1 /* 2 * Copyright (c) 2005, 2020, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.tools; 27 28 29 import java.io.BufferedReader; 30 import java.io.File; 31 import java.io.FileInputStream; 32 import java.io.IOException; 33 import java.io.InputStreamReader; 34 35 import java.io.StreamTokenizer; 36 import java.io.StringReader; 37 import java.net.URL; 38 39 import java.security.KeyStore; 40 41 import java.security.Provider; 42 import java.security.Security; 43 import java.security.cert.X509Certificate; 44 import java.text.Collator; 45 46 import java.util.ArrayList; 47 import java.util.Arrays; 48 import java.util.List; 49 import java.util.Locale; 50 import java.util.Properties; 51 import java.util.ResourceBundle; 52 import java.util.ServiceLoader; 53 54 import sun.security.util.PropertyExpander; 55 56 /** 57 * <p> This class provides several utilities to <code>KeyStore</code>. 58 * 59 * @since 1.6.0 60 */ 61 public class KeyStoreUtil { 62 KeyStoreUtil()63 private KeyStoreUtil() { 64 // this class is not meant to be instantiated 65 } 66 67 /** 68 * Returns true if the certificate is self-signed, false otherwise. 69 */ isSelfSigned(X509Certificate cert)70 public static boolean isSelfSigned(X509Certificate cert) { 71 return signedBy(cert, cert); 72 } 73 signedBy(X509Certificate end, X509Certificate ca)74 public static boolean signedBy(X509Certificate end, X509Certificate ca) { 75 if (!ca.getSubjectX500Principal().equals(end.getIssuerX500Principal())) { 76 return false; 77 } 78 try { 79 end.verify(ca.getPublicKey()); 80 return true; 81 } catch (Exception e) { 82 return false; 83 } 84 } 85 86 /** 87 * Returns true if KeyStore has a password. This is true except for 88 * MSCAPI KeyStores 89 */ isWindowsKeyStore(String storetype)90 public static boolean isWindowsKeyStore(String storetype) { 91 return storetype != null 92 && (storetype.equalsIgnoreCase("Windows-MY") 93 || storetype.equalsIgnoreCase("Windows-ROOT")); 94 } 95 96 /** 97 * Returns standard-looking names for storetype 98 */ niceStoreTypeName(String storetype)99 public static String niceStoreTypeName(String storetype) { 100 if (storetype.equalsIgnoreCase("Windows-MY")) { 101 return "Windows-MY"; 102 } else if(storetype.equalsIgnoreCase("Windows-ROOT")) { 103 return "Windows-ROOT"; 104 } else { 105 return storetype.toUpperCase(Locale.ENGLISH); 106 } 107 } 108 109 /** 110 * Returns the file name of the keystore with the configured CA certificates. 111 */ getCacerts()112 public static String getCacerts() { 113 String sep = File.separator; 114 return System.getProperty("java.home") + sep 115 + "lib" + sep + "security" + sep 116 + "cacerts"; 117 } 118 119 /** 120 * Returns the keystore with the configured CA certificates. 121 */ getCacertsKeyStore()122 public static KeyStore getCacertsKeyStore() throws Exception { 123 File file = new File(getCacerts()); 124 if (!file.exists()) { 125 return null; 126 } 127 return KeyStore.getInstance(file, (char[])null); 128 } 129 getPassWithModifier(String modifier, String arg, ResourceBundle rb, Collator collator)130 public static char[] getPassWithModifier(String modifier, String arg, 131 ResourceBundle rb, 132 Collator collator) { 133 if (modifier == null) { 134 return arg.toCharArray(); 135 } else if (collator.compare(modifier, "env") == 0) { 136 String value = System.getenv(arg); 137 if (value == null) { 138 System.err.println(rb.getString( 139 "Cannot.find.environment.variable.") + arg); 140 return null; 141 } else { 142 return value.toCharArray(); 143 } 144 } else if (collator.compare(modifier, "file") == 0) { 145 try { 146 URL url = null; 147 try { 148 url = new URL(arg); 149 } catch (java.net.MalformedURLException mue) { 150 File f = new File(arg); 151 if (f.exists()) { 152 url = f.toURI().toURL(); 153 } else { 154 System.err.println(rb.getString( 155 "Cannot.find.file.") + arg); 156 return null; 157 } 158 } 159 160 try (BufferedReader br = 161 new BufferedReader(new InputStreamReader( 162 url.openStream()))) { 163 String value = br.readLine(); 164 165 if (value == null) { 166 return new char[0]; 167 } 168 169 return value.toCharArray(); 170 } 171 } catch (IOException ioe) { 172 System.err.println(ioe); 173 return null; 174 } 175 } else { 176 System.err.println(rb.getString("Unknown.password.type.") + 177 modifier); 178 return null; 179 } 180 } 181 182 /** 183 * Parses a option line likes 184 * -genkaypair -dname "CN=Me" 185 * and add the results into a list 186 * @param list the list to fill into 187 * @param s