Merge

65e38ffc · asaha · 4ac119aa · d0675d3e · 65e38ffc · 65e38ffc
8 changed file
--- a/.hgtags
+++ b/.hgtags
@@ -720,6 +720,7 @@ bd40efd56b4544ff9048d2f7be4cf108b281a6f3 jdk8u151-b02
 0efdf2c7a21464e5f3d89474ffdfe81db61031fd jdk8u151-b05
 c6c870e267de694bc85dc4af23a648824063f95b jdk8u151-b06
 84b0fbbfb8d664031a9f5283f79b13b98714cc7f jdk8u151-b07
+8fd79358682edc86abaac1c839486834410be74b jdk8u151-b08
 1442bc728814af451e2dd1a6719a64485d27e3a0 jdk8u122-b00
 f6030acfa5aec0e64d45adfac69b9e7e5c12bc74 jdk8u122-b01
 6b072c3a6db7ab06804c91aab77431799dfb5d47 jdk8u122-b02

--- a/src/share/classes/sun/security/pkcs10/PKCS10.java
+++ b/src/share/classes/sun/security/pkcs10/PKCS10.java
@@ -167,7 +167,8 @@ public class PKCS10 {
        // key and signature algorithm we found.
        //
        try {
-            sig = Signature.getInstance(id.getName());
+            sigAlg = id.getName();
+            sig = Signature.getInstance(sigAlg);
            sig.initVerify(subjectPublicKeyInfo);
            sig.update(data);
            if (!sig.verify(sigData))
@@ -218,6 +219,7 @@ public class PKCS10 {
        signature.update(certificateRequestInfo, 0,
                certificateRequestInfo.length);
        sig = signature.sign();
+        sigAlg = signature.getAlgorithm();

        /*
         * Build guts of SIGNED macro
@@ -250,6 +252,11 @@ public class PKCS10 {
    public PublicKey getSubjectPublicKeyInfo()
        { return subjectPublicKeyInfo; }

+    /**
+     * Returns the signature algorithm.
+     */
+    public String getSigAlg() { return sigAlg; }
+
    /**
     * Returns the additional attributes requested.
     */
@@ -348,6 +355,7 @@ public class PKCS10 {

    private X500Name            subject;
    private PublicKey           subjectPublicKeyInfo;
+    private String              sigAlg;
    private PKCS10Attributes    attributeSet;
    private byte[]              encoded;        // signed
 }
--- a/src/share/classes/sun/security/provider/certpath/BasicChecker.java
+++ b/src/share/classes/sun/security/provider/certpath/BasicChecker.java
@@ -51,7 +51,7 @@ import sun.security.util.Debug;

 /**
 * BasicChecker is a PKIXCertPathChecker that checks the basic information
- * on a PKIX certificate, namely the signature, timestamp, and subject/issuer
+ * on a PKIX certificate, namely the signature, validity, and subject/issuer
 * name chaining.
 *
 * @since       1.4
@@ -125,7 +125,7 @@ class BasicChecker extends PKIXCertPathChecker {
    }

    /**
-     * Performs the signature, timestamp, and subject/issuer name chaining
+     * Performs the signature, validity, and subject/issuer name chaining
     * checks on the certificate using its internal state. This method does
     * not remove any critical extensions from the Collection.
     *
@@ -141,7 +141,7 @@ class BasicChecker extends PKIXCertPathChecker {
        X509Certificate currCert = (X509Certificate)cert;

        if (!sigOnly) {
-            verifyTimestamp(currCert);
+            verifyValidity(currCert);
            verifyNameChaining(currCert);
        }
        verifySignature(currCert);
@@ -177,12 +177,12 @@ class BasicChecker extends PKIXCertPathChecker {
    }

