Backport fa5ff82

wangweij · Jan 13, 2025 · 2591205 · 2591205
1 parent 4a623a2
commit 2591205
Show file tree

Hide file tree

Showing 12 changed files with 162 additions and 160 deletions.
diff --git a/src/java.base/share/classes/sun/security/tools/keytool/Main.java b/src/java.base/share/classes/sun/security/tools/keytool/Main.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2024, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -39,8 +39,8 @@
 import java.security.cert.CertificateException;
 import java.security.cert.TrustAnchor;
 import java.security.cert.URICertStoreParameters;
-
-
+import java.security.spec.ECParameterSpec;
+import java.security.spec.NamedParameterSpec;
 import java.text.Collator;
 import java.text.MessageFormat;
 import java.util.*;
@@ -61,19 +61,12 @@
 
 import sun.security.pkcs12.PKCS12KeyStore;
 import sun.security.provider.certpath.CertPathConstraintsParameters;
-import sun.security.util.ConstraintsParameters;
-import sun.security.util.ECKeySizeParameterSpec;
-import sun.security.util.KeyUtil;
-import sun.security.util.ObjectIdentifier;
+import sun.security.util.*;
 import sun.security.pkcs10.PKCS10;
 import sun.security.pkcs10.PKCS10Attribute;
 import sun.security.provider.X509Factory;
 import sun.security.provider.certpath.ssl.SSLServerCertStore;
-import sun.security.util.KnownOIDs;
-import sun.security.util.Password;
-import sun.security.util.SecurityProperties;
-import sun.security.util.SecurityProviderConstants;
-import sun.security.util.SignatureUtil;
+
 import javax.crypto.KeyGenerator;
 import javax.crypto.SecretKey;
 import javax.crypto.SecretKeyFactory;
@@ -82,15 +75,12 @@
 import sun.security.pkcs.PKCS9Attribute;
 import sun.security.tools.KeyStoreUtil;
 import sun.security.tools.PathList;
-import sun.security.util.DerValue;
-import sun.security.util.Pem;
 import sun.security.validator.Validator;
 import sun.security.x509.*;
 
 import static java.security.KeyStore.*;
 import static sun.security.tools.keytool.Main.Command.*;
 import static sun.security.tools.keytool.Main.Option.*;
-import sun.security.util.DisabledAlgorithmConstraints;
 
 /**
  * This tool manages keystores.
@@ -2035,20 +2025,18 @@ private void doGenKeyPair(String alias, String dname, String keyAlgName,
         Object[] source;
         if (signerAlias != null) {
             form = new MessageFormat(rb.getString
-                    ("Generating.keysize.bit.keyAlgName.key.pair.and.a.certificate.sigAlgName.issued.by.signerAlias.with.a.validity.of.validality.days.for"));
+                    ("Generating.full.keyAlgName.key.pair.and.a.certificate.sigAlgName.issued.by.signerAlias.with.a.validity.of.days.for"));
             source = new Object[]{
-                    groupName == null ? keysize : KeyUtil.getKeySize(privKey),
-                    KeyUtil.fullDisplayAlgName(privKey),
+                    fullDisplayKeyName(privKey),
                     newCert.getSigAlgName(),
                     signerAlias,
                     validity,
                     x500Name};
         } else {
             form = new MessageFormat(rb.getString
-                    ("Generating.keysize.bit.keyAlgName.key.pair.and.self.signed.certificate.sigAlgName.with.a.validity.of.validality.days.for"));
+                    ("Generating.full.keyAlgName.key.pair.and.self.signed.certificate.sigAlgName.with.a.validity.of.days.for"));
             source = new Object[]{
-                    groupName == null ? keysize : KeyUtil.getKeySize(privKey),
-                    KeyUtil.fullDisplayAlgName(privKey),
+                    fullDisplayKeyName(privKey),
                     newCert.getSigAlgName(),
                     validity,
                     x500Name};
@@ -2073,6 +2061,38 @@ private void doGenKeyPair(String alias, String dname, String keyAlgName,
         keyStore.setKeyEntry(alias, privKey, keyPass, finalChain);
     }
 
