1   /*
2    * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
3    * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4    *
5    * This code is free software; you can redistribute it and/or modify it
6    * under the terms of the GNU General Public License version 2 only, as
7    * published by the Free Software Foundation.
8    *
9    * This code is distributed in the hope that it will be useful, but WITHOUT
10   * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11   * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
12   * version 2 for more details (a copy is included in the LICENSE file that
13   * accompanied this code).
14   *
15   * You should have received a copy of the GNU General Public License version
16   * 2 along with this work; if not, write to the Free Software Foundation,
17   * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18   *
19   * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20   * or visit www.oracle.com if you need additional information or have any
21   * questions.
22   */
23  
24  /*
25   * @test
26   * @bug 6958026
27   * @summary Problem with PKCS12 keystore
28   */
29  
30  import java.io.File;
31  import java.io.FileInputStream;
32  import java.io.FileOutputStream;
33  import java.security.AlgorithmParameters;
34  import java.security.KeyStore;
35  import java.security.cert.Certificate;
36  import java.security.cert.X509Certificate;
37  import javax.crypto.Cipher;
38  import javax.crypto.SecretKey;
39  import javax.crypto.SecretKeyFactory;
40  import javax.crypto.spec.PBEKeySpec;
41  import javax.crypto.spec.PBEParameterSpec;
42  import sun.security.pkcs.EncryptedPrivateKeyInfo;
43  import sun.security.tools.KeyTool;
44  import sun.security.util.ObjectIdentifier;
45  import sun.security.x509.AlgorithmId;
46  import sun.security.x509.X500Name;
47  
48  public class PKCS12SameKeyId {
49  
50      private static final String JKSFILE = "PKCS12SameKeyId.jks";
51      private static final String P12FILE = "PKCS12SameKeyId.p12";
52      private static final char[] PASSWORD = "changeit".toCharArray();
53      private static final int SIZE = 10;
54  
55      public static void main(String[] args) throws Exception {
56  
57          // Prepare a JKS keystore with many entries
58          new File(JKSFILE).delete();
59          for (int i=0; i<SIZE; i++) {
60              System.err.print(".");
61              String cmd = "-keystore " + JKSFILE
62                      + " -storepass changeit -keypass changeit "
63                      + "-genkeypair -alias p" + i + " -dname CN=" + i;
64              KeyTool.main(cmd.split(" "));
65          }
66  
67          // Prepare EncryptedPrivateKeyInfo parameters, copied from various
68          // places in PKCS12KeyStore.java
69          AlgorithmParameters algParams =
70                  AlgorithmParameters.getInstance("PBEWithSHA1AndDESede");
71          algParams.init(new PBEParameterSpec("12345678".getBytes(), 1024));
72          AlgorithmId algid = new AlgorithmId(
73                  new ObjectIdentifier("1.2.840.113549.1.12.1.3"), algParams);
74  
75          PBEKeySpec keySpec = new PBEKeySpec(PASSWORD);
76          SecretKeyFactory skFac = SecretKeyFactory.getInstance("PBE");
77          SecretKey skey = skFac.generateSecret(keySpec);
78  
79          Cipher cipher = Cipher.getInstance("PBEWithSHA1AndDESede");
80          cipher.init(Cipher.ENCRYPT_MODE, skey, algParams);
81  
82          // Pre-calculated keys and certs and aliases
83          byte[][] keys = new byte[SIZE][];
84          Certificate[][] certChains = new Certificate[SIZE][];
85          String[] aliases = new String[SIZE];
86  
87          // Reads from JKS keystore and pre-calculate
88          KeyStore ks = KeyStore.getInstance("jks");
89          ks.load(new FileInputStream(JKSFILE), PASSWORD);
90          for (int i=0; i<SIZE; i++) {
91              aliases[i] = "p" + i;
92              byte[] enckey = cipher.doFinal(
93                      ks.getKey(aliases[i], PASSWORD).getEncoded());
94              keys[i] = new EncryptedPrivateKeyInfo(algid, enckey).getEncoded();
95              certChains[i] = ks.getCertificateChain(aliases[i]);
96          }
97  
98          // Write into PKCS12 keystore. Use this overloaded version of
99          // setKeyEntry() to be as fast as possible, so that they would
100         // have same localKeyId.
101         KeyStore p12 = KeyStore.getInstance("pkcs12");
102         p12.load(null, PASSWORD);
103         for (int i=0; i<SIZE; i++) {
104             p12.setKeyEntry(aliases[i], keys[i], certChains[i]);
105         }
106         p12.store(new FileOutputStream(P12FILE), PASSWORD);
107 
108         // Check private keys still match certs
109         p12 = KeyStore.getInstance("pkcs12");
110         p12.load(new FileInputStream(P12FILE), PASSWORD);
111         for (int i=0; i<SIZE; i++) {
112             String a = "p" + i;
113             X509Certificate x = (X509Certificate)p12.getCertificate(a);
114             X500Name name = (X500Name)x.getSubjectDN();
115             if (!name.getCommonName().equals(""+i)) {
116                 throw new Exception(a + "'s cert is " + name);
117             }
118         }
119     }
120 }