    /**
-     * Internal method to verify the timestamp on a certificate
+     * Internal method to verify the validity on a certificate
     */
-    private void verifyTimestamp(X509Certificate cert)
+    private void verifyValidity(X509Certificate cert)
        throws CertPathValidatorException
    {
-        String msg = "timestamp";
+        String msg = "validity";
        if (debug != null)
            debug.println("---checking " + msg + ":" + date.toString() + "...");


--- a/src/share/classes/sun/security/tools/keytool/Main.java
+++ b/src/share/classes/sun/security/tools/keytool/Main.java
--- a/src/share/classes/sun/security/tools/keytool/Resources.java
+++ b/src/share/classes/sun/security/tools/keytool/Resources.java
@@ -345,8 +345,6 @@ public class Resources extends java.util.ListResourceBundle {
        {"Enter.alias.name.", "Enter alias name:  "},
        {".RETURN.if.same.as.for.otherAlias.",
                "\t(RETURN if same as for <{0}>)"},
-        {".PATTERN.printX509Cert",
-                "Owner: {0}\nIssuer: {1}\nSerial number: {2}\nValid from: {3} until: {4}\nCertificate fingerprints:\n\t MD5:  {5}\n\t SHA1: {6}\n\t SHA256: {7}\n\t Signature algorithm name: {8}\n\t Version: {9}"},
        {"What.is.your.first.and.last.name.",
                "What is your first and last name?"},
        {"What.is.the.name.of.your.organizational.unit.",
@@ -413,16 +411,12 @@ public class Resources extends java.util.ListResourceBundle {
        {"Please.provide.keysize.for.secret.key.generation",
                "Please provide -keysize for secret key generation"},

-        {"verified.by.s.in.s", "Verified by %s in %s"},
        {"warning.not.verified.make.sure.keystore.is.correct",
            "WARNING: not verified. Make sure -keystore is correct."},

        {"Extensions.", "Extensions: "},
        {".Empty.value.", "(Empty value)"},
        {"Extension.Request.", "Extension Request:"},
-        {"PKCS.10.Certificate.Request.Version.1.0.Subject.s.Public.Key.s.format.s.key.",
-                "PKCS #10 Certificate Request (Version 1.0)\n" +
-                "Subject: %s\nPublic Key: %s format %s key\n"},
        {"Unknown.keyUsage.type.", "Unknown keyUsage type: "},
        {"Unknown.extendedkeyUsage.type.", "Unknown extendedkeyUsage type: "},
        {"Unknown.AccessDescription.type.", "Unknown AccessDescription type: "},
@@ -431,7 +425,38 @@ public class Resources extends java.util.ListResourceBundle {
                 "This extension cannot be marked as critical. "},
        {"Odd.number.of.hex.digits.found.", "Odd number of hex digits found: "},
        {"Unknown.extension.type.", "Unknown extension type: "},
-        {"command.{0}.is.ambiguous.", "command {0} is ambiguous:"}
+        {"command.{0}.is.ambiguous.", "command {0} is ambiguous:"},
+
+        // 8171319: keytool should print out warnings when reading or
+        // generating cert/cert req using weak algorithms
+        {"the.certificate.request", "The certificate request"},
+        {"the.issuer", "The issuer"},
+        {"the.generated.certificate", "The generated certificate"},
+        {"the.generated.crl", "The generated CRL"},
+        {"the.generated.certificate.request", "The generated certificate request"},
+        {"the.certificate", "The certificate"},
+        {"the.crl", "The CRL"},
+        {"the.tsa.certificate", "The TSA certificate"},
+        {"the.input", "The input"},
+        {"reply", "Reply"},
+        {"one.in.many", "%s #%d of %d"},
+        {"alias.in.cacerts", "Issuer <%s> in cacerts"},
+        {"alias.in.keystore", "Issuer <%s>"},
+        {"with.weak", "%s (weak)"},
+        {"key.bit", "%d-bit %s key"},
+        {"key.bit.weak", "%d-bit %s key (weak)"},
+        {".PATTERN.printX509Cert.with.weak",
+                "Owner: {0}\nIssuer: {1}\nSerial number: {2}\nValid from: {3} until: {4}\nCertificate fingerprints:\n\t MD5:  {5}\n\t SHA1: {6}\n\t SHA256: {7}\nSignature algorithm name: {8}\nSubject Public Key Algorithm: {9}\nVersion: {10}"},
+        {"PKCS.10.with.weak",
+                "PKCS #10 Certificate Request (Version 1.0)\n" +
+                        "Subject: %s\nFormat: %s\nPublic Key: %s\nSignature algorithm: %s\n"},
+        {"verified.by.s.in.s.weak", "Verified by %s in %s with a %s"},
+        {"whose.sigalg.risk", "%s uses the %s signature algorithm which is considered a security risk."},
+        {"whose.key.risk", "%s uses a %s which is considered a security risk."},
+        {"jks.storetype.warning", "The %1$s keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using \"keytool -importkeystore -srckeystore %2$s -destkeystore %2$s -deststoretype pkcs12\"."},
+        {"migrate.keystore.warning", "Migrated \"%1$s\" to %4$s. The %2$s keystore is backed up as \"%3$s\"."},
+        {"backup.keystore.warning", "The original keystore \"%1$s\" is backed up as \"%3$s\"..."},
+        {"importing.keystore.status", "Importing keystore %1$s to %2$s..."},
    };



