changeset 3826:f4613b378874

7021789: Remove jarsigner -crl option Reviewed-by: mullan
author weijun
date Mon, 28 Feb 2011 23:02:37 +0800
parents a3b6c262195b
children f8bf888edf20
files src/share/classes/com/sun/jarsigner/ContentSignerParameters.java src/share/classes/java/security/CodeSigner.java src/share/classes/sun/misc/JavaSecurityCodeSignerAccess.java src/share/classes/sun/misc/SharedSecrets.java src/share/classes/sun/security/tools/JarSigner.java src/share/classes/sun/security/tools/JarSignerResources.java src/share/classes/sun/security/tools/KeyTool.java src/share/classes/sun/security/tools/TimestampedSigner.java src/share/classes/sun/security/util/SignatureFileVerifier.java test/sun/security/tools/jarsigner/crl.sh
diffstat 10 files changed, 28 insertions(+), 243 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/com/sun/jarsigner/ContentSignerParameters.java	Mon Feb 28 06:40:46 2011 -0500
+++ b/src/share/classes/com/sun/jarsigner/ContentSignerParameters.java	Mon Feb 28 23:02:37 2011 +0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,9 +26,7 @@
 package com.sun.jarsigner;
 
 import java.net.URI;
-import java.security.cert.X509CRL;
 import java.security.cert.X509Certificate;
-import java.util.Set;
 import java.util.zip.ZipFile;
 
 /**
@@ -83,13 +81,6 @@
     public X509Certificate[] getSignerCertificateChain();
 
     /**
-     * Retrieves the signer's X.509 CRLs.
-     *
-     * @return An unmodifiable set of X.509 CRLs (never <code>null</code>)
-     */
-    public Set<X509CRL> getCRLs();
-
-    /**
      * Retrieves the content that was signed.
      * The content is the JAR file's signature file.
      *
--- a/src/share/classes/java/security/CodeSigner.java	Mon Feb 28 06:40:46 2011 -0500
+++ b/src/share/classes/java/security/CodeSigner.java	Mon Feb 28 23:02:37 2011 +0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,10 +26,7 @@
 package java.security;
 
 import java.io.*;
-import java.security.cert.CRL;
 import java.security.cert.CertPath;
-import sun.misc.JavaSecurityCodeSignerAccess;
-import sun.misc.SharedSecrets;
 
 /**
  * This class encapsulates information about a code signer.
@@ -167,44 +164,6 @@
         return sb.toString();
     }
 
-    // A private attribute attached to this CodeSigner object. Can be accessed
-    // through SharedSecrets.getJavaSecurityCodeSignerAccess().[g|s]etCRLs
-    //
-    // Currently called in SignatureFileVerifier.getSigners
-    private transient CRL[] crls;
-
-    /**
-     * Sets the CRLs attached
-     * @param crls, null to clear
-     */
-    void setCRLs(CRL[] crls) {
-        this.crls = crls;
-    }
-
-    /**
-     * Returns the CRLs attached
-     * @return the crls, initially null
-     */
-    CRL[] getCRLs() {
-        return crls;
-    }
-
-    // Set up JavaSecurityCodeSignerAccess in SharedSecrets
-    static {
-        SharedSecrets.setJavaSecurityCodeSignerAccess(
-                new JavaSecurityCodeSignerAccess() {
-            @Override
-            public void setCRLs(CodeSigner signer, CRL[] crls) {
-                signer.setCRLs(crls);
-            }
-
-            @Override
-            public CRL[] getCRLs(CodeSigner signer) {
-                return signer.getCRLs();
-            }
-        });
-    }
-
     // Explicitly reset hash code value to -1
     private void readObject(ObjectInputStream ois)
         throws IOException, ClassNotFoundException {
--- a/src/share/classes/sun/misc/JavaSecurityCodeSignerAccess.java	Mon Feb 28 06:40:46 2011 -0500
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,33 +0,0 @@
-/*
- * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-package sun.misc;
-
-import java.security.CodeSigner;
-import java.security.cert.CRL;
-
-public interface JavaSecurityCodeSignerAccess {
-    void setCRLs(CodeSigner signer, CRL[] crls);
-    CRL[] getCRLs(CodeSigner signer);
-}
--- a/src/share/classes/sun/misc/SharedSecrets.java	Mon Feb 28 06:40:46 2011 -0500
+++ b/src/share/classes/sun/misc/SharedSecrets.java	Mon Feb 28 23:02:37 2011 +0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -28,7 +28,6 @@
 import java.util.jar.JarFile;
 import java.io.Console;
 import java.io.FileDescriptor;
-import java.security.CodeSigner;
 import java.security.ProtectionDomain;
 
