security/pkcs12/PKCS12SameKeyId.java

2549N/A/*
2549N/A * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
2549N/A * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
2549N/A *
2549N/A * This code is free software; you can redistribute it and/or modify it
2549N/A * under the terms of the GNU General Public License version 2 only, as
2549N/A * published by the Free Software Foundation.
2549N/A *
2549N/A * This code is distributed in the hope that it will be useful, but WITHOUT
2549N/A * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
2549N/A * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
2549N/A * version 2 for more details (a copy is included in the LICENSE file that
2549N/A * accompanied this code).
2549N/A *
2549N/A * You should have received a copy of the GNU General Public License version
2549N/A * 2 along with this work; if not, write to the Free Software Foundation,
2549N/A * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
2549N/A *
2549N/A * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
2549N/A * or visit www.oracle.com if you need additional information or have any
2549N/A * questions.
2549N/A */
2549N/A
2549N/A/*
2549N/A * @test
2549N/A * @bug 6958026
2549N/A * @summary Problem with PKCS12 keystore
2549N/A */
2549N/A
2549N/Aimport java.io.File;
2549N/Aimport java.io.FileInputStream;
2549N/Aimport java.io.FileOutputStream;
2549N/Aimport java.security.AlgorithmParameters;
2549N/Aimport java.security.KeyStore;
2549N/Aimport java.security.cert.Certificate;
2549N/Aimport java.security.cert.X509Certificate;
2549N/Aimport javax.crypto.Cipher;
2549N/Aimport javax.crypto.SecretKey;
2549N/Aimport javax.crypto.SecretKeyFactory;
2549N/Aimport javax.crypto.spec.PBEKeySpec;
2549N/Aimport javax.crypto.spec.PBEParameterSpec;
2549N/Aimport sun.security.pkcs.EncryptedPrivateKeyInfo;
2549N/Aimport sun.security.tools.KeyTool;
2549N/Aimport sun.security.util.ObjectIdentifier;
2549N/Aimport sun.security.x509.AlgorithmId;
2549N/Aimport sun.security.x509.X500Name;
2549N/A
2549N/Apublic class PKCS12SameKeyId {
2549N/A
2549N/A    private static final String JKSFILE = "PKCS12SameKeyId.jks";
2549N/A    private static final String P12FILE = "PKCS12SameKeyId.p12";
2549N/A    private static final char[] PASSWORD = "changeit".toCharArray();
2549N/A    private static final int SIZE = 10;
2549N/A
2549N/A    public static void main(String[] args) throws Exception {
2549N/A
2549N/A        // Prepare a JKS keystore with many entries
2549N/A        new File(JKSFILE).delete();
2549N/A        for (int i=0; i<SIZE; i++) {
2549N/A            System.err.print(".");
2549N/A            String cmd = "-keystore " + JKSFILE
2549N/A                    + " -storepass changeit -keypass changeit "
2549N/A                    + "-genkeypair -alias p" + i + " -dname CN=" + i;
2549N/A            KeyTool.main(cmd.split(" "));
2549N/A        }
2549N/A
2549N/A        // Prepare EncryptedPrivateKeyInfo parameters, copied from various
2549N/A        // places in PKCS12KeyStore.java
2549N/A        AlgorithmParameters algParams =
2549N/A                AlgorithmParameters.getInstance("PBEWithSHA1AndDESede");
2549N/A        algParams.init(new PBEParameterSpec("12345678".getBytes(), 1024));
2549N/A        AlgorithmId algid = new AlgorithmId(
2549N/A                new ObjectIdentifier("1.2.840.113549.1.12.1.3"), algParams);
2549N/A
2549N/A        PBEKeySpec keySpec = new PBEKeySpec(PASSWORD);
2549N/A        SecretKeyFactory skFac = SecretKeyFactory.getInstance("PBE");
2549N/A        SecretKey skey = skFac.generateSecret(keySpec);
2549N/A
2549N/A        Cipher cipher = Cipher.getInstance("PBEWithSHA1AndDESede");
2549N/A        cipher.init(Cipher.ENCRYPT_MODE, skey, algParams);
2549N/A
2549N/A        // Pre-calculated keys and certs and aliases
2549N/A        byte[][] keys = new byte[SIZE][];
2549N/A        Certificate[][] certChains = new Certificate[SIZE][];
2549N/A        String[] aliases = new String[SIZE];
2549N/A
2549N/A        // Reads from JKS keystore and pre-calculate
2549N/A        KeyStore ks = KeyStore.getInstance("jks");
5361N/A        try (FileInputStream fis = new FileInputStream(JKSFILE)) {
5361N/A            ks.load(fis, PASSWORD);
5361N/A        }
2549N/A        for (int i=0; i<SIZE; i++) {
2549N/A            aliases[i] = "p" + i;
2549N/A            byte[] enckey = cipher.doFinal(
2549N/A                    ks.getKey(aliases[i], PASSWORD).getEncoded());
2549N/A            keys[i] = new EncryptedPrivateKeyInfo(algid, enckey).getEncoded();
2549N/A            certChains[i] = ks.getCertificateChain(aliases[i]);
2549N/A        }
2549N/A
2549N/A        // Write into PKCS12 keystore. Use this overloaded version of
2549N/A        // setKeyEntry() to be as fast as possible, so that they would
2549N/A        // have same localKeyId.
2549N/A        KeyStore p12 = KeyStore.getInstance("pkcs12");
2549N/A        p12.load(null, PASSWORD);
2549N/A        for (int i=0; i<SIZE; i++) {
2549N/A            p12.setKeyEntry(aliases[i], keys[i], certChains[i]);
2549N/A        }
5361N/A        try (FileOutputStream fos = new FileOutputStream(P12FILE)) {
5361N/A            p12.store(fos, PASSWORD);
5361N/A        }
2549N/A
2549N/A        // Check private keys still match certs
2549N/A        p12 = KeyStore.getInstance("pkcs12");
5361N/A        try (FileInputStream fis = new FileInputStream(P12FILE)) {
5361N/A            p12.load(fis, PASSWORD);
5361N/A        }
2549N/A        for (int i=0; i<SIZE; i++) {
2549N/A            String a = "p" + i;
2549N/A            X509Certificate x = (X509Certificate)p12.getCertificate(a);
2549N/A            X500Name name = (X500Name)x.getSubjectDN();
2549N/A            if (!name.getCommonName().equals(""+i)) {
2549N/A                throw new Exception(a + "'s cert is " + name);
2549N/A            }
2549N/A        }
2549N/A    }
2549N/A}