OpenJDK / jdk / jdk
changeset 59886:f37be32c7662
8244148: keytool -printcert and -printcrl should support the -trustcacerts and -keystore options
Reviewed-by: weijun, jjiang
line wrap: on
line diff
--- a/src/java.base/share/classes/sun/security/ssl/TrustStoreManager.java Tue Jun 23 10:07:10 2020 +0200 +++ b/src/java.base/share/classes/sun/security/ssl/TrustStoreManager.java Tue Jun 23 16:30:38 2020 +0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -32,6 +32,7 @@ import java.util.*; import java.util.concurrent.locks.ReentrantLock; import sun.security.action.*; +import sun.security.util.FilePaths; import sun.security.validator.TrustStoreUtil; /** @@ -76,8 +77,7 @@ private static final String defaultStorePath = GetPropertyAction.privilegedGetProperty("java.home") + fileSep + "lib" + fileSep + "security"; - private static final String defaultStore = - defaultStorePath + fileSep + "cacerts"; + private static final String defaultStore = FilePaths.cacerts(); private static final String jsseDefaultStore = defaultStorePath + fileSep + "jssecacerts";
--- a/src/java.base/share/classes/sun/security/tools/KeyStoreUtil.java Tue Jun 23 10:07:10 2020 +0200 +++ b/src/java.base/share/classes/sun/security/tools/KeyStoreUtil.java Tue Jun 23 16:30:38 2020 +0800 @@ -51,6 +51,7 @@ import java.util.ResourceBundle; import java.util.ServiceLoader; +import sun.security.util.FilePaths; import sun.security.util.PropertyExpander; /** @@ -110,10 +111,7 @@ * Returns the file name of the keystore with the configured CA certificates. */ public static String getCacerts() { - String sep = File.separator; - return System.getProperty("java.home") + sep - + "lib" + sep + "security" + sep - + "cacerts"; + return FilePaths.cacerts(); } /**
--- a/src/java.base/share/classes/sun/security/tools/keytool/Main.java Tue Jun 23 10:07:10 2020 +0200 +++ b/src/java.base/share/classes/sun/security/tools/keytool/Main.java Tue Jun 23 16:30:38 2020 +0800 @@ -260,12 +260,15 @@ PROVIDERPATH, V, PROTECTED), PRINTCERT("Prints.the.content.of.a.certificate", RFC, FILEIN, SSLSERVER, JARFILE, + KEYSTORE, STOREPASS, STORETYPE, TRUSTCACERTS, PROVIDERNAME, ADDPROVIDER, PROVIDERCLASS, - PROVIDERPATH, V), + PROVIDERPATH, V, PROTECTED), PRINTCERTREQ("Prints.the.content.of.a.certificate.request", FILEIN, V), PRINTCRL("Prints.the.content.of.a.CRL.file", - FILEIN, V), + FILEIN, KEYSTORE, STOREPASS, STORETYPE, TRUSTCACERTS, + PROVIDERNAME, ADDPROVIDER, PROVIDERCLASS, PROVIDERPATH, + V, PROTECTED), STOREPASSWD("Changes.the.store.password.of.a.keystore", NEW, KEYSTORE, CACERTS, STOREPASS, STORETYPE, PROVIDERNAME, ADDPROVIDER, PROVIDERCLASS, PROVIDERPATH, V), @@ -719,7 +722,7 @@ } boolean isKeyStoreRelated(Command cmd) { - return cmd != PRINTCERT && cmd != PRINTCERTREQ && cmd != SHOWINFO; + return cmd != PRINTCERTREQ && cmd != SHOWINFO; } /** @@ -904,14 +907,15 @@ } catch (FileNotFoundException e) { // These commands do not need the keystore to be existing. // Either it will create a new one or the keystore is - // optional (i.e. PRINTCRL). + // optional (i.e. PRINTCRL and PRINTCERT). if (command != GENKEYPAIR && command != GENSECKEY && command != IDENTITYDB && command != IMPORTCERT && command != IMPORTPASS && command != IMPORTKEYSTORE && - command != PRINTCRL) { + command != PRINTCRL && + command != PRINTCERT) { throw new Exception(rb.getString ("Keystore.file.does.not.exist.") + ksfname); } @@ -1073,7 +1077,7 @@ } } else { // here we have EXPORTCERT and LIST (info valid until STOREPASSWD) - if (command != PRINTCRL) { + if (command != PRINTCRL && command != PRINTCERT) { System.err.print(rb.getString("Enter.keystore.password.")); System.err.flush(); storePass = Password.readPassword(System.in); @@ -1108,10 +1112,10 @@ } } - // -trustcacerts can only be specified on -importcert. - // Reset it so that warnings on CA cert will remain for - // -printcert, etc. - if (command != IMPORTCERT) { + // -trustcacerts can be specified on -importcert, -printcert or -printcrl. + // Reset it so that warnings on CA cert will remain for other command. + if (command != IMPORTCERT && command != PRINTCERT + && command != PRINTCRL) { trustcacerts = false; } @@ -2442,27 +2446,6 @@ } } - private static <T> Iterable<T> e2i(final Enumeration<T> e) { - return new Iterable<T>() { - @Override - public Iterator<T> iterator() { - return new Iterator<T>() { - @Override - public boolean hasNext() { - return e.hasMoreElements(); - } - @Override - public T next() { - return e.nextElement(); - } - public void remove() { - throw new UnsupportedOperationException("Not supported yet."); - } - }; - } - }; - } - /** * Loads CRLs from a source. This method is also called in JarSigner. * @param src the source, which means System.in if null, or a URI, @@ -2556,7 +2539,7 @@ throws Exception { X509CRLImpl xcrl = (X509CRLImpl)crl; X500Principal issuer = xcrl.getIssuerX500Principal(); - for (String s: e2i(ks.aliases())) { + for (String s: Collections.list(ks.aliases())) { Certificate cert = ks.getCertificate(s); if (cert instanceof X509Certificate) { X509Certificate xcert = (X509Certificate)cert; @@ -2605,8 +2588,13 @@ if (issuer == null) { out.println(rb.getString ("STAR")); - out.println(rb.getString - ("warning.not.verified.make.sure.keystore.is.correct")); + if (trustcacerts) { + out.println(rb.getString + ("warning.not.verified.make.sure.keystore.is.correct")); + } else { + out.println(rb.getString + ("warning.not.verified.make.sure.keystore.is.correct.or.specify.trustcacerts")); + } out.println(rb.getString ("STARNN")); }
--- a/src/java.base/share/classes/sun/security/tools/keytool/Resources.java Tue Jun 23 10:07:10 2020 +0200 +++ b/src/java.base/share/classes/sun/security/tools/keytool/Resources.java Tue Jun 23 16:30:38 2020 +0800 @@ -429,6 +429,8 @@ {"warning.not.verified.make.sure.keystore.is.correct", "WARNING: not verified. Make sure -keystore is correct."}, + {"warning.not.verified.make.sure.keystore.is.correct.or.specify.trustcacerts", + "WARNING: not verified. Make sure -keystore is correct or specify -trustcacerts."}, {"Extensions.", "Extensions: "}, {".Empty.value.", "(Empty value)"},
--- a/src/java.base/share/classes/sun/security/util/AnchorCertificates.java Tue Jun 23 10:07:10 2020 +0200 +++ b/src/java.base/share/classes/sun/security/util/AnchorCertificates.java Tue Jun 23 16:30:38 2020 +0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2016, 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -36,7 +36,6 @@ import java.util.HashSet; import java.util.Set; -import jdk.internal.util.StaticProperty; import sun.security.x509.X509CertImpl; /** @@ -53,10 +52,9 @@ AccessController.doPrivileged(new PrivilegedAction<Void>() { @Override public Void run() { - File f = new File(StaticProperty.javaHome(), - "lib/security/cacerts"); - KeyStore cacerts; + File f = new File(FilePaths.cacerts()); try { + KeyStore cacerts; cacerts = KeyStore.getInstance("JKS"); try (FileInputStream fis = new FileInputStream(f)) { cacerts.load(fis, null);
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/java.base/share/classes/sun/security/util/FilePaths.java Tue Jun 23 16:30:38 2020 +0800 @@ -0,0 +1,37 @@ +/* + * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.util; + +import jdk.internal.util.StaticProperty; + +import java.io.File; + +public class FilePaths { + public static String cacerts() { + return StaticProperty.javaHome() + File.separator + "lib" + + File.separator + "security" + File.separator + "cacerts"; + } +}
