
- }
- if (!(obj instanceof Provider)) {
- MessageFormat form = new MessageFormat
- (rb.getString("provName not a provider"));
- Object[] source = {provName};
- throw new Exception(form.format(source));
- }
- Security.addProvider((Provider)obj);
- }
- }
-
- if (command == LIST && verbose && rfc) {
- System.err.println(rb.getString
- ("Must not specify both -v and -rfc with 'list' command"));
- tinyHelp();
- }
-
- // Make sure provided passwords are at least 6 characters long
- if (command == GENKEYPAIR && keyPass!=null && keyPass.length < 6) {
- throw new Exception(rb.getString
- ("Key password must be at least 6 characters"));
- }
- if (newPass != null && newPass.length < 6) {
- throw new Exception(rb.getString
- ("New password must be at least 6 characters"));
- }
- if (destKeyPass != null && destKeyPass.length < 6) {
- throw new Exception(rb.getString
- ("New password must be at least 6 characters"));
- }
-
- // Check if keystore exists.
- // If no keystore has been specified at the command line, try to use
- // the default, which is located in $HOME/.keystore.
- // If the command is "genkey", "identitydb", "import", or "printcert",
- // it is OK not to have a keystore.
- if (command != PRINTCERT) {
- if (ksfname == null) {
- ksfname = System.getProperty("user.home") + File.separator
- + ".keystore";
- }
-
- if (!nullStream) {
- try {
- ksfile = new File(ksfname);
- // Check if keystore file is empty
- if (ksfile.exists() && ksfile.length() == 0) {
- throw new Exception(rb.getString
- ("Keystore file exists, but is empty: ") + ksfname);
- }
- ksStream = new FileInputStream(ksfile);
- } catch (FileNotFoundException e) {
- if (command != GENKEYPAIR &&
- command != GENSECKEY &&
- command != IDENTITYDB &&
- command != IMPORTCERT &&
- command != IMPORTKEYSTORE) {
- throw new Exception(rb.getString
- ("Keystore file does not exist: ") + ksfname);
- }
- }
- }
- }
-
- if ((command == KEYCLONE || command == CHANGEALIAS)
- && dest == null) {
- dest = getAlias("destination");
- if ("".equals(dest)) {
- throw new Exception(rb.getString
- ("Must specify destination alias"));
- }
- }
-
- if (command == DELETE && alias == null) {
- alias = getAlias(null);
- if ("".equals(alias)) {
- throw new Exception(rb.getString("Must specify alias"));
- }
- }
-
- // Create new keystore
- if (providerName == null) {
- keyStore = KeyStore.getInstance(storetype);
- } else {
- keyStore = KeyStore.getInstance(storetype, providerName);
- }
-
- /*
- * Load the keystore data.
- *
- * At this point, it's OK if no keystore password has been provided.
- * We want to make sure that we can load the keystore data, i.e.,
- * the keystore data has the right format. If we cannot load the
- * keystore, why bother asking the user for his or her password?
- * Only if we were able to load the keystore, and no keystore
- * password has been provided, will we prompt the user for the
- * keystore password to verify the keystore integrity.
- * This means that the keystore is loaded twice: first load operation
- * checks the keystore format, second load operation verifies the
- * keystore integrity.
- *
- * If the keystore password has already been provided (at the
- * command line), however, the keystore is loaded only once, and the
- * keystore format and integrity are checked "at the same time".
- *
- * Null stream keystores are loaded later.
- */
- if (!nullStream) {
- keyStore.load(ksStream, storePass);
- if (ksStream != null) {
- ksStream.close();
- }
- }
-
- // All commands that create or modify the keystore require a keystore
- // password.
-
- if (nullStream && storePass != null) {
- keyStore.load(null, storePass);
- } else if (!nullStream && storePass != null) {
- // If we are creating a new non nullStream-based keystore,
- // insist that the password be at least 6 characters
- if (ksStream == null && storePass.length < 6) {
- throw new Exception(rb.getString
- ("Keystore password must be at least 6 characters"));
- }
- } else if (storePass == null) {
-
- // only prompt if (protectedPath == false)
-
- if (!protectedPath && !KeyStoreUtil.isWindowsKeyStore(storetype) &&
- (command == CERTREQ ||
- command == DELETE ||
- command == GENKEYPAIR ||
- command == GENSECKEY ||
- command == IMPORTCERT ||
- command == IMPORTKEYSTORE ||
- command == KEYCLONE ||
- command == CHANGEALIAS ||
- command == SELFCERT ||
- command == STOREPASSWD ||
- command == KEYPASSWD ||
- command == IDENTITYDB)) {
- int count = 0;
- do {
- if (command == IMPORTKEYSTORE) {
- System.err.print
- (rb.getString("Enter destination keystore password: "));
- } else {
- System.err.print
- (rb.getString("Enter keystore password: "));
- }
- System.err.flush();
- storePass = Password.readPassword(System.in);
- passwords.add(storePass);
-
- // If we are creating a new non nullStream-based keystore,
- // insist that the password be at least 6 characters
- if (!nullStream && (storePass == null || storePass.length < 6)) {
- System.err.println(rb.getString
- ("Keystore password is too short - " +
- "must be at least 6 characters"));
- storePass = null;
- }
-
- // If the keystore file does not exist and needs to be
- // created, the storepass should be prompted twice.
- if (storePass != null && !nullStream && ksStream == null) {
- System.err.print(rb.getString("Re-enter new password: "));
- char[] storePassAgain = Password.readPassword(System.in);
- passwords.add(storePassAgain);
- if (!Arrays.equals(storePass, storePassAgain)) {
- System.err.println
- (rb.getString("They don't match. Try again"));
- storePass = null;
- }
- }
-
- count++;
- } while ((storePass == null) && count < 3);
-
-
- if (storePass == null) {
- System.err.println
- (rb.getString("Too many failures - try later"));
- return;
- }
- } else if (!protectedPath
- && !KeyStoreUtil.isWindowsKeyStore(storetype)
- && !(command == PRINTCERT)) {
- // here we have EXPORTCERT and LIST (info valid until STOREPASSWD)
- System.err.print(rb.getString("Enter keystore password: "));
- System.err.flush();
- storePass = Password.readPassword(System.in);
- passwords.add(storePass);
- }
-
- // Now load a nullStream-based keystore,
- // or verify the integrity of an input stream-based keystore
- if (nullStream) {
- keyStore.load(null, storePass);
- } else if (ksStream != null) {
- ksStream = new FileInputStream(ksfile);
- keyStore.load(ksStream, storePass);
- ksStream.close();
- }
- }
-
- if (storePass != null && P12KEYSTORE.equalsIgnoreCase(storetype)) {
- MessageFormat form = new MessageFormat(rb.getString(
- "Warning: Different store and key passwords not supported " +
- "for PKCS12 KeyStores. Ignoring user-specified <command> value."));
- if (keyPass != null && !Arrays.equals(storePass, keyPass)) {
- Object[] source = {"-keypass"};
- System.err.println(form.format(source));
- keyPass = storePass;
- }
- if (newPass != null && !Arrays.equals(storePass, newPass)) {
- Object[] source = {"-new"};
- System.err.println(form.format(source));
- newPass = storePass;
- }
- if (destKeyPass != null && !Arrays.equals(storePass, destKeyPass)) {
- Object[] source = {"-destkeypass"};
- System.err.println(form.format(source));
- destKeyPass = storePass;
- }
- }
-
- // Create a certificate factory
- if (command == PRINTCERT || command == IMPORTCERT
- || command == IDENTITYDB) {
- cf = CertificateFactory.getInstance("X509");
- }
-
- if (trustcacerts) {
- caks = getCacertsKeyStore();
- }
-
- // Perform the specified command
- if (command == CERTREQ) {
- PrintStream ps = null;
- if (filename != null) {
- ps = new PrintStream(new FileOutputStream
- (filename));
- out = ps;
- }
- try {
- doCertReq(alias, sigAlgName, out);
- } finally {
- if (ps != null) {
- ps.close();
- }
- }
- if (verbose && filename != null) {
- MessageFormat form = new MessageFormat(rb.getString
- ("Certification request stored in file <filename>"));
- Object[] source = {filename};
- System.err.println(form.format(source));
- System.err.println(rb.getString("Submit this to your CA"));
- }
- } else if (command == DELETE) {
- doDeleteEntry(alias);
- kssave = true;
- } else if (command == EXPORTCERT) {
- PrintStream ps = null;
- if (filename != null) {
- ps = new PrintStream(new FileOutputStream
- (filename));
- out = ps;
- }
- try {
- doExportCert(alias, out);
- } finally {
- if (ps != null) {
- ps.close();
- }
- }
- if (filename != null) {
- MessageFormat form = new MessageFormat(rb.getString
- ("Certificate stored in file <filename>"));
- Object[] source = {filename};
- System.err.println(form.format(source));
- }
- } else if (command == GENKEYPAIR) {
- if (keyAlgName == null) {
- keyAlgName = "DSA";
- }
- doGenKeyPair(alias, dname, keyAlgName, keysize, sigAlgName);
- kssave = true;
- } else if (command == GENSECKEY) {
- if (keyAlgName == null) {
- keyAlgName = "DES";
- }
- doGenSecretKey(alias, keyAlgName, keysize);
- kssave = true;
- } else if (command == IDENTITYDB) {
- InputStream inStream = System.in;
- if (filename != null) {
- inStream = new FileInputStream(filename);
- }
- try {
- doImportIdentityDatabase(inStream);
- } finally {
- if (inStream != System.in) {
- inStream.close();
- }
- }
- } else if (command == IMPORTCERT) {
- InputStream inStream = System.in;
- if (filename != null) {
- inStream = new FileInputStream(filename);
- }
- try {
- String importAlias = (alias!=null)?alias:keyAlias;
- if (keyStore.entryInstanceOf(importAlias, KeyStore.PrivateKeyEntry.class)) {
- kssave = installReply(importAlias, inStream);
- if (kssave) {
- System.err.println(rb.getString
- ("Certificate reply was installed in keystore"));
- } else {
- System.err.println(rb.getString
- ("Certificate reply was not installed in keystore"));
- }
- } else if (!keyStore.containsAlias(importAlias) ||
- keyStore.entryInstanceOf(importAlias,
- KeyStore.TrustedCertificateEntry.class)) {
- kssave = addTrustedCert(importAlias, inStream);
- if (kssave) {
- System.err.println(rb.getString
- ("Certificate was added to keystore"));
- } else {
- System.err.println(rb.getString
- ("Certificate was not added to keystore"));
- }
- }
- } finally {
- if (inStream != System.in) {
- inStream.close();
- }
- }
- } else if (command == IMPORTKEYSTORE) {
- doImportKeyStore();
- kssave = true;
- } else if (command == KEYCLONE) {
- keyPassNew = newPass;
-
- // added to make sure only key can go thru
- if (alias == null) {
- alias = keyAlias;
- }
- if (keyStore.containsAlias(alias) == false) {
- MessageFormat form = new MessageFormat
- (rb.getString("Alias <alias> does not exist"));
- Object[] source = {alias};
- throw new Exception(form.format(source));
- }
- if (!keyStore.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
- MessageFormat form = new MessageFormat(rb.getString(
- "Alias <alias> references an entry type that is not a private key entry. " +
- "The -keyclone command only supports cloning of private key entries"));
- Object[] source = {alias};
- throw new Exception(form.format(source));
- }
-
- doCloneEntry(alias, dest, true); // Now everything can be cloned
- kssave = true;
- } else if (command == CHANGEALIAS) {
- if (alias == null) {
- alias = keyAlias;
- }
- doCloneEntry(alias, dest, false);
- // in PKCS11, clone a PrivateKeyEntry will delete the old one
- if (keyStore.containsAlias(alias)) {
- doDeleteEntry(alias);
- }
- kssave = true;
- } else if (command == KEYPASSWD) {
- keyPassNew = newPass;
- doChangeKeyPasswd(alias);
- kssave = true;
- } else if (command == LIST) {
- if (alias != null) {
- doPrintEntry(alias, out, true);
- } else {
- doPrintEntries(out);
- }
- } else if (command == PRINTCERT) {
- InputStream inStream = System.in;
- if (filename != null) {
- inStream = new FileInputStream(filename);
- }
- try {
- doPrintCert(inStream, out);
- } finally {
- if (inStream != System.in) {
- inStream.close();
- }
- }
- } else if (command == SELFCERT) {
- doSelfCert(alias, dname, sigAlgName);
- kssave = true;
- } else if (command == STOREPASSWD) {
- storePassNew = newPass;
- if (storePassNew == null) {
- storePassNew = getNewPasswd("keystore password", storePass);
- }
- kssave = true;
- }
-
- // If we need to save the keystore, do so.
