Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
openanolis
dragonwell8_jdk
提交
242bd913
D
dragonwell8_jdk
项目概览
openanolis
/
dragonwell8_jdk
通知
4
Star
2
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
D
dragonwell8_jdk
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
提交
242bd913
编写于
6月 24, 2010
作者:
W
weijun
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
6958026: Problem with PKCS12 keystore
Reviewed-by: mullan
上级
88c8e023
变更
2
隐藏空白更改
内联
并排
Showing
2 changed file
with
176 addition
and
36 deletion
+176
-36
src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java
src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java
+56
-36
test/sun/security/pkcs12/PKCS12SameKeyId.java
test/sun/security/pkcs12/PKCS12SameKeyId.java
+120
-0
未找到文件。
src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java
浏览文件 @
242bd913
/*
* Copyright (c) 1999, 20
07
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1999, 20
10
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -180,24 +180,15 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
String
alias
;
};
private
static
class
KeyId
{
byte
[]
keyId
;
KeyId
(
byte
[]
keyId
)
{
// A certificate with its PKCS #9 attributes
private
static
class
CertEntry
{
final
X509Certificate
cert
;
final
byte
[]
keyId
;
final
String
alias
;
CertEntry
(
X509Certificate
cert
,
byte
[]
keyId
,
String
alias
)
{
this
.
cert
=
cert
;
this
.
keyId
=
keyId
;
}
public
int
hashCode
()
{
int
hash
=
0
;
for
(
int
i
=
0
;
i
<
keyId
.
length
;
i
++)
hash
+=
keyId
[
i
];
return
hash
;
}
public
boolean
equals
(
Object
obj
)
{
if
(!(
obj
instanceof
KeyId
))
return
false
;
KeyId
that
=
(
KeyId
)
obj
;
return
(
Arrays
.
equals
(
this
.
keyId
,
that
.
keyId
));
this
.
alias
=
alias
;
}
}
...
...
@@ -209,7 +200,9 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
new
Hashtable
<
String
,
KeyEntry
>();
private
ArrayList
<
KeyEntry
>
keyList
=
new
ArrayList
<
KeyEntry
>();
private
LinkedHashMap
<
Object
,
X509Certificate
>
certs
=
new
LinkedHashMap
<
Object
,
X509Certificate
>();
private
LinkedHashMap
<
X500Principal
,
X509Certificate
>
certsMap
=
new
LinkedHashMap
<
X500Principal
,
X509Certificate
>();
private
ArrayList
<
CertEntry
>
certEntries
=
new
ArrayList
<
CertEntry
>();
/**
* Returns the key associated with the given alias, using the given
...
...
@@ -472,6 +465,15 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
KeyEntry
entry
=
new
KeyEntry
();
entry
.
date
=
new
Date
();
try
{
// set the keyId to current date
entry
.
keyId
=
(
"Time "
+
(
entry
.
date
).
getTime
()).
getBytes
(
"UTF8"
);
}
catch
(
UnsupportedEncodingException
ex
)
{
// Won't happen
}
// set the alias
entry
.
alias
=
alias
.
toLowerCase
();
entry
.
protectedPrivKey
=
key
.
clone
();
if
(
chain
!=
null
)
{
entry
.
chain
=
chain
.
clone
();
...
...
@@ -1027,10 +1029,9 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
// All Certs should have a unique friendlyName.
// This change is made to meet NSS requirements.
byte
[]
bagAttrs
=
null
;
String
friendlyName
=
cert
.
getSubjectX500Principal
().
getName
();
if
(
i
==
0
)
{
// Only End-Entity Cert should have a localKeyId.
bagAttrs
=
getBagAttributes
(
friendlyName
,
entry
.
keyId
);
bagAttrs
=
getBagAttributes
(
entry
.
alias
,
entry
.
keyId
);
}
else
{
// Trusted root CA certs and Intermediate CA certs do not
// need to have a localKeyId, and hence localKeyId is null
...
...
@@ -1038,7 +1039,8 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
// NSS pkcs12 library requires trusted CA certs in the
// certificate chain to have unique or null localKeyID.
// However, IE/OpenSSL do not impose this restriction.
bagAttrs
=
getBagAttributes
(
friendlyName
,
null
);
bagAttrs
=
getBagAttributes
(
cert
.
getSubjectX500Principal
().
getName
(),
null
);
}
if
(
bagAttrs
!=
null
)
{
safeBag
.
write
(
bagAttrs
);
...