 /** A repository of "shared secrets", which are a mechanism for
@@ -49,7 +48,6 @@
     private static JavaNioAccess javaNioAccess;
     private static JavaIOFileDescriptorAccess javaIOFileDescriptorAccess;
     private static JavaSecurityProtectionDomainAccess javaSecurityProtectionDomainAccess;
-    private static JavaSecurityCodeSignerAccess javaSecurityCodeSignerAccess;
 
     public static JavaUtilJarAccess javaUtilJarAccess() {
         if (javaUtilJarAccess == null) {
@@ -127,16 +125,4 @@
                 unsafe.ensureClassInitialized(ProtectionDomain.class);
             return javaSecurityProtectionDomainAccess;
     }
-
-    public static void setJavaSecurityCodeSignerAccess
-            (JavaSecurityCodeSignerAccess jscsa) {
-        javaSecurityCodeSignerAccess = jscsa;
-    }
-
-    public static JavaSecurityCodeSignerAccess
-            getJavaSecurityCodeSignerAccess() {
-        if (javaSecurityCodeSignerAccess == null)
-            unsafe.ensureClassInitialized(CodeSigner.class);
-        return javaSecurityCodeSignerAccess;
-    }
 }
--- a/src/share/classes/sun/security/tools/JarSigner.java	Mon Feb 28 06:40:46 2011 -0500
+++ b/src/share/classes/sun/security/tools/JarSigner.java	Mon Feb 28 23:02:37 2011 +0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,7 +26,6 @@
 package sun.security.tools;
 
 import java.io.*;
-import java.security.cert.X509CRL;
 import java.util.*;
 import java.util.zip.*;
 import java.util.jar.*;
@@ -36,7 +35,6 @@
 import java.text.Collator;
 import java.text.MessageFormat;
 import java.security.cert.Certificate;
-import java.security.cert.CRL;
 import java.security.cert.X509Certificate;
 import java.security.cert.CertificateException;
 import java.security.*;
@@ -58,7 +56,6 @@
 import sun.security.x509.*;
 import sun.security.util.*;
 import sun.misc.BASE64Encoder;
-import sun.misc.SharedSecrets;
 
 
 /**
@@ -117,13 +114,11 @@
     static final int SIGNED_BY_ALIAS = 0x08;    // signer is in alias list
 
     X509Certificate[] certChain;    // signer's cert chain (when composing)
-    Set<X509CRL> crls;                 // signer provided CRLs
     PrivateKey privateKey;          // private key
     KeyStore store;                 // the keystore specified by -keystore
                                     // or the default keystore, never null
 
     String keystore; // key store file
-    List<String> crlfiles = new ArrayList<>();  // CRL files to add
     boolean nullStream = false; // null keystore input stream (NONE)
     boolean token = false; // token-based keystore
     String jarfile;  // jar files to sign or verify
@@ -151,7 +146,6 @@
     boolean signManifest = true; // "sign" the whole manifest
     boolean externalSF = true; // leave the .SF out of the PKCS7 block
     boolean strict = false;  // treat warnings as error
-    boolean autoCRL = false;    // Automatcially add CRL defined in cert
 
     // read zip entry raw bytes
     private ByteArrayOutputStream baos = new ByteArrayOutputStream(2048);
@@ -232,29 +226,6 @@
             } else {
                 loadKeyStore(keystore, true);
                 getAliasInfo(alias);
-                crls = new HashSet<X509CRL>();
-                if (crlfiles.size() > 0 || autoCRL) {
-                    CertificateFactory fac =
-                            CertificateFactory.getInstance("X509");
-                    List<CRL> list = new ArrayList<>();
-                    for (String file: crlfiles) {
-                        Collection<? extends CRL> tmp = KeyTool.loadCRLs(file);
-                        for (CRL crl: tmp) {
-                            if (crl instanceof X509CRL) {
-                                crls.add((X509CRL)crl);
-                            }
-                        }
-                    }
-                    if (autoCRL) {
-                        List<CRL> crlsFromCert =
-                                KeyTool.readCRLsFromCert(certChain[0]);
-                        for (CRL crl: crlsFromCert) {
-                            if (crl instanceof X509CRL) {
-                                crls.add((X509CRL)crl);
-                            }
-                        }
-                    }
-                }
 
