8062552: Support keystore type detection for JKS and PKCS12 keystores
Reviewed-by: weijun
diff --git a/src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java b/src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java
index 9eebd6c..f982b01 100644
--- a/src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java
+++ b/src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java
@@ -1058,6 +1058,39 @@
}
/**
+ * Determines if the keystore {@code Entry} for the specified
+ * {@code alias} is an instance or subclass of the specified
+ * {@code entryClass}.
+ *
+ * @param alias the alias name
+ * @param entryClass the entry class
+ *
+ * @return true if the keystore {@code Entry} for the specified
+ * {@code alias} is an instance or subclass of the
+ * specified {@code entryClass}, false otherwise
+ *
+ * @since 1.5
+ */
+ @Override
+ public boolean
+ engineEntryInstanceOf(String alias,
+ Class<? extends KeyStore.Entry> entryClass)
+ {
+ if (entryClass == KeyStore.TrustedCertificateEntry.class) {
+ return engineIsCertificateEntry(alias);
+ }
+
+ Entry entry = entries.get(alias.toLowerCase(Locale.ENGLISH));
+ if (entryClass == KeyStore.PrivateKeyEntry.class) {
+ return (entry != null && entry instanceof PrivateKeyEntry);
+ }
+ if (entryClass == KeyStore.SecretKeyEntry.class) {
+ return (entry != null && entry instanceof SecretKeyEntry);
+ }
+ return false;
+ }
+
+ /**
* Returns the (alias) name of the first keystore entry whose certificate
* matches the given certificate.
*
@@ -1089,7 +1122,7 @@
} else {
continue;
}
- if (certElem.equals(cert)) {
+ if (certElem != null && certElem.equals(cert)) {
return alias;
}
}
@@ -1932,7 +1965,12 @@
safeContentsData = safeContents.getData();
} else if (contentType.equals((Object)ContentInfo.ENCRYPTED_DATA_OID)) {
if (password == null) {
- continue;
+
+ if (debug != null) {
+ debug.println("Warning: skipping PKCS#7 encryptedData" +
+ " content-type - no password was supplied");
+ }
+ continue;
}
if (debug != null) {
@@ -1974,8 +2012,9 @@
password = new char[1];
continue;
}
- throw new IOException(
- "failed to decrypt safe contents entry: " + e, e);
+ throw new IOException("keystore password was incorrect",
+ new UnrecoverableKeyException(
+ "failed to decrypt safe contents entry: " + e));
}
}
} else {
diff --git a/src/share/classes/sun/security/provider/JavaKeyStore.java b/src/share/classes/sun/security/provider/JavaKeyStore.java
index f7cfb19..6145666 100644
--- a/src/share/classes/sun/security/provider/JavaKeyStore.java
+++ b/src/share/classes/sun/security/provider/JavaKeyStore.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -31,9 +31,10 @@
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateException;
import java.util.*;
-import sun.misc.IOUtils;
+import sun.misc.IOUtils;
import sun.security.pkcs.EncryptedPrivateKeyInfo;
+import sun.security.pkcs12.PKCS12KeyStore;
/**
* This class provides the keystore implementation referred to as "JKS".
@@ -65,6 +66,13 @@
}
}
+ // special JKS that supports JKS and PKCS12 file formats
+ public static final class DualFormatJKS extends KeyStoreDelegator {
+ public DualFormatJKS() {
+ super("JKS", JKS.class, "PKCS12", PKCS12KeyStore.class);
+ }
+ }
+
private static final int MAGIC = 0xfeedfeed;
private static final int VERSION_1 = 0x01;
private static final int VERSION_2 = 0x02;
diff --git a/src/share/classes/sun/security/provider/KeyStoreDelegator.java b/src/share/classes/sun/security/provider/KeyStoreDelegator.java
new file mode 100644
index 0000000..789d448
--- /dev/null
+++ b/src/share/classes/sun/security/provider/KeyStoreDelegator.java
@@ -0,0 +1,279 @@
+/*
+ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.provider;
+
+import java.io.*;
+import java.security.*;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
+import java.security.cert.CertificateException;
+import java.util.*;
+
+import sun.security.util.Debug;
+
+/**
+ * This class delegates to a primary or secondary keystore implementation.