--- a/test/jdk/sun/security/tools/keytool/WeakAlg.java Tue Jun 23 10:07:10 2020 +0200 +++ b/test/jdk/sun/security/tools/keytool/WeakAlg.java Tue Jun 23 16:30:38 2020 +0800 @@ -259,8 +259,8 @@ .shouldContain("JKS keystore uses a proprietary format"); kt("-exportcert -alias a -file a.crt") .shouldContain("JKS keystore uses a proprietary format"); - kt("-printcert -file a.crt") // no warning if keystore not touched - .shouldNotContain("Warning:"); + kt("-printcert -file a.crt") // warning since -keystore option is supported + .shouldContain("JKS keystore uses a proprietary format"); kt("-certreq -alias a -file a.req") .shouldContain("JKS keystore uses a proprietary format"); kt("-printcertreq -file a.req") // no warning if keystore not touched @@ -283,8 +283,8 @@ .shouldContain("JCEKS keystore uses a proprietary format"); kt("-exportcert -alias a -file a.crt") .shouldContain("JCEKS keystore uses a proprietary format"); - kt("-printcert -file a.crt") - .shouldNotContain("Warning:"); + kt("-printcert -file a.crt") // warning since -keystore option is supported + .shouldContain("JCEKS keystore uses a proprietary format"); kt("-certreq -alias a -file a.req") .shouldContain("JCEKS keystore uses a proprietary format"); kt("-printcertreq -file a.req")
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/test/jdk/sun/security/tools/keytool/fakecacerts/MyOwnCacerts.java Tue Jun 23 16:30:38 2020 +0800 @@ -0,0 +1,65 @@ +/* + * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test + * @bug 8244148 + * @library /test/lib + * @library /test/jdk/sun/security/util/module_patch + * @build java.base/sun.security.util.FilePaths + * @modules java.base/jdk.internal.misc + * @run main MyOwnCacerts + */ + +import jdk.test.lib.SecurityTools; +import jdk.test.lib.process.OutputAnalyzer; + +public class MyOwnCacerts { + + // The --patch-module must be explicitly specified on the keytool + // command line because it's in a separate process + private static final String PATCH_OPTION; + + static { + String tmp = ""; + for (String a : jdk.internal.misc.VM.getRuntimeArguments()) { + if (a.startsWith("--patch-module")) { + tmp = "-J" + a + " "; + break; + } + } + PATCH_OPTION = tmp; + } + + public static void main(String[] args) throws Exception { + kt("-keystore mycacerts -genkeypair -alias a" + + " -dname CN=root -keyalg EC -storepass changeit") + .shouldContain("Warning: use -cacerts option"); + kt("-list -cacerts -storepass changeit") + .shouldContain("Your keystore contains 1 entry"); + } + + static OutputAnalyzer kt(String s) throws Exception { + return SecurityTools.keytool(PATCH_OPTION + s); + } +}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/test/jdk/sun/security/tools/keytool/fakecacerts/TrustedCRL.java Tue Jun 23 16:30:38 2020 +0800 @@ -0,0 +1,101 @@ +/* + * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test + * @bug 8244148 + * @summary Test keytool -printcrl with -keystore and -trustcacerts options + * @library /test/lib + * @library /test/jdk/sun/security/util/module_patch + * @build java.base/sun.security.util.FilePaths + * @modules java.base/sun.security.util + * java.base/jdk.internal.misc + * @run main TrustedCRL + */ + +import jdk.test.lib.SecurityTools; +import jdk.test.lib.process.OutputAnalyzer; +import jdk.test.lib.security.KeyStoreUtils; + +import java.io.File; +import java.io.IOException; +import java.nio.file.Files; +import java.nio.file.Paths; + +public class TrustedCRL { + + // The --patch-module must be explicitly specified on the keytool + // command line because it's in a separate process + private static final String PATCH_OPTION; + + static { + String tmp = ""; + for (String a : jdk.internal.misc.VM.getRuntimeArguments()) { + if (a.startsWith("--patch-module")) { + tmp = "-J" + a + " "; + break; + } + } + PATCH_OPTION = tmp; + } + + static OutputAnalyzer kt(String cmd) throws Exception { + return SecurityTools.keytool(cmd + " -keystore ks" + + " -storepass changeit") + .shouldHaveExitValue(0); + } + + static OutputAnalyzer patchcmd(String cmd, String options) + throws Exception { + return kt(PATCH_OPTION + " -" + cmd + " " + options); + } + + static void