diff --git a/test/jdk/ProblemList.txt b/test/jdk/ProblemList.txt index 3c003107629..33af3a2bcff 100644 --- a/test/jdk/ProblemList.txt +++ b/test/jdk/ProblemList.txt @@ -635,8 +635,6 @@ com/sun/nio/sctp/SctpChannel/SocketOptionTests.java 8141694 linux-al sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java 8161536 generic-all -sun/security/tools/keytool/ListKeychainStore.sh 8156889 macosx-all - javax/net/ssl/DTLS/CipherSuite.java 8202059 macosx-x64 sun/security/smartcardio/TestChannel.java 8039280 generic-all diff --git a/test/jdk/sun/security/tools/keytool/ExportPrivateKeyNoPwd.java b/test/jdk/sun/security/tools/keytool/ExportPrivateKeyNoPwd.java deleted file mode 100644 index 799bf455b23..00000000000 --- a/test/jdk/sun/security/tools/keytool/ExportPrivateKeyNoPwd.java +++ /dev/null @@ -1,57 +0,0 @@ -/* - * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -import java.security.*; - -/* - * Export a private key from the named keychain entry without supplying a - * password. See JDK-8062264. - * - * NOTE: Keychain access controls must already have been lowered to permit - * the target entry to be accessed. - */ -public class ExportPrivateKeyNoPwd { - - public static final void main(String[] args) throws Exception { - - if (args.length != 1) { - throw new Exception( - "ExportPrivateKeyNoPwd: must supply name of a keystore entry"); - } - String alias = args[0]; - - KeyStore ks = KeyStore.getInstance("KeychainStore"); - System.out.println("ExportPrivateKeyNoPwd: loading keychains..."); - ks.load(null, null); - - System.out.println("ExportPrivateKeyNoPwd: exporting key..."); - Key key = ks.getKey(alias, null); - if (key instanceof PrivateKey) { - System.out.println("ExportPrivateKeyNoPwd: exported " + - key.getAlgorithm() + " private key from '" + alias + "'"); - } else { - throw new Exception("Error exporting private key from keychain"); - } - } -} - diff --git a/test/jdk/sun/security/tools/keytool/ListKeyChainStore.java b/test/jdk/sun/security/tools/keytool/ListKeyChainStore.java new file mode 100644 index 00000000000..39626b8dfc5 --- /dev/null +++ b/test/jdk/sun/security/tools/keytool/ListKeyChainStore.java @@ -0,0 +1,202 @@ +/* + * Copyright (c) 2012, 2023, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test + * @bug 7133495 8062264 8046777 8153005 + * @summary KeyChain KeyStore implementation retrieves only one private key entry + * @requires (os.family == "mac") + * @library /test/lib + * @run main/othervm/manual ListKeyChainStore + */ + +import jdk.test.lib.SecurityTools; +import jdk.test.lib.process.ProcessTools; + +import java.io.*; +import java.nio.file.Files; +import java.nio.file.Paths; +import java.security.Key; +import java.security.KeyStore; +import java.security.PrivateKey; + +public class ListKeyChainStore { + private static final String PWD = "xxxxxx"; + private static final String DEFAULT_KEYTOOL = "-list -storetype KeychainStore " + + "-keystore NONE -storepass " + PWD; + private static final String USER_DIR = System.getProperty("user.dir", "."); + private static final String FS = System.getProperty("file.separator"); + private static final String PKCS12_KEYSTORE = USER_DIR + FS + "7133495.p12"; + private static final String KEYCHAIN_FILE = USER_DIR + FS + "7133495.keychain"; + private static final String TEMPORARY_FILE = USER_DIR + FS + "7133495.tmp"; + private static final String USER_KEYCHAIN_LIST = USER_DIR + FS + "user.keychain.list"; + private static final String PRIVATE_KEY_ENTRY = "PrivateKeyEntry"; + + public static void main(String[] args) throws Throwable { + LOG_MSG("WARNING: This test doesn't work on macOS virtualized environment. " + + "`security list-keychains -s` doesn't update the search order."); + + deleteTestTempFilesIfExists(); + + // Get the old security keychain list