- if (kssave) {
- if (verbose) {
- MessageFormat form = new MessageFormat
- (rb.getString("[Storing ksfname]"));
- Object[] source = {nullStream ? "keystore" : ksfname};
- System.err.println(form.format(source));
- }
-
- if (token) {
- keyStore.store(null, null);
- } else {
- FileOutputStream fout = null;
- try {
- fout = (nullStream ?
- (FileOutputStream)null :
- new FileOutputStream(ksfname));
- keyStore.store
- (fout,
- (storePassNew!=null) ? storePassNew : storePass);
- } finally {
- if (fout != null) {
- fout.close();
- }
- }
- }
- }
- }
-
- /**
- * Creates a PKCS#10 cert signing request, corresponding to the
- * keys (and name) associated with a given alias.
- */
- private void doCertReq(String alias, String sigAlgName, PrintStream out)
- throws Exception
- {
- if (alias == null) {
- alias = keyAlias;
- }
-
- Object[] objs = recoverKey(alias, storePass, keyPass);
- PrivateKey privKey = (PrivateKey)objs[0];
- if (keyPass == null) {
- keyPass = (char[])objs[1];
- }
-
- Certificate cert = keyStore.getCertificate(alias);
- if (cert == null) {
- MessageFormat form = new MessageFormat
- (rb.getString("alias has no public key (certificate)"));
- Object[] source = {alias};
- throw new Exception(form.format(source));
- }
- PKCS10 request = new PKCS10(cert.getPublicKey());
-
- // Construct an X500Signer object, so that we can sign the request
- if (sigAlgName == null) {
- // If no signature algorithm was specified at the command line,
- // we choose one that is compatible with the selected private key
- String keyAlgName = privKey.getAlgorithm();
- if ("DSA".equalsIgnoreCase(keyAlgName)
- || "DSS".equalsIgnoreCase(keyAlgName)) {
- sigAlgName = "SHA1WithDSA";
- } else if ("RSA".equalsIgnoreCase(keyAlgName)) {
- sigAlgName = "SHA1WithRSA";
- } else {
- throw new Exception(rb.getString
- ("Cannot derive signature algorithm"));
- }
- }
-
- Signature signature = Signature.getInstance(sigAlgName);
- signature.initSign(privKey);
- X500Name subject =
- new X500Name(((X509Certificate)cert).getSubjectDN().toString());
- X500Signer signer = new X500Signer(signature, subject);
-
- // Sign the request and base-64 encode it
- request.encodeAndSign(signer);
- request.print(out);
- }
-
- /**
- * Deletes an entry from the keystore.
- */
- private void doDeleteEntry(String alias) throws Exception {
- if (keyStore.containsAlias(alias) == false) {
- MessageFormat form = new MessageFormat
- (rb.getString("Alias <alias> does not exist"));
- Object[] source = {alias};
- throw new Exception(form.format(source));
- }
- keyStore.deleteEntry(alias);
- }
-
- /**
- * Exports a certificate from the keystore.
- */
- private void doExportCert(String alias, PrintStream out)
- throws Exception
- {
- if (storePass == null
- && !KeyStoreUtil.isWindowsKeyStore(storetype)) {
- printWarning();
- }
- if (alias == null) {
- alias = keyAlias;
- }
- if (keyStore.containsAlias(alias) == false) {
- MessageFormat form = new MessageFormat
- (rb.getString("Alias <alias> does not exist"));
- Object[] source = {alias};
- throw new Exception(form.format(source));
- }
-
- X509Certificate cert = (X509Certificate)keyStore.getCertificate(alias);
- if (cert == null) {
- MessageFormat form = new MessageFormat
- (rb.getString("Alias <alias> has no certificate"));
- Object[] source = {alias};
- throw new Exception(form.format(source));
- }
- dumpCert(cert, out);
- }
-
- /**
- * Prompt the user for a keypass when generating a key entry.
- * @param alias the entry we will set password for
- * @param orig the original entry of doing a dup, null if generate new
- * @param origPass the password to copy from if user press ENTER
- */
- private char[] promptForKeyPass(String alias, String orig, char[] origPass) throws Exception{
- if (P12KEYSTORE.equalsIgnoreCase(storetype)) {
- return origPass;
- } else if (!token) {
- // Prompt for key password
- int count;
- for (count = 0; count < 3; count++) {
- MessageFormat form = new MessageFormat(rb.getString
- ("Enter key password for <alias>"));
- Object[] source = {alias};
- System.err.println(form.format(source));
- if (orig == null) {
- System.err.print(rb.getString
- ("\t(RETURN if same as keystore password): "));
- } else {
- form = new MessageFormat(rb.getString
- ("\t(RETURN if same as for <otherAlias>)"));
- Object[] src = {orig};
- System.err.print(form.format(src));
- }
- System.err.flush();
- char[] entered = Password.readPassword(System.in);
- passwords.add(entered);
- if (entered == null) {
- return origPass;
- } else if (entered.length >= 6) {
- System.err.print(rb.getString("Re-enter new password: "));
- char[] passAgain = Password.readPassword(System.in);
- passwords.add(passAgain);
- if (!Arrays.equals(entered, passAgain)) {
- System.err.println
- (rb.getString("They don't match. Try again"));
- continue;
- }
- return entered;
- } else {
- System.err.println(rb.getString
- ("Key password is too short - must be at least 6 characters"));
- }
- }
- if (count == 3) {
- if (command == KEYCLONE) {
- throw new Exception(rb.getString
- ("Too many failures. Key entry not cloned"));
- } else {
- throw new Exception(rb.getString
- ("Too many failures - key not added to keystore"));
- }
- }
- }
- return null; // PKCS11
- }
- /**
- * Creates a new secret key.
- */
- private void doGenSecretKey(String alias, String keyAlgName,
- int keysize)
- throws Exception
- {
- if (alias == null) {
- alias = keyAlias;
- }
- if (keyStore.containsAlias(alias)) {
- MessageFormat form = new MessageFormat(rb.getString
- ("Secret key not generated, alias <alias> already exists"));
- Object[] source = {alias};
- throw new Exception(form.format(source));
- }
-
- SecretKey secKey = null;
- KeyGenerator keygen = KeyGenerator.getInstance(keyAlgName);
- if (keysize != -1) {
- keygen.init(keysize);
- } else if ("DES".equalsIgnoreCase(keyAlgName)) {
- keygen.init(56);
- } else if ("DESede".equalsIgnoreCase(keyAlgName)) {
- keygen.init(168);
- } else {
- throw new Exception(rb.getString
- ("Please provide -keysize for secret key generation"));
- }
-
- secKey = keygen.generateKey();
- if (keyPass == null) {
- keyPass = promptForKeyPass(alias, null, storePass);
- }
- keyStore.setKeyEntry(alias, secKey, keyPass, null);
- }
-
- /**
- * Creates a new key pair and self-signed certificate.
- */
- private void doGenKeyPair(String alias, String dname, String keyAlgName,
- int keysize, String sigAlgName)
- throws Exception
- {
- if (keysize == -1) {
- if ("EC".equalsIgnoreCase(keyAlgName)) {
- keysize = 256;
- } else {
- keysize = 1024;
- }
- }
-
- if (alias == null) {
- alias = keyAlias;
- }
-
- if (keyStore.containsAlias(alias)) {
- MessageFormat form = new MessageFormat(rb.getString
- ("Key pair not generated, alias <alias> already exists"));
- Object[] source = {alias};
- throw new Exception(form.format(source));
- }
-
- if (sigAlgName == null) {
- if ("DSA".equalsIgnoreCase(keyAlgName)) {
- sigAlgName = "SHA1WithDSA";
- } else if ("RSA".equalsIgnoreCase(keyAlgName)) {
- sigAlgName = "SHA1WithRSA";
- } else if ("EC".equalsIgnoreCase(keyAlgName)) {
- sigAlgName = "SHA1withECDSA";
- } else {
- throw new Exception(rb.getString
- ("Cannot derive signature algorithm"));
- }
- }
- CertAndKeyGen keypair =
- new CertAndKeyGen(keyAlgName, sigAlgName, providerName);
-
-
- // If DN is provided, parse it. Otherwise, prompt the user for it.