--- a/src/share/classes/sun/security/x509/X509CRLImpl.java
+++ b/src/share/classes/sun/security/x509/X509CRLImpl.java
@@ -536,10 +536,15 @@ public class X509CRLImpl extends X509CRL implements DerEncoder {
     * @return value of this CRL in a printable form.
     */
    public String toString() {
+        return toStringWithAlgName("" + sigAlgId);
+    }
+
+    // Specifically created for keytool to append a (weak) label to sigAlg
+    public String toStringWithAlgName(String name) {
        StringBuffer sb = new StringBuffer();
        sb.append("X.509 CRL v" + (version+1) + "\n");
        if (sigAlgId != null)
-            sb.append("Signature Algorithm: " + sigAlgId.toString() +
+            sb.append("Signature Algorithm: " + name.toString() +
                  ", OID=" + (sigAlgId.getOID()).toString() + "\n");
        if (issuer != null)
            sb.append("Issuer: " + issuer.toString() + "\n");

--- a/test/sun/security/tools/keytool/WeakAlg.java
+++ b/test/sun/security/tools/keytool/WeakAlg.java
--- a/test/sun/security/tools/keytool/keyalg.sh
+++ b/test/sun/security/tools/keytool/keyalg.sh
+#
+# Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+
+# @test
+# @bug 8029659
+# @summary Keytool, print key algorithm of certificate or key entry
+#
+
+if [ "${TESTJAVA}" = "" ] ; then
+  JAVAC_CMD=`which javac`
+  TESTJAVA=`dirname $JAVAC_CMD`/..
+fi
+
+TESTTOOLVMOPTS="$TESTTOOLVMOPTS -J-Duser.language=en -J-Duser.country=US"
+
+KS=ks
+KEYTOOL="$TESTJAVA/bin/keytool ${TESTTOOLVMOPTS} -keystore ks -storepass changeit -keypass changeit"
+
+rm $KS 2> /dev/null
+
+$KEYTOOL -genkeypair -alias ca -dname CN=CA -keyalg EC || exit 1
+$KEYTOOL -genkeypair -alias user -dname CN=User -keyalg RSA -keysize 1024 || exit 2
+$KEYTOOL -certreq -alias user |
+        $KEYTOOL -gencert -alias ca -rfc -sigalg SHA1withECDSA |
+        $KEYTOOL -printcert > user.dump || exit 3
+
+cat user.dump | grep "Signature algorithm name:" | grep SHA1withECDSA || exit 4
+cat user.dump | grep "Subject Public Key Algorithm:" | grep RSA | grep 1024 || exit 5
+