changeset 7476:11438befdd4c

8007755: Support the logical grouping of keystores Reviewed-by: mullan
author vinnie
date Wed, 13 Feb 2013 19:40:51 +0000
parents 8181be9a3538
children efc66fe16f91
files src/share/classes/java/security/KeyStore.java src/share/classes/sun/security/provider/DomainKeyStore.java src/share/classes/sun/security/provider/PolicyParser.java src/share/classes/sun/security/provider/Sun.java src/share/classes/sun/security/provider/SunEntries.java src/share/classes/sun/security/util/Resources.java test/sun/security/provider/KeyStore/DKSTest.java test/sun/security/provider/KeyStore/DKSTest.sh test/sun/security/provider/KeyStore/domains.cfg test/sun/security/tools/keytool/AltProviderPath.sh test/sun/security/tools/keytool/DummyProvider.java
diffstat 11 files changed, 1614 insertions(+), 17 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/java/security/KeyStore.java	Wed Feb 13 21:06:30 2013 +0400
+++ b/src/share/classes/java/security/KeyStore.java	Wed Feb 13 19:40:51 2013 +0000
@@ -219,6 +219,150 @@
     }
 
     /**
+     * Configuration data that specifies the keystores in a keystore domain.
+     * A keystore domain is a collection of keystores that are presented as a
+     * single logical keystore. The configuration data is used during
+     * {@code KeyStore}
+     * {@link #load(KeyStore.LoadStoreParameter) load} and
+     * {@link #store(KeyStore.LoadStoreParameter) store} operations.
+     * <p>
+     * The following syntax is supported for configuration data:
+     * <pre>
+     *
+     *     domain <domainName> [<property> ...] {
+     *         keystore <keystoreName> [<property> ...] ;
+     *         ...
+     *     };
+     *     ...
+     *
+     * </pre>
+     * where {@code domainName} and {@code keystoreName} are identifiers
+     * and {@code property} is a key/value pairing. The key and value are
+     * separated by an 'equals' symbol and the value is enclosed in double
+     * quotes. A property value may be either a printable string or a binary
+     * string of colon-separated pairs of hexadecimal digits. Multi-valued
+     * properties are represented as a comma-separated list of values,
+     * enclosed in square brackets.
+     * See {@link Arrays#toString(java.lang.Object[])}.
+     * <p>
+     * To ensure that keystore entries are uniquely identified, each
+     * entry's alias is prefixed by its {@code keystoreName} followed
+     * by the entry name separator and each {@code keystoreName} must be
+     * unique within its domain. Entry name prefixes are omitted when
+     * storing a keystore.
+     * <p>
+     * Properties are context-sensitive: properties that apply to
+     * all the keystores in a domain are located in the domain clause,
+     * and properties that apply only to a specific keystore are located
+     * in that keystore's clause.
+     * Unless otherwise specified, a property in a keystore clause overrides
+     * a property of the same name in the domain clause. All property names
+     * are case-insensitive. The following properties are supported:
+     * <dl>
+     * <dt> {@code keystoreType="<type>"} </dt>
+     *     <dd> The keystore type. </dd>
+     * <dt> {@code keystoreURI="<url>"} </dt>
+     *     <dd> The keystore location. </dd>
+     * <dt> {@code keystoreProviderName="<name>"} </dt>
+     *     <dd> The name of the keystore's JCE provider. </dd>
+     * <dt> {@code keystorePasswordEnv="<environment-variable>"} </dt>
+     *     <dd> The environment variable that stores a keystore password.
+     *          Alternatively, passwords may be supplied to the constructor
+     *          method in a {@code Map<String, ProtectionParameter>}. </dd>
+     * <dt> {@code entryNameSeparator="<separator>"} </dt>
+     *     <dd> The separator between a keystore name prefix and an entry name.
+     *          When specified, it applies to all the entries in a domain.
+     *          Its default value is a space. </dd>
+     * </dl>
+     * <p>
+     * For example, configuration data for a simple keystore domain
+     * comprising three keystores is shown below:
+     * <pre>
+     *
+     * domain app1 {
+     *     keystore app1-truststore
+     *         keystoreURI="file:///app1/etc/truststore.jks"
+     *
+     *     keystore system-truststore
+     *         keystoreURI="${java.home}/lib/security/cacerts"
+     *
+     *     keystore app1-keystore
+     *         keystoreType="PKCS12"
+     *         keystoreURI="file:///app1/etc/keystore.p12"
+     * };
+     *
+     * </pre>
+     * @since 1.8
+     */
+    public static final class DomainLoadStoreParameter
+        implements LoadStoreParameter {
+
+        private final URI configuration;
+        private final Map<String,ProtectionParameter> protectionParams;
+
+        /**
+         * Constructs a DomainLoadStoreParameter for a keystore domain with
+         * the parameters used to protect keystore data.
+         *
+         * @param configuration identifier for the domain configuration data.
+         *     The name of the target domain should be specified in the
+         *     {@code java.net.URI} fragment component when it is necessary
+         *     to distinguish between several domain configurations at the
+         *     same location.
+         *
+         * @param protectionParams the map from keystore name to the parameter
+         *     used to protect keystore data.
+         *     A {@code java.util.Collections.EMPTY_MAP} should be used
+         *     when protection parameters are not required or when they have
+         *     been specified by properties in the domain configuration data.
+         *     It is cloned to prevent subsequent modification.
+         *
+         * @exception NullPointerExcetion if {@code configuration} or
+         *     {@code protectionParams} is {@code null}
+         */
+        public DomainLoadStoreParameter(URI configuration,
+            Map<String,ProtectionParameter> protectionParams) {
+            if (configuration == null || protectionParams == null) {
+                throw new NullPointerException("invalid null input");
+            }
+            this.configuration = configuration;
+            this.protectionParams =
+                Collections.unmodifiableMap(new HashMap<>(protectionParams));
+        }
+
+        /**
+         * Gets the identifier for the domain configuration data.
+         *
+         * @return the identifier for the configuration data
+         */
+        public URI getConfiguration() {
+            return configuration;
+        }
+
+        /**
+         * Gets the keystore protection parameters for keystores in this
+         * domain.
+         *
+         * @return an unmodifiable map of keystore names to protection
+         *     parameters
+         */
+        public Map<String,ProtectionParameter> getProtectionParams() {
+            return protectionParams;
+        }
+
+        /**
+         * Gets the keystore protection parameters for this domain.
+         * Keystore domains do not support a protection parameter.
+         *
+         * @return always returns {@code null}
+         */
+        @Override
+        public KeyStore.ProtectionParameter getProtectionParameter() {
+            return null;
+        }
+    }
+
+    /**
      * A marker interface for keystore protection parameters.
      *
      * <p> The information stored in a <code>ProtectionParameter</code>
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/share/classes/sun/security/provider/DomainKeyStore.java	Wed Feb 13 19:40:51 2013 +0000
@@ -0,0 +1,900 @@
+/*
+ * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.provider;
+
+import java.io.*;
+import java.net.*;
+import java.security.*;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
+import java.security.cert.CertificateException;
+import java.util.*;
+
+import sun.misc.IOUtils;
+import sun.security.pkcs.EncryptedPrivateKeyInfo;
+import sun.security.util.PolicyUtil;
+
+/**
+ * This class provides the domain keystore type identified as "DKS".
+ * DKS presents a collection of separate keystores as a single logical keystore.
+ * The collection of keystores is specified in a domain configuration file which
+ * is passed to DKS in a {@link KeyStore.DomainLoadStoreParameter}.
+ * <p>
+ * The following properties are supported:
+ * <dl>
+ * <dt> {@code keystoreType="<type>"} </dt>
+ *     <dd> The keystore type. </dd>
+ * <dt> {@code keystoreURI="<url>"} </dt>
+ *     <dd> The keystore location. </dd>
+ * <dt> {@code keystoreProviderName="<name>"} </dt>
+ *     <dd> The name of the keystore's JCE provider. </dd>
+ * <dt> {@code keystorePasswordEnv="<environment-variable>"} </dt>
+ *     <dd> The environment variable that stores a keystore password.
+ * <dt> {@code entryNameSeparator="<separator>"} </dt>
+ *     <dd> The separator between a keystore name prefix and an entry name.
+ *          When specified, it applies to all the entries in a domain.
+ *          Its default value is a space. </dd>
+ * </dl>
+ *
+ * @since 1.8
+ */
+
+abstract class DomainKeyStore extends KeyStoreSpi {
+
+    // regular DKS
+    public static final class DKS extends DomainKeyStore {
+        String convertAlias(String alias) {
+            return alias.toLowerCase(Locale.ENGLISH);
+        }
+    }
+
+    // DKS property names
+    private static final String ENTRY_NAME_SEPARATOR = "entrynameseparator";
+    private static final String KEYSTORE_PROVIDER_NAME = "keystoreprovidername";
+    private static final String KEYSTORE_TYPE = "keystoretype";
+    private static final String KEYSTORE_URI = "keystoreuri";
+    private static final String KEYSTORE_PASSWORD_ENV = "keystorepasswordenv";
+
+    // RegEx meta characters
+    private static final String REGEX_META = ".$|()[{^?*+\\";
+
+    // Default prefix for keystores loaded-by-stream
+    private static final String DEFAULT_STREAM_PREFIX = "iostream";
+    private int streamCounter = 1;
+    private String entryNameSeparator = " ";
+    private String entryNameSeparatorRegEx = " ";
+
+    // Default keystore type
+    private static final String DEFAULT_KEYSTORE_TYPE =
+        KeyStore.getDefaultType();
+
+    // Domain keystores
+    private final Map<String, KeyStore> keystores = new HashMap<>();
+
+    DomainKeyStore() {
+    }
+
+    // convert an alias to internal form, overridden in subclasses:
+    // lower case for regular DKS
+    abstract String convertAlias(String alias);
+
+    /**
+     * Returns the key associated with the given alias, using the given
+     * password to recover it.
+     *
+     * @param alias the alias name
+     * @param password the password for recovering the key
+     *
+     * @return the requested key, or null if the given alias does not exist
+     * or does not identify a <i>key entry</i>.
+     *
+     * @exception NoSuchAlgorithmException if the algorithm for recovering the
+     * key cannot be found
+     * @exception UnrecoverableKeyException if the key cannot be recovered
+     * (e.g., the given password is wrong).
+     */
+    public Key engineGetKey(String alias, char[] password)
+        throws NoSuchAlgorithmException, UnrecoverableKeyException
+    {
+        AbstractMap.SimpleEntry<String, Collection<KeyStore>> pair =
+            getKeystoresForReading(alias);
+        Key key = null;
+
+        try {
+            String entryAlias = pair.getKey();
+            for (KeyStore keystore : pair.getValue()) {
+                key = keystore.getKey(entryAlias, password);
+                if (key != null) {
+                    break;
+                }
+            }
+        } catch (KeyStoreException e) {
+            throw new IllegalStateException(e);
+        }
+
+        return key;
+    }
+
+    /**
+     * Returns the certificate chain associated with the given alias.
+     *
+     * @param alias the alias name
+     *
+     * @return the certificate chain (ordered with the user's certificate first
+     * and the root certificate authority last), or null if the given alias
+     * does not exist or does not contain a certificate chain (i.e., the given
+     * alias identifies either a <i>trusted certificate entry</i> or a
+     * <i>key entry</i> without a certificate chain).
+     */
+    public Certificate[] engineGetCertificateChain(String alias) {
+
+        AbstractMap.SimpleEntry<String, Collection<KeyStore>> pair =
+            getKeystoresForReading(alias);
+        Certificate[] chain = null;
+
+        try {
+            String entryAlias = pair.getKey();
+            for (KeyStore keystore : pair.getValue()) {
+                chain = keystore.getCertificateChain(entryAlias);
+                if (chain != null) {
+                    break;
+                }
+            }
+        } catch (KeyStoreException e) {
+            throw new IllegalStateException(e);
+        }
+
+        return chain;
+    }
+
+    /**
+     * Returns the certificate associated with the given alias.
+     *
+     * <p>If the given alias name identifies a
+     * <i>trusted certificate entry</i>, the certificate associated with that
+     * entry is returned. If the given alias name identifies a
+     * <i>key entry</i>, the first element of the certificate chain of that
+     * entry is returned, or null if that entry does not have a certificate
+     * chain.
+     *
+     * @param alias the alias name
+     *
+     * @return the certificate, or null if the given alias does not exist or
+     * does not contain a certificate.
+     */
+    public Certificate engineGetCertificate(String alias) {
+
+        AbstractMap.SimpleEntry<String, Collection<KeyStore>> pair =
+            getKeystoresForReading(alias);
+        Certificate cert = null;
+
+        try {
+            String entryAlias = pair.getKey();
+            for (KeyStore keystore : pair.getValue()) {
+                cert = keystore.getCertificate(entryAlias);
+                if (cert != null) {
+                    break;
+                }
+            }
+        } catch (KeyStoreException e) {
+            throw new IllegalStateException(e);
+        }
+
+        return cert;
+    }
+
+    /**
+     * Returns the creation date of the entry identified by the given alias.
+     *
+     * @param alias the alias name
+     *
+     * @return the creation date of this entry, or null if the given alias does
+     * not exist
+     */
+    public Date engineGetCreationDate(String alias) {
+
+        AbstractMap.SimpleEntry<String, Collection<KeyStore>> pair =
+            getKeystoresForReading(alias);
+        Date date = null;
+
+        try {
+            String entryAlias = pair.getKey();
+            for (KeyStore keystore : pair.getValue()) {
+                date = keystore.getCreationDate(entryAlias);
+                if (date != null) {
+                    break;
+                }
+            }
+        } catch (KeyStoreException e) {
+            throw new IllegalStateException(e);
+        }
+
+        return date;
+    }
+
+    /**
+     * Assigns the given private key to the given alias, protecting
+     * it with the given password as defined in PKCS8.
+     *
+     * <p>The given java.security.PrivateKey <code>key</code> must
+     * be accompanied by a certificate chain certifying the
+     * corresponding public key.
+     *
+     * <p>If the given alias already exists, the keystore information
+     * associated with it is overridden by the given key and certificate
+     * chain.
+     *
+     * @param alias the alias name
+     * @param key the private key to be associated with the alias
+     * @param password the password to protect the key
+     * @param chain the certificate chain for the corresponding public
+     * key (only required if the given key is of type
+     * <code>java.security.PrivateKey</code>).
+     *
+     * @exception KeyStoreException if the given key is not a private key,
+     * cannot be protected, or this operation fails for some other reason
+     */
+    public void engineSetKeyEntry(String alias, Key key, char[] password,
+                                  Certificate[] chain)
+        throws KeyStoreException
+    {
+        AbstractMap.SimpleEntry<String,
+            AbstractMap.SimpleEntry<String, KeyStore>> pair =
+                getKeystoreForWriting(alias);
+
+        if (pair == null) {
+            throw new KeyStoreException("Error setting key entry for '" +
+                alias + "'");
+        }
+        String entryAlias = pair.getKey();
+        Map.Entry<String, KeyStore> keystore = pair.getValue();
+        keystore.getValue().setKeyEntry(entryAlias, key, password, chain);
+    }
+
+    /**
+     * Assigns the given key (that has already been protected) to the given
+     * alias.
+     *
+     * <p>If the protected key is of type
+     * <code>java.security.PrivateKey</code>, it must be accompanied by a
+     * certificate chain certifying the corresponding public key. If the
+     * underlying keystore implementation is of type <code>jks</code>,
+     * <code>key</code> must be encoded as an
+     * <code>EncryptedPrivateKeyInfo</code> as defined in the PKCS #8 standard.
+     *
+     * <p>If the given alias already exists, the keystore information
+     * associated with it is overridden by the given key (and possibly
+     * certificate chain).
+     *
+     * @param alias the alias name
+     * @param key the key (in protected format) to be associated with the alias
+     * @param chain the certificate chain for the corresponding public
+     * key (only useful if the protected key is of type
+     * <code>java.security.PrivateKey</code>).
+     *
+     * @exception KeyStoreException if this operation fails.
+     */
+    public void engineSetKeyEntry(String alias, byte[] key,
+                                  Certificate[] chain)
+        throws KeyStoreException
+    {
+        AbstractMap.SimpleEntry<String,
+            AbstractMap.SimpleEntry<String, KeyStore>> pair =
+                getKeystoreForWriting(alias);
+
+        if (pair == null) {
+            throw new KeyStoreException(
+                "Error setting protected key entry for '" + alias + "'");
+        }
+        String entryAlias = pair.getKey();
+        Map.Entry<String, KeyStore> keystore = pair.getValue();
+        keystore.getValue().setKeyEntry(entryAlias, key, chain);
+    }
+
+    /**
+     * Assigns the given certificate to the given alias.
+     *
+     * <p>If the given alias already exists in this keystore and identifies a
+     * <i>trusted certificate entry</i>, the certificate associated with it is
+     * overridden by the given certificate.
+     *
+     * @param alias the alias name
+     * @param cert the certificate
+     *
+     * @exception KeyStoreException if the given alias already exists and does
+     * not identify a <i>trusted certificate entry</i>, or this operation
+     * fails for some other reason.
+     */
+    public void engineSetCertificateEntry(String alias, Certificate cert)
+        throws KeyStoreException
+    {
+        AbstractMap.SimpleEntry<String,
+            AbstractMap.SimpleEntry<String, KeyStore>> pair =
+                getKeystoreForWriting(alias);
+
+        if (pair == null) {
+            throw new KeyStoreException("Error setting certificate entry for '"
+                + alias + "'");
+        }
+        String entryAlias = pair.getKey();
+        Map.Entry<String, KeyStore> keystore = pair.getValue();
+        keystore.getValue().setCertificateEntry(entryAlias, cert);
+    }
+
+    /**
+     * Deletes the entry identified by the given alias from this keystore.
+     *
+     * @param alias the alias name
+     *
+     * @exception KeyStoreException if the entry cannot be removed.
+     */
+    public void engineDeleteEntry(String alias) throws KeyStoreException
+    {
+        AbstractMap.SimpleEntry<String,
+            AbstractMap.SimpleEntry<String, KeyStore>> pair =
+                getKeystoreForWriting(alias);
+
+        if (pair == null) {
+            throw new KeyStoreException("Error deleting entry for '" + alias +
+                "'");
+        }
+        String entryAlias = pair.getKey();
+        Map.Entry<String, KeyStore> keystore = pair.getValue();
+        keystore.getValue().deleteEntry(entryAlias);
+    }
+
+    /**
+     * Lists all the alias names of this keystore.
+     *
+     * @return enumeration of the alias names
+     */
+    public Enumeration<String> engineAliases() {
+        final Iterator<Map.Entry<String, KeyStore>> iterator =
+            keystores.entrySet().iterator();
+
+        return new Enumeration<String>() {
+            private int index = 0;
+            private Map.Entry<String, KeyStore> keystoresEntry = null;