- X500Name x500Name;
- if (dname == null) {
- x500Name = getX500Name();
- } else {
- x500Name = new X500Name(dname);
- }
-
- keypair.generate(keysize);
- PrivateKey privKey = keypair.getPrivateKey();
-
- X509Certificate[] chain = new X509Certificate[1];
- chain[0] = keypair.getSelfCertificate(
- x500Name, getStartDate(startDate), validity*24L*60L*60L);
-
- if (verbose) {
- MessageFormat form = new MessageFormat(rb.getString
- ("Generating keysize bit keyAlgName key pair and self-signed certificate " +
- "(sigAlgName) with a validity of validality days\n\tfor: x500Name"));
- Object[] source = {new Integer(keysize),
- privKey.getAlgorithm(),
- chain[0].getSigAlgName(),
- new Long(validity),
- x500Name};
- System.err.println(form.format(source));
- }
-
- if (keyPass == null) {
- keyPass = promptForKeyPass(alias, null, storePass);
- }
- keyStore.setKeyEntry(alias, privKey, keyPass, chain);
- }
-
- /**
- * Clones an entry
- * @param orig original alias
- * @param dest destination alias
- * @changePassword if the password can be changed
- */
- private void doCloneEntry(String orig, String dest, boolean changePassword)
- throws Exception
- {
- if (orig == null) {
- orig = keyAlias;
- }
-
- if (keyStore.containsAlias(dest)) {
- MessageFormat form = new MessageFormat
- (rb.getString("Destination alias <dest> already exists"));
- Object[] source = {dest};
- throw new Exception(form.format(source));
- }
-
- Object[] objs = recoverEntry(keyStore, orig, storePass, keyPass);
- Entry entry = (Entry)objs[0];
- keyPass = (char[])objs[1];
-
- PasswordProtection pp = null;
-
- if (keyPass != null) { // protected
- if (!changePassword || P12KEYSTORE.equalsIgnoreCase(storetype)) {
- keyPassNew = keyPass;
- } else {
- if (keyPassNew == null) {
- keyPassNew = promptForKeyPass(dest, orig, keyPass);
- }
- }
- pp = new PasswordProtection(keyPassNew);
- }
- keyStore.setEntry(dest, entry, pp);
- }
-
- /**
- * Changes a key password.
- */
- private void doChangeKeyPasswd(String alias) throws Exception
- {
-
- if (alias == null) {
- alias = keyAlias;
- }
- Object[] objs = recoverKey(alias, storePass, keyPass);
- Key privKey = (Key)objs[0];
- if (keyPass == null) {
- keyPass = (char[])objs[1];
- }
-
- if (keyPassNew == null) {
- MessageFormat form = new MessageFormat
- (rb.getString("key password for <alias>"));
- Object[] source = {alias};
- keyPassNew = getNewPasswd(form.format(source), keyPass);
- }
- keyStore.setKeyEntry(alias, privKey, keyPassNew,
- keyStore.getCertificateChain(alias));
- }
-
- /**
- * Imports a JDK 1.1-style identity database. We can only store one
- * certificate per identity, because we use the identity's name as the
- * alias (which references a keystore entry), and aliases must be unique.
- */
- private void doImportIdentityDatabase(InputStream in)
- throws Exception
- {
- byte[] encoded;
- ByteArrayInputStream bais;
- java.security.cert.X509Certificate newCert;
- java.security.cert.Certificate[] chain = null;
- PrivateKey privKey;
- boolean modified = false;
-
- IdentityDatabase idb = IdentityDatabase.fromStream(in);
- for (Enumeration<Identity> enum_ = idb.identities();
- enum_.hasMoreElements();) {
- Identity id = enum_.nextElement();
- newCert = null;
- // only store trusted identities in keystore
- if ((id instanceof SystemSigner && ((SystemSigner)id).isTrusted())
- || (id instanceof SystemIdentity
- && ((SystemIdentity)id).isTrusted())) {
- // ignore if keystore entry with same alias name already exists
- if (keyStore.containsAlias(id.getName())) {
- MessageFormat form = new MessageFormat
- (rb.getString("Keystore entry for <id.getName()> already exists"));
- Object[] source = {id.getName()};
- System.err.println(form.format(source));
- continue;
- }
- java.security.Certificate[] certs = id.certificates();
- if (certs!=null && certs.length>0) {
- // we can only store one user cert per identity.
- // convert old-style to new-style cert via the encoding
- DerOutputStream dos = new DerOutputStream();
- certs[0].encode(dos);
- encoded = dos.toByteArray();
- bais = new ByteArrayInputStream(encoded);
- newCert = (X509Certificate)cf.generateCertificate(bais);
- bais.close();
-
- // if certificate is self-signed, make sure it verifies
- if (isSelfSigned(newCert)) {
- PublicKey pubKey = newCert.getPublicKey();
- try {
- newCert.verify(pubKey);
- } catch (Exception e) {
- // ignore this cert
- continue;
- }
- }
-
- if (id instanceof SystemSigner) {
- MessageFormat form = new MessageFormat(rb.getString
- ("Creating keystore entry for <id.getName()> ..."));
- Object[] source = {id.getName()};
- System.err.println(form.format(source));
- if (chain==null) {
- chain = new java.security.cert.Certificate[1];
- }
- chain[0] = newCert;
- privKey = ((SystemSigner)id).getPrivateKey();
- keyStore.setKeyEntry(id.getName(), privKey, storePass,
- chain);
- } else {
- keyStore.setCertificateEntry(id.getName(), newCert);
- }
- kssave = true;
- }
- }
- }
- if (!kssave) {
- System.err.println(rb.getString
- ("No entries from identity database added"));
- }
- }
-
- /**
- * Prints a single keystore entry.
- */
- private void doPrintEntry(String alias, PrintStream out,
- boolean printWarning)
- throws Exception
- {
- if (storePass == null && printWarning
- && !KeyStoreUtil.isWindowsKeyStore(storetype)) {
- printWarning();
- }
-
- if (keyStore.containsAlias(alias) == false) {
- MessageFormat form = new MessageFormat
- (rb.getString("Alias <alias> does not exist"));
- Object[] source = {alias};
- throw new Exception(form.format(source));
- }
-
- if (verbose || rfc || debug) {
- MessageFormat form = new MessageFormat
- (rb.getString("Alias name: alias"));
- Object[] source = {alias};
- out.println(form.format(source));
-
- if (!token) {
- form = new MessageFormat(rb.getString
- ("Creation date: keyStore.getCreationDate(alias)"));
- Object[] src = {keyStore.getCreationDate(alias)};
- out.println(form.format(src));
- }
- } else {
- if (!token) {
- MessageFormat form = new MessageFormat
- (rb.getString("alias, keyStore.getCreationDate(alias), "));
- Object[] source = {alias, keyStore.getCreationDate(alias)};
- out.print(form.format(source));
- } else {
- MessageFormat form = new MessageFormat
- (rb.getString("alias, "));
- Object[] source = {alias};
- out.print(form.format(source));
- }
- }
-
- if (keyStore.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) {
- if (verbose || rfc || debug) {
- Object[] source = {"SecretKeyEntry"};
- out.println(new MessageFormat(
- rb.getString("Entry type: <type>")).format(source));
- } else {
- out.println("SecretKeyEntry, ");
- }
- } else if (keyStore.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
- if (verbose || rfc || debug) {
- Object[] source = {"PrivateKeyEntry"};
- out.println(new MessageFormat(
- rb.getString("Entry type: <type>")).format(source));
- } else {
- out.println("PrivateKeyEntry, ");
- }
-
- // Get the chain
- Certificate[] chain = keyStore.getCertificateChain(alias);
- if (chain != null) {
- if (verbose || rfc || debug) {
- out.println(rb.getString
- ("Certificate chain length: ") + chain.length);
- for (int i = 0; i < chain.length; i ++) {
- MessageFormat form = new MessageFormat
- (rb.getString("Certificate[(i + 1)]:"));
- Object[] source = {new Integer((i + 1))};
- out.println(form.format(source));
- if (verbose && (chain[i] instanceof X509Certificate)) {
- printX509Cert((X509Certificate)(chain[i]), out);
- } else if (debug) {
- out.println(chain[i].toString());
- } else {
- dumpCert(chain[i], out);
- }
- }
- } else {
- // Print the digest of the user cert only
- out.println
- (rb.getString("Certificate fingerprint (MD5): ") +
- getCertFingerPrint("MD5", chain[0]));
- }
- }
- } else if (keyStore.entryInstanceOf(alias,
- KeyStore.TrustedCertificateEntry.class)) {
- // We have a trusted certificate entry
- Certificate cert = keyStore.getCertificate(alias);
- if (verbose && (cert instanceof X509Certificate)) {
- out.println(rb.getString("Entry type: trustedCertEntry\n"));
- printX509Cert((X509Certificate)cert, out);
- } else if (rfc) {
- out.println(rb.getString("Entry type: trustedCertEntry\n"));
- dumpCert(cert, out);
- } else if (debug) {
- out.println(cert.toString());
- } else {
- out.println(rb.getString("trustedCertEntry,"));
- out.println(rb.getString("Certificate fingerprint (MD5): ")
- + getCertFingerPrint("MD5", cert));
- }
- } else {
- out.println(rb.getString("Unknown Entry Type"));
- }
- }
-
- /**
- * Load the srckeystore from a stream, used in -importkeystore
- * @returns the src KeyStore
- */
- KeyStore loadSourceKeyStore() throws Exception {
- boolean isPkcs11 = false;
-
- InputStream is = null;
-
- if (P11KEYSTORE.equalsIgnoreCase(srcstoretype) ||
- KeyStoreUtil.isWindowsKeyStore(srcstoretype)) {
- if (!NONE.equals(srcksfname)) {
- System.err.println(MessageFormat.format(rb.getString
- ("-keystore must be NONE if -storetype is {0}"), srcstoretype));
- System.err.println();
- tinyHelp();
- }
- isPkcs11 = true;
- } else {
- if (srcksfname != null) {
- File srcksfile = new File(srcksfname);
- if (srcksfile.exists() && srcksfile.length() == 0) {
- throw new Exception(rb.getString
- ("Source keystore file exists, but is empty: ") +
- srcksfname);
- }
- is = new FileInputStream(srcksfile);
- } else {
- throw new Exception(rb.getString
- ("Please specify -srckeystore"));
- }
- }
-
- KeyStore store;
- try {
- if (srcProviderName == null) {
- store = KeyStore.getInstance(srcstoretype);
- } else {
- store = KeyStore.getInstance(srcstoretype, srcProviderName);
- }
-
- if (srcstorePass == null
- && !srcprotectedPath
- && !KeyStoreUtil.isWindowsKeyStore(srcstoretype)) {
- System.err.print(rb.getString("Enter source keystore password: "));
- System.err.flush();
- srcstorePass = Password.readPassword(System.in);
- passwords.add(srcstorePass);
- }
-
- // always let keypass be storepass when using pkcs12
- if (P12KEYSTORE.equalsIgnoreCase(srcstoretype)) {
- if (srckeyPass != null && srcstorePass != null &&
- !Arrays.equals(srcstorePass, srckeyPass)) {
- MessageFormat form = new MessageFormat(rb.getString(
- "Warning: Different store and key passwords not supported " +
- "for PKCS12 KeyStores. Ignoring user-specified <command> value."));
- Object[] source = {"-srckeypass"};
- System.err.println(form.format(source));
- srckeyPass = srcstorePass;
- }
- }
-
- store.load(is, srcstorePass); // "is" already null in PKCS11
- } finally {
- if (is != null) {
- is.close();
- }
- }
-
- if (srcstorePass == null
- && !KeyStoreUtil.isWindowsKeyStore(srcstoretype)) {
- // anti refactoring, copied from printWarning(),
- // but change 2 lines
- System.err.println();
- System.err.println(rb.getString
- ("***************** WARNING WARNING WARNING *****************"));
- System.err.println(rb.getString
- ("* The integrity of the information stored in the srckeystore*"));
- System.err.println(rb.getString
- ("* has NOT been verified! In order to verify its integrity, *"));
- System.err.println(rb.getString
- ("* you must provide the srckeystore password. *"));
- System.err.println(rb.getString
- ("***************** WARNING WARNING WARNING *****************"));
- System.err.println();
- }
-
- return store;
- }
-
- /**
- * import all keys and certs from importkeystore.