rm(String s) throws IOException { + System.out.println("---------------------------------------------"); + System.out.println("$ rm " + s); + Files.deleteIfExists(Paths.get(s)); + } + + public static void main(String[] args) throws Exception { + + // Test -printcrl with root CA in cacerts keystore + kt("-genkeypair -alias myca -dname CN=CA -keyalg RSA" + + " -keysize 1024 -sigalg SHA1withRSA"); + + kt("-exportcert -alias myca -rfc -file ca.pem"); + + // import root CA to mycacerts keystore + KeyStoreUtils.createCacerts("mycacerts", "ca.pem"); + + kt("-gencrl -alias myca -id 0 -file ca.crl -sigalg MD5withRSA"); + + patchcmd("printcrl", "-file ca.crl -trustcacerts") + .shouldMatch("Verified by.*in cacerts"); + + // Test -printcrl with root CA in local keystore + kt("-gencrl -alias myca -id 0 -file ca.crl"); + + kt("-printcrl -file ca.crl") + .shouldMatch("Verified by.*in keystore"); + } +}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/test/jdk/sun/security/tools/keytool/fakecacerts/TrustedCert.java Tue Jun 23 16:30:38 2020 +0800 @@ -0,0 +1,161 @@ +/* + * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test + * @bug 8244148 + * @summary Test keytool -printcert with -keystore and -trustcacerts options + * @library /test/lib + * @library /test/jdk/sun/security/util/module_patch + * @build java.base/sun.security.util.FilePaths + * @modules java.base/sun.security.util + * java.base/jdk.internal.misc + * @run main TrustedCert + */ + +import jdk.test.lib.SecurityTools; +import jdk.test.lib.process.OutputAnalyzer; +import jdk.test.lib.security.KeyStoreUtils; + +import java.io.ByteArrayOutputStream; +import java.io.File; +import java.io.IOException; +import java.nio.file.Files; +import java.nio.file.Paths; + +public class TrustedCert { + + // The --patch-module must be explicitly specified on the keytool + // command line because it's in a separate process + private static final String PATCH_OPTION; + + static { + String tmp = ""; + for (String a : jdk.internal.misc.VM.getRuntimeArguments()) { + if (a.startsWith("--patch-module")) { + tmp = "-J" + a + " "; + break; + } + } + PATCH_OPTION = tmp; + } + + static OutputAnalyzer kt(String cmd, String ks) throws Exception { + return SecurityTools.keytool(cmd + " -keystore " + ks + + " -storepass changeit") + .shouldHaveExitValue(0); + } + + static OutputAnalyzer kt1(String cmd, String ks) throws Exception { + return SecurityTools.keytool(cmd + " -keystore " + ks + + " -storepass changeit") + .shouldNotHaveExitValue(0); + } + + static OutputAnalyzer patchcmd(String cmd, String options, String ks, + boolean nonzero) throws Exception { + if (nonzero) { + return kt1(PATCH_OPTION + " -" + cmd + " " + options, ks); + } else { + return kt(PATCH_OPTION + " -" + cmd + " " + options, ks); + } + } + + static void rm(String s) throws IOException { + System.out.println("---------------------------------------------"); + System.out.println("$ rm " + s); + Files.deleteIfExists(Paths.get(s)); + } + + private static void cat(String dest, String... src) throws IOException { + System.out.println("---------------------------------------------"); + System.out.printf("$ cat "); + + ByteArrayOutputStream bout = new ByteArrayOutputStream(); + for (String s : src) { + System.out.printf(s + " "); + bout.write(Files.readAllBytes(Paths.get(s))); + } + Files.write(Paths.get(dest), bout.toByteArray()); + System.out.println("> " + dest); + } + + public static void main(String[] args) throws Exception { + + // Test -printcert with root CA in local keystore + kt("-genkeypair -keyalg rsa -keysize 1024 -sigalg SHA1withRSA " + + "-dname CN=ROOT -ext bc:c", "root.jks"); + kt("-genkeypair -keyalg RSA -dname CN=CA -ext bc:c", "ca.jks"); + kt("-genkeypair -keyalg RSA -dname CN=SERVER", "server.jks"); + + kt("-exportcert -rfc -file root.pem", "root.jks"); + kt("-importcert -alias root -file