+            private String prefix = null;
+            private Enumeration<String> aliases = null;
+
+            public boolean hasMoreElements() {
+                try {
+                    if (aliases == null) {
+                        if (iterator.hasNext()) {
+                            keystoresEntry = iterator.next();
+                            prefix = keystoresEntry.getKey() +
+                                entryNameSeparator;
+                            aliases = keystoresEntry.getValue().aliases();
+                        } else {
+                            return false;
+                        }
+                    }
+                    if (aliases.hasMoreElements()) {
+                        return true;
+                    } else {
+                        if (iterator.hasNext()) {
+                            keystoresEntry = iterator.next();
+                            prefix = keystoresEntry.getKey() +
+                                entryNameSeparator;
+                            aliases = keystoresEntry.getValue().aliases();
+                        } else {
+                            return false;
+                        }
+                    }
+                } catch (KeyStoreException e) {
+                    return false;
+                }
+
+                return aliases.hasMoreElements();
+            }
+
+            public String nextElement() {
+                if (hasMoreElements()) {
+                    return prefix + aliases.nextElement();
+                }
+                throw new NoSuchElementException();
+            }
+        };
+    }
+
+    /**
+     * Checks if the given alias exists in this keystore.
+     *
+     * @param alias the alias name
+     *
+     * @return true if the alias exists, false otherwise
+     */
+    public boolean engineContainsAlias(String alias) {
+
+        AbstractMap.SimpleEntry<String, Collection<KeyStore>> pair =
+            getKeystoresForReading(alias);
+
+        try {
+            String entryAlias = pair.getKey();
+            for (KeyStore keystore : pair.getValue()) {
+                if (keystore.containsAlias(entryAlias)) {
+                    return true;
+                }
+            }
+        } catch (KeyStoreException e) {
+            throw new IllegalStateException(e);
+        }
+
+        return false;
+    }
+
+    /**
+     * Retrieves the number of entries in this keystore.
+     *
+     * @return the number of entries in this keystore
+     */
+    public int engineSize() {
+
+        int size = 0;
+        try {
+            for (KeyStore keystore : keystores.values()) {
+                size += keystore.size();
+            }
+        } catch (KeyStoreException e) {
+            throw new IllegalStateException(e);
+        }
+
+        return size;
+    }
+
+    /**
+     * Returns true if the entry identified by the given alias is a
+     * <i>key entry</i>, and false otherwise.
+     *
+     * @return true if the entry identified by the given alias is a
+     * <i>key entry</i>, false otherwise.
+     */
+    public boolean engineIsKeyEntry(String alias) {
+
+        AbstractMap.SimpleEntry<String, Collection<KeyStore>> pair =
+            getKeystoresForReading(alias);
+
+        try {
+            String entryAlias = pair.getKey();
+            for (KeyStore keystore : pair.getValue()) {
+                if (keystore.isKeyEntry(entryAlias)) {
+                    return true;
+                }
+            }
+        } catch (KeyStoreException e) {
+            throw new IllegalStateException(e);
+        }
+
+        return false;
+    }
+
+    /**
+     * Returns true if the entry identified by the given alias is a
+     * <i>trusted certificate entry</i>, and false otherwise.
+     *
+     * @return true if the entry identified by the given alias is a
+     * <i>trusted certificate entry</i>, false otherwise.
+     */
+    public boolean engineIsCertificateEntry(String alias) {
+
+        AbstractMap.SimpleEntry<String, Collection<KeyStore>> pair =
+            getKeystoresForReading(alias);
+
+        try {
+            String entryAlias = pair.getKey();
+            for (KeyStore keystore : pair.getValue()) {
+                if (keystore.isCertificateEntry(entryAlias)) {
+                    return true;
+                }
+            }
+        } catch (KeyStoreException e) {
+            throw new IllegalStateException(e);
+        }
+
+        return false;
+    }
+
+    /*
+     * Returns a keystore entry alias and a list of target keystores.
+     * When the supplied alias prefix identifies a keystore then that single
+     * keystore is returned. When no alias prefix is supplied then all the
+     * keystores are returned.
+     */
+    private AbstractMap.SimpleEntry<String, Collection<KeyStore>>
+        getKeystoresForReading(String alias) {
+
+        String[] splits = alias.split(this.entryNameSeparatorRegEx, 2);
+        if (splits.length == 2) { // prefixed alias
+            KeyStore keystore = keystores.get(splits[0]);
+            if (keystore != null) {
+                return new AbstractMap.SimpleEntry<>(splits[1],
+                    (Collection<KeyStore>) Collections.singleton(keystore));
+            }
+        } else if (splits.length == 1) { // unprefixed alias
+            // Check all keystores for the first occurrence of the alias
+            return new AbstractMap.SimpleEntry<>(alias, keystores.values());
+        }
+        return new AbstractMap.SimpleEntry<>("",
+            (Collection<KeyStore>) Collections.<KeyStore>emptyList());
+    }
+
+    /*
+     * Returns a keystore entry alias and a single target keystore.
+     * An alias prefix must be supplied.
+     */
+    private
+    AbstractMap.SimpleEntry<String, AbstractMap.SimpleEntry<String, KeyStore>>
+        getKeystoreForWriting(String alias) {
+
+        String[] splits = alias.split(this.entryNameSeparator, 2);
+        if (splits.length == 2) { // prefixed alias
+            KeyStore keystore = keystores.get(splits[0]);
+            if (keystore != null) {
+                return new AbstractMap.SimpleEntry<>(splits[1],
+                    new AbstractMap.SimpleEntry<>(splits[0], keystore));
+            }
+        }
+        return null;
+    }
+
+    /**
+     * Returns the (alias) name of the first keystore entry whose certificate
+     * matches the given certificate.
+     *
+     * <p>This method attempts to match the given certificate with each
+     * keystore entry. If the entry being considered
+     * is a <i>trusted certificate entry</i>, the given certificate is
+     * compared to that entry's certificate. If the entry being considered is
+     * a <i>key entry</i>, the given certificate is compared to the first
+     * element of that entry's certificate chain (if a chain exists).
+     *
+     * @param cert the certificate to match with.
+     *
+     * @return the (alias) name of the first entry with matching certificate,
+     * or null if no such entry exists in this keystore.
+     */
+    public String engineGetCertificateAlias(Certificate cert) {
+
+        try {
+
+            String alias = null;
+            for (KeyStore keystore : keystores.values()) {
+                if ((alias = keystore.getCertificateAlias(cert)) != null) {
+                    break;
+                }
+            }
+            return alias;
+
+        } catch (KeyStoreException e) {
+            throw new IllegalStateException(e);
+        }
+    }
+
+    /**
+     * Stores this keystore to the given output stream, and protects its
+     * integrity with the given password.
+     *
+     * @param stream the output stream to which this keystore is written.
+     * @param password the password to generate the keystore integrity check
+     *
+     * @exception IOException if there was an I/O problem with data
+     * @exception NoSuchAlgorithmException if the appropriate data integrity
+     * algorithm could not be found
+     * @exception CertificateException if any of the certificates included in
+     * the keystore data could not be stored
+     */
+    public void engineStore(OutputStream stream, char[] password)
+        throws IOException, NoSuchAlgorithmException, CertificateException
+    {
+        // Support storing to a stream only when a single keystore has been
+        // configured
+        try {
+            if (keystores.size() == 1) {
+                keystores.values().iterator().next().store(stream, password);
+                return;
+            }
+        } catch (KeyStoreException e) {
+            throw new IllegalStateException(e);
+        }
+
+        throw new UnsupportedOperationException(
+            "This keystore must be stored using a " +
+            "KeyStore.DomainLoadStoreParameter");
+    }
+
+    @Override
+    public void engineStore(KeyStore.LoadStoreParameter param)
+        throws IOException, NoSuchAlgorithmException, CertificateException
+    {
+        if (param instanceof KeyStore.DomainLoadStoreParameter) {
+            KeyStore.DomainLoadStoreParameter domainParameter =
+                (KeyStore.DomainLoadStoreParameter) param;
+            List<KeyStoreBuilderComponents> builders = getBuilders(
+                domainParameter.getConfiguration(),
+                    domainParameter.getProtectionParams());
+
+            for (KeyStoreBuilderComponents builder : builders) {
+
+                try {
+
+                    KeyStore.ProtectionParameter pp = builder.protection;
+                    if (!(pp instanceof KeyStore.PasswordProtection)) {
+                        throw new KeyStoreException(
+                            new IllegalArgumentException("ProtectionParameter" +
+                                " must be a KeyStore.PasswordPartection"));
+                    }
+                    char[] password =
+                        ((KeyStore.PasswordProtection) builder.protection)
+                            .getPassword();
+
+                    // Store the keystores
+                    KeyStore keystore = keystores.get(builder.name);
+                    keystore.store(new FileOutputStream(builder.file),
+                        password);
+
+                } catch (KeyStoreException e) {
+                    throw new IOException(e);
+                }
+            }
+        } else {