- * keep alias unchanged if no name conflict, otherwise, prompt.
- * keep keypass unchanged for keys
- */
- private void doImportKeyStore() throws Exception {
-
- if (alias != null) {
- doImportKeyStoreSingle(loadSourceKeyStore(), alias);
- } else {
- if (dest != null || srckeyPass != null || destKeyPass != null) {
- throw new Exception(rb.getString(
- "if alias not specified, destalias, srckeypass, " +
- "and destkeypass must not be specified"));
- }
- doImportKeyStoreAll(loadSourceKeyStore());
- }
- /*
- * Information display rule of -importkeystore
- * 1. inside single, shows failure
- * 2. inside all, shows sucess
- * 3. inside all where there is a failure, prompt for continue
- * 4. at the final of all, shows summary
- */
- }
-
- /**
- * Import a single entry named alias from srckeystore
- * @returns 1 if the import action succeed
- * 0 if user choose to ignore an alias-dumplicated entry
- * 2 if setEntry throws Exception
- */
- private int doImportKeyStoreSingle(KeyStore srckeystore, String alias)
- throws Exception {
-
- String newAlias = (dest==null) ? alias : dest;
-
- if (keyStore.containsAlias(newAlias)) {
- Object[] source = {alias};
- if (noprompt) {
- System.err.println(new MessageFormat(rb.getString(
- "Warning: Overwriting existing alias <alias> in destination keystore")).format(source));
- } else {
- String reply = getYesNoReply(new MessageFormat(rb.getString(
- "Existing entry alias <alias> exists, overwrite? [no]: ")).format(source));
- if ("NO".equals(reply)) {
- newAlias = inputStringFromStdin(rb.getString
- ("Enter new alias name\t(RETURN to cancel import for this entry): "));
- if ("".equals(newAlias)) {
- System.err.println(new MessageFormat(rb.getString(
- "Entry for alias <alias> not imported.")).format(
- source));
- return 0;
- }
- }
- }
- }
-
- Object[] objs = recoverEntry(srckeystore, alias, srcstorePass, srckeyPass);
- Entry entry = (Entry)objs[0];
-
- PasswordProtection pp = null;
-
- // According to keytool.html, "The destination entry will be protected
- // using destkeypass. If destkeypass is not provided, the destination
- // entry will be protected with the source entry password."
- // so always try to protect with destKeyPass.
- if (destKeyPass != null) {
- pp = new PasswordProtection(destKeyPass);
- } else if (objs[1] != null) {
- pp = new PasswordProtection((char[])objs[1]);
- }
-
- try {
- keyStore.setEntry(newAlias, entry, pp);
- return 1;
- } catch (KeyStoreException kse) {
- Object[] source2 = {alias, kse.toString()};
- MessageFormat form = new MessageFormat(rb.getString(
- "Problem importing entry for alias <alias>: <exception>.\nEntry for alias <alias> not imported."));
- System.err.println(form.format(source2));
- return 2;
- }
- }
-
- private void doImportKeyStoreAll(KeyStore srckeystore) throws Exception {
-
- int ok = 0;
- int count = srckeystore.size();
- for (Enumeration<String> e = srckeystore.aliases();
- e.hasMoreElements(); ) {
- String alias = e.nextElement();
- int result = doImportKeyStoreSingle(srckeystore, alias);
- if (result == 1) {
- ok++;
- Object[] source = {alias};
- MessageFormat form = new MessageFormat(rb.getString("Entry for alias <alias> successfully imported."));
- System.err.println(form.format(source));
- } else if (result == 2) {
- if (!noprompt) {
- String reply = getYesNoReply("Do you want to quit the import process? [no]: ");
- if ("YES".equals(reply)) {
- break;
- }
- }
- }
- }
- Object[] source = {ok, count-ok};
- MessageFormat form = new MessageFormat(rb.getString(
- "Import command completed: <ok> entries successfully imported, <fail> entries failed or cancelled"));
- System.err.println(form.format(source));
- }
-
- /**
- * Prints all keystore entries.
- */
- private void doPrintEntries(PrintStream out)
- throws Exception
- {
- if (storePass == null
- && !KeyStoreUtil.isWindowsKeyStore(storetype)) {
- printWarning();
- } else {
- out.println();
- }
-
- out.println(rb.getString("Keystore type: ") + keyStore.getType());
- out.println(rb.getString("Keystore provider: ") +
- keyStore.getProvider().getName());
- out.println();
-
- MessageFormat form;
- form = (keyStore.size() == 1) ?
- new MessageFormat(rb.getString
- ("Your keystore contains keyStore.size() entry")) :
- new MessageFormat(rb.getString
- ("Your keystore contains keyStore.size() entries"));
- Object[] source = {new Integer(keyStore.size())};
- out.println(form.format(source));
- out.println();
-
- for (Enumeration<String> e = keyStore.aliases();
- e.hasMoreElements(); ) {
- String alias = e.nextElement();
- doPrintEntry(alias, out, false);
- if (verbose || rfc) {
- out.println(rb.getString("\n"));
- out.println(rb.getString
- ("*******************************************"));
- out.println(rb.getString
- ("*******************************************\n\n"));
- }
- }
- }
-
- /**
- * Reads a certificate (or certificate chain) and prints its contents in
- * a human readbable format.
- */
- private void doPrintCert(InputStream in, PrintStream out)
- throws Exception
- {
- Collection<? extends Certificate> c = null;
- try {
- c = cf.generateCertificates(in);
- } catch (CertificateException ce) {
- throw new Exception(rb.getString("Failed to parse input"), ce);
- }
- if (c.isEmpty()) {
- throw new Exception(rb.getString("Empty input"));
- }
- Certificate[] certs = c.toArray(new Certificate[c.size()]);
- for (int i=0; i<certs.length; i++) {
- X509Certificate x509Cert = null;
- try {
- x509Cert = (X509Certificate)certs[i];
- } catch (ClassCastException cce) {
- throw new Exception(rb.getString("Not X.509 certificate"));
- }
- if (certs.length > 1) {
- MessageFormat form = new MessageFormat
- (rb.getString("Certificate[(i + 1)]:"));
- Object[] source = {new Integer(i + 1)};
- out.println(form.format(source));
- }
- printX509Cert(x509Cert, out);
- if (i < (certs.length-1)) {
- out.println();
- }
- }
- }
-
- /**
- * Creates a self-signed certificate, and stores it as a single-element
- * certificate chain.
- */
- private void doSelfCert(String alias, String dname, String sigAlgName)
- throws Exception
- {
- if (alias == null) {
- alias = keyAlias;
- }
-
- Object[] objs = recoverKey(alias, storePass, keyPass);
- PrivateKey privKey = (PrivateKey)objs[0];
- if (keyPass == null)
- keyPass = (char[])objs[1];
-
- // Determine the signature algorithm
- if (sigAlgName == null) {
- // If no signature algorithm was specified at the command line,
- // we choose one that is compatible with the selected private key
- String keyAlgName = privKey.getAlgorithm();
- if ("DSA".equalsIgnoreCase(keyAlgName)
- || "DSS".equalsIgnoreCase(keyAlgName)) {
- sigAlgName = "SHA1WithDSA";
- } else if ("RSA".equalsIgnoreCase(keyAlgName)) {
- sigAlgName = "SHA1WithRSA";
- } else if ("EC".equalsIgnoreCase(keyAlgName)) {
- sigAlgName = "SHA1withECDSA";
- } else {
- throw new Exception
- (rb.getString("Cannot derive signature algorithm"));
- }
- }
-
- // Get the old certificate
- Certificate oldCert = keyStore.getCertificate(alias);
- if (oldCert == null) {
- MessageFormat form = new MessageFormat
- (rb.getString("alias has no public key"));
- Object[] source = {alias};
- throw new Exception(form.format(source));
- }
- if (!(oldCert instanceof X509Certificate)) {
- MessageFormat form = new MessageFormat
- (rb.getString("alias has no X.509 certificate"));
- Object[] source = {alias};
- throw new Exception(form.format(source));
- }
-
- // convert to X509CertImpl, so that we can modify selected fields
- // (no public APIs available yet)
- byte[] encoded = oldCert.getEncoded();
- X509CertImpl certImpl = new X509CertImpl(encoded);
- X509CertInfo certInfo = (X509CertInfo)certImpl.get(X509CertImpl.NAME
- + "." +
- X509CertImpl.INFO);
-
- // Extend its validity
- Date firstDate = getStartDate(startDate);
- Date lastDate = new Date();
- lastDate.setTime(firstDate.getTime() + validity*1000L*24L*60L*60L);
- CertificateValidity interval = new CertificateValidity(firstDate,
- lastDate);
- certInfo.set(X509CertInfo.VALIDITY, interval);
-
- // Make new serial number
- certInfo.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber
- ((int)(firstDate.getTime()/1000)));
-
- // Set owner and issuer fields
- X500Name owner;
- if (dname == null) {
- // Get the owner name from the certificate
- owner = (X500Name)certInfo.get(X509CertInfo.SUBJECT + "." +
- CertificateSubjectName.DN_NAME);
- } else {
- // Use the owner name specified at the command line
- owner = new X500Name(dname);
- certInfo.set(X509CertInfo.SUBJECT + "." +
- CertificateSubjectName.DN_NAME, owner);
- }
- // Make issuer same as owner (self-signed!)
- certInfo.set(X509CertInfo.ISSUER + "." +
- CertificateIssuerName.DN_NAME, owner);
-
- // The inner and outer signature algorithms have to match.
