Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
openanolis
dragonwell8_jdk
提交
2e77de17
D
dragonwell8_jdk
项目概览
openanolis
/
dragonwell8_jdk
通知
3
Star
2
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
D
dragonwell8_jdk
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
体验新版 GitCode,发现更多精彩内容 >>
提交
2e77de17
编写于
4月 16, 2010
作者:
W
weijun
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
6937978: let keytool -gencert generate the chain
Reviewed-by: mullan
上级
95bef4c2
变更
2
隐藏空白更改
内联
并排
Showing
2 changed file
with
72 addition
and
63 deletion
+72
-63
src/share/classes/sun/security/tools/KeyTool.java
src/share/classes/sun/security/tools/KeyTool.java
+57
-50
test/sun/security/tools/keytool/selfissued.sh
test/sun/security/tools/keytool/selfissued.sh
+15
-13
未找到文件。
src/share/classes/sun/security/tools/KeyTool.java
浏览文件 @
2e77de17
...
...
@@ -1211,6 +1211,14 @@ public final class KeyTool {
X509CertImpl
cert
=
new
X509CertImpl
(
info
);
cert
.
sign
(
privateKey
,
sigAlgName
);
dumpCert
(
cert
,
out
);
for
(
Certificate
ca:
keyStore
.
getCertificateChain
(
alias
))
{
if
(
ca
instanceof
X509Certificate
)
{
X509Certificate
xca
=
(
X509Certificate
)
ca
;
if
(!
isSelfSigned
(
xca
))
{
dumpCert
(
xca
,
out
);
}
}
}
}
/**
...
...
@@ -2640,19 +2648,33 @@ public final class KeyTool {
}
/**
* Returns true if the given certificate is trusted, false otherwise.
* Locates a signer for a given certificate from a given keystore and
* returns the signer's certificate.
* @param cert the certificate whose signer is searched, not null
* @param ks the keystore to search with, not null
* @return <code>cert</code> itself if it's already inside <code>ks</code>,
* or a certificate inside <code>ks</code> who signs <code>cert</code>,
* or null otherwise.
*/
private
boolean
isTrusted
(
Certificate
cert
)
throws
Exception
{
if
(
keyStore
.
getCertificateAlias
(
cert
)
!=
null
)
{
return
true
;
// found in own keystore
private
static
Certificate
getTrustedSigner
(
Certificate
cert
,
KeyStore
ks
)
throws
Exception
{
if
(
ks
.
getCertificateAlias
(
cert
)
!=
null
)
{
return
cert
;
}
if
(
trustcacerts
&&
(
caks
!=
null
)
&&
(
caks
.
getCertificateAlias
(
cert
)
!=
null
))
{
return
true
;
// found in CA keystore
for
(
Enumeration
<
String
>
aliases
=
ks
.
aliases
();
aliases
.
hasMoreElements
();
)
{
String
name
=
aliases
.
nextElement
();
Certificate
trustedCert
=
ks
.
getCertificate
(
name
);
if
(
trustedCert
!=
null
)
{
try
{
cert
.
verify
(
trustedCert
.
getPublicKey
());
return
trustedCert
;
}
catch
(
Exception
e
)
{
// Not verified, skip to the next one
}
}
}
return
false
;
return
null
;
}
/**
...
...
@@ -2985,48 +3007,33 @@ public final class KeyTool {
return
replyCerts
;
}
// do we trust the
(root)
cert at the top?
// do we trust the cert at the top?
Certificate
topCert
=
replyCerts
[
replyCerts
.
length
-
1
];
if
(!
isTrusted
(
topCert
))
{
boolean
verified
=
false
;
Certificate
rootCert
=
null
;
if
(
trustcacerts
&&
(
caks
!=
null
))
{
for
(
Enumeration
<
String
>
aliases
=
caks
.
aliases
();
aliases
.
hasMoreElements
();
)
{
String
name
=
aliases
.
nextElement
();
rootCert
=
caks
.
getCertificate
(
name
);
if
(
rootCert
!=
null
)
{
try
{
topCert
.
verify
(
rootCert
.
getPublicKey
());
verified
=
true
;
break
;
}
catch
(
Exception
e
)
{
}
}
}
Certificate
root
=
getTrustedSigner
(
topCert
,
keyStore
);
if
(
root
==
null
&&
trustcacerts
&&
caks
!=
null
)
{
root
=
getTrustedSigner
(
topCert
,
caks
);
}
if
(
root
==
null
)
{
System
.
err
.
println
();
System
.
err
.
println
(
rb
.
getString
(
"Top-level certificate in reply:\n"
));
printX509Cert
((
X509Certificate
)
topCert
,
System
.