+            throw new UnsupportedOperationException(
+                "This keystore must be stored using a " +
+                "KeyStore.DomainLoadStoreParameter");
+        }
+    }
+
+    /**
+     * Loads the keystore from the given input stream.
+     *
+     * <p>If a password is given, it is used to check the integrity of the
+     * keystore data. Otherwise, the integrity of the keystore is not checked.
+     *
+     * @param stream the input stream from which the keystore is loaded
+     * @param password the (optional) password used to check the integrity of
+     * the keystore.
+     *
+     * @exception IOException if there is an I/O or format problem with the
+     * keystore data
+     * @exception NoSuchAlgorithmException if the algorithm used to check
+     * the integrity of the keystore cannot be found
+     * @exception CertificateException if any of the certificates in the
+     * keystore could not be loaded
+     */
+    public void engineLoad(InputStream stream, char[] password)
+        throws IOException, NoSuchAlgorithmException, CertificateException
+    {
+        // Support loading from a stream only for a JKS or default type keystore
+        try {
+            KeyStore keystore = null;
+
+            try {
+                keystore = KeyStore.getInstance("JKS");
+                keystore.load(stream, password);
+
+            } catch (Exception e) {
+                // Retry
+                if (!"JKS".equalsIgnoreCase(DEFAULT_KEYSTORE_TYPE)) {
+                    keystore = KeyStore.getInstance(DEFAULT_KEYSTORE_TYPE);
+                    keystore.load(stream, password);
+                } else {
+                    throw e;
+                }
+            }
+            String keystoreName = DEFAULT_STREAM_PREFIX + streamCounter++;
+            keystores.put(keystoreName, keystore);
+
+        } catch (Exception e) {
+            throw new UnsupportedOperationException(
+                "This keystore must be loaded using a " +
+                "KeyStore.DomainLoadStoreParameter");
+        }
+    }
+
+    @Override
+    public void engineLoad(KeyStore.LoadStoreParameter param)
+        throws IOException, NoSuchAlgorithmException, CertificateException
+    {
+        if (param instanceof KeyStore.DomainLoadStoreParameter) {
+            KeyStore.DomainLoadStoreParameter domainParameter =
+                (KeyStore.DomainLoadStoreParameter) param;
+            List<KeyStoreBuilderComponents> builders = getBuilders(
+                domainParameter.getConfiguration(),
+                    domainParameter.getProtectionParams());
+
+            for (KeyStoreBuilderComponents builder : builders) {
+
+                try {
+                    // Load the keystores (file-based and non-file-based)
+                    if (builder.file != null) {
+                        keystores.put(builder.name,
+                            KeyStore.Builder.newInstance(builder.type,
+                                builder.provider, builder.file,
+                                builder.protection)
+                                    .getKeyStore());
+                    } else {
+                        keystores.put(builder.name,
+                            KeyStore.Builder.newInstance(builder.type,
+                                builder.provider, builder.protection)
+                                    .getKeyStore());
+                    }
+                } catch (KeyStoreException e) {
+                    throw new IOException(e);
+                }
+            }
+        } else {
+            throw new UnsupportedOperationException(
+                "This keystore must be loaded using a " +
+                "KeyStore.DomainLoadStoreParameter");
+        }
+    }
+
+    /*
+     * Parse a keystore domain configuration file and associated collection
+     * of keystore passwords to create a collection of KeyStore.Builder.
+     */
+    private List<KeyStoreBuilderComponents> getBuilders(URI configuration,
+        Map<String, KeyStore.ProtectionParameter> passwords)
+            throws IOException {
+
+        PolicyParser parser = new PolicyParser(true); // expand properties
+        Collection<PolicyParser.DomainEntry> domains = null;
+        List<KeyStoreBuilderComponents> builders = new ArrayList<>();
+        String uriDomain = configuration.getFragment();
+
+        try (InputStreamReader configurationReader =
+            new InputStreamReader(
+                PolicyUtil.getInputStream(configuration.toURL()), "UTF-8")) {
+            parser.read(configurationReader);
+            domains = parser.getDomainEntries();
+
+        } catch (MalformedURLException mue) {
+            throw new IOException(mue);
+
+        } catch (PolicyParser.ParsingException pe) {
+            throw new IOException(pe);
+        }
+
+        for (PolicyParser.DomainEntry domain : domains) {
+            Map<String, String> domainProperties = domain.getProperties();
+
+            if (uriDomain != null &&
+                (!uriDomain.equalsIgnoreCase(domain.getName()))) {
+                continue; // skip this domain
+            }
+
+            if (domainProperties.containsKey(ENTRY_NAME_SEPARATOR)) {
+                this.entryNameSeparator =
+                    domainProperties.get(ENTRY_NAME_SEPARATOR);
+                // escape any regex meta characters
+                char ch = 0;
+                StringBuilder s = new StringBuilder();
+                for (int i = 0; i < this.entryNameSeparator.length(); i++) {
+                    ch = this.entryNameSeparator.charAt(i);
+                    if (REGEX_META.indexOf(ch) != -1) {
+                        s.append('\\');
+                    }
+                    s.append(ch);
+                }
+                this.entryNameSeparatorRegEx = s.toString();
+            }
+
+            Collection<PolicyParser.KeyStoreEntry> keystores =
+                domain.getEntries();
+            for (PolicyParser.KeyStoreEntry keystore : keystores) {
+                String keystoreName = keystore.getName();
+                Map<String, String> properties =
+                    new HashMap<>(domainProperties);
+                properties.putAll(keystore.getProperties());
+
+                String keystoreType = DEFAULT_KEYSTORE_TYPE;
+                if (properties.containsKey(KEYSTORE_TYPE)) {
+                    keystoreType = properties.get(KEYSTORE_TYPE);
+                }
+
+                Provider keystoreProvider = null;
+                if (properties.containsKey(KEYSTORE_PROVIDER_NAME)) {
+                    String keystoreProviderName =
+                        properties.get(KEYSTORE_PROVIDER_NAME);
+                    keystoreProvider =
+                        Security.getProvider(keystoreProviderName);
+                    if (keystoreProvider == null) {
+                        throw new IOException("Error locating JCE provider: " +
+                            keystoreProviderName);
+                    }
+                }
+
+                File keystoreFile = null;
+                if (properties.containsKey(KEYSTORE_URI)) {
+                    String uri = properties.get(KEYSTORE_URI);
+
+                    try {
+                        if (uri.startsWith("file://")) {
+                            keystoreFile = new File(new URI(uri));
+                        } else {
+                            keystoreFile = new File(uri);
+                        }
+
+                    } catch (URISyntaxException | IllegalArgumentException e) {
+                        throw new IOException(
+                            "Error processing keystore property: " +
+                                "keystoreURI=\"" + uri + "\"", e);
+                    }
+                }
+
+                KeyStore.ProtectionParameter keystoreProtection = null;
+                if (passwords.containsKey(keystoreName)) {
+                    keystoreProtection = passwords.get(keystoreName);
+
+                } else if (properties.containsKey(KEYSTORE_PASSWORD_ENV)) {
+                    String env = properties.get(KEYSTORE_PASSWORD_ENV);
+                    String pwd = System.getenv(env);
+                    if (pwd != null) {
+                        keystoreProtection =
+                            new KeyStore.PasswordProtection(pwd.toCharArray());
+                    } else {
+                        throw new IOException(
+                            "Error processing keystore property: " +
+                                "keystorePasswordEnv=\"" + env + "\"");
+                    }
+                } else {
+                    keystoreProtection = new KeyStore.PasswordProtection(null);
+                }
+
+                builders.add(new KeyStoreBuilderComponents(keystoreName,
+                    keystoreType, keystoreProvider, keystoreFile,
+                    keystoreProtection));
+            }
+            break; // skip other domains
+        }
+        if (builders.isEmpty()) {
+            throw new IOException("Error locating domain configuration data " +
+                "for: " + configuration);
+        }
+
+        return builders;
+    }
+
+/*
+ * Utility class that holds the components used to construct a KeyStore.Builder
+ */
+class KeyStoreBuilderComponents {
+    String name;
+    String type;
+    Provider provider;
+    File file;
+    KeyStore.ProtectionParameter protection;
+
+    KeyStoreBuilderComponents(String name, String type, Provider provider,
+        File file, KeyStore.ProtectionParameter protection) {
+        this.name = name;
+        this.type = type;
+        this.provider = provider;
+        this.file = file;
+        this.protection = protection;
+    }
+}
+}
--- a/src/share/classes/sun/security/provider/PolicyParser.java	Wed Feb 13 21:06:30 2013 +0400
+++ b/src/share/classes/sun/security/provider/PolicyParser.java	Wed Feb 13 19:40:51 2013 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -32,12 +32,7 @@
 import java.security.GeneralSecurityException;
 import java.security.Principal;
 import java.text.MessageFormat;
-import java.util.Enumeration;
-import java.util.Hashtable;
-import java.util.Iterator;
-import java.util.LinkedList;
-import java.util.Vector;
-import java.util.StringTokenizer;
+import java.util.*;
 import javax.security.auth.x500.X500Principal;
 