- // The way we achieve that is really ugly, but there seems to be no
- // other solution: We first sign the cert, then retrieve the
- // outer sigalg and use it to set the inner sigalg
- X509CertImpl newCert = new X509CertImpl(certInfo);
- newCert.sign(privKey, sigAlgName);
- AlgorithmId sigAlgid = (AlgorithmId)newCert.get(X509CertImpl.SIG_ALG);
- certInfo.set(CertificateAlgorithmId.NAME + "." +
- CertificateAlgorithmId.ALGORITHM, sigAlgid);
-
- // first upgrade to version 3
-
- certInfo.set(X509CertInfo.VERSION,
- new CertificateVersion(CertificateVersion.V3));
-
- // Sign the new certificate
- newCert = new X509CertImpl(certInfo);
- newCert.sign(privKey, sigAlgName);
-
- // Store the new certificate as a single-element certificate chain
- keyStore.setKeyEntry(alias, privKey,
- (keyPass != null) ? keyPass : storePass,
- new Certificate[] { newCert } );
-
- if (verbose) {
- System.err.println(rb.getString("New certificate (self-signed):"));
- System.err.print(newCert.toString());
- System.err.println();
- }
- }
-
- /**
- * Processes a certificate reply from a certificate authority.
- *
- * <p>Builds a certificate chain on top of the certificate reply,
- * using trusted certificates from the keystore. The chain is complete
- * after a self-signed certificate has been encountered. The self-signed
- * certificate is considered a root certificate authority, and is stored
- * at the end of the chain.
- *
- * <p>The newly generated chain replaces the old chain associated with the
- * key entry.
- *
- * @return true if the certificate reply was installed, otherwise false.
- */
- private boolean installReply(String alias, InputStream in)
- throws Exception
- {
- if (alias == null) {
- alias = keyAlias;
- }
-
- Object[] objs = recoverKey(alias, storePass, keyPass);
- PrivateKey privKey = (PrivateKey)objs[0];
- if (keyPass == null) {
- keyPass = (char[])objs[1];
- }
-
- Certificate userCert = keyStore.getCertificate(alias);
- if (userCert == null) {
- MessageFormat form = new MessageFormat
- (rb.getString("alias has no public key (certificate)"));
- Object[] source = {alias};
- throw new Exception(form.format(source));
- }
-
- // Read the certificates in the reply
- Collection<? extends Certificate> c = cf.generateCertificates(in);
- if (c.isEmpty()) {
- throw new Exception(rb.getString("Reply has no certificates"));
- }
- Certificate[] replyCerts = c.toArray(new Certificate[c.size()]);
- Certificate[] newChain;
- if (replyCerts.length == 1) {
- // single-cert reply
- newChain = establishCertChain(userCert, replyCerts[0]);
- } else {
- // cert-chain reply (e.g., PKCS#7)
- newChain = validateReply(alias, userCert, replyCerts);
- }
-
- // Now store the newly established chain in the keystore. The new
- // chain replaces the old one.
- if (newChain != null) {
- keyStore.setKeyEntry(alias, privKey,
- (keyPass != null) ? keyPass : storePass,
- newChain);
- return true;
- } else {
- return false;
- }
- }
-
- /**
- * Imports a certificate and adds it to the list of trusted certificates.
- *
- * @return true if the certificate was added, otherwise false.
- */
- private boolean addTrustedCert(String alias, InputStream in)
- throws Exception
- {
- if (alias == null) {
- throw new Exception(rb.getString("Must specify alias"));
- }
- if (keyStore.containsAlias(alias)) {
- MessageFormat form = new MessageFormat(rb.getString
- ("Certificate not imported, alias <alias> already exists"));
- Object[] source = {alias};
- throw new Exception(form.format(source));
- }
-
- // Read the certificate
- X509Certificate cert = null;
- try {
- cert = (X509Certificate)cf.generateCertificate(in);
- } catch (ClassCastException cce) {
- throw new Exception(rb.getString("Input not an X.509 certificate"));
- } catch (CertificateException ce) {
- throw new Exception(rb.getString("Input not an X.509 certificate"));
- }
-
- // if certificate is self-signed, make sure it verifies
- boolean selfSigned = false;
- if (isSelfSigned(cert)) {
- cert.verify(cert.getPublicKey());
- selfSigned = true;
- }
-
- if (noprompt) {
- keyStore.setCertificateEntry(alias, cert);
- return true;
- }
-
- // check if cert already exists in keystore
- String reply = null;
- String trustalias = keyStore.getCertificateAlias(cert);
- if (trustalias != null) {
- MessageFormat form = new MessageFormat(rb.getString
- ("Certificate already exists in keystore under alias <trustalias>"));
- Object[] source = {trustalias};
- System.err.println(form.format(source));
- reply = getYesNoReply
- (rb.getString("Do you still want to add it? [no]: "));
- } else if (selfSigned) {
- if (trustcacerts && (caks != null) &&
- ((trustalias=caks.getCertificateAlias(cert)) != null)) {
- MessageFormat form = new MessageFormat(rb.getString
- ("Certificate already exists in system-wide CA keystore under alias <trustalias>"));
- Object[] source = {trustalias};
- System.err.println(form.format(source));
- reply = getYesNoReply
- (rb.getString("Do you still want to add it to your own keystore? [no]: "));
- }
- if (trustalias == null) {
- // Print the cert and ask user if they really want to add
- // it to their keystore
- printX509Cert(cert, System.out);
- reply = getYesNoReply
- (rb.getString("Trust this certificate? [no]: "));
- }
- }
- if (reply != null) {
- if ("YES".equals(reply)) {
- keyStore.setCertificateEntry(alias, cert);
- return true;
- } else {
- return false;
- }
- }
-
- // Try to establish trust chain
- try {
- Certificate[] chain = establishCertChain(null, cert);
- if (chain != null) {
- keyStore.setCertificateEntry(alias, cert);
- return true;
- }
- } catch (Exception e) {
- // Print the cert and ask user if they really want to add it to
- // their keystore
- printX509Cert(cert, System.out);
- reply = getYesNoReply
- (rb.getString("Trust this certificate? [no]: "));
- if ("YES".equals(reply)) {
- keyStore.setCertificateEntry(alias, cert);
- return true;
- } else {
- return false;
- }
- }
-
- return false;
- }
-
- /**
- * Prompts user for new password. New password must be different from
- * old one.
- *
- * @param prompt the message that gets prompted on the screen
- * @param oldPasswd the current (i.e., old) password
- */
- private char[] getNewPasswd(String prompt, char[] oldPasswd)
- throws Exception
- {
- char[] entered = null;
- char[] reentered = null;
-
- for (int count = 0; count < 3; count++) {
- MessageFormat form = new MessageFormat
- (rb.getString("New prompt: "));
- Object[] source = {prompt};
- System.err.print(form.format(source));
- entered = Password.readPassword(System.in);
- passwords.add(entered);
- if (entered == null || entered.length < 6) {
- System.err.println(rb.getString
- ("Password is too short - must be at least 6 characters"));
- } else if (Arrays.equals(entered, oldPasswd)) {
- System.err.println(rb.getString("Passwords must differ"));
- } else {
- form = new MessageFormat
- (rb.getString("Re-enter new prompt: "));
- Object[] src = {prompt};
- System.err.print(form.format(src));
- reentered = Password.readPassword(System.in);
- passwords.add(reentered);
- if (!Arrays.equals(entered, reentered)) {
- System.err.println
- (rb.getString("They don't match. Try again"));
- } else {
- Arrays.fill(reentered, ' ');
- return entered;
- }
- }
- if (entered != null) {
- Arrays.fill(entered, ' ');
- entered = null;
- }
- if (reentered != null) {
- Arrays.fill(reentered, ' ');
- reentered = null;
- }
- }
- throw new Exception(rb.getString("Too many failures - try later"));
- }
-
- /**
- * Prompts user for alias name.
- * @param prompt the {0} of "Enter {0} alias name: " in prompt line
- * @returns the string entered by the user, without the \n at the end
- */
- private String getAlias(String prompt) throws Exception {
- if (prompt != null) {
- MessageFormat form = new MessageFormat
- (rb.getString("Enter prompt alias name: "));
- Object[] source = {prompt};
- System.err.print(form.format(source));
- } else {
- System.err.print(rb.getString("Enter alias name: "));
- }
- return (new BufferedReader(new InputStreamReader(
- System.in))).readLine();
- }
-
- /**
- * Prompts user for an input string from the command line (System.in)
- * @prompt the prompt string printed
- * @returns the string entered by the user, without the \n at the end
- */
- private String inputStringFromStdin(String prompt) throws Exception {
- System.err.print(prompt);
- return (new BufferedReader(new InputStreamReader(
- System.in))).readLine();
- }
-
- /**
- * Prompts user for key password. User may select to choose the same
- * password (<code>otherKeyPass</code>) as for <code>otherAlias</code>.
- */
- private char[] getKeyPasswd(String alias, String otherAlias,
- char[] otherKeyPass)
- throws Exception
- {
- int count = 0;
- char[] keyPass = null;
-
- do {
- if (otherKeyPass != null) {
- MessageFormat form = new MessageFormat(rb.getString
- ("Enter key password for <alias>"));
- Object[] source = {alias};
- System.err.println(form.format(source));
-
- form = new MessageFormat(rb.getString
- ("\t(RETURN if same as for <otherAlias>)"));
- Object[] src = {otherAlias};
- System.err.print(form.format(src));
- } else {
- MessageFormat form = new MessageFormat(rb.getString
- ("Enter key password for <alias>"));
- Object[] source = {alias};
- System.err.print(form.format(source));
- }
- System.err.flush();
- keyPass = Password.readPassword(System.in);
- passwords.add(keyPass);
- if (keyPass == null) {
- keyPass = otherKeyPass;
- }
- count++;
- } while ((keyPass == null) && count < 3);
-
- if (keyPass == null) {
- throw new Exception(rb.getString("Too many failures - try later"));
- }
-
- return keyPass;
- }
-
- /**
- * Prints a certificate in a human readable format.
