Mercurial > hg > openjdk > jdk6 > jdk
changeset 1719:a52e30264abb
8057810: New defaults for DSA keys in jarsigner and keytool
Reviewed-by: coffeys, valeriep
Contributed-by: prasadarao.koppula@oracle.com
author | rpatil |
---|---|
date | Tue, 15 Aug 2017 11:46:02 -0700 |
parents | ce758cf960f3 |
children | 7cb359c0e53c |
files | src/share/classes/sun/security/tools/jarsigner/Main.java src/share/classes/sun/security/tools/keytool/Main.java test/sun/security/tools/jarsigner/DefaultSigalg.java test/sun/security/tools/keytool/KeyToolTest.java test/sun/security/tools/keytool/autotest.sh |
diffstat | 5 files changed, 125 insertions(+), 17 deletions(-) [+] |
line wrap: on
line diff
--- a/src/share/classes/sun/security/tools/jarsigner/Main.java Thu Mar 23 15:00:29 2017 -0700 +++ b/src/share/classes/sun/security/tools/jarsigner/Main.java Tue Aug 15 11:46:02 2017 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -2480,7 +2480,7 @@ if (sigalg == null) { if (keyAlgorithm.equalsIgnoreCase("DSA")) - signatureAlgorithm = "SHA1withDSA"; + signatureAlgorithm = "SHA256withDSA"; else if (keyAlgorithm.equalsIgnoreCase("RSA")) signatureAlgorithm = "SHA256withRSA"; else if (keyAlgorithm.equalsIgnoreCase("EC"))
--- a/src/share/classes/sun/security/tools/keytool/Main.java Thu Mar 23 15:00:29 2017 -0700 +++ b/src/share/classes/sun/security/tools/keytool/Main.java Tue Aug 15 11:46:02 2017 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -1091,8 +1091,9 @@ // If no signature algorithm was specified at the command line, // we choose one that is compatible with the selected private key String keyAlgName = privKey.getAlgorithm(); - if ("DSA".equalsIgnoreCase(keyAlgName) - || "DSS".equalsIgnoreCase(keyAlgName)) { + if ("DSA".equalsIgnoreCase(keyAlgName)) { + sigAlgName = "SHA256WithDSA"; + } else if ("DSS".equalsIgnoreCase(keyAlgName)) { sigAlgName = "SHA1WithDSA"; } else if ("RSA".equalsIgnoreCase(keyAlgName)) { sigAlgName = "SHA1WithRSA";
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/test/sun/security/tools/jarsigner/DefaultSigalg.java Tue Aug 15 11:46:02 2017 -0700 @@ -0,0 +1,106 @@ +/* + * Copyright (c) 2014, 2017, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/** + * @test + * @bug 8057810 + * @summary New defaults for DSA keys in jarsigner and keytool + */ + +import sun.security.pkcs.PKCS7; +import sun.security.util.KeyUtil; + +import java.io.FileInputStream; +import java.io.InputStream; +import java.nio.file.Files; +import java.nio.file.Paths; +import java.security.KeyStore; +import java.security.cert.X509Certificate; +import java.util.jar.JarFile; + +public class DefaultSigalg { + + public static void main(String[] args) throws Exception { + + // Three test cases + String[] keyalgs = {"DSA", "RSA", "EC"}; + // Expected default keytool sigalg + String[] sigalgs = {"SHA256withDSA", "SHA256withRSA", "SHA256withECDSA"}; + // Expected keysizes + int[] keysizes = {2048, 2048, 256}; + // Expected jarsigner digest alg used in signature + String[] digestalgs = {"SHA-256", "SHA-256", "SHA-256"}; + + // Create a jar file + sun.tools.jar.Main m = + new sun.tools.jar.Main(System.out, System.err, "jar"); + Files.write(Paths.get("x"), new byte[10]); + if (!m.run("cvf a.jar x".split(" "))) { + throw new Exception("jar creation failed"); + } + + // Generate keypairs and sign the jar + Files.deleteIfExists(Paths.get("jks")); + for (String keyalg: keyalgs) { + sun.security.tools.keytool.Main.main( + ("-keystore jks -storepass changeit -keypass changeit " + + "-dname CN=A -alias " + keyalg + " -genkeypair " + + "-keyalg " + keyalg).split(" ")); + sun.security.tools.jarsigner.Main.main( + ("-keystore jks -storepass changeit a.jar " + keyalg).split(" ")); + } + + // Check result + KeyStore ks = KeyStore.getInstance("JKS"); + try (FileInputStream jks = new FileInputStream("jks"); + JarFile jf = new JarFile("a.jar")) { + ks.load(jks, null); + for (int i = 0; i<keyalgs.length; i++) { + String keyalg = keyalgs[i]; + // keytool + X509Certificate c = (X509Certificate) ks.getCertificate(keyalg); + String sigalg = c.getSigAlgName(); + if (!sigalg.equals(sigalgs[i])) { + throw new Exception( + "keytool sigalg for " + keyalg + " is " + sigalg); + } + int keysize = KeyUtil.getKeySize(c.getPublicKey()); + if (keysize != keysizes[i]) { + throw new Exception( + "keytool keysize for " + keyalg + " is " + keysize); + } + // jarsigner + String bk = "META-INF/" + keyalg + "." + keyalg; + try (InputStream is = jf.getInputStream(jf.getEntry(bk))) { + String digestalg = new PKCS7(is).getSignerInfos()[0] + .getDigestAlgorithmId().toString(); + if (!digestalg.equals(digestalgs[i])) { + throw new Exception( + "jarsigner digest of sig for " + keyalg + + " is " + digestalg); + } + } + } + } + } +}
--- a/test/sun/security/tools/keytool/KeyToolTest.java Thu Mar 23 15:00:29 2017 -0700 +++ b/test/sun/security/tools/keytool/KeyToolTest.java Tue Aug 15 11:46:02 2017 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2007, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -167,6 +167,13 @@ */ void testOK(String input, String cmd) throws Exception { try { + // Workaround for "8057810: Make SHA256withDSA the default + // jarsigner and keytool algorithm for DSA keys". Unfortunately + // SunPKCS11-NSS does not support SHA256withDSA yet. + if (cmd.contains("p11-nss.txt") && cmd.contains("-genkey") + && !cmd.contains("-keyalg")) { + cmd += " -sigalg SHA1withDSA -keysize 1024"; + } test(input, cmd); } catch(Exception e) { afterFail(input, cmd, "OK"); @@ -242,6 +249,9 @@ * Helper method, print some output after a test does not do as expected */ void afterFail(String input, String cmd, String should) { + if (cmd.contains("p11-nss.txt")) { + cmd = "-J-Dnss.lib=" + System.getProperty("nss.lib") + " " + cmd; + } System.err.println("\nTest fails for the command ---\n" + "keytool " + cmd + "\nOr its debug version ---\n" + "keytool -debug " + cmd); @@ -782,7 +792,7 @@ remove("x.jks.p1.cert"); remove("csr1"); // PrivateKeyEntry can do certreq - testOK("", "-keystore x.jks -storepass changeit -keypass changeit -genkeypair -dname CN=olala"); + testOK("", "-keystore x.jks -storepass changeit -keypass changeit -genkeypair -dname CN=olala -keysize 1024"); testOK("", "-keystore x.jks -storepass changeit -certreq -file csr1 -alias mykey"); testOK("", "-keystore x.jks -storepass changeit -certreq -file csr1"); testOK("", "-keystore x.jks -storepass changeit -certreq -file csr1 -sigalg SHA1withDSA");
--- a/test/sun/security/tools/keytool/autotest.sh Thu Mar 23 15:00:29 2017 -0700 +++ b/test/sun/security/tools/keytool/autotest.sh Tue Aug 15 11:46:02 2017 -0700 @@ -1,5 +1,5 @@ # -# Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2006, 2017, Oracle and/or its affiliates. All rights reserved. # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. # # This code is free software; you can redistribute it and/or modify it @@ -103,13 +103,4 @@ STATUS=$? -rm -f p11-nss.txt -rm -f cert8.db -rm -f key3.db -rm -f secmod.db - -rm HumanInputStream*.class -rm KeyToolTest.class -rm TestException.class - exit ${STATUS}