--- test/sun/security/tools/keytool/WeakAlg.java 2021-02-03 20:35:36.721872915 +0100
+++ ../../openjdk-11-dev/test/jdk/sun/security/tools/keytool/WeakAlg.java 2021-01-12 16:45:01.652066082 +0100
@@ -26,20 +26,29 @@
  * @bug 8171319 8177569 8182879 8172404
  * @summary keytool should print out warnings when reading or generating
  *          cert/cert req using weak algorithms
- * @library /lib/testlibrary
+ * @library /test/lib
+ * @modules java.base/sun.security.tools.keytool
+ *          java.base/sun.security.tools
+ *          java.base/sun.security.util
+ * @build jdk.test.lib.SecurityTools
+ *        jdk.test.lib.Utils
+ *        jdk.test.lib.Asserts
+ *        jdk.test.lib.JDKToolFinder
+ *        jdk.test.lib.JDKToolLauncher
+ *        jdk.test.lib.Platform
+ *        jdk.test.lib.process.*
  * @run main/othervm/timeout=600 -Duser.language=en -Duser.country=US WeakAlg
  */
 
-import jdk.testlibrary.Asserts;
-import jdk.testlibrary.SecurityTools;
-import jdk.testlibrary.OutputAnalyzer;
+import jdk.test.lib.Asserts;
+import jdk.test.lib.SecurityTools;
+import jdk.test.lib.process.OutputAnalyzer;
 import sun.security.tools.KeyStoreUtil;
 import sun.security.util.DisabledAlgorithmConstraints;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.File;
-import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.PrintStream;
@@ -57,10 +66,6 @@
 
 public class WeakAlg {
 
-    static String sep = File.separator;
-    static String cacerts_location = System.getProperty("java.home") +
-            sep + "lib" + sep + "security" + sep + "cacerts";
-
     public static void main(String[] args) throws Throwable {
 
         rm("ks");
@@ -219,10 +224,14 @@
 
     static void jksTypeCheck() throws Exception {
 
+        // No warning for cacerts, all certs
+        kt0("-cacerts -list -storepass changeit")
+                .shouldNotContain("proprietary format");
+
         rm("ks");
         rm("ks2");
 
-        kt("-genkeypair -alias a -storetype pkcs12 -dname CN=A")
+        kt("-genkeypair -alias a -dname CN=A")
                 .shouldNotContain("Warning:");
         kt("-list")
                 .shouldNotContain("Warning:");
@@ -246,18 +255,20 @@
                 .shouldContain("JKS keystore uses a proprietary format");
         kt("-list")
                 .shouldContain("JKS keystore uses a proprietary format");
+        kt("-list -storetype pkcs12") // warn if JKS used as PKCS12
+                .shouldContain("JKS keystore uses a proprietary format");
         kt("-exportcert -alias a -file a.crt")
                 .shouldContain("JKS keystore uses a proprietary format");
         kt("-printcert -file a.crt") // no warning if keystore not touched
                 .shouldNotContain("Warning:");
         kt("-certreq -alias a -file a.req")
-                .shouldContain("JKS keystore uses a proprietary format");
+                .shouldContain("JKS keystore uses a proprietary format");
         kt("-printcertreq -file a.req") // no warning if keystore not touched
                 .shouldNotContain("Warning:");
 
-        // Earlier than JDK 9 defaults to JKS
+        // No warning if migrating from JKS
         importkeystore("ks", "ks2", "")
-                .shouldContain("Warning:");
+                .shouldNotContain("Warning:");
         importkeystore("ks", "ks3", "-deststoretype pkcs12")
                 .shouldNotContain("Warning:");
 
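Review bot: The new comment `// No warning for cacerts, all certs` promises more than the assertion under it checks: `shouldNotContain("proprietary format")` only rules out the JKS/JCEKS format warning, so any other keytool warning on cacerts (the weak-signature-algorithm case this file handles separately under `weakSigAlgCA`) would still pass. If the narrower check is intentional, the comment should say so, e.g. `// cacerts holds only certs: must not trigger the proprietary-format warning (other warnings are checked elsewhere)`; if it is not, `shouldNotContain("Warning:")` is the check the comment describes. jksTypeCheck continues past the end of the hunk.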
@@ -266,19 +277,19 @@
 
         kt("-genkeypair -alias a -dname CN=A -storetype jceks")
                 .shouldContain("JCEKS keystore uses a proprietary format");
-        kt("-list -storetype jceks")
+        kt("-list")
                 .shouldContain("JCEKS keystore uses a proprietary format");
-        kt("-importcert -alias b -file a.crt -noprompt -storetype jceks")
+        kt("-importcert -alias b -file a.crt -noprompt")
                 .shouldContain("JCEKS keystore uses a proprietary format");
-        kt("-exportcert -alias a -file a.crt -storetype jceks")
+        kt("-exportcert -alias a -file a.crt")
                 .shouldContain("JCEKS keystore uses a proprietary format");
         kt("-printcert -file a.crt")
                 .shouldNotContain("Warning:");
-        kt("-certreq -alias a -file a.req -storetype jceks")
+        kt("-certreq -alias a -file a.req")
                 .shouldContain("JCEKS keystore uses a proprietary format");
         kt("-printcertreq -file a.req")
                 .shouldNotContain("Warning:");
-        kt("-genseckey -alias c -keyalg AES -keysize 128 -storetype jceks")
+        kt("-genseckey -alias c -keyalg AES -keysize 128")
                 .shouldContain("JCEKS keystore uses a proprietary format");
     }
 
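Review bot: After the first `kt("-genkeypair ... -storetype jceks")`, every command in this hunk drops `-storetype jceks`, so the JCEKS warnings now depend on keytool working out the store type from the file rather than being told it, and nothing in the hunk says that is the intent. A one-line comment above the first call would stop a later reader from "fixing" the flag back in, e.g. `// later commands omit -storetype on purpose: the JCEKS warning must come from keytool detecting the type itself`. The enclosing method starts before the hunk.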
@@ -306,54 +317,51 @@
         // Same type backup
         importkeystore("ks", "ks", "")
                 .shouldContain("Warning:")
-                .shouldMatch(".*ks.old");
+                .shouldMatch("original.*ks.old");
 
         importkeystore("ks", "ks", "")
                 .shouldContain("Warning:")
-                .shouldMatch(".*ks.old2");
+                .shouldMatch("original.*ks.old2");
 
         importkeystore("ks", "ks", "-srcstoretype jks") // it knows real type
                 .shouldContain("Warning:")
-                .shouldMatch(".*ks.old3");
+                .shouldMatch("original.*ks.old3");
 
         String cPath = new File("ks").getCanonicalPath();
 
         importkeystore("ks", cPath, "")
                 .shouldContain("Warning:")
-                .shouldMatch(".*ks.old4");
+                .shouldMatch("original.*ks.old4");
 
         // Migration
         importkeystore("ks", "ks", "-deststoretype jks")
                 .shouldContain("Warning:")
                 .shouldContain("JKS keystore uses a proprietary format")
-                .shouldMatch("The original.*ks.old5");
+                .shouldMatch("Migrated.*JKS.*PKCS12.*ks.old5");
 
-        KeyStore test_ks = KeyStore.getInstance("JKS");
-        test_ks.load(new FileInputStream(new File("ks")),
-                "changeit".toCharArray());
         Asserts.assertEQ(
-                test_ks.getType(), "JKS");
+                KeyStore.getInstance(
+                        new File("ks"), "changeit".toCharArray()).getType(),
+                "JKS");
 
-        importkeystore("ks", "ks", "-deststoretype PKCS12")
+        importkeystore("ks", "ks", "-srcstoretype PKCS12")
                 .shouldContain("Warning:")
                 .shouldNotContain("proprietary format")
-                .shouldMatch("Migrated.*Non.*JKS.*ks.old6");
+                .shouldMatch("Migrated.*PKCS12.*JKS.*ks.old6");
 
-        test_ks = KeyStore.getInstance("PKCS12");
-        test_ks.load(new FileInputStream(new File("ks")),
-                "changeit".toCharArray());
         Asserts.assertEQ(
-                test_ks.getType(), "PKCS12");
+                KeyStore.getInstance(
+                        new File("ks"), "changeit".toCharArray()).getType(),
+                "PKCS12");
 
-        test_ks = KeyStore.getInstance("JKS");
-        test_ks.load(new FileInputStream(new File("ks.old6")),
-                "changeit".toCharArray());
         Asserts.assertEQ(
-                test_ks.getType(), "JKS");
+                KeyStore.getInstance(
+                        new File("ks.old6"), "changeit".toCharArray()).getType(),
+                "JKS");
 
         // One password prompt is enough for migration
         kt0("-importkeystore -srckeystore ks -destkeystore ks", "changeit")
-                .shouldMatch("backed.*ks.old7");
+                .shouldMatch("original.*ks.old7");
 
         // But three if importing to a different keystore
         rm("ks2");
@@ -424,9 +432,9 @@
         if (weakSigAlgCA != null) {
             // The following 2 commands still have a warning on why not using
             // the -cacerts option directly.
-            kt("-list -keystore " + cacerts_location)
+            kt("-list -keystore " + KeyStoreUtil.getCacerts())
                     .shouldNotContain("risk");
-            kt("-list -v -keystore " + cacerts_location)
+            kt("-list -v -keystore " + KeyStoreUtil.getCacerts())
                     .shouldNotContain("risk");
 
             // -printcert will always show warnings
@@ -900,7 +908,7 @@
 
     static OutputAnalyzer genkeypair(String alias, String options) {
         return kt("-genkeypair -alias " + alias + " -dname CN=" + alias
-                + " -keyalg RSA -storetype PKCS12 " + options);
+                + " -storetype PKCS12 " + options);
     }
 
     static OutputAnalyzer certreq(String alias, String options) {
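Review bot: The three `Asserts.assertEQ(KeyStore.getInstance(new File(...), "changeit".toCharArray()).getType(), ...)` blocks added in the `@@ -306` hunk are the same four lines with two values swapped, and the store password is spelled out in each of them; a small helper such as `assertStoreType("ks", "JKS")` makes the call sites read as "keytool wrote the file in format X" and gives the probe one place to be documented. Replacing the `load(new FileInputStream(...))` pairs with `KeyStore.getInstance(File, char[])` also closes the stream the removed lines never closed, which is worth a word in the commit message. The enclosing method starts before this hunk and ends after it.
```java
    // Opens the keystore file, letting KeyStore probe its real format, and
    // asserts keytool left it in the expected store type.
    static void assertStoreType(String file, String type) throws Exception {
        Asserts.assertEQ(
                KeyStore.getInstance(new File(file), "changeit".toCharArray()).getType(),
                type);
    }
```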
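Review bot: `"-list -keystore " + KeyStoreUtil.getCacerts()` in the `@@ -424` hunk joins the cacerts path into the single command string, so if `kt` tokenizes that string on whitespace (its other call sites, which pass several options in one string, suggest it does) a JDK installed under a path containing a space would break both commands here; the removed `cacerts_location` had the same problem, but the new call is where to address it. If the `kt` helper has an array or varargs form, passing the path as its own element avoids the split; otherwise a comment such as `// path is spliced into the command string: breaks if java.home contains a space` records the limitation. The enclosing `if` block starts and ends outside the hunk.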
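Review bot: `genkeypair` in the `@@ -900` hunk no longer passes `-keyalg RSA`, so unless a caller's `options` supplies one, every key pair this helper creates uses whatever key algorithm keytool defaults to in the JDK under test; because the test asserts on the presence and absence of `Warning:` lines, a later change to that default, or a warning about relying on it, would surface here as unrelated failures. If dropping the explicit algorithm is deliberate, say so, e.g. `// no -keyalg on purpose: the test follows keytool's current default key algorithm`; if not, keep `-keyalg RSA` ahead of `options` so callers can still override it.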