- */
- private void printX509Cert(X509Certificate cert, PrintStream out)
- throws Exception
- {
- /*
- out.println("Owner: "
- + cert.getSubjectDN().toString()
- + "\n"
- + "Issuer: "
- + cert.getIssuerDN().toString()
- + "\n"
- + "Serial number: " + cert.getSerialNumber().toString(16)
- + "\n"
- + "Valid from: " + cert.getNotBefore().toString()
- + " until: " + cert.getNotAfter().toString()
- + "\n"
- + "Certificate fingerprints:\n"
- + "\t MD5: " + getCertFingerPrint("MD5", cert)
- + "\n"
- + "\t SHA1: " + getCertFingerPrint("SHA1", cert));
- */
-
- MessageFormat form = new MessageFormat
- (rb.getString("*PATTERN* printX509Cert"));
- Object[] source = {cert.getSubjectDN().toString(),
- cert.getIssuerDN().toString(),
- cert.getSerialNumber().toString(16),
- cert.getNotBefore().toString(),
- cert.getNotAfter().toString(),
- getCertFingerPrint("MD5", cert),
- getCertFingerPrint("SHA1", cert),
- cert.getSigAlgName(),
- cert.getVersion()
- };
- out.println(form.format(source));
-
- int extnum = 0;
- if (cert instanceof X509CertImpl) {
- X509CertImpl impl = (X509CertImpl)cert;
- if (cert.getCriticalExtensionOIDs() != null) {
- for (String extOID : cert.getCriticalExtensionOIDs()) {
- if (extnum == 0) {
- out.println();
- out.println(rb.getString("Extensions: "));
- out.println();
- }
- out.println("#"+(++extnum)+": "+
- impl.getExtension(new ObjectIdentifier(extOID)));
- }
- }
- if (cert.getNonCriticalExtensionOIDs() != null) {
- for (String extOID : cert.getNonCriticalExtensionOIDs()) {
- if (extnum == 0) {
- out.println();
- out.println(rb.getString("Extensions: "));
- out.println();
- }
- Extension ext = impl.getExtension(new ObjectIdentifier(extOID));
- if (ext != null) {
- out.println("#"+(++extnum)+": "+ ext);
- } else {
- out.println("#"+(++extnum)+": "+
- impl.getUnparseableExtension(new ObjectIdentifier(extOID)));
- }
- }
- }
- }
- }
-
- /**
- * Returns true if the certificate is self-signed, false otherwise.
- */
- private boolean isSelfSigned(X509Certificate cert) {
- return cert.getSubjectDN().equals(cert.getIssuerDN());
- }
-
- /**
- * Returns true if the given certificate is trusted, false otherwise.
- */
- private boolean isTrusted(Certificate cert)
- throws Exception
- {
- if (keyStore.getCertificateAlias(cert) != null) {
- return true; // found in own keystore
- }
- if (trustcacerts && (caks != null) &&
- (caks.getCertificateAlias(cert) != null)) {
- return true; // found in CA keystore
- }
- return false;
- }
-
- /**
- * Gets an X.500 name suitable for inclusion in a certification request.
- */
- private X500Name getX500Name() throws IOException {
- BufferedReader in;
- in = new BufferedReader(new InputStreamReader(System.in));
- String commonName = "Unknown";
- String organizationalUnit = "Unknown";
- String organization = "Unknown";
- String city = "Unknown";
- String state = "Unknown";
- String country = "Unknown";
- X500Name name;
- String userInput = null;
-
- int maxRetry = 20;
- do {
- if (maxRetry-- < 0) {
- throw new RuntimeException(rb.getString(
- "Too may retries, program terminated"));
- }
- commonName = inputString(in,
- rb.getString("What is your first and last name?"),
- commonName);
- organizationalUnit = inputString(in,
- rb.getString
- ("What is the name of your organizational unit?"),
- organizationalUnit);
- organization = inputString(in,
- rb.getString("What is the name of your organization?"),
- organization);
- city = inputString(in,
- rb.getString("What is the name of your City or Locality?"),
- city);
- state = inputString(in,
- rb.getString("What is the name of your State or Province?"),
- state);
- country = inputString(in,
- rb.getString
- ("What is the two-letter country code for this unit?"),
- country);
- name = new X500Name(commonName, organizationalUnit, organization,
- city, state, country);
- MessageFormat form = new MessageFormat
- (rb.getString("Is <name> correct?"));
- Object[] source = {name};
- userInput = inputString
- (in, form.format(source), rb.getString("no"));
- } while (collator.compare(userInput, rb.getString("yes")) != 0 &&
- collator.compare(userInput, rb.getString("y")) != 0);
-
- System.err.println();
- return name;
- }
-
- private String inputString(BufferedReader in, String prompt,
- String defaultValue)
- throws IOException
- {
- System.err.println(prompt);
- MessageFormat form = new MessageFormat
- (rb.getString(" [defaultValue]: "));
- Object[] source = {defaultValue};
- System.err.print(form.format(source));
- System.err.flush();
-
- String value = in.readLine();
- if (value == null || collator.compare(value, "") == 0) {
- value = defaultValue;
- }
- return value;
- }
-
- /**
- * Writes an X.509 certificate in base64 or binary encoding to an output
- * stream.
- */
- private void dumpCert(Certificate cert, PrintStream out)
- throws IOException, CertificateException
- {
- if (rfc) {
- BASE64Encoder encoder = new BASE64Encoder();
- out.println(X509Factory.BEGIN_CERT);
- encoder.encodeBuffer(cert.getEncoded(), out);
- out.println(X509Factory.END_CERT);
- } else {
- out.write(cert.getEncoded()); // binary
- }
- }
-
- /**
- * Converts a byte to hex digit and writes to the supplied buffer
- */
- private void byte2hex(byte b, StringBuffer buf) {
- char[] hexChars = { '0', '1', '2', '3', '4', '5', '6', '7', '8',
- '9', 'A', 'B', 'C', 'D', 'E', 'F' };
- int high = ((b & 0xf0) >> 4);
- int low = (b & 0x0f);
- buf.append(hexChars[high]);
- buf.append(hexChars[low]);
- }
-
- /**
- * Converts a byte array to hex string
- */
- private String toHexString(byte[] block) {
- StringBuffer buf = new StringBuffer();
- int len = block.length;
- for (int i = 0; i < len; i++) {
- byte2hex(block[i], buf);
- if (i < len-1) {
- buf.append(":");
- }
- }
- return buf.toString();
- }
-
- /**
- * Recovers (private) key associated with given alias.
- *
- * @return an array of objects, where the 1st element in the array is the
- * recovered private key, and the 2nd element is the password used to
- * recover it.
- */
- private Object[] recoverKey(String alias, char[] storePass,
- char[] keyPass)
- throws Exception
- {
- Key key = null;
-
- if (keyStore.containsAlias(alias) == false) {
- MessageFormat form = new MessageFormat
- (rb.getString("Alias <alias> does not exist"));
- Object[] source = {alias};
- throw new Exception(form.format(source));
- }
- if (!keyStore.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class) &&
- !keyStore.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) {
- MessageFormat form = new MessageFormat
- (rb.getString("Alias <alias> has no key"));
- Object[] source = {alias};
- throw new Exception(form.format(source));
- }
-
- if (keyPass == null) {
- // Try to recover the key using the keystore password
- try {
- key = keyStore.getKey(alias, storePass);
-
- keyPass = storePass;
- passwords.add(keyPass);
- } catch (UnrecoverableKeyException e) {
- // Did not work out, so prompt user for key password
- if (!token) {
- keyPass = getKeyPasswd(alias, null, null);
- key = keyStore.getKey(alias, keyPass);
- } else {
- throw e;
- }
- }
- } else {
- key = keyStore.getKey(alias, keyPass);
- }
-
- return new Object[] {key, keyPass};
- }
-
- /**
- * Recovers entry associated with given alias.
- *
- * @return an array of objects, where the 1st element in the array is the
- * recovered entry, and the 2nd element is the password used to
- * recover it (null if no password).
- */
- private Object[] recoverEntry(KeyStore ks,
- String alias,
- char[] pstore,
- char[] pkey) throws Exception {
-
- if (ks.containsAlias(alias) == false) {
- MessageFormat form = new MessageFormat
- (rb.getString("Alias <alias> does not exist"));
- Object[] source = {alias};
- throw new Exception(form.format(source));
- }
-
- PasswordProtection pp = null;
- Entry entry;
-
- try {
- // First attempt to access entry without key password
- // (PKCS11 entry or trusted certificate entry, for example)
-
- entry = ks.getEntry(alias, pp);
- pkey = null;
- } catch (UnrecoverableEntryException une) {
-
- if(P11KEYSTORE.equalsIgnoreCase(ks.getType()) ||
- KeyStoreUtil.isWindowsKeyStore(ks.getType())) {
- // should not happen, but a possibility
- throw une;
- }
-
- // entry is protected
-
- if (pkey != null) {
-
- // try provided key password
-
- pp = new PasswordProtection(pkey);
- entry = ks.getEntry(alias, pp);
-
- } else {
-
- // try store pass
-
- try {
- pp = new PasswordProtection(pstore);
- entry = ks.getEntry(alias, pp);
- pkey = pstore;
- } catch (UnrecoverableEntryException une2) {
- if (P12KEYSTORE.equalsIgnoreCase(ks.getType())) {
-
- // P12 keystore currently does not support separate
- // store and entry passwords
-
- throw une2;
- } else {
-
- // prompt for entry password
-
- pkey = getKeyPasswd(alias, null, null);
- pp = new PasswordProtection(pkey);
- entry = ks.getEntry(alias, pp);
- }
- }
- }
- }
-
- return new Object[] {entry, pkey};
- }
- /**
- * Gets the requested finger print of the certificate.
- */
- private String getCertFingerPrint(String mdAlg, Certificate cert)
- throws Exception
- {
- byte[] encCertInfo = cert.getEncoded();
- MessageDigest md = MessageDigest.getInstance(mdAlg);
- byte[] digest = md.digest(encCertInfo);
- return toHexString(digest);
- }
-
- /**
- * Prints warning about missing integrity check.
- */
- private void printWarning() {
- System.err.println();
- System.err.println(rb.getString
- ("***************** WARNING WARNING WARNING *****************"));
- System.err.println(rb.getString
- ("* The integrity of the information stored in your keystore *"));
- System.err.println(rb.getString
- ("* has NOT been verified! In order to verify its integrity, *"));
- System.err.println(rb.getString
- ("* you must provide your keystore password. *"));
- System.err.println(rb.getString
- ("***************** WARNING WARNING WARNING *****************"));
- System.err.println();
- }
-
- /**
- * Validates chain in certification reply, and returns the ordered
- * elements of the chain (with user certificate first, and root
- * certificate last in the array).
- *
- * @param alias the alias name
- * @param userCert the user certificate of the alias
- * @param replyCerts the chain provided in the reply
- */
- private Certificate[] validateReply(String alias,
- Certificate userCert,
- Certificate[] replyCerts)
- throws Exception
- {
- // order the certs in the reply (bottom-up).
