1 /* 2 * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. 8 * 9 * This code is distributed in the hope that it will be useful, but WITHOUT 10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 12 * version 2 for more details (a copy is included in the LICENSE file that 13 * accompanied this code). 14 * 15 * You should have received a copy of the GNU General Public License version 16 * 2 along with this work; if not, write to the Free Software Foundation, 17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 18 * 19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 20 * or visit www.oracle.com if you need additional information or have any 21 * questions. 22 */ 23 24 import jdk.test.lib.SecurityTools; 25 import sun.security.util.ObjectIdentifier; 26 27 import java.nio.file.Files; 28 import java.nio.file.Path; 29 import java.nio.file.Paths; 30 import java.util.ArrayList; 31 import java.util.List; 32 33 import static jdk.testlibrary.security.DerUtils.*; 34 import static sun.security.pkcs.ContentInfo.DATA_OID; 35 import static sun.security.pkcs.ContentInfo.ENCRYPTED_DATA_OID; 36 import static sun.security.x509.AlgorithmId.*; 37 38 /* 39 * @test 40 * @bug 8076190 41 * @library /lib/testlibrary /lib 42 * @modules java.base/sun.security.pkcs 43 * java.base/sun.security.x509 44 * java.base/sun.security.util 45 * @summary Checks the preferences order of pkcs12 params 46 */ 47 public class ParamsPreferences { 48 49 public static final void main(String[] args) throws Exception { 50 int c = 0; 51 52 // with storepass 53 test(c++, "-", "-", 54 pbeWithSHA1AndRC2_40_oid, 50000, 55 pbeWithSHA1AndDESede_oid, 50000, 56 SHA_oid, 100000); 57 58 // password-less with system property 59 test(c++, "keystore.pkcs12.certProtectionAlgorithm", "NONE", 60 "keystore.pkcs12.macAlgorithm", "NONE", 61 "-", "-", 62 null, 0, 63 pbeWithSHA1AndDESede_oid, 50000, 64 null, 0); 65 66 // password-less with security property 67 test(c++, "-", 68 "keystore.pkcs12.certProtectionAlgorithm", "NONE", 69 "keystore.pkcs12.macAlgorithm", "NONE", 70 "-", 71 null, 0, 72 pbeWithSHA1AndDESede_oid, 50000, 73 null, 0); 74 75 // back to with storepass by overriding security property with system property 76 test(c++, "keystore.pkcs12.certProtectionAlgorithm", "PBEWithSHA1AndDESede", 77 "keystore.pkcs12.macAlgorithm", "HmacPBESHA256", 78 "-", 79 "keystore.pkcs12.certProtectionAlgorithm", "NONE", 80 "keystore.pkcs12.macAlgorithm", "NONE", 81 "-", 82 pbeWithSHA1AndDESede_oid, 50000, 83 pbeWithSHA1AndDESede_oid, 50000, 84 SHA256_oid, 100000); 85 86 // back to with storepass by using "" to force hardcoded default 87 test(c++, "keystore.pkcs12.certProtectionAlgorithm", "", 88 "keystore.pkcs12.keyProtectionAlgorithm", "", 89 "keystore.pkcs12.macAlgorithm", "", 90 "-", 91 "keystore.pkcs12.certProtectionAlgorithm", "NONE", 92 "keystore.pkcs12.keyProtectionAlgorithm", "PBEWithSHA1AndRC2_40", 93 "keystore.pkcs12.macAlgorithm", "NONE", 94 "-", 95 pbeWithSHA1AndRC2_40_oid, 50000, 96 pbeWithSHA1AndDESede_oid, 50000, 97 SHA_oid, 100000); 98 99 // change everything with system property 100 test(c++, "keystore.pkcs12.certProtectionAlgorithm", "PBEWithSHA1AndDESede", 101 "keystore.pkcs12.certPbeIterationCount", 3000, 102 "keystore.pkcs12.keyProtectionAlgorithm", "PBEWithSHA1AndRC2_40", 103 "keystore.pkcs12.keyPbeIterationCount", 4000, 104 "keystore.pkcs12.macAlgorithm", "HmacPBESHA256", 105 "keystore.pkcs12.macIterationCount", 2000, 106 "-", "-", 107 pbeWithSHA1AndDESede_oid, 3000, 108 pbeWithSHA1AndRC2_40_oid, 4000, 109 SHA256_oid, 2000); 110 111 // change everything with security property 112 test(c++, "-", 113 "keystore.pkcs12.certProtectionAlgorithm", "PBEWithSHA1AndDESede", 114 "keystore.pkcs12.certPbeIterationCount", 3000, 115 "keystore.pkcs12.keyProtectionAlgorithm", "PBEWithSHA1AndRC2_40", 116 "keystore.pkcs12.keyPbeIterationCount", 4000, 117 "keystore.pkcs12.macAlgorithm", "HmacPBESHA256", 118 "keystore.pkcs12.macIterationCount", 2000, 119 "-", 120 pbeWithSHA1AndDESede_oid, 3000, 