                 // load the alternative signing mechanism
                 if (altSignerClass != null) {
@@ -396,13 +367,6 @@
             } else if (collator.compare(flags, "-digestalg") ==0) {
                 if (++n == args.length) usageNoArg();
                 digestalg = args[n];
-            } else if (collator.compare(flags, "-crl") ==0) {
-                if ("auto".equals(modifier)) {
-                    autoCRL = true;
-                } else {
-                    if (++n == args.length) usageNoArg();
-                    crlfiles.add(args[n]);
-                }
             } else if (collator.compare(flags, "-certs") ==0) {
                 showcerts = true;
             } else if (collator.compare(flags, "-strict") ==0) {
@@ -549,9 +513,6 @@
                 (".sigalg.algorithm.name.of.signature.algorithm"));
         System.out.println();
         System.out.println(rb.getString
-                (".crl.auto.file.include.CRL.in.signed.jar"));
-        System.out.println();
-        System.out.println(rb.getString
                 (".verify.verify.a.signed.JAR.file"));
         System.out.println();
         System.out.println(rb.getString
@@ -691,20 +652,6 @@
                             if (showcerts) {
                                 sb.append(si);
                                 sb.append('\n');
-                                CRL[] crls = SharedSecrets
-                                        .getJavaSecurityCodeSignerAccess()
-                                        .getCRLs(signer);
-                                if (crls != null) {
-                                    for (CRL crl: crls) {
-                                        if (crl instanceof X509CRLImpl) {
-                                            sb.append(tab).append("[");
-                                            sb.append(String.format(
-                                                    rb.getString("with.a.CRL.including.d.entries"),
-                                                    ((X509CRLImpl)crl).getRevokedCertificates().size()))
-                                                .append("]\n");
-                                        }
-                                    }
-                                }
                             }
                         }
                     } else if (showcerts && !verbose.equals("all")) {
@@ -1284,7 +1231,7 @@
 
             try {
                 block =
-                    sf.generateBlock(privateKey, sigalg, certChain, crls,
+                    sf.generateBlock(privateKey, sigalg, certChain,
                         externalSF, tsaUrl, tsaCert, signingMechanism, args,
                         zipFile);
             } catch (SocketTimeoutException e) {
@@ -2249,7 +2196,6 @@
     public Block generateBlock(PrivateKey privateKey,
                                String sigalg,
                                X509Certificate[] certChain,
-                               Set<X509CRL> crls,
                                boolean externalSF, String tsaUrl,
                                X509Certificate tsaCert,
                                ContentSigner signingMechanism,
@@ -2257,7 +2203,7 @@
         throws NoSuchAlgorithmException, InvalidKeyException, IOException,
             SignatureException, CertificateException
     {
-        return new Block(this, privateKey, sigalg, certChain, crls, externalSF,
+        return new Block(this, privateKey, sigalg, certChain, externalSF,
                 tsaUrl, tsaCert, signingMechanism, args, zipFile);
     }
 
@@ -2271,8 +2217,7 @@
          * Construct a new signature block.
          */
         Block(SignatureFile sfg, PrivateKey privateKey, String sigalg,
-            X509Certificate[] certChain, Set<X509CRL> crls,
-            boolean externalSF, String tsaUrl,
+            X509Certificate[] certChain, boolean externalSF, String tsaUrl,
             X509Certificate tsaCert, ContentSigner signingMechanism,
             String[] args, ZipFile zipFile)
             throws NoSuchAlgorithmException, InvalidKeyException, IOException,
@@ -2359,7 +2304,7 @@
             // Assemble parameters for the signing mechanism
             ContentSignerParameters params =
                 new JarSignerParameters(args, tsaUri, tsaCert, signature,
-                    signatureAlgorithm, certChain, crls, content, zipFile);
+                    signatureAlgorithm, certChain, content, zipFile);
 
             // Generate the signature block
             block = signingMechanism.generateSignedData(
@@ -2400,7 +2345,6 @@
     private byte[] signature;
     private String signatureAlgorithm;
     private X509Certificate[] signerCertificateChain;
-    private Set<X509CRL> crls;
     private byte[] content;
     private ZipFile source;
 