- // we know that all certs in the reply are of type X.509, because
- // we parsed them using an X.509 certificate factory
- int i;
- PublicKey userPubKey = userCert.getPublicKey();
- for (i=0; i<replyCerts.length; i++) {
- if (userPubKey.equals(replyCerts[i].getPublicKey())) {
- break;
- }
- }
- if (i == replyCerts.length) {
- MessageFormat form = new MessageFormat(rb.getString
- ("Certificate reply does not contain public key for <alias>"));
- Object[] source = {alias};
- throw new Exception(form.format(source));
- }
-
- Certificate tmpCert = replyCerts[0];
- replyCerts[0] = replyCerts[i];
- replyCerts[i] = tmpCert;
- Principal issuer = ((X509Certificate)replyCerts[0]).getIssuerDN();
-
- for (i=1; i < replyCerts.length-1; i++) {
- // find a cert in the reply whose "subject" is the same as the
- // given "issuer"
- int j;
- for (j=i; j<replyCerts.length; j++) {
- Principal subject;
- subject = ((X509Certificate)replyCerts[j]).getSubjectDN();
- if (subject.equals(issuer)) {
- tmpCert = replyCerts[i];
- replyCerts[i] = replyCerts[j];
- replyCerts[j] = tmpCert;
- issuer = ((X509Certificate)replyCerts[i]).getIssuerDN();
- break;
- }
- }
- if (j == replyCerts.length) {
- throw new Exception
- (rb.getString("Incomplete certificate chain in reply"));
- }
- }
-
- // now verify each cert in the ordered chain
- for (i=0; i<replyCerts.length-1; i++) {
- PublicKey pubKey = replyCerts[i+1].getPublicKey();
- try {
- replyCerts[i].verify(pubKey);
- } catch (Exception e) {
- throw new Exception(rb.getString
- ("Certificate chain in reply does not verify: ") +
- e.getMessage());
- }
- }
-
- if (noprompt) {
- return replyCerts;
- }
-
- // do we trust the (root) cert at the top?
- Certificate topCert = replyCerts[replyCerts.length-1];
- if (!isTrusted(topCert)) {
- boolean verified = false;
- Certificate rootCert = null;
- if (trustcacerts && (caks!= null)) {
- for (Enumeration<String> aliases = caks.aliases();
- aliases.hasMoreElements(); ) {
- String name = aliases.nextElement();
- rootCert = caks.getCertificate(name);
- if (rootCert != null) {
- try {
- topCert.verify(rootCert.getPublicKey());
- verified = true;
- break;
- } catch (Exception e) {
- }
- }
- }
- }
- if (!verified) {
- System.err.println();
- System.err.println
- (rb.getString("Top-level certificate in reply:\n"));
- printX509Cert((X509Certificate)topCert, System.out);
- System.err.println();
- System.err.print(rb.getString("... is not trusted. "));
- String reply = getYesNoReply
- (rb.getString("Install reply anyway? [no]: "));
- if ("NO".equals(reply)) {
- return null;
- }
- } else {
- if (!isSelfSigned((X509Certificate)topCert)) {
- // append the (self-signed) root CA cert to the chain
- Certificate[] tmpCerts =
- new Certificate[replyCerts.length+1];
- System.arraycopy(replyCerts, 0, tmpCerts, 0,
- replyCerts.length);
- tmpCerts[tmpCerts.length-1] = rootCert;
- replyCerts = tmpCerts;
- }
- }
- }
-
- return replyCerts;
- }
-
- /**
- * Establishes a certificate chain (using trusted certificates in the
- * keystore), starting with the user certificate
- * and ending at a self-signed certificate found in the keystore.
- *
- * @param userCert the user certificate of the alias
- * @param certToVerify the single certificate provided in the reply
- */
- private Certificate[] establishCertChain(Certificate userCert,
- Certificate certToVerify)
- throws Exception
- {
- if (userCert != null) {
- // Make sure that the public key of the certificate reply matches
- // the original public key in the keystore
- PublicKey origPubKey = userCert.getPublicKey();
- PublicKey replyPubKey = certToVerify.getPublicKey();
- if (!origPubKey.equals(replyPubKey)) {
- throw new Exception(rb.getString
- ("Public keys in reply and keystore don't match"));
- }
-
- // If the two certs are identical, we're done: no need to import
- // anything
- if (certToVerify.equals(userCert)) {
- throw new Exception(rb.getString
- ("Certificate reply and certificate in keystore are identical"));
- }
- }
-
- // Build a hash table of all certificates in the keystore.
- // Use the subject distinguished name as the key into the hash table.
- // All certificates associated with the same subject distinguished
- // name are stored in the same hash table entry as a vector.
- Hashtable<Principal, Vector<Certificate>> certs = null;
- if (keyStore.size() > 0) {
- certs = new Hashtable<Principal, Vector<Certificate>>(11);
- keystorecerts2Hashtable(keyStore, certs);
- }
- if (trustcacerts) {
- if (caks!=null && caks.size()>0) {
- if (certs == null) {
- certs = new Hashtable<Principal, Vector<Certificate>>(11);
- }
- keystorecerts2Hashtable(caks, certs);
- }
- }
-
- // start building chain
- Vector<Certificate> chain = new Vector<Certificate>(2);
- if (buildChain((X509Certificate)certToVerify, chain, certs)) {
- Certificate[] newChain = new Certificate[chain.size()];
- // buildChain() returns chain with self-signed root-cert first and
- // user-cert last, so we need to invert the chain before we store
- // it
- int j=0;
- for (int i=chain.size()-1; i>=0; i--) {
- newChain[j] = chain.elementAt(i);
- j++;
- }
- return newChain;
- } else {
- throw new Exception
- (rb.getString("Failed to establish chain from reply"));
- }
- }
-
- /**
- * Recursively tries to establish chain from pool of trusted certs.
- *
- * @param certToVerify the cert that needs to be verified.
- * @param chain the chain that's being built.
- * @param certs the pool of trusted certs
- *
- * @return true if successful, false otherwise.
- */
- private boolean buildChain(X509Certificate certToVerify,
- Vector<Certificate> chain,
- Hashtable<Principal, Vector<Certificate>> certs) {
- Principal subject = certToVerify.getSubjectDN();
- Principal issuer = certToVerify.getIssuerDN();
- if (subject.equals(issuer)) {
- // reached self-signed root cert;
- // no verification needed because it's trusted.
- chain.addElement(certToVerify);
- return true;
- }
-
- // Get the issuer's certificate(s)
- Vector<Certificate> vec = certs.get(issuer);
- if (vec == null) {
- return false;
- }
-
- // Try out each certificate in the vector, until we find one
- // whose public key verifies the signature of the certificate
- // in question.
- for (Enumeration<Certificate> issuerCerts = vec.elements();
- issuerCerts.hasMoreElements(); ) {
- X509Certificate issuerCert
- = (X509Certificate)issuerCerts.nextElement();
- PublicKey issuerPubKey = issuerCert.getPublicKey();
- try {
- certToVerify.verify(issuerPubKey);
- } catch (Exception e) {
- continue;
- }
- if (buildChain(issuerCert, chain, certs)) {
- chain.addElement(certToVerify);
- return true;
- }
- }
- return false;
- }
-
- /**
- * Prompts user for yes/no decision.
- *
- * @return the user's decision, can only be "YES" or "NO"
- */
- private String getYesNoReply(String prompt)
- throws IOException
- {
- String reply = null;
- int maxRetry = 20;
- do {
- if (maxRetry-- < 0) {
- throw new RuntimeException(rb.getString(
- "Too may retries, program terminated"));
- }
- System.err.print(prompt);
- System.err.flush();
- reply = (new BufferedReader(new InputStreamReader
- (System.in))).readLine();
- if (collator.compare(reply, "") == 0 ||
- collator.compare(reply, rb.getString("n")) == 0 ||
- collator.compare(reply, rb.getString("no")) == 0) {
- reply = "NO";
- } else if (collator.compare(reply, rb.getString("y")) == 0 ||
- collator.compare(reply, rb.getString("yes")) == 0) {
- reply = "YES";
- } else {
- System.err.println(rb.getString("Wrong answer, try again"));
- reply = null;
- }
- } while (reply == null);
- return reply;
- }
-
- /**
- * Returns the keystore with the configured CA certificates.
- */
- private KeyStore getCacertsKeyStore()
- throws Exception
- {
- String sep = File.separator;
- File file = new File(System.getProperty("java.home") + sep
- + "lib" + sep + "security" + sep
- + "cacerts");
- if (!file.exists()) {
- return null;
- }
- FileInputStream fis = null;
- KeyStore caks = null;
- try {
- fis = new FileInputStream(file);
- caks = KeyStore.getInstance(JKS);
- caks.load(fis, null);
- } finally {
- if (fis != null) {
- fis.close();
- }
- }
- return caks;
- }
-
- /**
- * Stores the (leaf) certificates of a keystore in a hashtable.
- * All certs belonging to the same CA are stored in a vector that
- * in turn is stored in the hashtable, keyed by the CA's subject DN
- */
- private void keystorecerts2Hashtable(KeyStore ks,
- Hashtable<Principal, Vector<Certificate>> hash)
- throws Exception {
-
- for (Enumeration<String> aliases = ks.aliases();
- aliases.hasMoreElements(); ) {
- String alias = aliases.nextElement();
- Certificate cert = ks.getCertificate(alias);
- if (cert != null) {
- Principal subjectDN = ((X509Certificate)cert).getSubjectDN();
- Vector<Certificate> vec = hash.get(subjectDN);
- if (vec == null) {
- vec = new Vector<Certificate>();
- vec.addElement(cert);
- } else {
- if (!vec.contains(cert)) {
- vec.addElement(cert);
- }
- }
- hash.put(subjectDN, vec);
- }
- }
- }
-
- /**
- * Returns the issue time that's specified the -startdate option
- * @param s the value of -startdate option
- */
- private static Date getStartDate(String s) throws IOException {
- Calendar c = new GregorianCalendar();
- if (s != null) {
- IOException ioe = new IOException("Illegal startdate value");
- int len = s.length();
- if (len == 0) {
- throw ioe;
- }
- if (s.charAt(0) == '-' || s.charAt(0) == '+') {
- // Form 1: ([+-]nnn[ymdHMS])+
- int start = 0;
- while (start < len) {
- int sign = 0;
- switch (s.charAt(start)) {
- case '+': sign = 1; break;
- case '-': sign = -1; break;
- default: throw ioe;
- }
- int i = start+1;
- for (; i<len; i++) {
- char ch = s.charAt(i);
- if (ch < '0' || ch > '9') break;
- }
- if (i == start+1) throw ioe;
- int number = Integer.parseInt(s.substring(start+1, i));
- if (i >= len) throw ioe;
- int unit = 0;
- switch (s.charAt(i)) {
- case 'y': unit = Calendar.YEAR; break;
- case 'm': unit = Calendar.MONTH; break;
- case 'd': unit = Calendar.DATE; break;
- case 'H': unit = Calendar.HOUR; break;
- case 'M': unit = Calendar.MINUTE; break;
- case 'S': unit = Calendar.SECOND; break;
- default: throw ioe;
- }
- c.add(unit, sign * number);
- start = i + 1;
- }
- } else {
- // Form 2: [yyyy/mm/dd] [HH:MM:SS]
- String date = null, time = null;
- if (len == 19) {
- date = s.substring(0, 10);
- time = s.substring(11);
- if (s.charAt(10) != ' ')
- throw ioe;
- } else if (len == 10) {
- date = s;
- } else if (len == 8) {
- time = s;
- } else {
- throw ioe;
- }
- if (date != null) {
- if (date.matches("\\d\\d\\d\\d\\/\\d\\d\\/\\d\\d")) {
- c.set(Integer.valueOf(date.substring(0, 4)),
- Integer.valueOf(date.substring(5, 7))-1,
- Integer.valueOf(date.substring(8, 10)));
- } else {
- throw ioe;
- }
- }
- if (time != null) {
- if (time.matches("\\d\\d:\\d\\d:\\d\\d")) {
- c.set(Calendar.HOUR_OF_DAY, Integer.valueOf(time.substring(0, 2)));
- c.set(Calendar.MINUTE, Integer.valueOf(time.substring(0, 2)));
- c.set(Calendar.SECOND, Integer.valueOf(time.substring(0, 2)));
- c.set(Calendar.MILLISECOND, 0);
- } else {
- throw ioe;
- }
- }
- }
- }
- return c.getTime();
- }
-
- /**
- * Prints the usage of this tool.