to restore later + try (PrintStream printStream = new PrintStream(USER_KEYCHAIN_LIST)) { + ProcessTools.executeCommand("sh", "-c", "security list-keychains") + .shouldHaveExitValue(0).outputTo(printStream); + } + + try { + try (PrintStream printStream = new PrintStream(TEMPORARY_FILE)) { + SecurityTools.keytool(DEFAULT_KEYTOOL).shouldHaveExitValue(0) + .outputTo(printStream); + } + int oldPrivateKeyCount = countOccurrences(TEMPORARY_FILE, PRIVATE_KEY_ENTRY); + LOG_MSG("Found " + oldPrivateKeyCount + " private key entries in the " + + "Keychain keystore"); + + // Create the PKCS12 keystore containing 3 public/private key pairs + LOG_MSG("Creating PKCS12 keystore: " + PKCS12_KEYSTORE); + for (int i = 0; i < 3; i++) { + // Use legacy encryption and MAC algorithms, refer macOS open radar FB8988319 + // macOS security framework doesn't work with the latest algorithms + SecurityTools.keytool(String.format("-J-Dkeystore.pkcs12.legacy -genkeypair" + + " -storetype PKCS12 -keystore %s -storepass %s -keyalg rsa -dname " + + "CN=CN%d,OU=OU%d,O=O%d,ST=ST%d,C=US -alias 7133495-%d", + PKCS12_KEYSTORE, PWD, i, i, i, i, i)).shouldHaveExitValue(0); + } + + // Create the keychain + LOG_MSG("Creating keychain: " + KEYCHAIN_FILE); + ProcessTools.executeCommand("sh", "-c", String.format("security create-keychain" + + " -p %s %s", PWD, KEYCHAIN_FILE)).shouldHaveExitValue(0); + + // Unlock the keychain + LOG_MSG("Unlock keychain: " + KEYCHAIN_FILE); + ProcessTools.executeCommand("sh", "-c", String.format("security unlock-keychain" + + " -p %s %s", PWD, KEYCHAIN_FILE)).shouldHaveExitValue(0); + + // Import the key pairs from the PKCS12 keystore into the keychain + // The '-A' option is used to lower the keychain's access controls + LOG_MSG("Importing the key pairs from " + PKCS12_KEYSTORE + + " to " + KEYCHAIN_FILE); + ProcessTools.executeCommand("sh", "-c", String.format("security import %s -k %s" + + " -f pkcs12 -P %s -A", PKCS12_KEYSTORE, KEYCHAIN_FILE, PWD)).shouldHaveExitValue(0); + + // Generate a 2048-bit RSA keypair and import into the keychain + // Its private key is configured with non-default key usage settings + ProcessTools.executeCommand("sh", "-c", String.format("certtool ca k=%s " + + "< " + msg); + } +} diff --git a/test/jdk/sun/security/tools/keytool/ListKeychainStore.sh b/test/jdk/sun/security/tools/keytool/ListKeychainStore.sh deleted file mode 100644 index 6ab1be90065..00000000000 --- a/test/jdk/sun/security/tools/keytool/ListKeychainStore.sh +++ /dev/null @@ -1,188 +0,0 @@ -# -# Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved. -# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -# -# This code is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License version 2 only, as -# published by the Free Software Foundation. -# -# This code is distributed in the hope that it will be useful, but WITHOUT -# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# version 2 for more details (a copy is included in the LICENSE file that -# accompanied this code). -# -# You should have received a copy of the GNU General Public License version -# 2 along with this work; if not, write to the Free Software Foundation, -# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -# or visit www.oracle.com if you need additional information or have any -# questions. -# - -# @test -# @bug 7133495 8041740 8062264 8046777 -# @summary [macosx] KeyChain KeyStore implementation retrieves only one private key entry - -if [ "${TESTJAVA}" = "" ] ; then - JAVAC_CMD=`which javac` - TESTJAVA=`dirname $JAVAC_CMD`/.. -fi - -if [ "${TESTSRC}" = "" ] ; then - TESTSRC="." -fi -if [ "${TESTCLASSES}" = "" ] ; then - TESTCLASSES=`pwd` -fi - -# Only run on MacOS -OS=`uname -s` -case "$OS" in - Darwin ) - ;; - * ) - echo "Will not run test on: ${OS}" - exit 