/** java.security.KeyStore#size() */
public void test_size() throws Exception {
// Test for method int java.security.KeyStore.size()
CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509Certificate cert[] = new X509Certificate[2];
cert[0] = (X509Certificate) cf.generateCertificate(certArray);
cert[1] = (X509Certificate) cf.generateCertificate(certArray2);
KeyStore keyTest = KeyStore.getInstance(KeyStore.getDefaultType());
try {
keyTest.size();
fail();
} catch (KeyStoreException expected) {
}
keyTest.load(null, null);
// alias 1
keyTest.setCertificateEntry("alias1", cert[0]);
// alias 2
keyTest.setKeyEntry("alias2", getPrivateKey(), pssWord, cert);
// alias 3
keyTest.setCertificateEntry("alias3", cert[1]);
assertEquals("the size of the keyStore is not 3", 3, keyTest.size());
}
/**
* Used to get the base ssl context in which to create the server socket. This is basically just
* so we can have a custom location for key stores.
*/
public SSLContext getSSLContext(String keyStoreName, String password) throws IOException {
try {
// Check the key manager factory
KeyManagerFactory kmf = KeyManagerFactory.getInstance(this.keyManagerType);
File ksFile = new File(keyStoreName);
if (!ksFile.exists() || !ksFile.isFile())
throw new WinstoneException(
SSL_RESOURCES.getString("HttpsListener.KeyStoreNotFound", ksFile.getPath()));
InputStream in = new FileInputStream(ksFile);
char[] passwordChars = password == null ? null : password.toCharArray();
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(in, passwordChars);
kmf.init(ks, passwordChars);
Logger.log(Logger.FULL_DEBUG, SSL_RESOURCES, "HttpsListener.KeyCount", ks.size() + "");
for (Enumeration e = ks.aliases(); e.hasMoreElements(); ) {
String alias = (String) e.nextElement();
Logger.log(
Logger.FULL_DEBUG,
SSL_RESOURCES,
"HttpsListener.KeyFound",
new String[] {alias, ks.getCertificate(alias) + ""});
}
SSLContext context = SSLContext.getInstance("SSL");
context.init(kmf.getKeyManagers(), null, null);
Arrays.fill(passwordChars, 'x');
return context;
} catch (IOException err) {
throw err;
} catch (Throwable err) {
throw new WinstoneException(
SSL_RESOURCES.getString("HttpsListener.ErrorGettingContext"), err);
}
}
/**
* Writes out the details of all the key store entries. This makes for a long output. For
* debugging purposes.
*/
public void printKeyStoreContents() {
try {
String alias = null;
KeyStore.TrustedCertificateEntry entry = null;
for (Enumeration<String> aliases = keyStore.aliases(); aliases.hasMoreElements(); ) {
alias = aliases.nextElement();
System.out.println("");
if (alias.startsWith(aliasPrefix)) {
System.out.print(" * ===== ");
} else {
System.out.print(" ===== ");
}
System.out.println(alias);
if (keyStore.isKeyEntry(alias)) {
System.out.println(" is a KeyEntry (details hidden)");
continue;
} else if (keyStore.isCertificateEntry(alias)) {
entry = (TrustedCertificateEntry) keyStore.getEntry(alias, null);
System.out.println(entry.toString());
}
System.out.flush();
} // end for
System.out.println("");
System.out.print("Number of entries in key store: ");
System.out.println(keyStore.size());
System.out.flush();
} catch (Exception e) {
System.err.println("ERROR: GFIPMKeystore.printKeyStoreContents failed: ");
System.err.println(e.toString());
System.err.flush();
}
} // end printKeyStoreContents
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
if (ZimbraLog.security.isDebugEnabled()) {
ZimbraLog.security.debug("Server certificate chain:");
for (int i = 0; i < chain.length; ++i) {
ZimbraLog.security.debug("X509Certificate[" + i + "]=" + chain[i]);
}
}
try {
getDefaultTrustManager().checkServerTrusted(chain, authType);
return;
} catch (CertificateException x) {
}
try {
if (keyStore.size() == 0) throw new CertificateException("key store empty");
getKeyStoreTrustManager().checkServerTrusted(chain, authType);
} catch (CertificateException x) {
String hostname =
CustomSSLSocket
.getCertificateHostname(); // stored as threadlocal if triggered from
// CustomSSLSocketUtil
if (hostname == null) hostname = SSLCertInfo.getCertificateCN(chain[0]);
String certInfo = handleCertificateCheckFailure(hostname, chain[0], false);
