Mercurial > hg > openjdk > bsd-port > jdk
changeset 8807:b531b441e3c3
8057810: New defaults for DSA keys in jarsigner and keytool
Reviewed-by: coffeys, valeriep
Contributed-by: prasadarao.koppula@oracle.com
author | rpatil |
---|---|
date | Wed, 22 Nov 2017 03:12:34 +0000 |
parents | f468fe784056 |
children | a50328748e05 |
files | src/share/classes/sun/security/tools/jarsigner/Main.java src/share/classes/sun/security/tools/keytool/Main.java test/sun/security/tools/jarsigner/DefaultSigalg.java test/sun/security/tools/keytool/KeyToolTest.java test/sun/security/tools/keytool/autotest.sh test/sun/security/tools/keytool/standard.sh |
diffstat | 6 files changed, 125 insertions(+), 21 deletions(-) [+] |
line wrap: on
line diff
--- a/src/share/classes/sun/security/tools/jarsigner/Main.java Tue Nov 21 23:14:09 2017 +0000 +++ b/src/share/classes/sun/security/tools/jarsigner/Main.java Wed Nov 22 03:12:34 2017 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -2517,7 +2517,7 @@ if (sigalg == null) { if (keyAlgorithm.equalsIgnoreCase("DSA")) - signatureAlgorithm = "SHA1withDSA"; + signatureAlgorithm = "SHA256withDSA"; else if (keyAlgorithm.equalsIgnoreCase("RSA")) signatureAlgorithm = "SHA256withRSA"; else if (keyAlgorithm.equalsIgnoreCase("EC"))
--- a/src/share/classes/sun/security/tools/keytool/Main.java Tue Nov 21 23:14:09 2017 +0000 +++ b/src/share/classes/sun/security/tools/keytool/Main.java Wed Nov 22 03:12:34 2017 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -1596,7 +1596,7 @@ private static String getCompatibleSigAlgName(String keyAlgName) throws Exception { if ("DSA".equalsIgnoreCase(keyAlgName)) { - return "SHA1WithDSA"; + return "SHA256WithDSA"; } else if ("RSA".equalsIgnoreCase(keyAlgName)) { return "SHA256WithRSA"; } else if ("EC".equalsIgnoreCase(keyAlgName)) {
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/test/sun/security/tools/jarsigner/DefaultSigalg.java Wed Nov 22 03:12:34 2017 +0000 @@ -0,0 +1,107 @@ +/* + * Copyright (c) 2014, 2017, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/** + * @test + * @bug 8057810 + * @summary New defaults for DSA keys in jarsigner and keytool + * @compile -XDignore.symbol.file DefaultSigalg.java + */ + +import sun.security.pkcs.PKCS7; +import sun.security.util.KeyUtil; + +import java.io.FileInputStream; +import java.io.InputStream; +import java.nio.file.Files; +import java.nio.file.Paths; +import java.security.KeyStore; +import java.security.cert.X509Certificate; +import java.util.jar.JarFile; + +public class DefaultSigalg { + + public static void main(String[] args) throws Exception { + + // Three test cases + String[] keyalgs = {"DSA", "RSA", "EC"}; + // Expected default keytool sigalg + String[] sigalgs = {"SHA256withDSA", "SHA256withRSA", "SHA256withECDSA"}; + // Expected keysizes + int[] keysizes = {2048, 2048, 256}; + // Expected jarsigner digest alg used in signature + String[] digestalgs = {"SHA-256", "SHA-256", "SHA-256"}; + + // Create a jar file + sun.tools.jar.Main m = + new sun.tools.jar.Main(System.out, System.err, "jar"); + Files.write(Paths.get("x"), new byte[10]); + if (!m.run("cvf a.jar x".split(" "))) { + throw new Exception("jar creation failed"); + } + + // Generate keypairs and sign the jar + Files.deleteIfExists(Paths.get("jks")); + for (String keyalg: keyalgs) { + sun.security.tools.keytool.Main.main( + ("-keystore jks -storepass changeit -keypass changeit " + + "-dname CN=A -alias " + keyalg + " -genkeypair " + + "-keyalg " + keyalg).split(" ")); + sun.security.tools.jarsigner.Main.main( + ("-keystore jks -storepass changeit a.jar " + keyalg).split(" ")); + } + + // Check result + KeyStore ks = KeyStore.getInstance("JKS"); + try (FileInputStream jks = new FileInputStream("jks"); + JarFile jf = new JarFile("a.jar")) { + ks.load(jks, null); + for (int i = 0; i<keyalgs.length; i++) { + String keyalg = keyalgs[i]; + // keytool + X509Certificate c = (X509Certificate) ks.getCertificate(keyalg); + String sigalg = c.getSigAlgName(); + if (!sigalg.equals(sigalgs[i])) { + throw new Exception( + "keytool sigalg for " + keyalg + " is " + sigalg); + } + int keysize = KeyUtil.getKeySize(c.getPublicKey()); + if (keysize != keysizes[i]) { + throw new Exception( + "keytool keysize for " + keyalg + " is " + keysize); + } + // jarsigner + String bk = "META-INF/" + keyalg + "." + keyalg; + try (InputStream is = jf.getInputStream(jf.getEntry(bk))) { + String digestalg = new PKCS7(is).getSignerInfos()[0] + .getDigestAlgorithmId().toString(); + if (!digestalg.equals(digestalgs[i])) { + throw new Exception( + "jarsigner digest of sig for " + keyalg + + " is " + digestalg); + } + } + } + } + } +}
--- a/test/sun/security/tools/keytool/KeyToolTest.java Tue Nov 21 23:14:09 2017 +0000 +++ b/test/sun/security/tools/keytool/KeyToolTest.java Wed Nov 22 03:12:34 2017 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2009, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -170,6 +170,13 @@ */ void testOK(String input, String cmd) throws Exception { try { + // Workaround for "8057810: Make SHA256withDSA the default + // jarsigner and keytool algorithm for DSA keys". Unfortunately + // SunPKCS11-NSS does not support SHA256withDSA yet. + if (cmd.contains("p11-nss.txt") && cmd.contains("-genkey") + && !cmd.contains("-keyalg")) { + cmd += " -sigalg SHA1withDSA -keysize 1024"; + } test(input, cmd); } catch(Exception e) { afterFail(input, cmd, "OK"); @@ -245,6 +252,9 @@ * Helper method, print some output after a test does not do as expected */ void afterFail(String input, String cmd, String should) { + if (cmd.contains("p11-nss.txt")) { + cmd = "-J-Dnss.lib=" + System.getProperty("nss.lib") + " " + cmd; + } System.err.println("\nTest fails for the command ---\n" + "keytool " + cmd + "\nOr its debug version ---\n" + "keytool -debug " + cmd); @@ -794,7 +804,7 @@ remove("x.jks.p1.cert"); remove("csr1"); // PrivateKeyEntry can do certreq - testOK("", "-keystore x.jks -storepass changeit -keypass changeit -genkeypair -dname CN=olala"); + testOK("", "-keystore x.jks -storepass changeit -keypass changeit -genkeypair -dname CN=olala -keysize 1024"); testOK("", "-keystore x.jks -storepass changeit -certreq -file csr1 -alias mykey"); testOK("", "-keystore x.jks -storepass changeit -certreq -file csr1"); testOK("", "-keystore x.jks -storepass changeit -certreq -file csr1 -sigalg SHA1withDSA");
--- a/test/sun/security/tools/keytool/autotest.sh Tue Nov 21 23:14:09 2017 +0000 +++ b/test/sun/security/tools/keytool/autotest.sh Wed Nov 22 03:12:34 2017 +0000 @@ -1,5 +1,5 @@ # -# Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2006, 2017, Oracle and/or its affiliates. All rights reserved. # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. # # This code is free software; you can redistribute it and/or modify it @@ -100,13 +100,4 @@ KeyToolTest status=$? -rm -f p11-nss.txt -rm -f cert8.db -rm -f key3.db -rm -f secmod.db - -rm HumanInputStream*.class -rm KeyToolTest*.class -rm TestException.class - exit $status
--- a/test/sun/security/tools/keytool/standard.sh Tue Nov 21 23:14:09 2017 +0000 +++ b/test/sun/security/tools/keytool/standard.sh Wed Nov 22 03:12:34 2017 +0000 @@ -1,5 +1,5 @@ # -# Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2009, 2017, Oracle and/or its affiliates. All rights reserved. # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. # # This code is free software; you can redistribute it and/or modify it @@ -61,9 +61,5 @@ echo | ${TESTJAVA}${FS}bin${FS}java ${TESTVMOPTS} -Dfile KeyToolTest status=$? -rm HumanInputStream*.class -rm KeyToolTest*.class -rm TestException.class - exit $status