+ *
+ * @since 1.8
+ */
+
+class KeyStoreDelegator extends KeyStoreSpi {
+
+ private static final String KEYSTORE_TYPE_COMPAT = "keystore.type.compat";
+ private static final Debug debug = Debug.getInstance("keystore");
+
+ private final String primaryType; // the primary keystore's type
+ private final String secondaryType; // the secondary keystore's type
+ private final Class<? extends KeyStoreSpi> primaryKeyStore;
+ // the primary keystore's class
+ private final Class<? extends KeyStoreSpi> secondaryKeyStore;
+ // the secondary keystore's class
+ private String type; // the delegate's type
+ private KeyStoreSpi keystore; // the delegate
+ private boolean compatModeEnabled = true;
+
+ public KeyStoreDelegator(
+ String primaryType,
+ Class<? extends KeyStoreSpi> primaryKeyStore,
+ String secondaryType,
+ Class<? extends KeyStoreSpi> secondaryKeyStore) {
+
+ // Check whether compatibility mode has been disabled
+ // (Use inner-class instead of lambda to avoid init/ClassLoader problem)
+ compatModeEnabled = "true".equalsIgnoreCase(
+ AccessController.doPrivileged(
+ new PrivilegedAction<String>() {
+ public String run() {
+ return Security.getProperty(KEYSTORE_TYPE_COMPAT);
+ }
+ }
+ ));
+
+ if (compatModeEnabled) {
+ this.primaryType = primaryType;
+ this.secondaryType = secondaryType;
+ this.primaryKeyStore = primaryKeyStore;
+ this.secondaryKeyStore = secondaryKeyStore;
+ } else {
+ this.primaryType = primaryType;
+ this.secondaryType = null;
+ this.primaryKeyStore = primaryKeyStore;
+ this.secondaryKeyStore = null;
+
+ if (debug != null) {
+ debug.println("WARNING: compatibility mode disabled for " +
+ primaryType + " and " + secondaryType + " keystore types");
+ }
+ }
+ }
+
+ @Override
+ public Key engineGetKey(String alias, char[] password)
+ throws NoSuchAlgorithmException, UnrecoverableKeyException {
+ return keystore.engineGetKey(alias, password);
+ }
+
+ @Override
+ public Certificate[] engineGetCertificateChain(String alias) {
+ return keystore.engineGetCertificateChain(alias);
+ }
+
+ @Override
+ public Certificate engineGetCertificate(String alias) {
+ return keystore.engineGetCertificate(alias);
+ }
+
+ @Override
+ public Date engineGetCreationDate(String alias) {
+ return keystore.engineGetCreationDate(alias);
+ }
+
+ @Override
+ public void engineSetKeyEntry(String alias, Key key, char[] password,
+ Certificate[] chain) throws KeyStoreException {
+ keystore.engineSetKeyEntry(alias, key, password, chain);
+ }
+
+ @Override
+ public void engineSetKeyEntry(String alias, byte[] key, Certificate[] chain)
+ throws KeyStoreException {
+ keystore.engineSetKeyEntry(alias, key, chain);
+ }
+
+ @Override
+ public void engineSetCertificateEntry(String alias, Certificate cert)
+ throws KeyStoreException {
+ keystore.engineSetCertificateEntry(alias, cert);
+ }
+
+ @Override
+ public void engineDeleteEntry(String alias) throws KeyStoreException {
+ keystore.engineDeleteEntry(alias);
+ }
+
+ @Override
+ public Enumeration<String> engineAliases() {
+ return keystore.engineAliases();
+ }
+
+ @Override
+ public boolean engineContainsAlias(String alias) {
+ return keystore.engineContainsAlias(alias);
+ }
+
+ @Override
+ public int engineSize() {
+ return keystore.engineSize();
+ }
+
+ @Override
+ public boolean engineIsKeyEntry(String alias) {
+ return keystore.engineIsKeyEntry(alias);
+ }
+
+ @Override
+ public boolean engineIsCertificateEntry(String alias) {
+ return keystore.engineIsCertificateEntry(alias);
+ }
+
+ @Override
+ public String engineGetCertificateAlias(Certificate cert) {
+ return keystore.engineGetCertificateAlias(cert);
+ }
+
+ @Override
+ public KeyStore.Entry engineGetEntry(String alias,
+ KeyStore.ProtectionParameter protParam)
+ throws KeyStoreException, NoSuchAlgorithmException,
+ UnrecoverableEntryException {