+    /**
+     * Returns the full display name of the given key object. Could be
+     * - "X25519", if its getParams() is NamedParameterSpec
+     * - "EC (secp256r1)", if it's an EC key
+     * - "1024-bit RSA", other known keys
+     * - plain algorithm name, otherwise
+     *
+     * Note: the same method appears in keytool and jarsigner which uses
+     * same resource string defined in their own Resources.java.
+     *
+     * @param key the key object, cannot be null
+     * @return the full name
+     */
+    private static String fullDisplayKeyName(Key key) {
+        var alg = key.getAlgorithm();
+        if (key instanceof AsymmetricKey ak) {
+            var params = ak.getParams();
+            if (params instanceof NamedParameterSpec nps) {
+                return nps.getName(); // directly return
+            } else if (params instanceof ECParameterSpec eps) {
+                var nc = CurveDB.lookup(eps);
+                if (nc != null) {
+                    alg += " (" + nc.getNameAndAliases()[0] + ")"; // append name
+                }
+            }
+        }
+        var size = KeyUtil.getKeySize(key);
+        return size >= 0
+                ? String.format(rb.getString("size.bit.alg"), size, alg)
+                : alg;
+    }
+
     private String ecGroupNameForSize(int size) throws Exception {
         AlgorithmParameters ap = AlgorithmParameters.getInstance("EC");
         ap.init(new ECKeySizeParameterSpec(size));
@@ -3598,22 +3618,17 @@ private String withWeak(String alg) {
 
     private String withWeakConstraint(Key key,
             CertPathConstraintsParameters cpcp) {
-        int kLen = KeyUtil.getKeySize(key);
-        String displayAlg = KeyUtil.fullDisplayAlgName(key);
+        String displayAlg = fullDisplayKeyName(key);
         try {
             DISABLED_CHECK.permits(key.getAlgorithm(), cpcp, true);
         } catch (CertPathValidatorException e) {
-            return String.format(rb.getString("key.bit.disabled"), kLen, displayAlg);
+            return String.format(rb.getString("key.bit.disabled"), displayAlg);
         }
         try {
             LEGACY_CHECK.permits(key.getAlgorithm(), cpcp, true);
-            if (kLen >= 0) {
-                return String.format(rb.getString("key.bit"), kLen, displayAlg);
-            } else {
-                return String.format(rb.getString("unknown.size.1"), displayAlg);
-            }
+            return String.format(rb.getString("key.bit"), displayAlg);
         } catch (CertPathValidatorException e) {
-            return String.format(rb.getString("key.bit.weak"), kLen, displayAlg);
+            return String.format(rb.getString("key.bit.weak"), displayAlg);
         }
     }
 
@@ -4977,14 +4992,12 @@ private void checkWeakConstraint(String label, String sigAlg, Key key,
                 } catch (CertPathValidatorException e) {
                     weakWarnings.add(String.format(
                             rb.getString("whose.key.weak"), label,
-                            String.format(rb.getString("key.bit"),
-                            KeyUtil.getKeySize(key), KeyUtil.fullDisplayAlgName(key))));
+                            String.format(rb.getString("key.bit"), fullDisplayKeyName(key))));
                 }
             } catch (CertPathValidatorException e) {
                 weakWarnings.add(String.format(
                         rb.getString("whose.key.disabled"), label,
-                        String.format(rb.getString("key.bit"),
-                        KeyUtil.getKeySize(key), KeyUtil.fullDisplayAlgName(key))));
+                        String.format(rb.getString("key.bit"), fullDisplayKeyName(key))));
             }
         }
     }
@@ -5004,13 +5017,11 @@ private void checkWeak(String label, String sigAlg, Key key) {
             if (!DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
                 weakWarnings.add(String.format(
                     rb.getString("whose.key.disabled"), label,
-                    String.format(rb.getString("key.bit"),
-                    KeyUtil.getKeySize(key), KeyUtil.fullDisplayAlgName(key))));
+                    String.format(rb.getString("key.bit"), fullDisplayKeyName(key))));
             } else if (!LEGACY_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
                 weakWarnings.add(String.format(
                     rb.getString("whose.key.weak"), label,
-                    String.format(rb.getString("key.bit"),
-                    KeyUtil.getKeySize(key), KeyUtil.fullDisplayAlgName(key))));
+                    String.format(rb.getString("key.bit"), fullDisplayKeyName(key))));
             }
         }
     }
@@ -5075,7 +5086,7 @@ private void checkWeakConstraint(String label, SecretKey secKey,
                 weakWarnings.add(String.format(
                         rb.getString("key.size.weak"), label,
                         String.format(rb.getString("key.bit"),
-                        KeyUtil.getKeySize(secKey), secKeyAlg)));
+                        fullDisplayKeyName(secKey))));
             } else {
                 weakWarnings.add(String.format(
                         rb.getString("key.algorithm.weak"), label, secKeyAlg));

