changeset 1497:29b076bfeafd

6561126: keytool should use larger default keysize for keypairs Reviewed-by: mullan
author weijun
date Wed, 22 Jul 2009 16:41:14 +0800
parents f4f55c2473b6
children dba7dc47b78e cd7758c85d13
files src/share/classes/sun/security/tools/JarSigner.java src/share/classes/sun/security/tools/KeyTool.java src/share/classes/sun/security/util/Resources.java test/sun/security/tools/jarsigner/newsize7.sh test/sun/security/tools/keytool/NewSize7.java
diffstat 5 files changed, 136 insertions(+), 4 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/sun/security/tools/JarSigner.java	Wed Jul 22 16:40:39 2009 +0800
+++ b/src/share/classes/sun/security/tools/JarSigner.java	Wed Jul 22 16:41:14 2009 +0800
@@ -136,7 +136,7 @@
     char[] keypass; // private key password
     String sigfile; // name of .SF file
     String sigalg; // name of signature algorithm
-    String digestalg = "SHA1"; // name of digest algorithm
+    String digestalg = "SHA-256"; // name of digest algorithm
     String signedjar; // output filename
     String tsaUrl; // location of the Timestamping Authority
     String tsaAlias; // alias for the Timestamping Authority's certificate
@@ -2205,7 +2205,7 @@
                 if (keyAlgorithm.equalsIgnoreCase("DSA"))
                     digestAlgorithm = "SHA1";
                 else if (keyAlgorithm.equalsIgnoreCase("RSA"))
-                    digestAlgorithm = "SHA1";
+                    digestAlgorithm = "SHA256";
                 else {
                     throw new RuntimeException("private key is not a DSA or "
                                                + "RSA key");
--- a/src/share/classes/sun/security/tools/KeyTool.java	Wed Jul 22 16:40:39 2009 +0800
+++ b/src/share/classes/sun/security/tools/KeyTool.java	Wed Jul 22 16:41:14 2009 +0800
@@ -1318,7 +1318,7 @@
         if ("DSA".equalsIgnoreCase(keyAlgName)) {
             return "SHA1WithDSA";
         } else if ("RSA".equalsIgnoreCase(keyAlgName)) {
-            return "SHA1WithRSA";
+            return "SHA256WithRSA";
         } else if ("EC".equalsIgnoreCase(keyAlgName)) {
             return "SHA1withECDSA";
         } else {
@@ -1336,6 +1336,8 @@
         if (keysize == -1) {
             if ("EC".equalsIgnoreCase(keyAlgName)) {
                 keysize = 256;
+            } else if ("RSA".equalsIgnoreCase(keyAlgName)) {
+                keysize = 2048;
             } else {
                 keysize = 1024;
             }
@@ -2499,6 +2501,7 @@
                         cert.getNotAfter().toString(),
                         getCertFingerPrint("MD5", cert),
                         getCertFingerPrint("SHA1", cert),
+                        getCertFingerPrint("SHA-256", cert),
                         cert.getSigAlgName(),
                         cert.getVersion()
                         };
--- a/src/share/classes/sun/security/util/Resources.java	Wed Jul 22 16:40:39 2009 +0800
+++ b/src/share/classes/sun/security/util/Resources.java	Wed Jul 22 16:41:14 2009 +0800
@@ -215,7 +215,7 @@
         {"\t(RETURN if same as for <otherAlias>)",
                 "\t(RETURN if same as for <{0}>)"},
         {"*PATTERN* printX509Cert",
-                "Owner: {0}\nIssuer: {1}\nSerial number: {2}\nValid from: {3} until: {4}\nCertificate fingerprints:\n\t MD5:  {5}\n\t SHA1: {6}\n\t Signature algorithm name: {7}\n\t Version: {8}"},
+                "Owner: {0}\nIssuer: {1}\nSerial number: {2}\nValid from: {3} until: {4}\nCertificate fingerprints:\n\t MD5:  {5}\n\t SHA1: {6}\n\t SHA256: {7}\n\t Signature algorithm name: {8}\n\t Version: {9}"},
         {"What is your first and last name?",
                 "What is your first and last name?"},
         {"What is the name of your organizational unit?",
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/tools/jarsigner/newsize7.sh	Wed Jul 22 16:41:14 2009 +0800
@@ -0,0 +1,73 @@
+#
+# Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+# CA 95054 USA or visit www.sun.com if you need additional information or
+# have any questions.
+#
+
+# @test
+# @bug 6561126
+# @summary keytool should use larger default keysize for keypairs
+#
+# @run shell newsize7.sh
+
+# set a few environment variables so that the shell-script can run stand-alone
+# in the source directory
+if [ "${TESTSRC}" = "" ] ; then
+   TESTSRC="."
+fi
+
+if [ "${TESTJAVA}" = "" ] ; then
+  JAVA_CMD=`which java`
+  TESTJAVA=`dirname $JAVA_CMD`/..
+fi
+
+# set platform-dependent variables
+OS=`uname -s`
+case "$OS" in
+  Windows_* )
+    FS="\\"
+    ;;
+  * )
+    FS="/"
+    ;;
+esac
+
+KSFILE=ns7.jks
+
+KT="${TESTJAVA}${FS}bin${FS}keytool -keystore ns7.jks -storepass changeit -keypass changeit"
+JAR="${TESTJAVA}${FS}bin${FS}jar"
+JS="${TESTJAVA}${FS}bin${FS}jarsigner -keystore ns7.jks -storepass changeit"
+
+rm ns7.*
+
+$KT -genkeypair -alias me -dname CN=Me
+
+touch ns7.txt
+$JAR cvf ns7.jar ns7.txt
+
+$JS ns7.jar me
+$JAR xvf ns7.jar
+
+grep SHA-256 META-INF/MANIFEST.MF || exit 1
+grep SHA-256 META-INF/ME.SF || exit 2
+
+#rm -rf META-INF
+
+exit 0
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/tools/keytool/NewSize7.java	Wed Jul 22 16:41:14 2009 +0800
@@ -0,0 +1,56 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/*
+ * @test
+ * @bug 6561126
+ * @summary keytool should use larger default keysize for keypairs
+ */
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.security.KeyStore;
+import java.security.cert.X509Certificate;
+import java.security.interfaces.RSAPublicKey;
+import sun.security.tools.KeyTool;
+
+public class NewSize7 {
+    public static void main(String[] args) throws Exception {
+        String FILE = "newsize7-ks";
+        new File(FILE).delete();
+        KeyTool.main(("-debug -genkeypair -keystore " + FILE +
+                " -alias a -dname cn=c -storepass changeit" +
+                " -keypass changeit -keyalg rsa").split(" "));
+        KeyStore ks = KeyStore.getInstance("JKS");
+        ks.load(new FileInputStream(FILE), null);
+        new File(FILE).delete();
+        RSAPublicKey r = (RSAPublicKey)ks.getCertificate("a").getPublicKey();
+        if (r.getModulus().bitLength() != 2048) {
+            throw new Exception("Bad keysize");
+        }
+        X509Certificate x = (X509Certificate)ks.getCertificate("a");
+        if (!x.getSigAlgName().equals("SHA256withRSA")) {
+            throw new Exception("Bad sigalg");
+        }
+    }
+}