throw new CertificateException(certInfo);
} catch (KeyStoreException x) {
throw new CertificateException(x);
}
}
/** Writes out the alias names of all the key store entries. For debugging purposes. */
public void printKeyStoreAliases() {
try {
String alias = null;
for (Enumeration<String> aliases = keyStore.aliases(); aliases.hasMoreElements(); ) {
alias = aliases.nextElement();
if (alias.startsWith(aliasPrefix)) {
System.out.print(" * ");
} else {
System.out.print(" ");
}
System.out.println(alias);
}
System.out.println("");
System.out.print("Number of entries in key store: ");
System.out.println(keyStore.size());
System.out.flush();
} catch (KeyStoreException e) {
System.err.println("ERROR: GFIPMKeystore.printKeyStoreAliases failed: ");
System.err.println(e.toString());
System.err.flush();
}
} // end printKeyStoreAliases
@SuppressWarnings("unchecked")
private static void printKeyStoreInfo(KeyStore keystore) throws KeyStoreException {
log.debug("Provider : " + keystore.getProvider().getName());
log.debug("Type : " + keystore.getType());
log.debug("Size : " + keystore.size());
Enumeration en = keystore.aliases();
while (en.hasMoreElements()) {
System.out.println("Alias: " + en.nextElement());
}
}
private static TrustManager[] createTrustManagers() throws GeneralSecurityException, IOException {
InputStream keyStoreStream =
Thread.currentThread().getContextClassLoader().getResourceAsStream("ssltest-keystore.jks");
char[] keyStorePassword = "******".toCharArray();
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(keyStoreStream, keyStorePassword);
assert (ks.size() > 0);
TrustManagerFactory tmf =
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(ks);
return tmf.getTrustManagers();
}
/**
* Writes out the certificates of all the key store entries. For debugging purposes.
*
* @param certformat If "rawcert", writes out the text information (long) about the certificates.
* If "enccert" [default], writes out the certificates in base64 (short).
*/
public void printKeyStoreCertificates(String certformat) {
try {
String alias = null;
Certificate cert;
for (Enumeration<String> aliases = keyStore.aliases(); aliases.hasMoreElements(); ) {
alias = aliases.nextElement();
System.out.println("");
if (alias.startsWith(aliasPrefix)) {
System.out.print(" * ===== ");
} else {
System.out.print(" ===== ");
}
System.out.println(alias);
// entry = (TrustedCertificateEntry) keyStore.getEntry(alias, null);
System.out.print(" Creation Date: ");
System.out.println(keyStore.getCreationDate(alias));
System.out.print(" Certificate type: ");
cert = keyStore.getCertificate(alias);
System.out.print(cert.getType());
if (keyStore.isKeyEntry(alias)) {
System.out.println(" (details hidden)");
continue;
} else {
System.out.println("");
}
if (keyStore.isCertificateEntry(alias)) {
if ((certformat != null) && (certformat.equals("rawcert"))) {
System.out.println(cert.toString());
} else // enccert, encoded certificate
{
// String encoded = javax.xml.bind.DatatypeConverter.printBase64Binary(data);
// byte[] decoded = javax.xml.bind.DatatypeConverter.parseBase64Binary(encoded);
System.out.println(DatatypeConverter.printBase64Binary(cert.getEncoded()));
}
}
System.out.flush();
} // end for
System.out.println("");
System.out.print("Number of entries in key store: ");
System.out.println(keyStore.size());
System.out.flush();
} catch (Exception e) {
System.err.println("ERROR: GFIPMKeystore.printKeyStoreContents failed: ");
System.err.println(e.toString());
System.err.flush();
}
} // end printKeyStoreCertificates
private static KeyManager[] createKeyManagers() throws GeneralSecurityException, IOException {
InputStream keyStoreStream =
Thread.currentThread().getContextClassLoader().getResourceAsStream("ssltest-cacerts.jks");
char[] keyStorePassword = "******".toCharArray();
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(keyStoreStream, keyStorePassword);
assert (ks.size() > 0);
// Set up key manager factory to use our key store
char[] certificatePassword = "******".toCharArray();
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, certificatePassword);
// Initialize the SSLContext to work with our key managers.