 import sun.security.util.Debug;
@@ -97,6 +92,7 @@
 
 
     private Vector<GrantEntry> grantEntries;
+    private Map<String, DomainEntry> domainEntries;
 
     // Convenience variables for parsing
     private static final Debug debug = Debug.getInstance("parser",
@@ -195,9 +191,10 @@
          */
 
         lookahead = st.nextToken();
+        GrantEntry ge = null;
         while (lookahead != StreamTokenizer.TT_EOF) {
             if (peek("grant")) {
-                GrantEntry ge = parseGrantEntry();
+                ge = parseGrantEntry();
                 // could be null if we couldn't expand a property
                 if (ge != null)
                     add(ge);
@@ -209,6 +206,24 @@
                 // only one keystore passwordURL per policy file, others will be
                 // ignored
                 parseStorePassURL();
+            } else if (ge == null && keyStoreUrlString == null &&
+                storePassURL == null && peek("domain")) {
+                if (domainEntries == null) {
+                    domainEntries = new TreeMap<>();
+                }
+                DomainEntry de = parseDomainEntry();
+                if (de != null) {
+                    String domainName = de.getName();
+                    if (!domainEntries.containsKey(domainName)) {
+                        domainEntries.put(domainName, de);
+                    } else {
+                        MessageFormat form =
+                            new MessageFormat(ResourcesMgr.getString(
+                                "duplicate.keystore.domain.name"));
+                        Object[] source = {domainName};
+                        throw new ParsingException(form.format(source));
+                    }
+                }
             } else {
                 // error?
             }
@@ -304,6 +319,10 @@
         return grantEntries.elements();
     }
 
