changeset 4559:0e6076fed003

7047200: keytool safe store Reviewed-by: xuelei
author weijun
date Fri, 09 Sep 2011 11:18:18 +0800
parents 6dab08f1cabb
children 0ba4b29c7d9a
files src/share/classes/sun/security/tools/KeyTool.java test/sun/security/tools/keytool/trystore.sh
diffstat 2 files changed, 75 insertions(+), 13 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/sun/security/tools/KeyTool.java	Thu Sep 08 09:04:28 2011 +0800
+++ b/src/share/classes/sun/security/tools/KeyTool.java	Fri Sep 09 11:18:18 2011 +0800
@@ -1141,17 +1141,14 @@
             if (token) {
                 keyStore.store(null, null);
             } else {
-                FileOutputStream fout = null;
-                try {
-                    fout = (nullStream ?
-                                        (FileOutputStream)null :
-                                        new FileOutputStream(ksfname));
-                    keyStore.store
-                        (fout,
-                        (storePassNew!=null) ? storePassNew : storePass);
-                } finally {
-                    if (fout != null) {
-                        fout.close();
+                char[] pass = (storePassNew!=null) ? storePassNew : storePass;
+                if (nullStream) {
+                    keyStore.store(null, pass);
+                } else {
+                    ByteArrayOutputStream bout = new ByteArrayOutputStream();
+                    keyStore.store(bout, pass);
+                    try (FileOutputStream fout = new FileOutputStream(ksfname)) {
+                        fout.write(bout.toByteArray());
                     }
                 }
             }
@@ -1399,7 +1396,7 @@
     private char[] promptForKeyPass(String alias, String orig, char[] origPass) throws Exception{
         if (P12KEYSTORE.equalsIgnoreCase(storetype)) {
             return origPass;
-        } else if (!token) {
+        } else if (!token && !protectedPath) {
             // Prompt for key password
             int count;
             for (count = 0; count < 3; count++) {
@@ -1446,7 +1443,7 @@
                 }
             }
         }
-        return null;    // PKCS11
+        return null;    // PKCS11, MSCAPI, or -protected
     }
     /**
      * Creates a new secret key.
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/tools/keytool/trystore.sh	Fri Sep 09 11:18:18 2011 +0800
@@ -0,0 +1,65 @@
+#
+# Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+
+# @test
+# @bug 7047200
+# @summary keytool can try save to a byte array before overwrite the file
+
+if [ "${TESTJAVA}" = "" ] ; then
+  JAVAC_CMD=`which javac`
+  TESTJAVA=`dirname $JAVAC_CMD`/..
+fi
+
+# set platform-dependent variables
+OS=`uname -s`
+case "$OS" in
+  Windows_* )
+    FS="\\"
+    ;;
+  * )
+    FS="/"
+    ;;
+esac
+
+rm trystore.jks 2> /dev/null
+
+KEYTOOL="${TESTJAVA}${FS}bin${FS}keytool -storetype jks -keystore trystore.jks"
+$KEYTOOL -genkeypair -alias a -dname CN=A -storepass changeit -keypass changeit
+$KEYTOOL -genkeypair -alias b -dname CN=B -storepass changeit -keypass changeit
+
+# We use -protected for JKS keystore. This is illegal so the command should
+# fail. Then we can check if the keystore is damaged.
+
+$KEYTOOL -genkeypair -protected -alias b -delete -debug
+
+if [ $? = 0 ]; then
+    echo "What? -protected works for JKS?"
+    exit 1
+fi
+
+$KEYTOOL -list -storepass changeit
+
+if [ $? != 0 ]; then
+    echo "Keystore file damaged"
+    exit 2
+fi