+ return keystore.engineGetEntry(alias, protParam);
+ }
+
+ @Override
+ public void engineSetEntry(String alias, KeyStore.Entry entry,
+ KeyStore.ProtectionParameter protParam)
+ throws KeyStoreException {
+ keystore.engineSetEntry(alias, entry, protParam);
+ }
+
+ @Override
+ public boolean engineEntryInstanceOf(String alias,
+ Class<? extends KeyStore.Entry> entryClass) {
+ return keystore.engineEntryInstanceOf(alias, entryClass);
+ }
+
+ @Override
+ public void engineStore(OutputStream stream, char[] password)
+ throws IOException, NoSuchAlgorithmException, CertificateException {
+
+ if (debug != null) {
+ debug.println("Storing keystore in " + type + " format");
+ }
+ keystore.engineStore(stream, password);
+ }
+
+ @Override
+ public void engineLoad(InputStream stream, char[] password)
+ throws IOException, NoSuchAlgorithmException, CertificateException {
+
+ // A new keystore is always created in the primary keystore format
+ if (stream == null || !compatModeEnabled) {
+ try {
+ keystore = primaryKeyStore.newInstance();
+
+ } catch (InstantiationException | IllegalAccessException e) {
+ // can safely ignore
+ }
+ type = primaryType;
+
+ if (debug != null && stream == null) {
+ debug.println("Creating a new keystore in " + type + " format");
+ }
+ keystore.engineLoad(stream, password);
+
+ } else {
+ // First try the primary keystore then try the secondary keystore
+ try (InputStream bufferedStream = new BufferedInputStream(stream)) {
+ bufferedStream.mark(Integer.MAX_VALUE);
+
+ try {
+ keystore = primaryKeyStore.newInstance();
+ type = primaryType;
+ keystore.engineLoad(bufferedStream, password);
+
+ } catch (Exception e) {
+
+ // incorrect password
+ if (e instanceof IOException &&
+ e.getCause() instanceof UnrecoverableKeyException) {
+ throw (IOException)e;
+ }
+
+ try {
+ keystore = secondaryKeyStore.newInstance();
+ type = secondaryType;
+ bufferedStream.reset();
+ keystore.engineLoad(bufferedStream, password);
+
+ if (debug != null) {
+ debug.println("WARNING: switching from " +
+ primaryType + " to " + secondaryType +
+ " keystore file format has altered the " +
+ "keystore security level");
+ }
+
+ } catch (InstantiationException |
+ IllegalAccessException e2) {
+ // can safely ignore
+
+ } catch (IOException |
+ NoSuchAlgorithmException |
+ CertificateException e3) {
+
+ // incorrect password
+ if (e3 instanceof IOException &&
+ e3.getCause() instanceof
+ UnrecoverableKeyException) {
+ throw (IOException)e3;
+ }
+ // rethrow the outer exception
+ if (e instanceof IOException) {
+ throw (IOException)e;
+ } else if (e instanceof CertificateException) {
+ throw (CertificateException)e;
+ } else if (e instanceof NoSuchAlgorithmException) {
+ throw (NoSuchAlgorithmException)e;
+ }
+ }
+ }
+ }
+
+ if (debug != null) {
+ debug.println("Loaded a keystore in " + type + " format");
+ }
+ }
+ }
+}
diff --git a/src/share/classes/sun/security/provider/SunEntries.java b/src/share/classes/sun/security/provider/SunEntries.java
index 5a14e7b..0e33ad8 100644
--- a/src/share/classes/sun/security/provider/SunEntries.java
+++ b/src/share/classes/sun/security/provider/SunEntries.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -228,7 +228,8 @@
/*
* KeyStore
*/
- map.put("KeyStore.JKS", "sun.security.provider.JavaKeyStore$JKS");
+ map.put("KeyStore.JKS",
+ "sun.security.provider.JavaKeyStore$DualFormatJKS");
map.put("KeyStore.CaseExactJKS",
"sun.security.provider.JavaKeyStore$CaseExactJKS");
map.put("KeyStore.DKS", "sun.security.provider.DomainKeyStore$DKS");
diff --git a/src/share/lib/security/java.security-aix b/src/share/lib/security/java.security-aix
index f0d295c..571ff4f 100644
--- a/src/share/lib/security/java.security-aix
+++ b/src/share/lib/security/java.security-aix
@@ -171,6 +171,15 @@
keystore.type=jks
#
+# Controls compatibility mode for the JKS keystore type.