+    public Collection<DomainEntry> getDomainEntries() {
+        return domainEntries.values();
+    }
+
     /**
      * write out the policy
      */
@@ -633,6 +652,67 @@
         return e;
     }
 
+    /**
+     * parse a domain entry
+     */
+    private DomainEntry parseDomainEntry()
+        throws ParsingException, IOException
+    {
+        boolean ignoreEntry = false;
+        DomainEntry domainEntry;
+        String name = null;
+        Map<String, String> properties = new HashMap<>();
+
+        match("domain");
+        name = match("domain name");
+
+        while(!peek("{")) {
+            // get the domain properties
+            properties = parseProperties("{");
+        }
+        match("{");
+        domainEntry = new DomainEntry(name, properties);
+
+        while(!peek("}")) {
+
+            match("keystore");
+            name = match("keystore name");
+            // get the keystore properties
+            if (!peek("}")) {
+                properties = parseProperties(";");
+            }
+            match(";");
+            domainEntry.add(new KeyStoreEntry(name, properties));
+        }
+        match("}");
+
+        return (ignoreEntry == true) ? null : domainEntry;
+    }
+
+    /*
+     * Return a collection of domain properties or keystore properties.
+     */
+    private Map<String, String> parseProperties(String terminator)
+        throws ParsingException, IOException {
+
+        Map<String, String> properties = new HashMap<>();
+        String key;
+        String value;
+        while (!peek(terminator)) {
+            key = match("property name");
+            match("=");
+
+            try {
+                value = expand(match("quoted string"));
+            } catch (PropertyExpander.ExpandException peee) {
+                throw new IOException(peee.getLocalizedMessage());
+            }
+            properties.put(key.toLowerCase(), value);
+        }
+
+        return properties;
+    }
+
     // package-private: used by PolicyFile for static policy
     static String[] parseExtDirs(String codebase, int start) {
 
@@ -708,6 +788,10 @@
             if (expect.equalsIgnoreCase("*"))
                 found = true;
             break;
+        case ';':
+            if (expect.equalsIgnoreCase(";"))
+                found = true;
+            break;
         default:
 
         }
@@ -739,6 +823,11 @@
             } else if (expect.equalsIgnoreCase("principal type")) {
                 value = st.sval;
                 lookahead = st.nextToken();
+            } else if (expect.equalsIgnoreCase("domain name") ||
+                       expect.equalsIgnoreCase("keystore name") ||
+                       expect.equalsIgnoreCase("property name")) {
+                value = st.sval;
+                lookahead = st.nextToken();
             } else {
                  throw new ParsingException(st.lineno(), expect,
                                             st.sval);
@@ -788,6 +877,12 @@
             else
                 throw new ParsingException(st.lineno(), expect, "*");
             break;
+        case '=':
+            if (expect.equalsIgnoreCase("="))
+                lookahead = st.nextToken();
+            else
+                throw new ParsingException(st.lineno(), expect, "=");
+            break;
         default:
             throw new ParsingException(st.lineno(), expect,
                                new String(new char[] {(char)lookahead}));
@@ -1185,6 +1280,108 @@
         }
     }
 
+    /**
+     * Each domain entry in the keystore domain configuration file is
+     * represented by a DomainEntry object.
+     */
+    static class DomainEntry {
+        private final String name;
+        private final Map<String, String> properties;
+        private final Map<String, KeyStoreEntry> entries;
+
+        DomainEntry(String name, Map<String, String> properties) {
+            this.name = name;
+            this.properties = properties;
+            entries = new HashMap<>();
+        }
+
+        String getName() {
+            return name;
+        }
+
+        Map<String, String> getProperties() {
+            return properties;
+        }
+
+        Collection<KeyStoreEntry> getEntries() {
+            return entries.values();
+        }
+
+        void add(KeyStoreEntry entry) throws ParsingException {
+            String keystoreName = entry.getName();
+            if (!entries.containsKey(keystoreName)) {
+                entries.put(keystoreName, entry);
+            } else {
+                MessageFormat form = new MessageFormat(ResourcesMgr.getString(
+                    "duplicate.keystore.name"));
+                Object[] source = {keystoreName};
+                throw new ParsingException(form.format(source));
+            }
+        }
+
+        @Override
+        public String toString() {
+            StringBuilder s =
+                new StringBuilder("\ndomain ").append(name);
+
+            if (properties != null) {
+                for (Map.Entry<String, String> property :
+                    properties.entrySet()) {
+                    s.append("\n        ").append(property.getKey()).append('=')
+                        .append(property.getValue());
+                }
+            }
+            s.append(" {\n");
+
+            if (entries != null) {
+                for (KeyStoreEntry entry : entries.values()) {
+                    s.append(entry).append("\n");
+                }
+            }
+            s.append("}");
+
+            return s.toString();
+        }
+    }
+
+    /**
+     * Each keystore entry in the keystore domain configuration file is
+     * represented by a KeyStoreEntry object.
+     */
+
+    static class KeyStoreEntry {
+        private final String name;
+        private final Map<String, String> properties;
+
+        KeyStoreEntry(String name, Map<String, String> properties) {
+            this.name = name;
+            this.properties = properties;
+        }
+
+        String getName() {
+            return name;
+        }
+
+        Map<String, String>  getProperties() {
+            return properties;
+        }
+
+        @Override
+        public String toString() {
+            StringBuilder s = new StringBuilder("\n    keystore ").append(name);
+            if (properties != null) {
+                for (Map.Entry<String, String> property :
+                    properties.entrySet()) {
+                    s.append("\n        ").append(property.getKey()).append('=')
+                        .append(property.getValue());
+                }
+            }
+            s.append(";");
+
+            return s.toString();
+        }
+    }
+
     public static class ParsingException extends GeneralSecurityException {
 
         private static final long serialVersionUID = -4330692689482574072L;
--- a/src/share/classes/sun/security/provider/Sun.java	Wed Feb 13 21:06:30 2013 +0400
+++ b/src/share/classes/sun/security/provider/Sun.java	Wed Feb 13 19:40:51 2013 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -40,13 +40,14 @@
 
     private static final String INFO = "SUN " +
     "(DSA key/parameter generation; DSA signing; SHA-1, MD5 digests; " +
-    "SecureRandom; X.509 certificates; JKS keystore; PKIX CertPathValidator; " +
+    "SecureRandom; X.509 certificates; JKS & DKS keystores; " +
+    "PKIX CertPathValidator; " +
     "PKIX CertPathBuilder; LDAP, Collection CertStores, JavaPolicy Policy; " +
     "JavaLoginConfig Configuration)";
 
     public Sun() {
         /* We are the SUN provider */
-        super("SUN", 1.7, INFO);
+        super("SUN", 1.8, INFO);
 
         // if there is no security manager installed, put directly into
         // the provider. Otherwise, create a temporary map and use a
--- a/src/share/classes/sun/security/provider/SunEntries.java	Wed Feb 13 21:06:30 2013 +0400
+++ b/src/share/classes/sun/security/provider/SunEntries.java	Wed Feb 13 19:40:51 2013 +0000
@@ -208,6 +208,7 @@
         map.put("KeyStore.JKS", "sun.security.provider.JavaKeyStore$JKS");
         map.put("KeyStore.CaseExactJKS",
                         "sun.security.provider.JavaKeyStore$CaseExactJKS");
+        map.put("KeyStore.DKS", "sun.security.provider.DomainKeyStore$DKS");
 