- */
- private void usage() {
- System.err.println(rb.getString("keytool usage:\n"));
-
- System.err.println(rb.getString
- ("-certreq [-v] [-protected]"));
- System.err.println(rb.getString
- ("\t [-alias <alias>] [-sigalg <sigalg>]"));
- System.err.println(rb.getString
- ("\t [-file <csr_file>] [-keypass <keypass>]"));
- System.err.println(rb.getString
- ("\t [-keystore <keystore>] [-storepass <storepass>]"));
- System.err.println(rb.getString
- ("\t [-storetype <storetype>] [-providername <name>]"));
- System.err.println(rb.getString
- ("\t [-providerclass <provider_class_name> [-providerarg <arg>]] ..."));
- System.err.println(rb.getString
- ("\t [-providerpath <pathlist>]"));
- System.err.println();
-
- System.err.println(rb.getString
- ("-changealias [-v] [-protected] -alias <alias> -destalias <destalias>"));
- System.err.println(rb.getString
- ("\t [-keypass <keypass>]"));
- System.err.println(rb.getString
- ("\t [-keystore <keystore>] [-storepass <storepass>]"));
- System.err.println(rb.getString
- ("\t [-storetype <storetype>] [-providername <name>]"));
- System.err.println(rb.getString
- ("\t [-providerclass <provider_class_name> [-providerarg <arg>]] ..."));
- System.err.println(rb.getString
- ("\t [-providerpath <pathlist>]"));
- System.err.println();
-
- System.err.println(rb.getString
- ("-delete [-v] [-protected] -alias <alias>"));
- System.err.println(rb.getString
- ("\t [-keystore <keystore>] [-storepass <storepass>]"));
- System.err.println(rb.getString
- ("\t [-storetype <storetype>] [-providername <name>]"));
- System.err.println(rb.getString
- ("\t [-providerclass <provider_class_name> [-providerarg <arg>]] ..."));
- System.err.println(rb.getString
- ("\t [-providerpath <pathlist>]"));
- System.err.println();
-
- System.err.println(rb.getString
- ("-exportcert [-v] [-rfc] [-protected]"));
- System.err.println(rb.getString
- ("\t [-alias <alias>] [-file <cert_file>]"));
- System.err.println(rb.getString
- ("\t [-keystore <keystore>] [-storepass <storepass>]"));
- System.err.println(rb.getString
- ("\t [-storetype <storetype>] [-providername <name>]"));
- System.err.println(rb.getString
- ("\t [-providerclass <provider_class_name> [-providerarg <arg>]] ..."));
- System.err.println(rb.getString
- ("\t [-providerpath <pathlist>]"));
- System.err.println();
-
- System.err.println(rb.getString
- ("-genkeypair [-v] [-protected]"));
- System.err.println(rb.getString
- ("\t [-alias <alias>]"));
- System.err.println(rb.getString
- ("\t [-keyalg <keyalg>] [-keysize <keysize>]"));
- System.err.println(rb.getString
- ("\t [-sigalg <sigalg>] [-dname <dname>]"));
- System.err.println(rb.getString
- ("\t [-validity <valDays>] [-keypass <keypass>]"));
- System.err.println(rb.getString
- ("\t [-keystore <keystore>] [-storepass <storepass>]"));
- System.err.println(rb.getString
- ("\t [-storetype <storetype>] [-providername <name>]"));
- System.err.println(rb.getString
- ("\t [-providerclass <provider_class_name> [-providerarg <arg>]] ..."));
- System.err.println(rb.getString
- ("\t [-providerpath <pathlist>]"));
- System.err.println();
-
- System.err.println(rb.getString
- ("-genseckey [-v] [-protected]"));
- System.err.println(rb.getString
- ("\t [-alias <alias>] [-keypass <keypass>]"));
- System.err.println(rb.getString
- ("\t [-keyalg <keyalg>] [-keysize <keysize>]"));
- System.err.println(rb.getString
- ("\t [-keystore <keystore>] [-storepass <storepass>]"));
- System.err.println(rb.getString
- ("\t [-storetype <storetype>] [-providername <name>]"));
- System.err.println(rb.getString
- ("\t [-providerclass <provider_class_name> [-providerarg <arg>]] ..."));
- System.err.println(rb.getString
- ("\t [-providerpath <pathlist>]"));
- System.err.println();
-
- System.err.println(rb.getString("-help"));
- System.err.println();
-
- System.err.println(rb.getString
- ("-importcert [-v] [-noprompt] [-trustcacerts] [-protected]"));
- System.err.println(rb.getString
- ("\t [-alias <alias>]"));
- System.err.println(rb.getString
- ("\t [-file <cert_file>] [-keypass <keypass>]"));
- System.err.println(rb.getString
- ("\t [-keystore <keystore>] [-storepass <storepass>]"));
- System.err.println(rb.getString
- ("\t [-storetype <storetype>] [-providername <name>]"));
- System.err.println(rb.getString
- ("\t [-providerclass <provider_class_name> [-providerarg <arg>]] ..."));
- System.err.println(rb.getString
- ("\t [-providerpath <pathlist>]"));
- System.err.println();
-
- System.err.println(rb.getString
- ("-importkeystore [-v] "));
- System.err.println(rb.getString
- ("\t [-srckeystore <srckeystore>] [-destkeystore <destkeystore>]"));
- System.err.println(rb.getString
- ("\t [-srcstoretype <srcstoretype>] [-deststoretype <deststoretype>]"));
- System.err.println(rb.getString
- ("\t [-srcstorepass <srcstorepass>] [-deststorepass <deststorepass>]"));
- System.err.println(rb.getString
- ("\t [-srcprotected] [-destprotected]"));
- System.err.println(rb.getString
- ("\t [-srcprovidername <srcprovidername>]\n\t [-destprovidername <destprovidername>]"));
- System.err.println(rb.getString
- ("\t [-srcalias <srcalias> [-destalias <destalias>]"));
- System.err.println(rb.getString
- ("\t [-srckeypass <srckeypass>] [-destkeypass <destkeypass>]]"));
- System.err.println(rb.getString
- ("\t [-noprompt]"));
- System.err.println(rb.getString
- ("\t [-providerclass <provider_class_name> [-providerarg <arg>]] ..."));
- System.err.println(rb.getString
- ("\t [-providerpath <pathlist>]"));
- System.err.println();
-
- System.err.println(rb.getString
- ("-keypasswd [-v] [-alias <alias>]"));
- System.err.println(rb.getString
- ("\t [-keypass <old_keypass>] [-new <new_keypass>]"));
- System.err.println(rb.getString
- ("\t [-keystore <keystore>] [-storepass <storepass>]"));
- System.err.println(rb.getString
- ("\t [-storetype <storetype>] [-providername <name>]"));
- System.err.println(rb.getString
- ("\t [-providerclass <provider_class_name> [-providerarg <arg>]] ..."));
- System.err.println(rb.getString
- ("\t [-providerpath <pathlist>]"));
- System.err.println();
-
- System.err.println(rb.getString
- ("-list [-v | -rfc] [-protected]"));
- System.err.println(rb.getString
- ("\t [-alias <alias>]"));
- System.err.println(rb.getString
- ("\t [-keystore <keystore>] [-storepass <storepass>]"));
- System.err.println(rb.getString
- ("\t [-storetype <storetype>] [-providername <name>]"));
- System.err.println(rb.getString
- ("\t [-providerclass <provider_class_name> [-providerarg <arg>]] ..."));
- System.err.println(rb.getString
- ("\t [-providerpath <pathlist>]"));
- System.err.println();
-
- System.err.println(rb.getString
- ("-printcert [-v] [-file <cert_file>]"));
- System.err.println();
-
- System.err.println(rb.getString
- ("-storepasswd [-v] [-new <new_storepass>]"));
- System.err.println(rb.getString
- ("\t [-keystore <keystore>] [-storepass <storepass>]"));
- System.err.println(rb.getString
- ("\t [-storetype <storetype>] [-providername <name>]"));
- System.err.println(rb.getString
- ("\t [-providerclass <provider_class_name> [-providerarg <arg>]] ..."));
- System.err.println(rb.getString
- ("\t [-providerpath <pathlist>]"));
-
- if (debug) {
- throw new RuntimeException("NO ERROR, SORRY");
- } else {
- System.exit(1);
- }
- }
-
- private void tinyHelp() {
- System.err.println(rb.getString("Try keytool -help"));
-
- // do not drown user with the help lines.
- if (debug) {
- throw new RuntimeException("NO BIG ERROR, SORRY");
- } else {
- System.exit(1);
- }
- }
-
- private void errorNeedArgument(String flag) {
- Object[] source = {flag};
- System.err.println(new MessageFormat(
- rb.getString("Command option <flag> needs an argument.")).format(source));
- tinyHelp();
- }
-}
-
-// This class is exactly the same as com.sun.tools.javac.util.Pair,
-// it's copied here since the original one is not included in JRE.
-class Pair<A, B> {
-
- public final A fst;
- public final B snd;
-
- public Pair(A fst, B snd) {
- this.fst = fst;
- this.snd = snd;
- }
-
- public String toString() {
- return "Pair[" + fst + "," + snd + "]";
- }
-
- private static boolean equals(Object x, Object y) {
- return (x == null && y == null) || (x != null && x.equals(y));
- }
-
- public boolean equals(Object other) {
- return
- other instanceof Pair &&
- equals(fst, ((Pair)other).fst) &&
- equals(snd, ((Pair)other).snd);
- }
-
- public int hashCode() {
- if (fst == null) return (snd == null) ? 0 : snd.hashCode() + 1;
- else if (snd == null) return fst.hashCode() + 2;
- else return fst.hashCode() * 17 + snd.hashCode();
+ Main.main(args);
}
}
< prev index next >