@@ -2409,8 +2353,7 @@
      */
     JarSignerParameters(String[] args, URI tsa, X509Certificate tsaCertificate,
         byte[] signature, String signatureAlgorithm,
-        X509Certificate[] signerCertificateChain, Set<X509CRL> crls,
-        byte[] content,
+        X509Certificate[] signerCertificateChain, byte[] content,
         ZipFile source) {
 
         if (signature == null || signatureAlgorithm == null ||
@@ -2423,7 +2366,6 @@
         this.signature = signature;
         this.signatureAlgorithm = signatureAlgorithm;
         this.signerCertificateChain = signerCertificateChain;
-        this.crls = crls;
         this.content = content;
         this.source = source;
     }
@@ -2499,13 +2441,4 @@
     public ZipFile getSource() {
         return source;
     }
-
-    @Override
-    public Set<X509CRL> getCRLs() {
-        if (crls == null) {
-            return Collections.emptySet();
-        } else {
-            return Collections.unmodifiableSet(crls);
-        }
-    }
 }
--- a/src/share/classes/sun/security/tools/JarSignerResources.java	Mon Feb 28 06:40:46 2011 -0500
+++ b/src/share/classes/sun/security/tools/JarSignerResources.java	Mon Feb 28 23:02:37 2011 +0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -74,8 +74,6 @@
                 "[-digestalg <algorithm>]    name of digest algorithm"},
         {".sigalg.algorithm.name.of.signature.algorithm",
                 "[-sigalg <algorithm>]       name of signature algorithm"},
-        {".crl.auto.file.include.CRL.in.signed.jar",
-                "[-crl[:auto| <file>]        include CRL in signed jar"},
         {".verify.verify.a.signed.JAR.file",
                 "[-verify]                   verify a signed JAR file"},
         {".verbose.suboptions.verbose.output.when.signing.verifying.",
@@ -193,7 +191,6 @@
         {"using.an.alternative.signing.mechanism",
                 "using an alternative signing mechanism"},
         {"entry.was.signed.on", "entry was signed on {0}"},
-        {"with.a.CRL.including.d.entries", "with a CRL including %d entries"},
         {"Warning.", "Warning: "},
         {"This.jar.contains.unsigned.entries.which.have.not.been.integrity.checked.",
                 "This jar contains unsigned entries which have not been integrity-checked. "},
--- a/src/share/classes/sun/security/tools/KeyTool.java	Mon Feb 28 06:40:46 2011 -0500
+++ b/src/share/classes/sun/security/tools/KeyTool.java	Mon Feb 28 23:02:37 2011 +0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,7 +25,6 @@
 
 package sun.security.tools;
 
-import sun.misc.SharedSecrets;
 import java.io.*;
 import java.security.CodeSigner;
 import java.security.KeyStore;
@@ -2311,16 +2310,6 @@
                                     out.println();
                                 }
                             }
-                            CRL[] crls = SharedSecrets
-                                    .getJavaSecurityCodeSignerAccess()
-                                    .getCRLs(signer);
-                            if (crls != null) {
-                                out.println(rb.getString("CRLs."));
-                                out.println();
-                                for (CRL crl: crls) {
-                                    printCRL(crl, out);
-                                }
-                            }
                         }
                     }
                 }
--- a/src/share/classes/sun/security/tools/TimestampedSigner.java	Mon Feb 28 06:40:46 2011 -0500
+++ b/src/share/classes/sun/security/tools/TimestampedSigner.java	Mon Feb 28 23:02:37 2011 +0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -38,7 +38,6 @@
 import java.util.List;
 
 import com.sun.jarsigner.*;
-import java.security.cert.X509CRL;
 import java.util.Arrays;
 import sun.security.pkcs.*;
 import sun.security.timestamp.*;
@@ -238,9 +237,8 @@
         AlgorithmId[] algorithms = {digestAlgorithmId};
 
         // Create the PKCS #7 signed data message
-        PKCS7 p7 =
-            new PKCS7(algorithms, contentInfo, signerCertificateChain,
-                    parameters.getCRLs().toArray(new X509CRL[parameters.getCRLs().size()]), signerInfos);
+        PKCS7 p7 = new PKCS7(algorithms, contentInfo, signerCertificateChain,
+                null, signerInfos);
         ByteArrayOutputStream p7out = new ByteArrayOutputStream();
         p7.encodeSignedData(p7out);
 
--- a/src/share/classes/sun/security/util/SignatureFileVerifier.java	Mon Feb 28 06:40:46 2011 -0500
+++ b/src/share/classes/sun/security/util/SignatureFileVerifier.java	Mon Feb 28 23:02:37 2011 +0800
@@ -37,7 +37,6 @@
 import sun.security.pkcs.*;
 import sun.security.timestamp.TimestampToken;
 import sun.misc.BASE64Decoder;
-import sun.misc.SharedSecrets;
 
 import sun.security.jca.Providers;
 