root.pem -noprompt", "ca.jks"); + kt("-importcert -alias root -file root.pem -noprompt", "server.jks"); + + kt("-certreq -file ca.req", "ca.jks"); + kt("-gencert -ext BC=0 -rfc -infile ca.req -outfile ca.pem", "root.jks"); + kt("-importcert -file ca.pem", "ca.jks"); + + kt("-certreq -file server.req", "server.jks"); + kt("-gencert -ext ku:c=dig,keyEncipherment -rfc -infile server.req " + + "-outfile server.pem", "ca.jks"); + kt("-importcert -file server.pem", "server.jks"); + + cat("fullchain.pem", "server.pem", "root.pem"); + kt("-printcert -file fullchain.pem ", "server.jks") + .shouldNotMatch("SHA1withRSA signature algorithm.*security risk") + .shouldMatch("1024-bit RSA key.*security risk"); + + rm("ca.jks"); + rm("server.jks"); + rm("mycacerts"); + + // Test -printcert with root CA in cacerts keystore + kt("-genkeypair -keyalg RSA -dname CN=CA -ext bc:c", "ca.jks"); + kt("-genkeypair -keyalg RSA -dname CN=SERVER", "server.jks"); + + // import root CA to mycacerts keystore + KeyStoreUtils.createCacerts("mycacerts", "root.pem"); + + kt("-certreq -file ca.req", "ca.jks"); + kt("-gencert -ext BC=0 -rfc -infile ca.req -outfile ca.pem", "root.jks"); + + patchcmd("importcert", "-file ca.pem", "ca.jks", true); + patchcmd("importcert", "-file ca.pem -trustcacerts", "ca.jks", false); + + kt("-certreq -file server.req", "server.jks"); + kt("-gencert -ext ku:c=dig,keyEncipherment -rfc -infile server.req " + + "-outfile server.pem", "ca.jks"); + kt("-importcert -file server.pem -noprompt", "server.jks"); + + cat("fullchain.pem", "server.pem", "root.pem"); + + patchcmd("-printcert", "-file fullchain.pem -trustcacerts", "server.jks", false) + .shouldNotMatch("SHA1withRSA signature algorithm.*security risk") + .shouldMatch("1024-bit RSA key.*security risk"); + + patchcmd("-printcert", "-file fullchain.pem", "server.jks", false) + .shouldMatch("SHA1withRSA signature algorithm.*security risk") + .shouldMatch("1024-bit RSA key.*security risk"); + } +}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/test/jdk/sun/security/util/module_patch/java.base/sun/security/util/FilePaths.java Tue Jun 23 16:30:38 2020 +0800 @@ -0,0 +1,35 @@ +/* + * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.util; + +import jdk.internal.util.StaticProperty; + +import java.io.File; + +// This is a patched version +public class FilePaths { + public static String cacerts() { + return System.getProperty("test.cacerts", "mycacerts"); + } +}
--- a/test/lib/jdk/test/lib/security/KeyStoreUtils.java Tue Jun 23 10:07:10 2020 +0200 +++ b/test/lib/jdk/test/lib/security/KeyStoreUtils.java Tue Jun 23 16:30:38 2020 +0800 @@ -23,12 +23,15 @@ package jdk.test.lib.security; +import java.io.*; import java.io.ByteArrayInputStream; import java.io.FileInputStream; import java.io.InputStream; import java.security.KeyStore; import java.security.PrivateKey; import java.security.cert.Certificate; +import java.security.cert.CertificateFactory; +import java.security.KeyStore; import java.util.ArrayList; import java.util.Base64; import java.util.List; @@ -289,4 +292,25 @@ new String[] { CertUtils.DSA_CERT })); return createKeyStore(entries.toArray(new KeyEntry[entries.size()])); } + + /** + * Creates cacerts keystore with the trusted certificate(s) + * @param args arguments to cacerts keystore name and trusted certificates + * @throws Exception if there is an error + * + */ + public static void createCacerts(String ks, String... crts) throws Exception { + try (OutputStream os = new FileOutputStream(ks)) { + KeyStore k = KeyStore.getInstance("JKS"); + k.load(null, null); + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + for (int pos = 0; pos < crts.length; pos++) { + try (InputStream is = new FileInputStream(crts[pos])) { + k.setCertificateEntry("root" + pos, + cf.generateCertificate(is)); + } + } + k.store(os, "changeit".toCharArray()); + } + } }