...
@@ -1333,24 +1335,49 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
if
(
entry
.
keyId
!=
null
)
{
ArrayList
<
X509Certificate
>
chain
=
new
ArrayList
<
X509Certificate
>();
X509Certificate
cert
=
certs
.
get
(
new
KeyId
(
entry
.
keyId
)
);
X509Certificate
cert
=
findMatchedCertificate
(
entry
);
while
(
cert
!=
null
)
{
chain
.
add
(
cert
);
X500Principal
issuerDN
=
cert
.
getIssuerX500Principal
();
if
(
issuerDN
.
equals
(
cert
.
getSubjectX500Principal
()))
{
break
;
}
cert
=
certs
.
get
(
issuerDN
);
cert
=
certs
Map
.
get
(
issuerDN
);
}
/* Update existing KeyEntry in entries table */
if
(
chain
.
size
()
>
0
)
entry
.
chain
=
chain
.
toArray
(
new
Certificate
[
chain
.
size
()]);
}
}
certs
.
clear
();
certEntries
.
clear
();
certsMap
.
clear
();
keyList
.
clear
();
}
/**
* Locates a matched CertEntry from certEntries, and returns its cert.
* @param entry the KeyEntry to match
* @return a certificate, null if not found
*/
private
X509Certificate
findMatchedCertificate
(
KeyEntry
entry
)
{
CertEntry
keyIdMatch
=
null
;
CertEntry
aliasMatch
=
null
;
for
(
CertEntry
ce:
certEntries
)
{
if
(
Arrays
.
equals
(
entry
.
keyId
,
ce
.
keyId
))
{
keyIdMatch
=
ce
;
if
(
entry
.
alias
.
equalsIgnoreCase
(
ce
.
alias
))
{
// Full match!
return
ce
.
cert
;
}
}
else
if
(
entry
.
alias
.
equalsIgnoreCase
(
ce
.
alias
))
{
aliasMatch
=
ce
;
}
}
// keyId match first, for compatibility
if
(
keyIdMatch
!=
null
)
return
keyIdMatch
.
cert
;
else
if
(
aliasMatch
!=
null
)
return
aliasMatch
.
cert
;
else
return
null
;
}
private
void
loadSafeContents
(
DerInputStream
stream
,
char
[]
password
)
throws
IOException
,
NoSuchAlgorithmException
,
CertificateException
...
...
@@ -1491,19 +1518,12 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
keyId
=
"01"
.
getBytes
(
"UTF8"
);
}
}
if
(
keyId
!=
null
)
{
KeyId
keyid
=
new
KeyId
(
keyId
);
if
(!
certs
.
containsKey
(
keyid
))
certs
.
put
(
keyid
,
cert
);
}
if
(
alias
!=
null
)
{
if
(!
certs
.
containsKey
(
alias
))
certs
.
put
(
alias
,
cert
);
}
certEntries
.
add
(
new
CertEntry
(
cert
,
keyId
,
alias
));
X500Principal
subjectDN
=
cert
.
getSubjectX500Principal
();
if
(
subjectDN
!=
null
)
{
if
(!
certs
.
containsKey
(
subjectDN
))
certs
.
put
(
subjectDN
,
cert
);
if
(!
certsMap
.
containsKey
(
subjectDN
))
{
certsMap
.
put
(
subjectDN
,
cert
);
}
}
}
}
...
...
test/sun/security/pkcs12/PKCS12SameKeyId.java
0 → 100644
浏览文件 @
242bd913
/*
* Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 6958026
* @summary Problem with PKCS12 keystore
*/
import
java.io.File
;
import
java.io.FileInputStream
;
import
java.io.FileOutputStream
;
import
java.security.AlgorithmParameters
;
import
java.security.KeyStore
;
import
java.security.cert.Certificate
;
import
java.security.cert.X509Certificate
;
import
javax.crypto.Cipher
;
import
javax.crypto.SecretKey
;
import
javax.crypto.SecretKeyFactory
;
import
javax.crypto.spec.PBEKeySpec
;
import
javax.crypto.spec.PBEParameterSpec
;
import
sun.security.pkcs.EncryptedPrivateKeyInfo
;
import
sun.security.tools.KeyTool
;
import
sun.security.util.ObjectIdentifier
;
import
sun.security.x509.AlgorithmId
;
import
sun.security.x509.X500Name
;
public
class
PKCS12SameKeyId
{
private
static
final
String
JKSFILE
=
"PKCS12SameKeyId.jks"
;
private
static
final
String
P12FILE
=
"PKCS12SameKeyId.p12"
;
private
static
final
char
[]
PASSWORD
=
"changeit"
.
