Type: CSR
Resolution: Approved
Priority: P4
Fix Version: None
Compatibility Kind: behavioral
Compatibility Risk: minimal
Interface Kind: add/remove/modify command line option
Scope: JDK
Summary
Add support for the -trustcacerts and -keystore options to the -printcert and -printcrl commands of keytool.
Problem
The -printcert and -printcrl commands in keytool do not support the -trustcacerts and -keystore options. Hence, those commands cannot use trusted certificates when verifying untrusted artifacts that are signed by CAs. This also causes warnings when the root CA uses a disabled or weak signature algorithm, even though that should not be an issue, since the root's key is trusted rather than verified.
Solution
Add support for the -trustcacerts and -keystore options to the -printcert and -printcrl commands of keytool.
Specification
Note that when a keytool command supports the -keystore option, it also supports the provider-related options and the -storepass, -storetype and -protected options, since those are used when loading the keystore.
The following changes will be made to the keytool manpage.
@@ -833,6 +833,27 @@
- {`-jarfile` *JAR\_file*}: Signed `.jar` file
+ - {`-keystore` *keystore*}: Keystore name
+
+ - {`-trustcacerts`}: Trust certificates from cacerts
+
+ - \[`-storepass` *arg*\]: Keystore password
+
+ - {`-storetype` *type*}: Keystore type
+
+ - {`-providername` *name*}: Provider name
+
+ - {`-addprovider` *name* \[`-providerarg` *arg*\]}: Add security provider
+ by name (such as SunPKCS11) with an optional configure argument.
+
+ - {`-providerclass` *class* \[`-providerarg` *arg*\]}: Add security
+ provider by fully qualified class name with an optional configure
+ argument.
+
+ - {`-providerpath` *list*}: Provider classpath
+
+ - {`-protected`}: Password is provided through protected mechanism
+
- {`-v`}: Verbose output
Use the `-printcert` command to read and print the certificate from `-file`
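Review bot: the new `-keystore` entry for `-printcert` reuses the generic description "Keystore name", which elsewhere in the man page denotes the keystore being read or modified; here the keystore is only consulted as a source of trusted certificates and nothing is written to it, and the option list should say so rather than leaving it to the Note further down. Suggest something like `{`-keystore` *keystore*}: Keystore whose trusted certificates are used when checking the printed certificate`. The same applies to `-trustcacerts`: "Trust certificates from cacerts" should state that these are used as trust anchors for the certificate being printed.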
@@ -860,7 +881,10 @@
**Note:**
- This option can be used independently of a keystore.
+ This command can be used independently of a keystore. This command does not
+ check for the weakness of a certificate's signature algorithm if it is a
+ trusted certificate in the user keystore (specified by `-keystore`) or in
+ the `cacerts` keystore (if `-trustcacerts` is specified).
`-printcertreq`
: The following are the available options for the `-printcertreq` command:
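Review bot: the added Note says the weakness check is skipped when "it is a trusted certificate" in the user keystore or cacerts, but does not say what "it" refers to when the input holds a chain (`-file` with several certificates, or `-sslserver`/`-jarfile`): presumably each certificate is tested individually, so a weak leaf issued by a trusted root is still reported. Suggest stating that explicitly, and saying whether "trusted certificate in the user keystore" means a trusted-certificate entry only or any certificate present in the keystore, since that decides whether a CA's own key entry suppresses the warning.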
@@ -879,6 +903,27 @@
- {`-file crl`}: Input file name
+ - {`-keystore` *keystore*}: Keystore name
+
+ - {`-trustcacerts`}: Trust certificates from cacerts
+
+ - \[`-storepass` *arg*\]: Keystore password
+
+ - {`-storetype` *type*}: Keystore type
+
+ - {`-providername` *name*}: Provider name
+
+ - {`-addprovider` *name* \[`-providerarg` *arg*\]}: Add security provider
+ by name (such as SunPKCS11) with an optional configure argument.
+
+ - {`-providerclass` *class* \[`-providerarg` *arg*\]}: Add security
+ provider by fully qualified class name with an optional configure
+ argument.
+
+ - {`-providerpath` *list*}: Provider classpath
+
+ - {`-protected`}: Password is provided through protected mechanism
+
- {`-v`}: Verbose output
Use the `-printcrl` command to read the Certificate Revocation List (CRL)
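Review bot: the option block for `-printcrl` is a verbatim copy of the `-printcert` one, including `-trustcacerts`: "Trust certificates from cacerts", yet for `-printcrl` the trusted certificates serve to verify the CRL's signature (as the Note in the following hunk says), not to suppress weak-algorithm warnings, so the description should say what the certificates are used for here. Since `-storepass` is bracketed as optional while `-keystore` is not, the text should also say what happens when `-keystore` names a keystore that cannot be loaded without a password.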
@@ -887,7 +932,10 @@
**Note:**
- This option can be used independently of a keystore.
+ This command can be used independently of a keystore. This command attempts
+ to verify the CRL using a certificate from the user keystore (specified by
+ `-keystore`) or the `cacerts` keystore (if `-trustcacerts` is specified), and
+ will print out a warning if it cannot be verified.
## Commands for Managing the Keystore
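Review bot: the `-printcrl` Note says keytool "will print out a warning if it cannot be verified" but leaves the outcome ambiguous for scripted use: whether the CRL is still printed and whether keytool exits non-zero. It also does not say how the verifying certificate is selected (by matching the CRL issuer name, presumably) or what is done when neither `-keystore` nor `-trustcacerts` is given, which matters because the preceding sentence "can be used independently of a keystore" is immediately followed by one saying verification is attempted. Suggest spelling out the selection rule, the exit status, and the no-option behaviour.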
CSR of: JDK-8244148 keytool -printcert and -printcrl should support the -trustcacerts and -keystore options (Resolved)