Backport 82c8b28f4005c3c335d4fd60c2e3b55adfd200c6

TheRealMDoerr · Aug 9, 2023 · b2bafb9 · b2bafb9
1 parent 9c8731b
commit b2bafb9
Show file tree

Hide file tree

Showing 4 changed files with 202 additions and 247 deletions.
diff --git a/test/jdk/ProblemList.txt b/test/jdk/ProblemList.txt
@@ -635,8 +635,6 @@ com/sun/nio/sctp/SctpChannel/SocketOptionTests.java             8141694 linux-al
 
 sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java            8161536 generic-all
 
-sun/security/tools/keytool/ListKeychainStore.sh                 8156889 macosx-all
-
 javax/net/ssl/DTLS/CipherSuite.java                             8202059 macosx-x64
 
 sun/security/smartcardio/TestChannel.java                       8039280 generic-all

diff --git a/test/jdk/sun/security/tools/keytool/ExportPrivateKeyNoPwd.java b/test/jdk/sun/security/tools/keytool/ExportPrivateKeyNoPwd.java
diff --git a/test/jdk/sun/security/tools/keytool/ListKeyChainStore.java b/test/jdk/sun/security/tools/keytool/ListKeyChainStore.java
@@ -0,0 +1,202 @@
+/*
+ * Copyright (c) 2012, 2023, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 7133495 8062264 8046777 8153005
+ * @summary KeyChain KeyStore implementation retrieves only one private key entry
+ * @requires (os.family == "mac")
+ * @library /test/lib
+ * @run main/othervm/manual ListKeyChainStore
+ */
+
+import jdk.test.lib.SecurityTools;
+import jdk.test.lib.process.ProcessTools;
+
+import java.io.*;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.security.Key;
+import java.security.KeyStore;
+import java.security.PrivateKey;
+
+public class ListKeyChainStore {
+    private static final String PWD = "xxxxxx";
+    private static final String DEFAULT_KEYTOOL = "-list -storetype KeychainStore " +
+            "-keystore NONE -storepass " + PWD;
+    private static final String USER_DIR = System.getProperty("user.dir", ".");
+    private static final String FS = System.getProperty("file.separator");
+    private static final String PKCS12_KEYSTORE = USER_DIR + FS + "7133495.p12";
+    private static final String KEYCHAIN_FILE = USER_DIR + FS + "7133495.keychain";
+    private static final String TEMPORARY_FILE = USER_DIR + FS + "7133495.tmp";
+    private static final String USER_KEYCHAIN_LIST = USER_DIR + FS + "user.keychain.list";
+    private static final String PRIVATE_KEY_ENTRY = "PrivateKeyEntry";
+
+    public static void main(String[] args) throws Throwable {
+        LOG_MSG("WARNING: This test doesn't work on macOS virtualized environment. " +
+                "`security list-keychains -s` doesn't update the search order.");
+
+        deleteTestTempFilesIfExists();
+
+        // Get the old security keychain list to restore later
+        try (PrintStream printStream = new PrintStream(USER_KEYCHAIN_LIST)) {
+            ProcessTools.executeCommand("sh", "-c", "security list-keychains")
+                    .shouldHaveExitValue(0).outputTo(printStream);
+        }
+
+        try {
+            try (PrintStream printStream = new PrintStream(TEMPORARY_FILE)) {
+                SecurityTools.keytool(DEFAULT_KEYTOOL).shouldHaveExitValue(0)
+                        .outputTo(printStream);
+            }
+            int oldPrivateKeyCount = countOccurrences(TEMPORARY_FILE, PRIVATE_KEY_ENTRY);
+            LOG_MSG("Found " + oldPrivateKeyCount + " private key entries in the " +
+                    "Keychain keystore");
+
+            // Create the PKCS12 keystore containing 3 public/private key pairs
+            LOG_MSG("Creating PKCS12 keystore: " + PKCS12_KEYSTORE);
+            for (int i = 0; i < 3; i++) {
+                // Use legacy encryption and MAC algorithms, refer macOS open radar FB8988319
+                // macOS security framework doesn't work with the latest algorithms
+                SecurityTools.keytool(String.format("-J-Dkeystore.pkcs12.legacy -genkeypair" +
+                                " -storetype PKCS12 -keystore %s -storepass %s -keyalg rsa  -dname " +
+                                "CN=CN%d,OU=OU%d,O=O%d,ST=ST%d,C=US -alias 7133495-%d",
+                        PKCS12_KEYSTORE, PWD, i, i, i, i, i)).shouldHaveExitValue(0);
+            }
+
+            // Create the keychain
+            LOG_MSG("Creating keychain: " + KEYCHAIN_FILE);
+            ProcessTools.executeCommand("sh", "-c", String.format("security create-keychain" +
+                    " -p %s %s", PWD, KEYCHAIN_FILE)).shouldHaveExitValue(0);
+
+            // Unlock the keychain
+            LOG_MSG("Unlock keychain: " + KEYCHAIN_FILE);
+            ProcessTools.executeCommand("sh", "-c", String.format("security unlock-keychain" +
+                    " -p %s %s", PWD, KEYCHAIN_FILE)).shouldHaveExitValue(0);
+
+            // Import the key pairs from the PKCS12 keystore into the keychain
+            // The '-A' option is used to lower the keychain's access controls
+            LOG_MSG("Importing the key pairs from " + PKCS12_KEYSTORE