         /*
          * Policy
--- a/src/share/classes/sun/security/util/Resources.java	Wed Feb 13 21:06:30 2013 +0400
+++ b/src/share/classes/sun/security/util/Resources.java	Wed Feb 13 19:40:51 2013 +0000
@@ -127,6 +127,8 @@
         {"multiple.Codebase.expressions",
                 "multiple Codebase expressions"},
         {"multiple.SignedBy.expressions","multiple SignedBy expressions"},
+        {"duplicate.keystore.domain.name","duplicate keystore domain name: {0}"},
+        {"duplicate.keystore.name","duplicate keystore name: {0}"},
         {"SignedBy.has.empty.alias","SignedBy has empty alias"},
         {"can.not.specify.Principal.with.a.wildcard.class.without.a.wildcard.name",
                 "can not specify Principal with a wildcard class without a wildcard name"},
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/provider/KeyStore/DKSTest.java	Wed Feb 13 19:40:51 2013 +0000
@@ -0,0 +1,203 @@
+/*
+ * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * see ./DKSTest.sh
+ */
+
+import java.io.*;
+import java.net.*;
+import java.security.*;
+import java.security.KeyStore;
+import java.security.cert.*;
+import java.security.cert.Certificate;
+import java.util.*;
+
+// Load and store entries in domain keystores
+
+public class DKSTest {
+
+    private static final String TEST_SRC = System.getProperty("test.src");
+    private static final String CERT = TEST_SRC + "/../../pkcs12/trusted.pem";
+    private static final String CONFIG = "file://" + TEST_SRC + "/domains.cfg";
+    private static final Map<String, KeyStore.ProtectionParameter> PASSWORDS =
+        new HashMap<String, KeyStore.ProtectionParameter>() {{
+            put("keystore",
+                new KeyStore.PasswordProtection("test123".toCharArray()));
+            put("policy_keystore",
+                new KeyStore.PasswordProtection(
+                    "Alias.password".toCharArray()));
+            put("pw_keystore",
+                new KeyStore.PasswordProtection("test12".toCharArray()));
+            put("eckeystore1",
+                new KeyStore.PasswordProtection("password".toCharArray()));
+            put("eckeystore2",
+                new KeyStore.PasswordProtection("password".toCharArray()));
+            put("truststore",
+                new KeyStore.PasswordProtection("changeit".toCharArray()));
+            put("empty",
+                new KeyStore.PasswordProtection("passphrase".toCharArray()));
+        }};
+
+    public static void main(String[] args) throws Exception {
+        try {
+            main0();
+        } finally {
+            // cleanup
+            new File(TEST_SRC + "/empty.jks").delete();
+            new File(TEST_SRC + "/Alias.keystore_tmp").delete();
+            new File(TEST_SRC + "/pw.jks_tmp").delete();
+            new File(TEST_SRC + "/secp256r1server-secp384r1ca.p12_tmp").delete();
+            new File(TEST_SRC + "/sect193r1server-rsa1024ca.p12_tmp").delete();
+        }
+    }
+
+    private static void main0() throws Exception {
+        /*
+         * domain keystore: system
+         */
+        URI config = new URI(CONFIG + "#system");
+        int cacertsCount;
+        int expected;
+        KeyStore keystore = KeyStore.getInstance("DKS");
+        // load entries
+        keystore.load(
+            new KeyStore.DomainLoadStoreParameter(config, PASSWORDS));
+        cacertsCount = expected = keystore.size();
+        System.out.println("\nLoading domain keystore: " + config + "\t[" +
+            expected + " entries]");
+        checkEntries(keystore, expected);
+
+        /*
+         * domain keystore: system_plus
+         */
+        config = new URI(CONFIG + "#system_plus");
+        expected = cacertsCount + 1;
+        keystore = KeyStore.getInstance("DKS");
+        // load entries
+        keystore.load(
+            new KeyStore.DomainLoadStoreParameter(config, PASSWORDS));
+        System.out.println("\nLoading domain keystore: " + config + "\t[" +
+            expected + " entries]");
+        checkEntries(keystore, expected);
+
+        /*
+         * domain keystore: system_env
+         */
+        config = new URI(CONFIG + "#system_env");
+        expected = 1 + cacertsCount;
+        keystore = KeyStore.getInstance("DKS");
+        // load entries
+        keystore.load(
+            new KeyStore.DomainLoadStoreParameter(config,
+                Collections.<String, KeyStore.ProtectionParameter>emptyMap()));
+        System.out.println("\nLoading domain keystore: " + config + "\t[" +
+            expected + " entries]");
+        checkEntries(keystore, expected);
+
+        /*
+         * domain keystore: empty
+         */
+        KeyStore empty = KeyStore.getInstance("JKS");
+        empty.load(null, null);
+
+        try (OutputStream outStream =
+            new FileOutputStream(TEST_SRC + "/empty.jks")) {
+            empty.store(outStream, "passphrase".toCharArray());
+        }
+        config = new URI(CONFIG + "#empty");
+        expected = 0;
+        keystore = KeyStore.getInstance("DKS");
+        // load entries
+        keystore.load(
+            new KeyStore.DomainLoadStoreParameter(config, PASSWORDS));
+        System.out.println("\nLoading domain keystore: " + config + "\t[" +
+            expected + " entries]");
+        checkEntries(keystore, expected);
+
+        /*
+         * domain keystore: keystores
+         */
+        config = new URI(CONFIG + "#keystores");
+        expected = 2 + 1 + 1 + 1;
+        keystore = KeyStore.getInstance("DKS");
+        // load entries
+        keystore.load(
+            new KeyStore.DomainLoadStoreParameter(config, PASSWORDS));
+        System.out.println("\nLoading domain keystore: " + config + "\t[" +
+            expected + " entries]");
+        checkEntries(keystore, expected);
+        // set a new trusted certificate entry
+        Certificate cert = loadCertificate(CERT);
+        String alias = "pw_keystore tmp-cert";
+        System.out.println("Setting new trusted certificate entry: " + alias);
+        keystore.setEntry(alias,
+            new KeyStore.TrustedCertificateEntry(cert), null);
+        expected++;
+        // store entries
+        config = new URI(CONFIG + "#keystores_tmp");
+        System.out.println("Storing domain keystore: " + config + "\t[" +
+            expected + " entries]");
+        keystore.store(
+            new KeyStore.DomainLoadStoreParameter(config, PASSWORDS));
+        keystore = KeyStore.getInstance("DKS");
+        // reload entries
+        keystore.load(
+            new KeyStore.DomainLoadStoreParameter(config, PASSWORDS));
+        System.out.println("Reloading domain keystore: " + config + "\t[" +
+            expected + " entries]");
+        checkEntries(keystore, expected);
+        // get the new trusted certificate entry
+        System.out.println("Getting new trusted certificate entry: " + alias);
+        if (!keystore.isCertificateEntry(alias)) {
+            throw new Exception("Error: cannot retrieve certificate entry: " +
+                alias);
+        }
+        keystore.setEntry(alias,
+            new KeyStore.TrustedCertificateEntry(cert), null);
+    }
+
+    private static void checkEntries(KeyStore keystore, int expected)
+        throws Exception {
+        int i = 0;
+        for (String alias : Collections.list(keystore.aliases())) {
+            System.out.print(".");
+            i++;
+        }
+        System.out.println();
+        if (expected != i) {
+            throw new Exception("Error: unexpected entry count in keystore: " +
+                "loaded=" + i + ", expected=" + expected);
+        }
+    }
+
+    private static Certificate loadCertificate(String certFile)
+        throws Exception {
+        X509Certificate cert = null;
+        try (FileInputStream certStream = new FileInputStream(certFile)) {
+            CertificateFactory factory =
+                CertificateFactory.getInstance("X.509");
+            return factory.generateCertificate(certStream);
+        }
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/provider/KeyStore/DKSTest.sh	Wed Feb 13 19:40:51 2013 +0000
@@ -0,0 +1,84 @@
+#! /bin/sh
+
+#
+# Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+
+# @test
+# @bug 8007755
+# @summary Support the logical grouping of keystores
+
+# set a few environment variables so that the shell-script can run stand-alone
+# in the source directory
+if [ "${TESTSRC}" = "" ] ; then
+   TESTSRC="."
+fi
+
+if [ "${TESTCLASSES}" = "" ] ; then
+   TESTCLASSES="."
+fi
+
+if [ "${TESTJAVA}" = "" ] ; then
+   echo "TESTJAVA not set.  Test cannot execute."
+   echo "FAILED!!!"
+   exit 1
+fi
+
+if [ "${COMPILEJAVA}" = "" ]; then
+    COMPILEJAVA="${TESTJAVA}"
+fi
+
+# set platform-dependent variables
+OS=`uname -s`
+case "$OS" in
+  SunOS )
+    PS=":"
+    FS="/"
+    ;;
+  Linux )
+    PS=":"
+    FS="/"
+    ;;
+  Darwin )
+    PS=":"
+    FS="/"
+    ;;
+  CYGWIN* )
+    PS=";"
+    FS="/"
+    ;;
+  Windows* )
+    PS=";"
+    FS="\\"
+    ;;
+  * )
+    echo "Unrecognized system!"
+    exit 1;
+    ;;
+esac
+
+${COMPILEJAVA}${FS}bin${FS}javac -d .  ${TESTSRC}${FS}DKSTest.java
+
+KEYSTORE_PWD=test12 TRUSTSTORE_PWD=changeit \
+  ${TESTJAVA}${FS}bin${FS}java ${TESTVMOPTS} -Dtest.src=${TESTSRC} DKSTest
+
+exit $status
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/provider/KeyStore/domains.cfg	Wed Feb 13 19:40:51 2013 +0000
@@ -0,0 +1,65 @@
+// domain containing a single keystore
+domain system {
+    keystore truststore 
+        keystoreType="JKS"
+        keystoreURI="${java.home}/lib/security/cacerts";
+};
+
+// domain containing two JKS keystores
+domain system_plus {
+    keystore truststore 
+        keystoreType="JKS"
+        keystoreURI="${java.home}/lib/security/cacerts";
+    keystore pw_keystore 
+        keystoreType="JKS"
+        keystoreURI="${test.src}/pw.jks";
+};
+
+// domain containing a mixture of keystores
+domain keystores
+    keystoreType="PKCS12" {
+        keystore policy_keystore 
+            keystoreType="JKS"
+            keystoreURI="${test.src}/../PolicyFile/Alias.keystore";
+        keystore pw_keystore 
+            keystoreType="CaseExactJKS"
+            keystoreURI="${test.src}/pw.jks";
+        keystore eckeystore1
+            keystoreURI="${test.src}/../../pkcs11/ec/pkcs12/sect193r1server-rsa1024ca.p12";
+        keystore eckeystore2 
+            keystoreURI="${test.src}/../../pkcs11/ec/pkcs12/secp256r1server-secp384r1ca.p12";
+};
+
+// domain containing a mixture of keystores
+domain keystores_tmp
+    keystoreType="PKCS12" {
+        keystore policy_keystore 
+            keystoreType="JKS"
+            keystoreURI="${test.src}/Alias.keystore_tmp";
+        keystore pw_keystore 
+            keystoreType="CaseExactJKS"
+            keystoreURI="${test.src}/pw.jks_tmp";
+        keystore eckeystore1
+            keystoreURI="${test.src}/sect193r1server-rsa1024ca.p12_tmp";
+        keystore eckeystore2 
+            keystoreURI="${test.src}/secp256r1server-secp384r1ca.p12_tmp";
+};
+
+// domain where passwords are supplied via environment variables
+domain system_env 
+    keystoreType="JKS"
+    keystorePasswordEnv="KEYSTORE_PWD" {
+        keystore env_keystore
+            keystoreURI="${test.src}/pw.jks";
+        keystore env_truststore
+            keystoreURI="${java.home}/lib/security/cacerts"
+            keystorePasswordEnv="TRUSTSTORE_PWD";
+};
+
+// empty domain
+domain empty
+    keystoreType="JKS"
+    keystoreProviderName="SUN" {
+        keystore empty
+            keystoreURI="${test.src}/empty.jks";
+};
--- a/test/sun/security/tools/keytool/AltProviderPath.sh	Wed Feb 13 21:06:30 2013 +0400
+++ b/test/sun/security/tools/keytool/AltProviderPath.sh	Wed Feb 13 19:40:51 2013 +0000
@@ -73,7 +73,7 @@
     -keyalg "RSA" -keysize 1024 -sigalg "ShA1WithRSA" \
     -dname "cn=Dummy Test CA, ou=JSN, o=JavaSoft, c=US" -validity 3650 \
     -keypass storepass -keystore keystoreCA.dks -storepass storepass \
-    -storetype "dks" -provider "org.test.dummy.DummyProvider" \
+    -storetype "dummyks" -provider "org.test.dummy.DummyProvider" \
     -providerPath ${TESTCLASSES}
 
