changeset 1495:8bb89d9fd061

6847026: keytool should be able to generate certreq and cert without subject name Reviewed-by: xuelei
author weijun
date Wed, 22 Jul 2009 16:40:04 +0800
parents 81e3117803a5
children f4f55c2473b6
files src/share/classes/sun/security/tools/KeyTool.java src/share/classes/sun/security/util/Resources.java test/sun/security/tools/keytool/emptysubject.sh
diffstat 3 files changed, 81 insertions(+), 6 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/sun/security/tools/KeyTool.java	Wed Jul 22 16:39:34 2009 +0800
+++ b/src/share/classes/sun/security/tools/KeyTool.java	Wed Jul 22 16:40:04 2009 +0800
@@ -1052,7 +1052,7 @@
         X509CertImpl signerCertImpl = new X509CertImpl(encoded);
         X509CertInfo signerCertInfo = (X509CertInfo)signerCertImpl.get(
                 X509CertImpl.NAME + "." + X509CertImpl.INFO);
-        X500Name owner = (X500Name)signerCertInfo.get(X509CertInfo.SUBJECT + "." +
+        X500Name issuer = (X500Name)signerCertInfo.get(X509CertInfo.SUBJECT + "." +
                                            CertificateSubjectName.DN_NAME);
 
         Date firstDate = getStartDate(startDate);
@@ -1068,7 +1068,7 @@
         Signature signature = Signature.getInstance(sigAlgName);
         signature.initSign(privateKey);
 
-        X500Signer signer = new X500Signer(signature, owner);
+        X500Signer signer = new X500Signer(signature, issuer);
 
         X509CertInfo info = new X509CertInfo();
         info.set(X509CertInfo.VALIDITY, interval);
@@ -1102,7 +1102,8 @@
         PKCS10 req = new PKCS10(rawReq);
 
         info.set(X509CertInfo.KEY, new CertificateX509Key(req.getSubjectPublicKeyInfo()));
-        info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(req.getSubjectName()));
+        info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(
+                dname==null?req.getSubjectName():new X500Name(dname)));
         CertificateExtensions reqex = null;
         Iterator<PKCS10Attribute> attrs = req.getAttributes().getAttributes().iterator();
         while (attrs.hasNext()) {
@@ -1160,8 +1161,9 @@
 
         Signature signature = Signature.getInstance(sigAlgName);
         signature.initSign(privKey);
-        X500Name subject =
-            new X500Name(((X509Certificate)cert).getSubjectDN().toString());
+        X500Name subject = dname == null?
+                new X500Name(((X509Certificate)cert).getSubjectDN().toString()):
+                new X500Name(dname);
         X500Signer signer = new X500Signer(signature, subject);
 
         // Sign the request and base-64 encode it
@@ -3428,7 +3430,7 @@
 
                 int colonpos = name.indexOf(':');
                 if (colonpos >= 0) {
-                    if (name.substring(colonpos+1).equalsIgnoreCase("critical")) {
+                    if (oneOf(name.substring(colonpos+1), "critical") == 0) {
                         isCritical = true;
                     }
                     name = name.substring(0, colonpos);
@@ -3689,6 +3691,8 @@
         System.err.println(rb.getString
                 ("\t     [-alias <alias>] [-sigalg <sigalg>]"));
         System.err.println(rb.getString
+                ("\t     [-dname <dname>]"));
+        System.err.println(rb.getString
                 ("\t     [-file <csr_file>] [-keypass <keypass>]"));
         System.err.println(rb.getString
                 ("\t     [-keystore <keystore>] [-storepass <storepass>]"));
@@ -3771,6 +3775,8 @@
         System.err.println(rb.getString
                 ("\t     [-alias <alias>]"));
         System.err.println(rb.getString
+                ("\t     [-dname <dname>]"));
+        System.err.println(rb.getString
                 ("\t     [-sigalg <sigalg>]"));
         System.err.println(rb.getString
                 ("\t     [-startdate <startdate>]"));
--- a/src/share/classes/sun/security/util/Resources.java	Wed Jul 22 16:39:34 2009 +0800
+++ b/src/share/classes/sun/security/util/Resources.java	Wed Jul 22 16:40:04 2009 +0800
@@ -301,6 +301,7 @@
                 "-certreq     [-v] [-protected]"},
         {"\t     [-alias <alias>] [-sigalg <sigalg>]",
                 "\t     [-alias <alias>] [-sigalg <sigalg>]"},
+        {"\t     [-dname <dname>]", "\t     [-dname <dname>]"},
         {"\t     [-file <csr_file>] [-keypass <keypass>]",
                 "\t     [-file <csr_file>] [-keypass <keypass>]"},
         {"\t     [-keystore <keystore>] [-storepass <storepass>]",
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/tools/keytool/emptysubject.sh	Wed Jul 22 16:40:04 2009 +0800
@@ -0,0 +1,68 @@
+#
+# Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+# CA 95054 USA or visit www.sun.com if you need additional information or
+# have any questions.
+#
+
+# @test
+# @bug 6847026
+# @summary keytool should be able to generate certreq and cert without subject name
+#
+# @run shell emptysubject.sh
+#
+
+if [ "${TESTJAVA}" = "" ] ; then
+  JAVAC_CMD=`which javac`
+  TESTJAVA=`dirname $JAVAC_CMD`/..
+fi
+
+# set platform-dependent variables
+OS=`uname -s`
+case "$OS" in
+  Windows_* )
+    FS="\\"
+    ;;
+  * )
+    FS="/"
+    ;;
+esac
+
+KS=emptysubject.jks
+KT="$TESTJAVA${FS}bin${FS}keytool -storepass changeit -keypass changeit -keystore $KS"
+
+rm $KS
+
+$KT -alias ca -dname CN=CA -genkeypair
+$KT -alias me -dname CN=Me -genkeypair
+
+# When -dname is recognized, SAN must be specfied, otherwise, -printcert fails.
+$KT -alias me -certreq -dname "" | \
+        $KT -alias ca -gencert | $KT -printcert && exit 1
+$KT -alias me -certreq | \
+        $KT -alias ca -gencert -dname "" | $KT -printcert && exit 2
+$KT -alias me -certreq -dname "" | \
+        $KT -alias ca -gencert -ext san:c=email:me@me.com | \
+        $KT -printcert || exit 3
+$KT -alias me -certreq | \
+        $KT -alias ca -gencert -dname "" -ext san:c=email:me@me.com | \
+        $KT -printcert || exit 4
+
+exit 0
+