FYI: experiment with pkc12 keystore
diff --git a/src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java b/src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java
--- a/src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java
+++ b/src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java
@@ -58,6 +58,7 @@
import sun.security.util.DerOutputStream;
import sun.security.util.DerValue;
import sun.security.util.ObjectIdentifier;
+import sun.security.util.Asn1Value;
import sun.security.pkcs.ContentInfo;
import sun.security.x509.AlgorithmId;
import sun.security.pkcs.EncryptedPrivateKeyInfo;
@@ -634,8 +635,13 @@
KeyEntry entry = entries.get(alias.toLowerCase());
if (entry != null) {
throw new KeyStoreException("Cannot overwrite own certificate");
- } else
- throw new KeyStoreException("TrustedCertEntry not supported");
+ } else {
+ KeyEntry ke = new KeyEntry();
+ ke.alias = alias.toLowerCase();
+ ke.date = new Date();
+ ke.chain = new Certificate[] { cert };
+ entries.put(ke.alias, ke);
+ }
}
/**
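Review bot: The guard on the second line of the hunk still throws "Cannot overwrite own certificate" for any existing entry, which now includes a trusted certificate entry created by the new else branch; KeyStore.setCertificateEntry is specified to replace an existing trusted-certificate entry under the same alias, so only an entry holding key material should be rejected: `if (entry != null && entry.protectedPrivKey != null) {`. Consider also rejecting a null `cert` before wrapping it in the one-element chain, since a null chain element would presumably only surface later, when the chain is written out. The enclosing engineSetCertificateEntry starts outside the hunk.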
@@ -689,7 +695,7 @@
*/
public boolean engineIsKeyEntry(String alias) {
KeyEntry entry = entries.get(alias.toLowerCase());
- if (entry != null) {
+ if (entry != null && entry.protectedPrivKey != null) {
return true;
} else {
return false;
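Review bot: The if/else returning literal booleans on the third to seventh lines of the hunk can be collapsed to `return entry != null && entry.protectedPrivKey != null;`, which also makes the new criterion for a key entry (a present entry with non-null `protectedPrivKey`) easier to spot; the same applies to the new body of engineIsCertificateEntry in the next hunk, with `== null`. The two predicates are deliberately complementary, which deserves a one-line comment on each, e.g. `// An entry without protected key material is a trusted certificate entry.` Both methods continue outside their hunks.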
@@ -704,8 +710,12 @@
* <i>trusted certificate entry</i>, false otherwise.
*/
public boolean engineIsCertificateEntry(String alias) {
- // TrustedCertEntry is not supported
- return false;
+ KeyEntry entry = entries.get(alias.toLowerCase());
+ if (entry != null && entry.protectedPrivKey == null) {
+ return true;
+ } else {
+ return false;
+ }
}
/**
@@ -1029,8 +1039,13 @@
byte[] bagAttrs = null;
String friendlyName = cert.getSubjectX500Principal().getName();
if (i == 0) {
- // Only End-Entity Cert should have a localKeyId.
- bagAttrs = getBagAttributes(friendlyName, entry.keyId);
+ if (entry.protectedPrivKey == null) {
+ // This is a TrustedCertificateEntry
+ bagAttrs = getBagAttributes(alias, null);
+ } else {
+ // Only End-Entity Cert should have a localKeyId.
+ bagAttrs = getBagAttributes(friendlyName, entry.keyId);
+ }
} else {
// Trusted root CA certs and Intermediate CA certs do not
// need to have a localKeyId, and hence localKeyId is null
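Review bot: A trusted certificate entry is written with its alias as the friendlyName and no localKeyId, and the only thing that lets the loader tell it apart from chain certificates is the absence of '=' in that name (the `alias.indexOf('=') < 0` test in the hunk at -1505). An alias containing '=', which the KeyStore API does not forbid, will therefore pass through engineStore and engineLoad and silently vanish, while a certificate bag from another tool whose friendlyName happens to lack '=' would be promoted to a trusted entry. Either reject such aliases in engineSetCertificateEntry or record the entry type explicitly instead of inferring it from the name, and state the convention here: `// Trusted cert entries: alias as friendlyName, no localKeyId; the loader relies on this shape.` The `alias` used in the new branch is presumably the enumeration variable of the enclosing loop, which starts outside the hunk.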
@@ -1081,6 +1096,7 @@
String alias = e.nextElement();
KeyEntry entry = entries.get(alias);
+ if (entry.protectedPrivKey == null) continue;
// Create SafeBag of type pkcs8ShroudedKeyBag
DerOutputStream safeBag = new DerOutputStream();
safeBag.putOID(PKCS8ShroudedKeyBag_OID);
@@ -1276,6 +1292,9 @@
Cipher cipher = Cipher.getInstance(algOid.toString());
cipher.init(Cipher.DECRYPT_MODE, skey, algParams);
safeContentsData = cipher.doFinal(safeContentsData);
+ if (System.getProperty("pkcs12.debug") != null)
+ Asn1Value.walkThroughStream(safeContentsData,
+ new Asn1Value.InsiderWalker(true, 10));
} catch (Exception e) {
IOException ioe = new IOException("failed to decrypt safe"
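Review bot: The hook added after cipher.doFinal dumps the decrypted SafeContents on every keystore load whenever the ad hoc `pkcs12.debug` system property is set, in a braceless if wrapping a two-line statement. Other sun.security classes gate diagnostics through the shared Debug facility, which is read once rather than on each decryption; if the hook stays, use that pattern (`private static final Debug debug = Debug.getInstance("pkcs12");`, then `if (debug != null) { ... }`) and brace the body. Where InsiderWalker writes its output is not visible here; since the data is decrypted keystore content, it should stay off by default and not ship in released code. The enclosing method starts and ends outside the hunk.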
@@ -1328,12 +1347,15 @@
* Match up private keys with certificate chains.
*/
KeyEntry[] list = keyList.toArray(new KeyEntry[keyList.size()]);
+ Set<Certificate> allcerts = new HashSet<Certificate>();
+ allcerts.addAll(certs.values());
for (int m = 0; m < list.length; m++) {
KeyEntry entry = list[m];
if (entry.keyId != null) {
ArrayList<X509Certificate> chain =
new ArrayList<X509Certificate>();
X509Certificate cert = certs.get(new KeyId(entry.keyId));
+ allcerts.remove(cert);
while (cert != null) {
chain.add(cert);
X500Principal issuerDN = cert.getIssuerX500Principal();
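Review bot: `allcerts` is built here and trimmed by the two `allcerts.remove(cert)` lines (one in this hunk, one in the next), but its only consumer, the loop that turned leftover certificates into trusted entries, is commented out in the hunk at -1341, so on the new side the set is dead bookkeeping. Either delete the set together with the commented-out block, or make the block live; committing commented-out code leaves two competing ways of recovering trusted entries (this one, and the friendlyName test in the hunk at -1505). If the set is kept, give it a purpose comment: `// Certificates not consumed by any key entry's chain; candidates for trusted cert entries.` The enclosing method starts outside the hunk.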
@@ -1341,12 +1363,34 @@
break;
}
cert = certs.get(issuerDN);
+ allcerts.remove(cert);
}
/* Update existing KeyEntry in entries table */
if (chain.size() > 0)
entry.chain = chain.toArray(new Certificate[chain.size()]);
}
}
+ /*
+ int pos = 0;
+ for (Certificate c: allcerts) {
+ KeyEntry ke = new KeyEntry();
+ String alias = "tc" + pos++;
+ for (Object o: certs.keySet()) {
+ if (certs.get(o).equals(c)) {
+ if (o instanceof String) {
+ String a = (String)o;
+ int equalspos = a.lastIndexOf('=');
+ if (equalspos >= 0) alias = a.substring(equalspos+1);
+ else alias = a;
+ break;
+ }
+ }
+ }
+ ke.alias = alias.toLowerCase();
+ ke.date = new Date();
+ ke.chain = new Certificate[] { c };
+ entries.put(ke.alias, ke);
+ }*/
certs.clear();
keyList.clear();
}
@@ -1505,6 +1549,13 @@
if (!certs.containsKey(subjectDN))
certs.put(subjectDN, cert);
}
+ if (alias.indexOf('=') < 0) {
+ KeyEntry ke = new KeyEntry();
+ ke.alias = alias.toLowerCase();
+ ke.date = new Date();
+ ke.chain = new Certificate[] { cert };
+ entries.put(ke.alias, ke);
+ }
}
}
}
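Review bot: `alias.indexOf('=')` on the first added line dereferences `alias` without a null check; if `alias` is derived from the optional friendlyName attribute (its origin is not visible in this hunk), a certificate bag with no friendlyName will now throw a NullPointerException during engineLoad instead of being ignored. The unconditional `entries.put` also replaces any entry already parsed under the same alias, so a cert bag that follows a key bag with a matching name silently drops the private key. Guard both: `if (alias != null && alias.indexOf('=') < 0 && !entries.containsKey(alias.toLowerCase())) {`. The enclosing method starts outside the hunk.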