toCharArray
();
private
static
final
int
SIZE
=
10
;
public
static
void
main
(
String
[]
args
)
throws
Exception
{
// Prepare a JKS keystore with many entries
new
File
(
JKSFILE
).
delete
();
for
(
int
i
=
0
;
i
<
SIZE
;
i
++)
{
System
.
err
.
print
(
"."
);
String
cmd
=
"-keystore "
+
JKSFILE
+
" -storepass changeit -keypass changeit "
+
"-genkeypair -alias p"
+
i
+
" -dname CN="
+
i
;
KeyTool
.
main
(
cmd
.
split
(
" "
));
}
// Prepare EncryptedPrivateKeyInfo parameters, copied from various
// places in PKCS12KeyStore.java
AlgorithmParameters
algParams
=
AlgorithmParameters
.
getInstance
(
"PBEWithSHA1AndDESede"
);
algParams
.
init
(
new
PBEParameterSpec
(
"12345678"
.
getBytes
(),
1024
));
AlgorithmId
algid
=
new
AlgorithmId
(
new
ObjectIdentifier
(
"1.2.840.113549.1.12.1.3"
),
algParams
);
PBEKeySpec
keySpec
=
new
PBEKeySpec
(
PASSWORD
);
SecretKeyFactory
skFac
=
SecretKeyFactory
.
getInstance
(
"PBE"
);
SecretKey
skey
=
skFac
.
generateSecret
(
keySpec
);
Cipher
cipher
=
Cipher
.
getInstance
(
"PBEWithSHA1AndDESede"
);
cipher
.
init
(
Cipher
.
ENCRYPT_MODE
,
skey
,
algParams
);
// Pre-calculated keys and certs and aliases
byte
[][]
keys
=
new
byte
[
SIZE
][];
Certificate
[][]
certChains
=
new
Certificate
[
SIZE
][];
String
[]
aliases
=
new
String
[
SIZE
];
// Reads from JKS keystore and pre-calculate
KeyStore
ks
=
KeyStore
.
getInstance
(
"jks"
);
ks
.
load
(
new
FileInputStream
(
JKSFILE
),
PASSWORD
);
for
(
int
i
=
0
;
i
<
SIZE
;
i
++)
{
aliases
[
i
]
=
"p"
+
i
;
byte
[]
enckey
=
cipher
.
doFinal
(
ks
.
getKey
(
aliases
[
i
],
PASSWORD
).
getEncoded
());
keys
[
i
]
=
new
EncryptedPrivateKeyInfo
(
algid
,
enckey
).
getEncoded
();
certChains
[
i
]
=
ks
.
getCertificateChain
(
aliases
[
i
]);
}
// Write into PKCS12 keystore. Use this overloaded version of
// setKeyEntry() to be as fast as possible, so that they would
// have same localKeyId.
KeyStore
p12
=
KeyStore
.
getInstance
(
"pkcs12"
);
p12
.
load
(
null
,
PASSWORD
);
for
(
int
i
=
0
;
i
<
SIZE
;
i
++)
{
p12
.
setKeyEntry
(
aliases
[
i
],
keys
[
i
],
certChains
[
i
]);
}
p12
.
store
(
new
FileOutputStream
(
P12FILE
),
PASSWORD
);
// Check private keys still match certs
p12
=
KeyStore
.
getInstance
(
"pkcs12"
);
p12
.
load
(
new
FileInputStream
(
P12FILE
),
PASSWORD
);
for
(
int
i
=
0
;
i
<
SIZE
;
i
++)
{
String
a
=
"p"
+
i
;
X509Certificate
x
=
(
X509Certificate
)
p12
.
getCertificate
(
a
);
X500Name
name
=
(
X500Name
)
x
.
getSubjectDN
();
if
(!
name
.
getCommonName
().
equals
(
""
+
i
))
{
throw
new
Exception
(
a
+
"'s cert is "
+
name
);
}
}
}
}
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录