0; - ;; -esac - -PWD="xxxxxx" -KEYTOOL="${TESTJAVA}/bin/keytool ${TESTTOOLVMOPTS} -storetype KeychainStore -keystore NONE -storepass $PWD" -TEMPORARY_P12="$TESTCLASSES/7133495.p12" -TEMPORARY_KC="$TESTCLASSES/7133495.keychain" -TEMPORARY_LIST="$TESTCLASSES/7133495.tmp" -CLEANUP_P12="rm -f $TEMPORARY_P12" -CLEANUP_KC="security delete-keychain $TEMPORARY_KC" -CLEANUP_LIST="rm -f $TEMPORARY_LIST" - -# Count the number of private key entries in the Keychain keystores - -COUNT=`$KEYTOOL -list | grep PrivateKeyEntry | wc -l` -echo "Found $COUNT private key entries in the Keychain keystores" - -# Create a temporary PKCS12 keystore containing 3 public/private keypairs - -RESULT=`$CLEANUP_P12` - -for i in X Y Z -do - ${TESTJAVA}/bin/keytool ${TESTTOOLVMOPTS} -genkeypair \ - -storetype PKCS12 \ - -keystore $TEMPORARY_P12 \ - -storepass $PWD \ - -keyalg rsa \ - -dname "CN=$i,OU=$i,O=$i,ST=$i,C=US" \ - -alias 7133495-$i - - if [ $? -ne 0 ]; then - echo "Error: cannot create keypair $i in the temporary PKCS12 keystore" - RESULT=`$CLEANUP_P12` - exit 1 - fi -done -echo "Created a temporary PKCS12 keystore: $TEMPORARY_P12" - -# Create a temporary keychain - -security create-keychain -p $PWD $TEMPORARY_KC -if [ $? -ne 0 ]; then - echo "Error: cannot create the temporary keychain" - RESULT=`$CLEANUP_P12` - exit 2 -fi -echo "Created a temporary keychain: $TEMPORARY_KC" - -# Unlock the temporary keychain - -security unlock-keychain -p $PWD $TEMPORARY_KC -if [ $? -ne 0 ]; then - echo "Error: cannot unlock the temporary keychain" - RESULT=`$CLEANUP_P12` - RESULT=`$CLEANUP_KC` - exit 3 -fi -echo "Unlocked the temporary keychain" - -# Import the keypairs from the PKCS12 keystore into the keychain -# (The '-A' option is used to lower the temporary keychain's access controls) - -security import $TEMPORARY_P12 -k $TEMPORARY_KC -f pkcs12 -P $PWD -A -if [ $? -ne 0 ]; then - echo "Error: cannot import keypairs from PKCS12 keystore into the keychain" - RESULT=`$CLEANUP_P12` - RESULT=`$CLEANUP_KC` - exit 4 -fi -echo "Imported keypairs from PKCS12 keystore into the keychain" - -# Generate a 2048-bit RSA keypair and import into the temporary keychain -# (its private key is configured with non-default key usage settings) - -certtool c k=$TEMPORARY_KC < $TEMPORARY_LIST -security list-keychains >> $TEMPORARY_LIST -security list-keychains -s `xargs < ${TEMPORARY_LIST}` -`$CLEANUP_LIST` -echo "Temporary keychain search order:" -security list-keychains - -# Recount the number of private key entries in the Keychain keystores -# (3 private keys imported from PKCS12, 1 private key generated by 'certtool') - -RECOUNT=`$KEYTOOL -list | grep PrivateKeyEntry | wc -l` -echo "Found $RECOUNT private key entries in the Keychain keystore" -if [ $RECOUNT -lt `expr $COUNT + 4` ]; then - echo "Error: expected >$COUNT private key entries in the Keychain keystores" - RESULT=`$CLEANUP_P12` - RESULT=`$CLEANUP_KC` - exit 5 -fi - -# Export a private key from the keychain (without supplying a password) -# Access controls have already been lowered (see 'security import ... -A' above) - -${TESTJAVA}/bin/javac ${TESTJAVACOPTS} ${TESTTOOLVMOPTS} -d . ${TESTSRC}/ExportPrivateKeyNoPwd.java || exit 6 -${TESTJAVA}/bin/java ${TESTVMOPTS} ExportPrivateKeyNoPwd x -if [ $? -ne 0 ]; then - echo "Error exporting private key from the temporary keychain" - RESULT=`$CLEANUP_P12` - RESULT=`$CLEANUP_KC` - exit 6 -fi -echo "Exported a private key from the temporary keychain" - -RESULT=`$CLEANUP_P12` -if [ $? -ne 0 ]; then - echo "Error: cannot remove the temporary PKCS12 keystore" - exit 7 -fi -echo "Removed the temporary PKCS12 keystore" - -RESULT=`$CLEANUP_KC` -if [ $? -ne 0 ]; then - echo "Error: cannot remove the temporary keychain" - exit 8 -fi -echo "Removed the temporary keychain" - -exit 0