the line 188 */ parseArgsLine(List<String> list, String s)189 private static void parseArgsLine(List<String> list, String s) 190 throws IOException, PropertyExpander.ExpandException { 191 StreamTokenizer st = new StreamTokenizer(new StringReader(s)); 192 193 st.resetSyntax(); 194 st.whitespaceChars(0x00, 0x20); 195 st.wordChars(0x21, 0xFF); 196 // Everything is a word char except for quotation and apostrophe 197 st.quoteChar('"'); 198 st.quoteChar('\''); 199 200 while (true) { 201 if (st.nextToken() == StreamTokenizer.TT_EOF) { 202 break; 203 } 204 list.add(PropertyExpander.expand(st.sval)); 205 } 206 } 207 208 /** 209 * Prepends matched options from a pre-configured options file. 210 * 211 * @param tool the name of the tool, can be "keytool" or "jarsigner" 212 * @param file the pre-configured options file 213 * @param c1 the name of the command, with the "-" prefix, 214 * must not be null 215 * @param c2 the alternative command name, with the "-" prefix, 216 * null if none. For example, "genkey" is alt name for 217 * "genkeypair". A command can only have one alt name now. 218 * @param args existing arguments 219 * @return arguments combined 220 * @throws IOException if there is a file I/O or format error 221 * @throws PropertyExpander.ExpandException 222 * if there is a property expansion error 223 */ expandArgs(String tool, String file, String c1, String c2, String[] args)224 public static String[] expandArgs(String tool, String file, 225 String c1, String c2, String[] args) 226 throws IOException, PropertyExpander.ExpandException { 227 228 List<String> result = new ArrayList<>(); 229 Properties p = new Properties(); 230 p.load(new FileInputStream(file)); 231 232 String s = p.getProperty(tool + ".all"); 233 if (s != null) { 234 parseArgsLine(result, s); 235 } 236 237 // Cannot provide both -genkey and -genkeypair 238 String s1 = p.getProperty(tool + "." + c1.substring(1)); 239 String s2 = null; 240 if (c2 != null) { 241 s2 = p.getProperty(tool + "." + c2.substring(1)); 242 } 243 if (s1 != null && s2 != null) { 244 throw new IOException("Cannot have both " + c1 + " and " 245 + c2 + " as pre-configured options"); 246 } 247 if (s1 == null) { 248 s1 = s2; 249 } 250 if (s1 != null) { 251 parseArgsLine(result, s1); 252 } 253 254 if (result.isEmpty()) { 255 return args; 256 } else { 257 result.addAll(Arrays.asList(args)); 258 return result.toArray(new String[result.size()]); 259 } 260 } 261 262 /** 263 * Loads a security provider as a service. 264 * 265 * @param provName the name 266 * @param arg optional arg 267 * @throws IllegalArgumentException if no provider matches the name 268 */ loadProviderByName(String provName, String arg)269 public static void loadProviderByName(String provName, String arg) { 270 Provider loaded = Security.getProvider(provName); 271 if (loaded != null) { 272 if (arg != null) { 273 loaded = loaded.configure(arg); 274 Security.addProvider(loaded); 275 } 276 return; 277 } 278 for (Provider p : ServiceLoader.load(Provider.class, 279 ClassLoader.getSystemClassLoader())) { 280 if (p.getName().equals(provName)) { 281 if (arg != null) { 282 p = p.configure(arg); 283 } 284 Security.addProvider(p); 285 return; 286 } 287 } 288 throw new IllegalArgumentException("No provider found"); 289 } 290 291 /** 292 * Loads a security provider by a fully-qualified class name. 293 * 294 * @param provClass the class name 295 * @param arg optional arg 296 * @param cl optional class loader 297 * @throws IllegalArgumentException if no provider matches the class name 298 * @throws ClassCastException if the class has not extended Provider 299 */ loadProviderByClass( String provClass, String arg, ClassLoader cl)300 public static void loadProviderByClass( 301 String provClass, String arg, ClassLoader cl) { 302 303 // For compatibility, SunPKCS11 and OracleUcrypto can still be 304 // loadable with -providerClass. 305 if (provClass.equals("sun.security.pkcs11.SunPKCS11")) { 306 loadProviderByName("SunPKCS11", arg); 307 return; 308 } else if (provClass.equals("com.oracle.security.crypto.UcryptoProvider")) { 309 loadProviderByName("OracleUcrypto", arg); 310 return; 311 } 312 313 Provider prov; 314 try { 315 Class<?> clazz = Class.forName(provClass, false, cl); 316 prov = (Provider) clazz.getConstructor().newInstance(); 317 } catch (ReflectiveOperationException e) { 318 throw new IllegalArgumentException(e); 319 } 320 if (arg != null) { 321 prov = prov.configure(arg); 322 } 323 Security.addProvider(prov); 324 } 325 } 326