121 pbeWithSHA1AndRC2_40_oid, 4000, 122 SHA256_oid, 2000); 123 124 // override security property with system property 125 test(c++, "keystore.pkcs12.certProtectionAlgorithm", "PBEWithSHA1AndDESede", 126 "keystore.pkcs12.certPbeIterationCount", 13000, 127 "keystore.pkcs12.keyProtectionAlgorithm", "PBEWithSHA1AndRC2_40", 128 "keystore.pkcs12.keyPbeIterationCount", 14000, 129 "keystore.pkcs12.macAlgorithm", "HmacPBESHA256", 130 "keystore.pkcs12.macIterationCount", 12000, 131 "-", 132 "keystore.pkcs12.certProtectionAlgorithm", "PBEWithSHA1AndRC2_40", 133 "keystore.pkcs12.certPbeIterationCount", 3000, 134 "keystore.pkcs12.keyProtectionAlgorithm", "PBEWithSHA1AndDESede", 135 "keystore.pkcs12.keyPbeIterationCount", 4000, 136 "keystore.pkcs12.macAlgorithm", "HmacPBESHA1", 137 "keystore.pkcs12.macIterationCount", 2000, 138 "-", 139 pbeWithSHA1AndDESede_oid, 13000, 140 pbeWithSHA1AndRC2_40_oid, 14000, 141 SHA256_oid, 12000); 142 143 // check keyProtectionAlgorithm old behavior. Preferences of 144 // 4 different settings. 145 146 test(c++, "-", 147 "keystore.PKCS12.keyProtectionAlgorithm", "PBEWithSHA1AndRC2_128", 148 "-", 149 pbeWithSHA1AndRC2_40_oid, 50000, 150 pbeWithSHA1AndRC2_128_oid, 50000, 151 SHA_oid, 100000); 152 test(c++, "-", 153 "keystore.PKCS12.keyProtectionAlgorithm", "PBEWithSHA1AndRC2_128", 154 "keystore.pkcs12.keyProtectionAlgorithm", "PBEWithSHA1AndRC2_40", 155 "-", 156 pbeWithSHA1AndRC2_40_oid, 50000, 157 pbeWithSHA1AndRC2_40_oid, 50000, 158 SHA_oid, 100000); 159 test(c++, 160 "keystore.PKCS12.keyProtectionAlgorithm", "PBEWithSHA1AndRC4_128", 161 "-", 162 "keystore.PKCS12.keyProtectionAlgorithm", "PBEWithSHA1AndRC2_128", 163 "keystore.pkcs12.keyProtectionAlgorithm", "PBEWithSHA1AndRC2_40", 164 "-", 165 pbeWithSHA1AndRC2_40_oid, 50000, 166 pbeWithSHA1AndRC4_128_oid, 50000, 167 SHA_oid, 100000); 168 test(c++, 169 "keystore.PKCS12.keyProtectionAlgorithm", "PBEWithSHA1AndRC4_128", 170 "keystore.pkcs12.keyProtectionAlgorithm", "PBEWithSHA1AndRC4_40", 171 "-", 172 "keystore.PKCS12.keyProtectionAlgorithm", "PBEWithSHA1AndRC2_128", 173 "keystore.pkcs12.keyProtectionAlgorithm", "PBEWithSHA1AndRC2_40", 174 "-", 175 pbeWithSHA1AndRC2_40_oid, 50000, 176 pbeWithSHA1AndRC4_40_oid, 50000, 177 SHA_oid, 100000); 178 } 179 180 /** 181 * Run once. 182 * 183 * @param args an array containing system properties and values, "-", 184 * security properties and values, "-", expected certPbeAlg, 185 * certPbeIC, keyPbeAlg, keyPbeIc, macAlg, macIC. 186 */ 187 static void test(int n, Object... args) throws Exception { 188 boolean isSysProp = true; 189 String cmd = "-keystore ks" + n + " -storetype PKCS12 -genkeypair -keyalg EC " 190 + "-alias a -dname CN=A -storepass changeit " 191 + "-J-Djava.security.properties=" + n + ".conf"; 192 List<String> jsConf = new ArrayList<>(); 193 for (int i = 0; i < args.length; i++) { 194 if (isSysProp) { 195 if (args[i].equals("-")) { 196 isSysProp = false; 197 } else { 198 cmd += " -J-D" + args[i] + "=" + args[++i]; 199 } 200 } else { 201 if (args[i] == "-") { 202 Files.write(Paths.get(n + ".conf"), jsConf); 203 System.out.println("--------- test starts ----------"); 204 System.out.println(jsConf); 205 SecurityTools.keytool(cmd).shouldHaveExitValue(0); 206 207 byte[] data = Files.readAllBytes(Paths.get("ks" + n)); 208 209 // cert pbe alg + ic 210 if (args[i+1] == null) { 211 checkAlg(data, "110c10", DATA_OID); 212 } else { 213 checkAlg(data, "110c10", ENCRYPTED_DATA_OID); 214 checkAlg(data, "110c110110", (ObjectIdentifier)args[i+1]); 215 checkInt(data, "110c1101111", (int)args[i+2]); 216 } 217 218 // key pbe alg + ic 219 checkAlg(data, "110c010c01000", (ObjectIdentifier)args[i+3]); 220 checkInt(data, "110c010c010011", (int)args[i+4]); 221 222 // mac alg + ic 223 if (args[i+5] == null) { 224 shouldNotExist(data, "2"); 225 } else { 226 checkAlg(data, "2000", (ObjectIdentifier)args[i+5]); 227 checkInt(data, "22", (int)args[i+6]); 228 } 229 } else { 230 jsConf.add(args[i] + "=" + args[++i]); 231 } 232 } 233 } 234 } 235 }