+                    + " to " + KEYCHAIN_FILE);
+            ProcessTools.executeCommand("sh", "-c", String.format("security import %s -k %s" +
+                    " -f pkcs12 -P %s -A", PKCS12_KEYSTORE, KEYCHAIN_FILE, PWD)).shouldHaveExitValue(0);
+
+            // Generate a 2048-bit RSA keypair and import into the keychain
+            // Its private key is configured with non-default key usage settings
+            ProcessTools.executeCommand("sh", "-c", String.format("certtool ca k=%s " +
+                    "<<EOF\n" +
+                    "test\n" +
+                    "r\n" +
+                    "2048\n" +
+                    "y\n" +
+                    "b\n" +
+                    "s\n" +
+                    "y\n" +
+                    "A\n" +
+                    "US\n" +
+                    "A\n" +
+                    "A\n" +
+                    "\n" +
+                    "\n" +
+                    "y\n" +
+                    "EOF", KEYCHAIN_FILE)).shouldHaveExitValue(0);
+
+            // Adjust the keychain search order to add KEYCHAIN_FILE to top
+            try (PrintStream printStream = new PrintStream(TEMPORARY_FILE)) {
+                printStream.println("\"" + KEYCHAIN_FILE + "\"");
+                printStream.println(ProcessTools.executeCommand("sh", "-c", "security list-keychains")
+                        .shouldHaveExitValue(0).getOutput());
+            }
+            ProcessTools.executeCommand("sh", "-c", String.format("security list-keychains -s %s",
+                    ProcessTools.executeCommand("sh", "-c", String.format("xargs < %s",
+                            TEMPORARY_FILE)).getOutput()));
+            LOG_MSG("Keychain search order:");
+            ProcessTools.executeCommand("sh", "-c", "security list-keychains");
+
+            // Recount the number of private key entries in the Keychain keystore
+            // 3 private keys imported from PKCS12, 1 private key generated by 'certtool'
+            Files.deleteIfExists(Paths.get(TEMPORARY_FILE));
+            try (PrintStream printStream = new PrintStream(TEMPORARY_FILE)) {
+                SecurityTools.keytool(DEFAULT_KEYTOOL).shouldHaveExitValue(0)
+                        .outputTo(printStream);
+            }
+            int newPrivateKeyCount = countOccurrences(TEMPORARY_FILE, PRIVATE_KEY_ENTRY);
+            LOG_MSG("Found " + newPrivateKeyCount + " private key entries in " +
+                    "the Keychain keystore");
+            if (newPrivateKeyCount < (oldPrivateKeyCount + 4)) {
+                throw new RuntimeException("Error: expected more private key entries in the " +
+                        "Keychain keystore");
+            }
+
+            // Export a private key from the keychain (without supplying a password)
+            // Access controls have already been lowered (see 'security import ... -A' above)
+            LOG_MSG("Exporting a private key from the keychain");
+            KeyStore ks = KeyStore.getInstance("KeychainStore");
+            ks.load(null, null);
+            Key key = ks.getKey("CN0", null);
+            if (key instanceof PrivateKey) {
+                LOG_MSG("Exported " + key.getAlgorithm() + " private key from CN0");
+            } else {
+                throw new RuntimeException("Error exporting private key from keychain");
+            }
+        } finally {
+            // Reset earlier keychain list
+            ProcessTools.executeCommand("sh", "-c", String.format("security list-keychains -s %s",
+                    ProcessTools.executeCommand("sh", "-c", String.format("xargs < %s",
+                            USER_KEYCHAIN_LIST)).getOutput()));
+
+            deleteTestTempFilesIfExists();
+        }
+    }
+
+    private static void deleteTestTempFilesIfExists() throws Throwable {
+        Files.deleteIfExists(Paths.get(USER_KEYCHAIN_LIST));
+        Files.deleteIfExists(Paths.get(PKCS12_KEYSTORE));
+        if (Files.exists(Paths.get(KEYCHAIN_FILE))) {
+            ProcessTools.executeCommand("sh", "-c", String.format("security delete-keychain" +
+                    " %s", KEYCHAIN_FILE)).shouldHaveExitValue(0);
+        }
+        Files.deleteIfExists(Paths.get(TEMPORARY_FILE));
+    }
+
+    private static int countOccurrences(String filePath, String word) throws IOException {
+        int count = 0;
+        try (BufferedReader reader = new BufferedReader(new FileReader(filePath))) {
+            String line;
+            while ((line = reader.readLine()) != null) {
+                if (line.contains(word)) {
+                    count++;
+                }
+            }
+        }
+
+        return count;
+    }
+
+    private static void LOG_MSG(String msg) {
+        // ProcessTools and SecurityTools log a lot of messages so pretty format
+        // messages logged from this test
+        System.out.println();
+        System.out.println("==> " + msg);
+    }
+}