out
);
System
.
err
.
println
();
System
.
err
.
print
(
rb
.
getString
(
"... is not trusted. "
));
String
reply
=
getYesNoReply
(
rb
.
getString
(
"Install reply anyway? [no]: "
));
if
(
"NO"
.
equals
(
reply
))
{
return
null
;
}
if
(!
verified
)
{
System
.
err
.
println
();
System
.
err
.
println
(
rb
.
getString
(
"Top-level certificate in reply:\n"
));
printX509Cert
((
X509Certificate
)
topCert
,
System
.
out
);
System
.
err
.
println
();
System
.
err
.
print
(
rb
.
getString
(
"... is not trusted. "
));
String
reply
=
getYesNoReply
(
rb
.
getString
(
"Install reply anyway? [no]: "
));
if
(
"NO"
.
equals
(
reply
))
{
return
null
;
}
}
else
{
if
(!
isSelfSigned
((
X509Certificate
)
topCert
))
{
// append the (self-signed) root CA cert to the chain
Certificate
[]
tmpCerts
=
new
Certificate
[
replyCerts
.
length
+
1
];
System
.
arraycopy
(
replyCerts
,
0
,
tmpCerts
,
0
,
replyCerts
.
length
);
tmpCerts
[
tmpCerts
.
length
-
1
]
=
rootCert
;
replyCerts
=
tmpCerts
;
}
}
else
{
if
(
root
!=
topCert
)
{
// append the root CA cert to the chain
Certificate
[]
tmpCerts
=
new
Certificate
[
replyCerts
.
length
+
1
];
System
.
arraycopy
(
replyCerts
,
0
,
tmpCerts
,
0
,
replyCerts
.
length
);
tmpCerts
[
tmpCerts
.
length
-
1
]
=
root
;
replyCerts
=
tmpCerts
;
}
}
...
...
test/sun/security/tools/keytool/selfissued.sh
浏览文件 @
2e77de17
#
# Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
# Copyright 2009
-2010
Sun Microsystems, Inc. All Rights Reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
...
...
@@ -22,8 +22,8 @@
#
# @test
# @bug 6825352
# @summary support self-issued certificate in keytool
# @bug 6825352
6937978
# @summary support self-issued certificate in keytool
and let -gencert generate the chain
#
# @run shell selfissued.sh
#
...
...
@@ -50,20 +50,22 @@ KT="$TESTJAVA${FS}bin${FS}keytool -storepass changeit -keypass changeit -keystor
rm
$KS
$KT
-alias
ca
-dname
CN
=
CA
-genkeypair
$KT
-alias
me
-dname
CN
=
CA
-genkeypair
$KT
-alias
ca1
-dname
CN
=
CA
-genkeypair
$KT
-alias
ca2
-dname
CN
=
CA
-genkeypair
$KT
-alias
e1
-dname
CN
=
E1
-genkeypair
$KT
-alias
e2
-dname
CN
=
E2
-genkeypair
# me signed by ca, self-issued
$KT
-alias
me
-certreq
|
$KT
-alias
ca
-gencert
|
$KT
-alias
me
-importcert
# ca signs ca1, ca1 signs ca2, all self-issued
$KT
-alias
ca1
-certreq
|
$KT
-alias
ca
-gencert
-ext
san
=
dns:ca1
\
|
$KT
-alias
ca1
-importcert
$KT
-alias
ca2
-certreq
|
$KT
-alias
ca1
-gencert
-ext
san
=
dns:ca2
\
|
$KT
-alias
ca2
-importcert
# Import e1 signed by me, should add me and ca
$KT
-alias
e1
-certreq
|
$KT
-alias
me
-gencert
|
$KT
-alias
e1
-importcert
# Import e1 signed by ca2, should add ca2 and ca1, at least 3 certs in the chain
$KT
-alias
e1
-certreq
|
$KT
-alias
ca2
-gencert
>
e1.cert
$KT
-alias
ca1
-delete
$KT
-alias
ca2
-delete
cat
e1.cert |
$KT
-alias
e1
-importcert
$KT
-alias
e1
-list
-v
|
grep
'\[3\]'
||
{
echo
Bad E1
;
exit
1
;
}
# Import (e2 signed by me,ca,me), should reorder to (e2,me,ca)
(
$KT
-alias
e2
-certreq
|
$KT
-alias
me
-gencert
;
$KT
-exportcert
-alias
ca
;
$KT
-exportcert
-alias
me
)
|
$KT
-alias
e2
-importcert
$KT
-alias
e2
-list
-v
|
grep
'\[3\]'
||
{
echo
Bad E2
;
exit
1
;
}
echo
Good
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录