return kmf.getKeyManagers();
}
@GET
@Produces({MediaType.APPLICATION_JSON})
public Response getKeyList(@Context UriInfo uriInfo) throws Exception {
List<SslKeyStoreEntry> result = new ArrayList<SslKeyStoreEntry>(keystore.size());
Enumeration<String> e = keystore.aliases();
while (e.hasMoreElements()) {
String alias = e.nextElement();
SslKeyStoreEntry sslKeyStoreEntry =
DtoFactory.getInstance()
.createDto(SslKeyStoreEntry.class)
.withAlias(alias)
.withType(keystore.isKeyEntry(alias) ? "Key" : "Certificate");
result.add(sslKeyStoreEntry);
}
return Response.ok().entity(result).type(MediaType.APPLICATION_JSON).build();
}
private void logKeyStore(KeyStore store) throws KeyStoreException {
LOG.trace("Certificates count: " + store.size());
Enumeration aliases = store.aliases();
while (aliases.hasMoreElements()) {
String alias = (String) aliases.nextElement();
Certificate[] certs = store.getCertificateChain(alias);
if (certs != null) {
LOG.debug("Certificate chain '" + alias + "':");
for (int c = 0; c < certs.length; c++) {
if (certs[c] instanceof X509Certificate) {
X509Certificate cert = (X509Certificate) certs[c];
LOG.trace(" Certificate " + (c + 1) + ":");
LOG.trace(" Subject DN: " + cert.getSubjectDN());
LOG.trace(" Signature Algorithm: " + cert.getSigAlgName());
LOG.trace(" Valid from: " + cert.getNotBefore());
LOG.trace(" Valid until: " + cert.getNotAfter());
LOG.trace(" Issuer: " + cert.getIssuerDN());
}
}
}
}
}
private void readTest(String inKeyStore) throws Exception {
KeyStore inputKeyStore;
// Initialize KeyStore
String dir = System.getProperty("test.src", ".");
String keystorePath = dir + File.separator + "certs" + File.separator + "readP12";
inputKeyStore = KeyStore.getInstance(IN_KEYSTORE_TYPE);
// KeyStore have encoded by Base64.getMimeEncoder().encode(),need decode
// first.
byte[] input = Files.readAllBytes(Paths.get(keystorePath, inKeyStore));
ByteArrayInputStream arrayIn = new ByteArrayInputStream(Base64.getMimeDecoder().decode(input));
inputKeyStore.load(arrayIn, IN_STORE_PASS.toCharArray());
out.println("Initialize KeyStore : " + inKeyStore + " success");
out.println("getProvider : " + inputKeyStore.getProvider());
out.println("getType : " + inputKeyStore.getType());
out.println("getDefaultType : " + KeyStore.getDefaultType());
int idx = 0;
Enumeration<String> e = inputKeyStore.aliases();
String alias;
while (e.hasMoreElements()) {
alias = e.nextElement();
out.println("Alias " + idx + " : " + alias);
if (inputKeyStore.containsAlias(alias) == false) {
throw new RuntimeException("Alias not found");
}
out.println("getCreationDate : " + inputKeyStore.getCreationDate(alias));
X509Certificate cert = (X509Certificate) inputKeyStore.getCertificate(alias);
out.println("getCertificate : " + cert.getSubjectDN());
String retAlias = inputKeyStore.getCertificateAlias(cert);
if (!retAlias.equals(alias)) {
throw new RuntimeException("Alias mismatch");
}
out.println("getCertificateAlias : " + retAlias);
Certificate[] certs = inputKeyStore.getCertificateChain(alias);
for (int i = 0; i < certs.length; i++) {
out.println(
"getCertificateChain " + i + " : " + ((X509Certificate) certs[i]).getSubjectDN());
}
boolean isCertEntry = inputKeyStore.isCertificateEntry(alias);
// test KeyStore only contain key pair entries.
if (isCertEntry == true) {
throw new RuntimeException(
"inputKeystore should not be certEntry because test keystore only contain key pair entries.");
}
boolean isKeyEntry = inputKeyStore.isKeyEntry(alias);
if (isKeyEntry) {
Key key = inputKeyStore.getKey(alias, IN_STORE_PASS.toCharArray());
out.println("Key : " + key.toString());
} else {
throw new RuntimeException("Entry type unknown\n");
}
idx++;
}
int size = inputKeyStore.size();
if (idx != size) {
throw new RuntimeException("Size not match");
}
}
