
keytool -printcert and -printcrl should support the -trustcacerts and -keystore options


Details

    • CSR
    • Resolution: Approved
    • P4
    • 16
    • security-libs
    • None
    • behavioral
    • minimal
    • add/remove/modify command line option
    • JDK

    Description

      Summary

      Add support for the -trustcacerts and -keystore options to the -printcert and -printcrl commands of keytool.

      Problem

      The -printcert and -printcrl commands in keytool do not support the -trustcacerts and -keystore options. As a result, those commands cannot use trusted certificates when verifying untrusted artifacts that are signed by CAs. They also emit warnings when the root CA certificate uses a disabled or weak algorithm, even though that should not be an issue because the key is explicitly trusted.

      Solution

      Provide support for the -trustcacerts and -keystore options in the -printcert and -printcrl commands of keytool.

      Specification

      Note that when a keytool command supports the -keystore option, it also supports the provider-related options as well as -storepass, -storetype and -protected, because those options are used when loading the keystore.
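      As an added example (not keytool's own source), the following Java program performs the trust lookup that the new -printcrl options imply: it collects trusted certificates from a user keystore (loaded with -storepass) and, when -trustcacerts is given, from the JDK cacerts store, then tries to verify the CRL signature with a certificate whose subject matches the CRL issuer and reports the warning case when none does. The class name, the restriction to trusted-certificate entries and the argument layout are assumptions of this example.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

/** Added example (not keytool's source): the trust lookup behind "-printcrl -keystore ... -trustcacerts". */
public class CrlTrustCheck {
    /** Collect trusted-certificate entries from the user keystore (may be null) and, if asked, from cacerts. */
    static List<X509Certificate> trustedCerts(File userKeystore, char[] storepass, boolean trustcacerts) throws Exception {
        List<X509Certificate> certs = new ArrayList<>();
        List<File> stores = new ArrayList<>();
        if (userKeystore != null) stores.add(userKeystore);
        if (trustcacerts) stores.add(new File(System.getProperty("java.home"), "lib/security/cacerts"));
        for (File f : stores) {
            // cacerts loads with a null password (no integrity check); the user keystore gets -storepass.
            KeyStore ks = KeyStore.getInstance(f, f.equals(userKeystore) ? storepass : null);
            for (String alias : Collections.list(ks.aliases())) {
                // Only TrustedCertificateEntry entries count as trust anchors here (assumption of this example).
                Certificate c = ks.getCertificate(alias);
                if (ks.isCertificateEntry(alias) && c instanceof X509Certificate) certs.add((X509Certificate) c);
            }
        }
        return certs;
    }

    /** Return the trusted certificate that verifies the CRL signature, or null (keytool's warning case). */
    static X509Certificate verifyCrl(X509CRL crl, List<X509Certificate> trusted) {
        for (X509Certificate c : trusted) {
            if (!c.getSubjectX500Principal().equals(crl.getIssuerX500Principal())) continue;
            try { crl.verify(c.getPublicKey()); return c; } catch (Exception e) { /* name matched, key did not */ }
        }
        return null;
    }
    /** Usage: java CrlTrustCheck crl.der [keystore storepass] [-trustcacerts] */
    public static void main(String[] args) throws Exception {
        List<String> a = new ArrayList<>(Arrays.asList(args));
        boolean trustcacerts = a.remove("-trustcacerts");
        X509CRL crl;
        try (InputStream in = new FileInputStream(a.get(0))) {
            crl = (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(in);
        }
        File ks = a.size() > 2 ? new File(a.get(1)) : null;
        char[] pw = ks != null ? a.get(2).toCharArray() : null;
        X509Certificate signer = verifyCrl(crl, trustedCerts(ks, pw, trustcacerts));
        System.out.println("CRL issuer: " + crl.getIssuerX500Principal() + ", sigalg: " + crl.getSigAlgName());
        System.out.println(signer == null ? "Warning: CRL could not be verified" : "Verified with " + signer.getSubjectX500Principal());
    }
}
```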

      The following changes will be made to the keytool manpage.

      @@ -833,6 +833,27 @@
      
           -   {`-jarfile` *JAR\_file*}: Signed `.jar` file
      
      +    -   {`-keystore` *keystore*}: Keystore name
      +
      +    -   {`-trustcacerts`}: Trust certificates from cacerts
      +
      +    -   \[`-storepass` *arg*\]: Keystore password
      +
      +    -   {`-storetype` *type*}: Keystore type
      +
      +    -   {`-providername` *name*}: Provider name
      +
      +    -   {`-addprovider` *name* \[`-providerarg` *arg*\]}: Add security provider
      +        by name (such as SunPKCS11) with an optional configure argument.
      +
      +    -   {`-providerclass` *class* \[`-providerarg` *arg*\]}: Add security
      +        provider by fully qualified class name with an optional configure
      +        argument.
      +
      +    -   {`-providerpath` *list*}: Provider classpath
      +
      +    -   {`-protected`}: Password is provided through protected mechanism
      +
           -   {`-v`}: Verbose output
      
           Use the `-printcert` command to read and print the certificate from `-file`
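      Review bot: Missing documentation in the new option entries: `{-keystore keystore}: Keystore name` and `{-trustcacerts}: Trust certificates from cacerts` do not say what `-printcert` consults the keystore for, and nothing in the list states that `-storepass`, `-storetype`, `-protected` and the provider options only matter when `-keystore` is given (the CSR text above says they exist for loading the keystore). Consider one sentence after the list along the lines of `The keystore and provider options select the store whose trusted certificates are consulted when the printed certificate is checked.`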
      @@ -860,7 +881,10 @@
      
           **Note:**
      
      -    This option can be used independently of a keystore.
      +    This command can be used independently of a keystore. This command does not
      +    check for the weakness of a certificate's signature algorithm if it is a
      +    trusted certificate in the user keystore (specified by `-keystore`) or in
      +    the `cacerts` keystore (if `-trustcacerts` is specified).
      
       `-printcertreq`
       :   The following are the available options for the `-printcertreq` command:
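      Review bot: The rewritten Note states only the exemption (`does not check for the weakness ... if it is a trusted certificate`) and leaves the default case implicit; since the Problem section says the weak-algorithm warning is what users see today, spell it out, e.g. `Otherwise, a warning is printed if the certificate's signature algorithm is weak or disabled.` Also, `check for the weakness of a certificate's signature algorithm` reads better as `check whether a certificate's signature algorithm is weak`.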
      @@ -879,6 +903,27 @@
      
           -   {`-file crl`}: Input file name
      
      +    -   {`-keystore` *keystore*}: Keystore name
      +
      +    -   {`-trustcacerts`}: Trust certificates from cacerts
      +
      +    -   \[`-storepass` *arg*\]: Keystore password
      +
      +    -   {`-storetype` *type*}: Keystore type
      +
      +    -   {`-providername` *name*}: Provider name
      +
      +    -   {`-addprovider` *name* \[`-providerarg` *arg*\]}: Add security provider
      +        by name (such as SunPKCS11) with an optional configure argument.
      +
      +    -   {`-providerclass` *class* \[`-providerarg` *arg*\]}: Add security
      +        provider by fully qualified class name with an optional configure
      +        argument.
      +
      +    -   {`-providerpath` *list*}: Provider classpath
      +
      +    -   {`-protected`}: Password is provided through protected mechanism
      +
           -   {`-v`}: Verbose output
      
           Use the `-printcrl` command to read the Certificate Revocation List (CRL)
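      Review bot: Consistency point across the two new lists: the `-keystore` and `-trustcacerts` entries here are word-for-word the ones added to `-printcert`, yet the `-printcrl` Note below uses the keystore to verify the CRL signature while `-printcert` uses it only to skip the weak-algorithm check. The one-line descriptions (`Keystore name`, `Trust certificates from cacerts`) could name the purpose for this command, e.g. `Keystore holding the certificate used to verify the CRL`.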
      @@ -887,7 +932,10 @@
      
           **Note:**
      
      -    This option can be used independently of a keystore.
      +    This command can be used independently of a keystore. This command attempts
      +    to verify the CRL using a certificate from the user keystore (specified by
      +    `-keystore`) or the `cacerts` keystore (if `-trustcacerts` is specified), and
      +    will print out a warning if it cannot be verified.
      
       ## Commands for Managing the Keystore
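      Review bot: `will print out a warning if it cannot be verified` is ambiguous on two points a manpage reader needs: whether the CRL is still printed when verification fails (warning only, versus an error and a non-zero exit), and which certificate is tried (the entry whose subject matches the CRL issuer, or every trusted certificate). If that is the intended behaviour, consider `attempts to verify the CRL signature with the trusted certificate whose subject matches the CRL issuer ... and, if verification fails, still prints the CRL together with a warning.`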


            People

              hchao Haimay Chao
              mullan Sean Mullan
              Weijun Wang