 if [ $? -ne 0 ]; then
@@ -82,7 +82,7 @@
 
 #Change keystore password
 ${TESTJAVA}${FS}bin${FS}keytool -storepasswd -new storepass2 \
-    -keystore keystoreCA.dks -storetype "dks" -storepass storepass \
+    -keystore keystoreCA.dks -storetype "dummyks" -storepass storepass \
     -provider "org.test.dummy.DummyProvider" -providerPath ${TESTCLASSES}
 
 if [ $? -ne 0 ]; then
@@ -93,7 +93,7 @@
 #Change keystore key password
 ${TESTJAVA}${FS}bin${FS}keytool -keypasswd -alias "dummyTestCA" \
     -keypass storepass -new keypass -keystore keystoreCA.dks \
-    -storetype "dks" -storepass storepass2 \
+    -storetype "dummyks" -storepass storepass2 \
     -provider "org.test.dummy.DummyProvider" -providerPath ${TESTCLASSES}
 
 if [ $? -ne 0 ]; then
@@ -102,7 +102,7 @@
 
 #Export certificate
 ${TESTJAVA}${FS}bin${FS}keytool -v -export -rfc -alias "dummyTestCA" \
-    -file "dummyTestCA.der" -keystore keystoreCA.dks -storetype "dks" \
+    -file "dummyTestCA.der" -keystore keystoreCA.dks -storetype "dummyks" \
     -storepass storepass2 -provider "org.test.dummy.DummyProvider" \
     -providerPath ${TESTCLASSES}
 
@@ -112,7 +112,7 @@
 
 #list keystore
 ${TESTJAVA}${FS}bin${FS}keytool -v -list -keystore keystoreCA.dks \
-    -storetype "dks" -storepass storepass2 \
+    -storetype "dummyks" -storepass storepass2 \
     -provider "org.test.dummy.DummyProvider" -providerPath ${TESTCLASSES}
 
 if [ $? -ne 0 ]; then
--- a/test/sun/security/tools/keytool/DummyProvider.java	Wed Feb 13 21:06:30 2013 +0400
+++ b/test/sun/security/tools/keytool/DummyProvider.java	Wed Feb 13 19:40:51 2013 +0000
@@ -40,7 +40,7 @@
         //
         // KeyStore
         //
-        put("KeyStore.DKS", "sun.security.provider.JavaKeyStore$JKS");
+        put("KeyStore.DummyKS", "sun.security.provider.JavaKeyStore$JKS");
 
         //
         // Signature engines