diff --git a/src/java.base/share/classes/sun/security/tools/keytool/Resources.java b/src/java.base/share/classes/sun/security/tools/keytool/Resources.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -307,10 +307,12 @@ public class Resources extends java.util.ListResourceBundle {
                 "Specifying -keysize for generating EC keys is deprecated, please use \"-groupname %s\" instead."},
         {"Key.pair.not.generated.alias.alias.already.exists",
                 "Key pair not generated, alias <{0}> already exists"},
-        {"Generating.keysize.bit.keyAlgName.key.pair.and.self.signed.certificate.sigAlgName.with.a.validity.of.validality.days.for",
-                "Generating {0} bit {1} key pair and self-signed certificate ({2}) with a validity of {3} days\n\tfor: {4}"},
-        {"Generating.keysize.bit.keyAlgName.key.pair.and.a.certificate.sigAlgName.issued.by.signerAlias.with.a.validity.of.validality.days.for",
-                "Generating {0} bit {1} key pair and a certificate ({2}) issued by <{3}> with a validity of {4} days\n\tfor: {5}"},
+        {"size.bit.alg",
+                "%1$d-bit %2$s"},
+        {"Generating.full.keyAlgName.key.pair.and.self.signed.certificate.sigAlgName.with.a.validity.of.days.for",
+                "Generating {0} key pair and self-signed certificate ({1}) with a validity of {2} days\n\tfor: {3}"},
+        {"Generating.full.keyAlgName.key.pair.and.a.certificate.sigAlgName.issued.by.signerAlias.with.a.validity.of.days.for",
+                "Generating {0} key pair and a certificate ({1}) issued by <{2}> with a validity of {3} days\n\tfor: {4}"},
         {"Enter.key.password.for.alias.", "Enter key password for <{0}>"},
         {".RETURN.if.same.as.keystore.password.",
                 "\t(RETURN if same as keystore password):  "},
@@ -479,10 +481,9 @@ public class Resources extends java.util.ListResourceBundle {
         {"alias.in.keystore", "Issuer <%s>"},
         {"with.weak", "%s (weak)"},
         {"with.disabled", "%s (disabled)"},
-        {"key.bit", "%1$d-bit %2$s key"},
-        {"key.bit.weak", "%1$d-bit %2$s key (weak)"},
-        {"key.bit.disabled", "%1$d-bit %2$s key (disabled)"},
-        {"unknown.size.1", "%s key of unknown size"},
+        {"key.bit", "%s key"},
+        {"key.bit.weak", "%s key (weak)"},
+        {"key.bit.disabled", "%s key (disabled)"},
         {".PATTERN.printX509Cert.with.weak",
                 "Owner: {0}\nIssuer: {1}\nSerial number: {2}\nValid from: {3} until: {4}\nCertificate fingerprints:\n\t SHA1: {5}\n\t SHA256: {6}\nSignature algorithm name: {7}\nSubject Public Key Algorithm: {8}\nVersion: {9}"},
         {"PKCS.10.with.weak",
@@ -494,7 +495,7 @@ public class Resources extends java.util.ListResourceBundle {
         {"Unable.to.parse.denyAfter.string.in.exception.message", "Unable to parse denyAfter date string in exception message"},
         {"whose.sigalg.weak", "%1$s uses the %2$s signature algorithm which is considered a security risk."},
         {"whose.key.disabled", "%1$s uses a %2$s which is considered a security risk and is disabled."},
-        {"whose.key.weak", "%1$s uses a %2$s which is considered a security risk. This key size will be disabled in a future update."},
+        {"whose.key.weak", "%1$s uses a %2$s which is considered a security risk. It will be disabled in a future update."},
         {"jks.storetype.warning", "The %1$s keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using \"keytool -importkeystore -srckeystore %2$s -destkeystore %2$s -deststoretype pkcs12\"."},
         {"migrate.keystore.warning", "Migrated \"%1$s\" to %4$s. The %2$s keystore is backed up as \"%3$s\"."},
         {"backup.keystore.warning", "The original keystore \"%1$s\" is backed up as \"%3$s\"..."},

diff --git a/src/java.base/share/classes/sun/security/util/KeyUtil.java b/src/java.base/share/classes/sun/security/util/KeyUtil.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012, 2023, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -174,27 +174,6 @@ public static final int getKeySize(AlgorithmParameters parameters) {
         return -1;
     }
 
-    /**
-     * Returns the algorithm name of the given key object. If an EC key is
-     * specified, returns the algorithm name and its named curve.
-     *
-     * @param key the key object, cannot be null
-     * @return the algorithm name of the given key object, or return in the
-     *       form of "EC (named curve)" if the given key object is an EC key
-     */
-    public static final String fullDisplayAlgName(Key key) {
-        String result = key.getAlgorithm();
-        if (key instanceof AsymmetricKey ak) {
-            AlgorithmParameterSpec paramSpec = ak.getParams();
-            if (paramSpec instanceof NamedCurve nc) {
-                result += " (" + nc.getNameAndAliases()[0] + ")";
-            } else if (paramSpec instanceof NamedParameterSpec nps) {
-                result = nps.getName();
-            }
-        }
-        return result;
-    }
-
     /**
      * Returns whether the key is valid or not.
      * <P>