@@ -486,12 +485,7 @@
                 signers = new ArrayList<CodeSigner>();
             }
             // Append the new code signer
-            CodeSigner signer = new CodeSigner(certChain, getTimestamp(info));
-            if (block.getCRLs() != null) {
-                SharedSecrets.getJavaSecurityCodeSignerAccess().setCRLs(
-                        signer, block.getCRLs());
-            }
-            signers.add(signer);
+            signers.add(new CodeSigner(certChain, getTimestamp(info)));
 
             if (debug != null) {
                 debug.println("Signature Block Certificate: " +
--- a/test/sun/security/tools/jarsigner/crl.sh	Mon Feb 28 06:40:46 2011 -0500
+++ b/test/sun/security/tools/jarsigner/crl.sh	Mon Feb 28 23:02:37 2011 +0800
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2010, 2011, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -32,9 +32,6 @@
 fi
 
 # set platform-dependent variables
-# PF: platform name, say, solaris-sparc
-
-PF=""
 
 OS=`uname -s`
 case "$OS" in
@@ -47,54 +44,28 @@
 esac
 
 KS=crl.jks
-JFILE=crl.jar
 
 KT="$TESTJAVA${FS}bin${FS}keytool -storepass changeit -keypass changeit -keystore $KS"
-JAR=$TESTJAVA${FS}bin${FS}jar
-JARSIGNER=$TESTJAVA${FS}bin${FS}jarsigner
 
-rm $KS $JFILE 2> /dev/null
+rm $KS 2> /dev/null
 
-# Generates some crl files, each containing two entries
+# Test keytool -gencrl
 
 $KT -alias a -dname CN=a -keyalg rsa -genkey -validity 300
-$KT -alias a -gencrl -id 1:1 -id 2:2 -file crl1
-$KT -alias a -gencrl -id 3:3 -id 4:4 -file crl2
-$KT -alias b -dname CN=b -keyalg rsa -genkey -validity 300
-$KT -alias b -gencrl -id 5:1 -id 6:2 -file crl3
+$KT -alias a -gencrl -id 1:1 -id 2:2 -file crl1 || exit 1
+$KT -alias a -gencrl -id 3:3 -id 4:4 -file crl2 || exit 2
+$KT -alias a -gencrl -id 5:1 -id 6:2 -file crl3 || exit 4
 
-cat > ToURI.java <<EOF
-class ToURI {
-    public static void main(String[] args) throws Exception {
-        System.out.println(new java.io.File("crl1").toURI());
-    }
-}
-EOF
-$TESTJAVA${FS}bin${FS}javac ToURI.java
-$TESTJAVA${FS}bin${FS}java ToURI > uri
-$KT -alias c -dname CN=c -keyalg rsa -genkey -validity 300 \
-    -ext crl=uri:`cat uri`
+# Test keytool -printcrl
 
-echo A > A
+$KT -printcrl -file crl1 || exit 5
+$KT -printcrl -file crl2 || exit 6
+$KT -printcrl -file crl3 || exit 7
 
-# Test -crl:auto, cRLDistributionPoints is a local file
 
-$JAR cvf $JFILE A
-$JARSIGNER -keystore $KS -storepass changeit $JFILE c \
-        -crl:auto || exit 1
-$JARSIGNER -keystore $KS -verify -debug -strict $JFILE || exit 6
-$KT -printcert -jarfile $JFILE | grep CRLs || exit 7
+# Test keytool -ext crl
 
-# Test -crl <file>
-
-$JAR cvf $JFILE A
-$JARSIGNER -keystore $KS -storepass changeit $JFILE a \
-        -crl crl1 -crl crl2 || exit 2
-$JARSIGNER -keystore $KS -storepass changeit $JFILE b \
-        -crl crl3 -crl crl2 || exit 3
-$JARSIGNER -keystore $KS -verify -debug -strict $JFILE || exit 3
-$KT -printcert -jarfile $JFILE | grep CRLs || exit 4
-CRLCOUNT=`$KT -printcert -jarfile $JFILE | grep SerialNumber | wc -l`
-if [ $CRLCOUNT != 8 ]; then exit 5; fi
+$KT -alias b -dname CN=c -keyalg rsa -genkey -validity 300 \
+    -ext crl=uri:http://www.example.com/crl || exit 10
 
 exit 0