+#
+# When set to 'true', the JKS keystore type supports loading
+# keystore files in either JKS or PKCS12 format. When set to 'false'
+# it supports loading only JKS keystore files.
+#
+keystore.type.compat=true
+
+#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
# passed to checkPackageAccess unless the
diff --git a/src/share/lib/security/java.security-linux b/src/share/lib/security/java.security-linux
index f0d295c..571ff4f 100644
--- a/src/share/lib/security/java.security-linux
+++ b/src/share/lib/security/java.security-linux
@@ -171,6 +171,15 @@
keystore.type=jks
#
+# Controls compatibility mode for the JKS keystore type.
+#
+# When set to 'true', the JKS keystore type supports loading
+# keystore files in either JKS or PKCS12 format. When set to 'false'
+# it supports loading only JKS keystore files.
+#
+keystore.type.compat=true
+
+#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
# passed to checkPackageAccess unless the
diff --git a/src/share/lib/security/java.security-macosx b/src/share/lib/security/java.security-macosx
index d07ad76..b462d13 100644
--- a/src/share/lib/security/java.security-macosx
+++ b/src/share/lib/security/java.security-macosx
@@ -172,6 +172,15 @@
keystore.type=jks
#
+# Controls compatibility mode for the JKS keystore type.
+#
+# When set to 'true', the JKS keystore type supports loading
+# keystore files in either JKS or PKCS12 format. When set to 'false'
+# it supports loading only JKS keystore files.
+#
+keystore.type.compat=true
+
+#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
# passed to checkPackageAccess unless the
diff --git a/src/share/lib/security/java.security-solaris b/src/share/lib/security/java.security-solaris
index ae866ff..41ef6f8 100644
--- a/src/share/lib/security/java.security-solaris
+++ b/src/share/lib/security/java.security-solaris
@@ -173,6 +173,15 @@
keystore.type=jks
#
+# Controls compatibility mode for the JKS keystore type.
+#
+# When set to 'true', the JKS keystore type supports loading
+# keystore files in either JKS or PKCS12 format. When set to 'false'
+# it supports loading only JKS keystore files.
+#
+keystore.type.compat=true
+
+#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
# passed to checkPackageAccess unless the
diff --git a/src/share/lib/security/java.security-windows b/src/share/lib/security/java.security-windows
index fc61a5e..f860aca 100644
--- a/src/share/lib/security/java.security-windows
+++ b/src/share/lib/security/java.security-windows
@@ -172,6 +172,15 @@
keystore.type=jks
#
+# Controls compatibility mode for the JKS keystore type.
+#
+# When set to 'true', the JKS keystore type supports loading
+# keystore files in either JKS or PKCS12 format. When set to 'false'
+# it supports loading only JKS keystore files.
+#
+keystore.type.compat=true
+
+#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
# passed to checkPackageAccess unless the