CVSROOT: /cvsroot/classpath
Module name: classpath
Changes by: Raif S. Naffah <raif> 06/06/11 10:40:53
Modified files:
doc : tools.texinfo
tools/gnu/classpath/tools/keytool: Main.java
. : ChangeLog
resource/gnu/classpath/tools/keytool: messages.properties
Added files:
tools/gnu/classpath/tools/keytool: CACertCmd.java
Log message:
2006-06-11 Raif S. Naffah <[EMAIL PROTECTED]>
* doc/tools.texinfo: Added text for new -cacert command.
Re-structured sections.
* resource/gnu/classpath/tools/keytool/messages.properties: Added messages
for -cacert command.
* tools/gnu/classpath/tools/keytool/Main.java (CACERT_CMD): New
constant.
(_CACERT): Likewise.
(shutdownThread): New field.
(Main): Install shutdown thread.
(main): Uninstall shutdown thread.
(start): Handle new -cacert command.
(getParser): Likewise.
(teardown): Increased visibility.
(ShutdownHook): New inner class.
* tools/gnu/classpath/tools/keytool/CACertCmd.java: New file.
CVSWeb URLs:
http://cvs.savannah.gnu.org/viewcvs/classpath/doc/tools.texinfo?cvsroot=classpath&r1=1.2&r2=1.3
http://cvs.savannah.gnu.org/viewcvs/classpath/tools/gnu/classpath/tools/keytool/Main.java?cvsroot=classpath&r1=1.2&r2=1.3
http://cvs.savannah.gnu.org/viewcvs/classpath/tools/gnu/classpath/tools/keytool/CACertCmd.java?cvsroot=classpath&rev=1.1
http://cvs.savannah.gnu.org/viewcvs/classpath/ChangeLog?cvsroot=classpath&r1=1.7767&r2=1.7768
http://cvs.savannah.gnu.org/viewcvs/classpath/resource/gnu/classpath/tools/keytool/messages.properties?cvsroot=classpath&r1=1.2&r2=1.3
Patches:
Index: doc/tools.texinfo
===================================================================
RCS file: /cvsroot/classpath/classpath/doc/tools.texinfo,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -b -r1.2 -r1.3
--- doc/tools.texinfo 21 May 2006 01:49:04 -0000 1.2
+++ doc/tools.texinfo 11 Jun 2006 10:40:51 -0000 1.3
@@ -5,7 +5,7 @@
@settitle GNU Classpath Tools Guide
@c %**end of header
[EMAIL PROTECTED] off
[EMAIL PROTECTED] on
@ifinfo
This file documents the Tools included in a standard distribution of the GNU
@@ -37,6 +37,8 @@
@end titlepage
[EMAIL PROTECTED]
+
@ifinfo
@node Top, Security Tools, (dir), (dir)
@top GNU Classpath Tools Guide
@@ -62,6 +64,47 @@
* jarsigner Tool:: Sign and verify .JAR files
* keytool Tool:: Manage private keys and public certificates
+jarsigner Tool
+
+* Common jarsigner Options:: Options used when signing or verifying a file
+* Signing Options:: Options only used when signing a .JAR file
+* Verification Options:: Options only used when verifying a .JAR file
+
+keytool Tool
+
+* Getting Help:: How to get help with keytool commands
+* Common keytool Options:: Options used in more than one command
+* Distinguished Names:: X.500 Distinguished Names used in certificates
+* Add/Update Commands:: Commands for adding data to a Key Store
+* Export Commands:: Commands for exporting data from a Key Store
+* Display Commands:: Commands for displaying data in a Key Store
+* Management Commands:: Commands for managing a Key Store
+
+Add/Update Commands
+
+* Command -genkey:: Generate private key and self-signed certificate
+* Command -import:: Import certificates and certificate replies
+* Command -selfcert:: Generate self-signed certificate
+* Command -cacert:: Import a CA Trusted Certificate
+* Command -identitydb:: Import JDK-1 style identities
+
+Export Commands
+
+* Command -certreq:: Generate Certificate Signing Requests (CSR)
+* Command -export:: Export a certificate in a Key Store
+
+Display Commands
+
+* Command -list:: Display information about one or all Aliases
+* Command -printcert:: Print a certificate or a certificate fingerprint
+
+Management Commands
+
+* Command -keyclone:: Clone a Key Entry in a Key Store
+* Command -storepasswd:: Change the password protecting a Key Store
+* Command -keypasswd:: Change the password protecting a Key Entry
+* Command -delete:: Remove an entry in a Key Store
+
I18N Issues
* Language Resources:: Where resources are located
@@ -76,7 +119,7 @@
@comment node-name, next, previous, up
@chapter Security Tools
-Two Security Tools are available with GNU Classpath: @b{jarsugner} and
@b{keytool}.
+Two Security Tools are available with GNU Classpath: @b{jarsigner} and
@b{keytool}.
@menu
* jarsigner Tool:: Sign and verify .JAR files
@@ -91,22 +134,59 @@
@comment node-name, next, previous, up
@section The @code{jarsigner} Tool
[EMAIL PROTECTED] @b
+The @b{jarsigner} tool is invoked from the command line, in one of two forms,
as follows:
[EMAIL PROTECTED] SYNOPSIS
[EMAIL PROTECTED] [OPTION]... FILE [EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED] [OPTION]... FILE ALIAS}
@code{jarsigner -verify [OPTION]... FILE}
[EMAIL PROTECTED] example
[EMAIL PROTECTED] DESCRIPTION
-When the first form is used, the tool signs the designated JAR file.
-
-The second form, on the other hand, is used to verify a previously signed JAR
file.
+When the first form is used, the tool signs the designated JAR file. The
second form, on the other hand, is used to verify a previously signed JAR file.
@code{FILE} is the .JAR file to process; i.e. to sign if the first syntax form
is used, or to verify if the second syntax form is used instead.
[EMAIL PROTECTED] must be a known @i{Alias} of a @i{Key Entry} in the
designated key store. The private key material associated with this @i{Alias}
is then used for signing the designated .JAR file.
[EMAIL PROTECTED] must be a known @i{Alias} of a @i{Key Entry} in the
designated @i{Key Store}. The private key material associated with this
@i{Alias} is then used for signing the designated .JAR file.
+
[EMAIL PROTECTED]
+* Common jarsigner Options:: Options used when signing or verifying a file
+* Signing Options:: Options only used when signing a .JAR file
+* Verification Options:: Options only used when verifying a .JAR file
[EMAIL PROTECTED] menu
+
[EMAIL PROTECTED]
----------------------------------------------------------------------
+
[EMAIL PROTECTED] Common jarsigner Options, Signing Options, jarsigner Tool,
jarsigner Tool
[EMAIL PROTECTED] node-name, next, previous, up
[EMAIL PROTECTED] Common options
+
+The following options may be used when the tool is used for either signing, or
verifying, a .JAR file.
+
[EMAIL PROTECTED] @b
[EMAIL PROTECTED] -verbose
+Use this option to force the tool to generate more verbose messages, during
its processing.
+
[EMAIL PROTECTED] -internalsf
+When present, the tool will include --which otherwise it does not-- the
@code{.SF} file in the @code{.DSA} generated file.
+
[EMAIL PROTECTED] -sectionsonly
+When present, the tool will include in the @code{.SF} generated file --which
otherwise it does not-- a header containing a hash of the whole manifest file.
When that header is included, the tool can quickly check, during verification,
if the hash (in the header) matches or not the manifest file.
+
[EMAIL PROTECTED] -provider PROVIDER_CLASS_NAME
+A fully qualified class name of a @i{Security Provider} to add to the current
list of @i{Security Providers} already installed in the JVM in-use. If a
provider class is specified with this option, and was successfully added to the
runtime --i.e. it was not already installed-- then the tool will attempt to
remove this @i{Security Provider} before exiting.
+
[EMAIL PROTECTED] -help
+Prints a help text similar to this one.
+
[EMAIL PROTECTED] table
+
[EMAIL PROTECTED]
----------------------------------------------------------------------
+
[EMAIL PROTECTED] Signing Options, Verification Options, Common jarsigner
Options, jarsigner Tool
[EMAIL PROTECTED] node-name, next, previous, up
[EMAIL PROTECTED] Signing options
+
+The following options may be specified when using the tool for signing
purposes.
[EMAIL PROTECTED] SIGNING OPTIONS
@table @b
@item -keystore URL
Use this option to specify the location of the key store to use. The default
value is a file URL referencing the file named @file{.keystore} located in the
path returned by the call to @code{java.lang.System#getProperty(String)} using
@code{user.home} as argument.
@@ -129,12 +209,19 @@
If this option is missing, the first eight characters of the @code{ALIAS}
argument will be used. When this is the case, any character in @code{ALIAS}
that is outside the permissible range of characters will be replaced by an
underscore.
[EMAIL PROTECTED] -signedjar FILE_NAME
[EMAIL PROTECTED] -signedjar FILE
Use this option to specify the file name of the signed JAR. If this option is
omitted, then the signed JAR will be named the same as @code{FILE}; i.e. the
input JAR file will be replaced with the signed copy.
@end table
[EMAIL PROTECTED] VERIFICATION OPTIONS
[EMAIL PROTECTED]
----------------------------------------------------------------------
+
[EMAIL PROTECTED] Verification Options, , Signing Options, jarsigner Tool
[EMAIL PROTECTED] node-name, next, previous, up
[EMAIL PROTECTED] Verification options
+
+The following options may be specified when using the tool for verification
purposes.
+
@table @b
@item -verify
Use this option to indicate that the tool is to be used for verification
purposes.
@@ -144,44 +231,37 @@
@end table
[EMAIL PROTECTED] COMMON OPTIONS
[EMAIL PROTECTED] @b
[EMAIL PROTECTED] -verbose
-Use this option to force the tool to generate more verbose messages, during
its processing.
-
[EMAIL PROTECTED] -internalsf
-When present, the tool will include --which otherwise it does not-- the
@code{.SF} file in the @code{.DSA} generated file.
[EMAIL PROTECTED]
----------------------------------------------------------------------
[EMAIL PROTECTED] -sectionsonly
-When present, the tool will include in the @code{.SF} generated file --which
otherwise it does not-- a header containing a hash of the whole manifest file.
When that header is included, the tool can quickly check, during verification,
if the hash (in the header) matches or not the manifest file.
[EMAIL PROTECTED] keytool Tool, , jarsigner Tool, Security Tools
[EMAIL PROTECTED] node-name, next, previous, up
[EMAIL PROTECTED] The @code{keytool} Tool
[EMAIL PROTECTED] -provider PROVIDER_CLASS_NAME
-A fully qualified class name of a @i{Security Provider} to add to the current
list of @i{Security Providers} already installed in the JVM in-use. If a
provider class is specified with this option, and was successfully added to the
runtime --i.e. it was not already installed-- then the tool will attempt to
remove this @i{Security Provider} before exiting.
+Cryptographic credentials, in a Java environment, are usually stored in a
@i{Key Store}. The Java SDK specifies a @i{Key Store} as a persistent container
of two types of objects: @i{Key Entries} and @i{Trusted Certificates}. The
security tool @b{keytool} is a Java-based application for managing those types
of objects.
[EMAIL PROTECTED] -help
-Prints a help text similar to this one.
+A @i{Key Entry} represents the private key part of a key-pair used in
Public-Key Cryptography, and a signed X.509 certificate which authenticates the
public key part for a known entity; i.e. the owner of the key-pair. The X.509
certificate itself contains the public key part of the key-pair.
[EMAIL PROTECTED] table
[EMAIL PROTECTED] table
+A @i{Trusted Certificate} is a signed X.509 certificate issued by a trusted
entity. The @i{Trust} in this context is relative to the User of the
@b{keytool}. In other words, the existence of a @i{Trusted Certificate} in the
@i{Key Store} processed by a @b{keytool} command implies that the User trusts
the @i{Issuer} of that @i{Trusted Certificate} to also sign, and hence
authenticates, other @i{Subjects} the tool may process.
[EMAIL PROTECTED]
----------------------------------------------------------------------
[EMAIL PROTECTED] Certificates} are important because they allow the tool to
mechanically construct @i{Chains of Trust} starting from one of the @i{Trusted
Certificates} in a @i{Key Store} and ending with a certificate whose @i{Issuer}
is potentially unknown. A valid chain is an ordered list, starting with a
@i{Trusted Certificate} (also called the @i{anchor}), ending with the target
certificate, and satisfying the condition that the @i{Subject} of certificate
@code{#i} is the @i{Issuer} of certificate @code{#i + 1}.
[EMAIL PROTECTED] keytool Tool, , jarsigner Tool, Security Tools
[EMAIL PROTECTED] node-name, next, previous, up
[EMAIL PROTECTED] The @code{keytool} Tool
+The @b{keytool} is invoked from the command line as follows:
[EMAIL PROTECTED] @b
[EMAIL PROTECTED] SYNOPSIS
[EMAIL PROTECTED]
@code{keytool [COMMAND]...}
[EMAIL PROTECTED] example
[EMAIL PROTECTED] DESCRIPTION
-A Java-based tool for managing both @i{Key Entries} as well as @i{Trusted
Certificates}.
+Multiple @code{COMMAND}s may be specified at once, each complete with its own
options. @b{keytool} will parse all the arguments, before processing, and
executing, each @code{COMMAND}. If an exception occurs while executing one
@code{COMMAND} @b{keytool} will abort. Note however that because the
implementation of the tool uses code to parse command line options that also
supports GNU-style options, you have to separate each command group with a
double-hyphen; e.g
-Multiple @code{COMMAND}s may be specified at once, each complete with its own
options. @b{keytool} will parse all the arguments, before processing, and
executing, each @code{COMMAND}. If an exception occurs while executing one
@code{COMMAND} @b{keytool} will abort.
[EMAIL PROTECTED]
[EMAIL PROTECTED] -list -- -printcert -alias mykey}
[EMAIL PROTECTED] example
-A @code{COMMAND} can be one of the followings:
+Here is a summary of the commands supported by the tool:
[EMAIL PROTECTED] @b
[EMAIL PROTECTED]
[EMAIL PROTECTED] Add/Update commands
[EMAIL PROTECTED] @bullet
@item -genkey [EMAIL PROTECTED]
Generate a new @i{Key Entry}, eventually creating a new key store.
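Review bot: the chain-of-trust definition added in this hunk ("the @i{Subject} of certificate @code{#i} is the @i{Issuer} of certificate @code{#i + 1}") states only the name-chaining condition; a chain is valid only if, in addition, each certificate's signature verifies under the public key of the certificate before it, with the first one being a @i{Trusted Certificate} from the key store. The paragraph should say so explicitly, otherwise a reader may assume that issuer/subject name matching alone establishes trust. Also, "double-hyphen; e.g" at the end of the keytool description is missing its closing period.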
@@ -191,22 +271,34 @@
@item -selfcert [EMAIL PROTECTED]
Generate a new self-signed @i{Trusted Certificate}.
[EMAIL PROTECTED] -cacert [EMAIL PROTECTED]
+Import a CA @i{Trusted Certificate}.
+
@item -identitydb [EMAIL PROTECTED]
@b{NOT IMPLEMENTED [EMAIL PROTECTED]
Import a JDK 1.1 style Identity Database.
[EMAIL PROTECTED] itemize
[EMAIL PROTECTED] Export commands
[EMAIL PROTECTED] @bullet
@item -certreq [EMAIL PROTECTED]
Issue a @i{Certificate Signing Request} (CSR) which can be then sent to a
@i{Certification Authority} (CA) to issue a certificate signed (by the CA) and
authenticating the @i{Subject} of the request.
@item -export [EMAIL PROTECTED]
Export a certificate from a key store.
[EMAIL PROTECTED] itemize
[EMAIL PROTECTED] Display commands
[EMAIL PROTECTED] @bullet
@item -list [EMAIL PROTECTED]
Print one or all certificates in a key store to @code{STDOUT}.
@item -printcert [EMAIL PROTECTED]
Print a human-readable form of a certificate, in a designated file, to
@code{STDOUT}.
[EMAIL PROTECTED] itemize
[EMAIL PROTECTED] Management commands
[EMAIL PROTECTED] @bullet
@item -keyclone [EMAIL PROTECTED]
Clone a @i{Key Entry} in a key store.
@@ -218,13 +310,48 @@
@item -delete [EMAIL PROTECTED]
Delete a @i{Key Entry} or a @i{Trusted Certificate} from a key store.
[EMAIL PROTECTED] itemize
[EMAIL PROTECTED] -help
-Prints a help text similar to this one.
[EMAIL PROTECTED] enumerate
[EMAIL PROTECTED] table
[EMAIL PROTECTED]
+* Getting Help:: How to get help with keytool commands
+* Common keytool Options:: Options used in more than one command
+* Distinguished Names:: X.500 Distinguished Names used in certificates
+* Add/Update Commands:: Commands for adding data to a Key Store
+* Export Commands:: Commands for exporting data from a Key Store
+* Display Commands:: Commands for displaying data in a Key Store
+* Management Commands:: Commands for managing a Key Store
[EMAIL PROTECTED] menu
+
[EMAIL PROTECTED]
----------------------------------------------------------------------
+
[EMAIL PROTECTED] Getting Help, Common keytool Options, keytool Tool, keytool
Tool
[EMAIL PROTECTED] node-name, next, previous, up
[EMAIL PROTECTED] Getting help
+
+To get a general help text about the tool, use the @code{-help} option; e.g.
+
[EMAIL PROTECTED]
[EMAIL PROTECTED] -help}
[EMAIL PROTECTED] example
+
+To get more specific help text about one of the tool's command use the
@code{-help} option for that command; e.g.
+
[EMAIL PROTECTED]
[EMAIL PROTECTED] -genkey -help}
[EMAIL PROTECTED] example
+
+In both instances, the tool will print a help text and then will exit the
running JVM.
+
+It is worth noting here that the help messages printed by the tool are
I18N-ready. This means that if/when the contents of the tool's @i{Message
Bundle} properties file are available in languages other than English, you may
see those messages in that language.
+
[EMAIL PROTECTED]
----------------------------------------------------------------------
+
[EMAIL PROTECTED] Common keytool Options, Distinguished Names, Getting Help,
keytool Tool
[EMAIL PROTECTED] node-name, next, previous, up
[EMAIL PROTECTED] Common options
[EMAIL PROTECTED] OPTIONS COMMON TO MORE THAN ONE COMMAND
The following @code{OPTION}s are used in more than one @code{COMMAND}. They
are described here to reduce redundancy.
@table @b
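Review bot: grammar in the new Getting Help node: "To get more specific help text about one of the tool's command use the @code{-help} option" should read "one of the tool's commands, use the @code{-help} option".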
@@ -263,7 +390,7 @@
A fully qualified class name of a @i{Security Provider} to add to the current
list of @i{Security Providers} already installed in the JVM in-use. If a
provider class is specified with this option, and was successfully added to the
runtime --i.e. it was not already installed-- then the tool will attempt to
removed this @i{Security Provider} before exiting.
@anchor{file}
[EMAIL PROTECTED] -file FILE_NAME
[EMAIL PROTECTED] -file FILE
Use this option to designate a file to use with a command. When specified with
this option, the value is expected to be the fully qualified path of a file
accessible by the File System. Depending on the command, the file may be used
as input or as output. When this option is omitted from the command line,
@code{STDIN} will be used instead, as the source of input, and @code{STDOUT}
will be used instead as the output destination.
@anchor{verbose}
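Review bot: the unchanged context line just above the @code{-file} entry, "then the tool will attempt to removed this @i{Security Provider} before exiting", has a typo; since this hunk already touches the adjacent lines, change "removed" to "remove" here as well.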
@@ -272,8 +399,13 @@
@end table
[EMAIL PROTECTED]
----------------------------------------------------------------------
+
[EMAIL PROTECTED] Distinguished Names, Add/Update Commands, Common keytool
Options, keytool Tool
[EMAIL PROTECTED] node-name, next, previous, up
[EMAIL PROTECTED] X.500 Distinguished Names
+
@anchor{dn}
[EMAIL PROTECTED] X.500 DISTINGUISHED NAME
A @i{Distinguished Name} (or DN) MUST be supplied with some of the
@code{COMMAND}s using a @code{-dname} option. The syntax of a valid value for
this option MUST follow RFC-2253 specifications. Namely the following
components (with their accepted meaning) will be recognized. Note that the
component name is case-insensitive:
@ftable @var
@@ -299,8 +431,27 @@
@*
If the @i{Distinguished Name} is required, and no valid default value can be
used, the tool will prompt you to enter the information through the console.
[EMAIL PROTECTED] -genkey COMMAND
-Generate a new key-pair (both private and public keys), and save these
credentials in the key store as a @i{Key Entry}, associated with the designated
(if was specified in the @code{-alias} option) or default (if the @code{-alias}
option is omitted) @i{Alias}.
[EMAIL PROTECTED]
----------------------------------------------------------------------
+
[EMAIL PROTECTED] Add/Update Commands, Export Commands, Distinguished Names,
keytool Tool
[EMAIL PROTECTED] node-name, next, previous, up
[EMAIL PROTECTED] Add/Update commands
+
[EMAIL PROTECTED]
+* Command -genkey:: Generate private key and self-signed certificate
+* Command -import:: Import certificates and certificate replies
+* Command -selfcert:: Generate self-signed certificate
+* Command -cacert:: Import a CA Trusted Certificate
+* Command -identitydb:: Import JDK-1 style identities
[EMAIL PROTECTED] menu
+
[EMAIL PROTECTED]
----------------------------------------------------------------------
+
[EMAIL PROTECTED] Command -genkey, Command -import, Add/Update Commands,
Add/Update Commands
[EMAIL PROTECTED] node-name, next, previous, up
[EMAIL PROTECTED] @code{-genkey} command
+
+Use this command to generate a new key-pair (both private and public keys),
and save these credentials in the key store as a @i{Key Entry}, associated with
the designated (if was specified with the @code{-alias} option) or default (if
the @code{-alias} option is omitted) @i{Alias}.
The private key material will be protected with a user-defined password (see
@code{-keypass} option). The public key on the other hand will be part of a
self-signed X.509 certificate, which will form a 1-element chain and will be
saved in the key store.
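Review bot: grammar in the new -genkey description: "associated with the designated (if was specified with the @code{-alias} option) or default ... @i{Alias}" is missing its subject; "if one was specified with the @code{-alias} option" reads correctly.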
@@ -347,8 +498,13 @@
@end table
[EMAIL PROTECTED] -import COMMAND
-Read an X.509 certificate, or a PKCS#7 @i{Certificate Reply} from a designated
input source and incorporate the certificates into the key store.
[EMAIL PROTECTED]
----------------------------------------------------------------------
+
[EMAIL PROTECTED] Command -import, Command -selfcert, Command -genkey,
Add/Update Commands
[EMAIL PROTECTED] node-name, next, previous, up
[EMAIL PROTECTED] @code{-import} command
+
+Use this command to read an X.509 certificate, or a PKCS#7 @i{Certificate
Reply} from a designated input source and incorporate the certificates into the
key store.
If the @i{Alias} does not already exist in the key store, the tool treats the
certificate read from the input source as a new @i{Trusted Certificate}. It
then attempts to discover a chain-of-trust, starting from that certificate and
ending at another @i{Trusted Certificate}, already stored in the key store. If
the @code{-trustcacerts} option is present, an additional key store, of type
@code{JKS} named @file{cacerts}, and assumed to be present in @[EMAIL
PROTECTED]@}/lib/security} will also be consulted if found [EMAIL
PROTECTED]@[EMAIL PROTECTED] refers to the location of an installed @i{Java
Runtime Environment} (JRE). If no chain-of-trust can be established, and unless
the @code{-noprompt} option has been specified, the certificate is printed to
@code{STDOUT} and the user is prompted for a confirmation.
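Review bot: the -import description ends with "If no chain-of-trust can be established, and unless the @code{-noprompt} option has been specified, the certificate is printed to @code{STDOUT} and the user is prompted for a confirmation", but it does not say what happens when @code{-noprompt} is given and no chain can be established: whether the certificate is then stored as a @i{Trusted Certificate} without confirmation, or rejected. That is the security-relevant case for this command, so the node should state the behaviour explicitly and, if the certificate is imported anyway, warn that @code{-noprompt} is only appropriate for certificates obtained over a channel the user already trusts.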
@@ -358,8 +514,8 @@
@item -alias ALIAS
For more details @pxref{alias,, ALIAS}.
[EMAIL PROTECTED] -file FILE_NAME
-For more details @pxref{file,, FILE_NAME}.
[EMAIL PROTECTED] -file FILE
+For more details @pxref{file,, FILE}.
@item -keypass PASSWORD
Use this option to specify the password which the tool will use to protect the
@i{Key Entry} associated with the designated @i{Alias}, when replacing this
@i{Alias}' chain of certificates with that found in the certificate reply.
@@ -389,8 +545,13 @@
@end table
[EMAIL PROTECTED] -selfcert COMMAND
-Generate a self-signed X.509 version 1 certificate. The newly generated
certificate will form a chain of one element which will replace the previous
chain associated with the designated @i{Alias} (if @code{-alias} option was
specified), or the default @i{Alias} (if @code{-alias} option was omitted).
[EMAIL PROTECTED]
----------------------------------------------------------------------
+
[EMAIL PROTECTED] Command -selfcert, Command -cacert, Command -import,
Add/Update Commands
[EMAIL PROTECTED] node-name, next, previous, up
[EMAIL PROTECTED] @code{-selfcert} command
+
+Use this command to generate a self-signed X.509 version 1 certificate. The
newly generated certificate will form a chain of one element which will replace
the previous chain associated with the designated @i{Alias} (if @code{-alias}
option was specified), or the default @i{Alias} (if @code{-alias} option was
omitted).
@table @b
@item -alias ALIAS
@@ -429,14 +590,50 @@
@end table
[EMAIL PROTECTED] -identitydb COMMAND
[EMAIL PROTECTED]
----------------------------------------------------------------------
+
[EMAIL PROTECTED] Command -cacert, Command -identitydb, Command -selfcert,
Add/Update Commands
[EMAIL PROTECTED] node-name, next, previous, up
[EMAIL PROTECTED] @code{-cacert} command
+
+Use this command to import, a CA certificate and add it to the key store as a
@i{Trusted Certificate}. The @i{Alias} for this new entry will be constructed
from the FILE's base-name after replacing hyphens and dots with underscores.
+
+This command is useful when used in a script that recursively visits a
directory of CA certificates to populate a @code{cacerts.gkr} @i{Key Store} of
trusted certificates which can then be used commands that specify the
@code{-trustcacerts} option.
+
[EMAIL PROTECTED] @b
[EMAIL PROTECTED] -file FILE
+For more details @pxref{file,, FILE}.
+
[EMAIL PROTECTED] -storetype STORE_TYPE
+For more details @pxref{storetype,, STORE_TYPE}.
+
[EMAIL PROTECTED] -keystore URL
+For more details @pxref{keystore,, URL}.
+
[EMAIL PROTECTED] -storepass PASSWORD
+For more details @pxref{storepass,, PASSWORD}.
+
[EMAIL PROTECTED] -provider PROVIDER_CLASS_NAME
+For more details @pxref{provider,, PROVIDER_CLASS_NAME}.
+
[EMAIL PROTECTED] -v
+For more details @pxref{verbose}.
+
[EMAIL PROTECTED] table
+
[EMAIL PROTECTED]
----------------------------------------------------------------------
+
[EMAIL PROTECTED] Command -identitydb, , Command -cacert, Add/Update Commands
[EMAIL PROTECTED] node-name, next, previous, up
[EMAIL PROTECTED] @code{-identitydb} command
+
@b{NOT IMPLEMENTED YET}.
-Import a JDK 1.1 style Identity Database.
+Use this command to import a JDK 1.1 style Identity Database.
@table @b
[EMAIL PROTECTED] -file FILE_NAME
-For more details @pxref{file,, FILE_NAME}.
[EMAIL PROTECTED] -file FILE
+For more details @pxref{file,, FILE}.
@item -storetype STORE_TYPE
For more details @pxref{storetype,, STORE_TYPE}.
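Review bot: the new -cacert node says the alias "will be constructed from the FILE's base-name after replacing hyphens and dots with underscores" but not what happens when the derived alias already exists in the key store. Since the command is meant for scripts that walk a directory of CA certificates, collisions are plausible (distinct file names can fold to the same alias once hyphens and dots become underscores, and two directories may hold files with the same base-name), so document whether the existing entry is overwritten, skipped, or the command aborts. Two wording fixes in the same node: "Use this command to import, a CA certificate" has a stray comma, and "which can then be used commands that specify the @code{-trustcacerts} option" is missing "by".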
@@ -455,8 +652,24 @@
@end table
[EMAIL PROTECTED] -certreq COMMAND
-Generate a PKCS#10 @i{Certificate Signing Request} (CSR) and writes it to a
designated output destination. The contents of the destination should look
something like the following:
[EMAIL PROTECTED]
----------------------------------------------------------------------
+
[EMAIL PROTECTED] Export Commands, Display Commands, Add/Update Commands,
keytool Tool
[EMAIL PROTECTED] node-name, next, previous, up
[EMAIL PROTECTED] Export commands
+
[EMAIL PROTECTED]
+* Command -certreq:: Generate Certificate Signing Requests (CSR)
+* Command -export:: Export a certificate in a Key Store
[EMAIL PROTECTED] menu
+
[EMAIL PROTECTED]
----------------------------------------------------------------------
+
[EMAIL PROTECTED] Command -certreq, Command -export, Export Commands, Export
Commands
[EMAIL PROTECTED] node-name, next, previous, up
[EMAIL PROTECTED] @code{-certreq} command
+
+Use this command to generate a PKCS#10 @i{Certificate Signing Request} (CSR)
and write it to a designated output destination. The contents of the
destination should look something like the following:
@example
-----BEGIN NEW CERTIFICATE REQUEST-----
@@ -476,8 +689,8 @@
@item -sigalg ALGORITHM
The canonical name of the digital signature algorithm to use for signing the
certificate. If this option is omitted, a default value will be chosen based on
the type of the private key associated with the designated @i{Alias}. If the
private key is a @code{DSA} one, the value for the signature algorithm will be
@code{SHA1withDSA}. If on the other hand the private key is an @code{RSA} one,
then the tool will use @code{MD5withRSA} as the signature algorithm.
[EMAIL PROTECTED] -file FILE_NAME
-For more details @pxref{file,, FILE_NAME}.
[EMAIL PROTECTED] -file FILE
+For more details @pxref{file,, FILE}.
@item -keypass PASSWORD
Use this option to specify the password which the tool will use to unlock the
@i{Key Entry} associated with the designated @i{Alias}.
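Review bot: the unchanged -sigalg context in this hunk documents @code{MD5withRSA} as the default signature algorithm for RSA keys. MD5 has known collision weaknesses, so the documentation should at least recommend passing @code{-sigalg} explicitly (a SHA-based algorithm such as @code{SHA1withRSA}, matching the @code{SHA1withDSA} default used for DSA keys) rather than relying on that default, or the default itself should be revisited in the tool.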
@@ -504,16 +717,20 @@
@end table
[EMAIL PROTECTED] -export COMMAND
-Export a certificate stored in the key store to a designated output
destination, either in binary format (if the @code{-v} option is specified), or
in RFC-1421 compliant encoding (if the @code{-rfc} option is specified
-instead).
[EMAIL PROTECTED]
----------------------------------------------------------------------
+
[EMAIL PROTECTED] Command -export, , Command -certreq, Export Commands
[EMAIL PROTECTED] node-name, next, previous, up
[EMAIL PROTECTED] @code{-export} command
+
+Use this command to export a certificate stored in a key store to a designated
output destination, either in binary format (if the @code{-v} option is
specified), or in RFC-1421 compliant encoding (if the @code{-rfc} option is
specified instead).
@table @b
@item -alias ALIAS
For more details @pxref{alias,, ALIAS}.
[EMAIL PROTECTED] -file FILE_NAME
-For more details @pxref{file,, FILE_NAME}.
[EMAIL PROTECTED] -file FILE
+For more details @pxref{file,, FILE}.
@item -storetype STORE_TYPE
For more details @pxref{storetype,, STORE_TYPE}.
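Review bot: the -export description reads "either in binary format (if the @code{-v} option is specified), or in RFC-1421 compliant encoding (if the @code{-rfc} option is specified instead)". Everywhere else in this document @code{-v} means verbose output (@pxref{verbose}), so presenting it as the selector for binary output is confusing; if binary is simply the default and @code{-rfc} switches to the RFC-1421 encoding, say so and drop the -v condition, and if -v really does change the output format, the @code{-v} entry in the option table should explain that.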
@@ -535,8 +752,24 @@
@end table
[EMAIL PROTECTED] -list COMMAND
-Print one or all of the key store entries to @code{STDOUT}. Usually this
command will only print a @i{fingerprint} of the certificate, unless either the
@code{-rfc} or the @code{-v} option is specified.
[EMAIL PROTECTED]
----------------------------------------------------------------------
+
[EMAIL PROTECTED] Display Commands, Management Commands, Export Commands,
keytool Tool
[EMAIL PROTECTED] node-name, next, previous, up
[EMAIL PROTECTED] Display commands
+
[EMAIL PROTECTED]
+* Command -list:: Display information about one or all Aliases
+* Command -printcert:: Print a certificate or a certificate fingerprint
[EMAIL PROTECTED] menu
+
[EMAIL PROTECTED]
----------------------------------------------------------------------
+
[EMAIL PROTECTED] Command -list, Command -printcert, Display Commands, Display
Commands
[EMAIL PROTECTED] node-name, next, previous, up
[EMAIL PROTECTED] @code{-list} command
+
+Use this command to print one or all of a key store entries to @code{STDOUT}.
Usually this command will only print a @i{fingerprint} of the certificate,
unless either the @code{-rfc} or the @code{-v} option is specified.
@table @b
@item -alias ALIAS
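Review bot: grammar in the new -list description: "print one or all of a key store entries" should read "one or all of a key store's entries".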
@@ -564,20 +797,43 @@
@end table
[EMAIL PROTECTED] -printcert COMMAND
-Read a certificate from a designated input source and print it to
@code{STDOUT} in a human-readable form.
[EMAIL PROTECTED]
----------------------------------------------------------------------
+
[EMAIL PROTECTED] Command -printcert, , Command -list, Display Commands
[EMAIL PROTECTED] node-name, next, previous, up
[EMAIL PROTECTED] @code{-printcert} command
+
+Use this command to read a certificate from a designated input source and
print it to @code{STDOUT} in a human-readable form.
@table @b
[EMAIL PROTECTED] -file FILE_NAME
-For more details @pxref{file,, FILE_NAME}.
[EMAIL PROTECTED] -file FILE
+For more details @pxref{file,, FILE}.
@item -v
For more details @pxref{verbose}.
@end table
[EMAIL PROTECTED] -keyclone COMMAND
-Clone an existing @i{Key Entry} and store it under a new (different) @i{Alias}
protecting, its private key material with possibly a new password.
[EMAIL PROTECTED]
----------------------------------------------------------------------
+
[EMAIL PROTECTED] Management Commands, , Display Commands, keytool Tool
[EMAIL PROTECTED] node-name, next, previous, up
[EMAIL PROTECTED] Management commands
+
[EMAIL PROTECTED]
+* Command -keyclone:: Clone a Key Entry in a Key Store
+* Command -storepasswd:: Change the password protecting a Key Store
+* Command -keypasswd:: Change the password protecting a Key Entry
+* Command -delete:: Remove an entry in a Key Store
[EMAIL PROTECTED] menu
+
[EMAIL PROTECTED]
----------------------------------------------------------------------
+
[EMAIL PROTECTED] Command -keyclone, Command -storepasswd, Management Commands,
Management Commands
[EMAIL PROTECTED] node-name, next, previous, up
[EMAIL PROTECTED] @code{-keyclone} command
+
+Use this command to clone an existing @i{Key Entry} and store it under a new
(different) @i{Alias} protecting, its private key material with possibly a new
password.
@table @b
@item -alias ALIAS
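Review bot: the -keyclone description, "store it under a new (different) @i{Alias} protecting, its private key material with possibly a new password", has a misplaced comma; "@i{Alias}, protecting its private key material with possibly a new password" is the intended reading.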
@@ -611,8 +867,13 @@
@end table
[EMAIL PROTECTED] -storepasswd COMMAND
-Change the password protecting a key store.
[EMAIL PROTECTED]
----------------------------------------------------------------------
+
[EMAIL PROTECTED] Command -storepasswd, Command -keypasswd, Command -keyclone,
Management Commands
[EMAIL PROTECTED] node-name, next, previous, up
[EMAIL PROTECTED] @code{-storepasswd} command
+
+Use this command to change the password protecting a key store.
@table @b
@item -new PASSWORD
@@ -635,14 +896,18 @@
@end table
[EMAIL PROTECTED] -keypasswd COMMAND
-Change the password protecting the private key material of a designated @i{Key
Entry}.
[EMAIL PROTECTED]
----------------------------------------------------------------------
+
[EMAIL PROTECTED] Command -keypasswd, Command -delete, Command -storepasswd,
Management Commands
[EMAIL PROTECTED] node-name, next, previous, up
[EMAIL PROTECTED] @code{-keypasswd} command
+
+Use this command to change the password protecting the private key material of
a designated @i{Key Entry}.
@table @b
@item -alias ALIAS
For more details @pxref{alias,, ALIAS}.
[EMAIL PROTECTED] -keypass PASSWORD
Use this option to specify the password which the tool will use to unlock the
@i{Key Entry} associated with the designated @i{Alias}.
If this option is omitted, the tool will first attempt to unlock the @i{Key
Entry} using the same password protecting the key store. If this fails, you
will then be prompted to provide a password.
@@ -667,8 +932,13 @@
@end table
[EMAIL PROTECTED] -delete COMMAND
-Delete a designated key store entry.
[EMAIL PROTECTED]
----------------------------------------------------------------------
+
[EMAIL PROTECTED] Command -delete, , Command -keypasswd, Management Commands
[EMAIL PROTECTED] node-name, next, previous, up
[EMAIL PROTECTED] @code{-delete} command
+
+Use this command to delete a designated key store entry.
@table @b
@item -alias ALIAS
@@ -690,7 +960,6 @@
For more details @pxref{verbose}.
@end table
[EMAIL PROTECTED] table
@comment ----------------------------------------------------------------------
@@ -709,7 +978,7 @@
@node Language Resources, Message Formats, I18N Issues, I18N Issues
@comment node-name, next, previous, up
[EMAIL PROTECTED] Language-Specific Resources
[EMAIL PROTECTED] Language-specific resources
The Tools use Java @code{ResourceBundle}s to store messages, and message
templates they use at runtime to generate the message text itself, depending on
the locale in use at the time.
@@ -761,7 +1030,7 @@
@node Message Formats, , Language Resources, I18N Issues
@comment node-name, next, previous, up
[EMAIL PROTECTED] Message Formats
[EMAIL PROTECTED] Message formats
If you open any of the @file{messages.properties} described in the previous
section, you may see properties that look like so:
Index: tools/gnu/classpath/tools/keytool/Main.java
===================================================================
RCS file: /cvsroot/classpath/classpath/tools/gnu/classpath/tools/keytool/Main.java,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -b -r1.2 -r1.3
--- tools/gnu/classpath/tools/keytool/Main.java 14 May 2006 08:20:18 -0000 1.2
+++ tools/gnu/classpath/tools/keytool/Main.java 11 Jun 2006 10:40:51 -0000 1.3
@@ -74,6 +74,7 @@
static final String STOREPASSWD_CMD = "storepasswd"; //$NON-NLS-1$
static final String KEYPASSWD_CMD = "keypasswd"; //$NON-NLS-1$
static final String DELETE_CMD = "delete"; //$NON-NLS-1$
+ static final String CACERT_CMD = "cacert"; //$NON-NLS-1$
static final String _GENKEY = "-" + GENKEY_CMD; //$NON-NLS-1$
static final String _IMPORT = "-" + IMPORT_CMD; //$NON-NLS-1$
@@ -88,6 +89,7 @@
static final String _KEYPASSWD = "-" + KEYPASSWD_CMD; //$NON-NLS-1$
static final String _DELETE = "-" + DELETE_CMD; //$NON-NLS-1$
static final String _HELP = "-help"; //$NON-NLS-1$
+ static final String _CACERT = "-" + CACERT_CMD; //$NON-NLS-1$
static final String ALIAS_OPT = "alias"; //$NON-NLS-1$
static final String SIGALG_OPT = "sigalg"; //$NON-NLS-1$
@@ -119,10 +121,14 @@
private int gnuCallbacksNdx = -2;
/** The command line parser. */
private Parser cmdLineParser;
+ /** The shutdown hook. */
+ private ShutdownHook shutdownThread;
private Main()
{
super();
+ shutdownThread = new ShutdownHook();
+ Runtime.getRuntime().addShutdownHook(shutdownThread);
}
public static final void main(String[] args)
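Review bot: registering the shutdown hook inside the constructor publishes `this` to the Runtime before construction has completed and separates the installation from its matching `removeShutdownHook` in `main`; consider registering it in `main` immediately before the `try`, so that install and remove sit together and the field need not be reached through `tool.shutdownThread`. Every `Main` instance also allocates and registers a new Thread, so any code that instantiates `Main` more than once accumulates hooks unless each is removed.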
@@ -157,6 +163,8 @@
finally
{
tool.teardown();
+ if (tool.shutdownThread != null)
+ Runtime.getRuntime().removeShutdownHook(tool.shutdownThread);
}
log.exiting(Main.class.getName(), "main", Integer.valueOf(result));
//$NON-NLS-1$
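Review bot: `Runtime.removeShutdownHook` throws `IllegalStateException` once the JVM is already shutting down, so if any path inside the `try` ends in `System.exit`, the `finally` now raises from the new line after `tool.teardown()` has already run; guard the removal with a `try/catch (IllegalStateException)`. Because `teardown()` is called before the hook is removed, a shutdown that begins between those two statements runs `teardown()` a second time from the hook, so `teardown()` must stay safe to call repeatedly.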
@@ -213,6 +221,8 @@
cmd = new KeyPasswdCmd();
else if (_DELETE.equals(opt))
cmd = new DeleteCmd();
+ else if (_CACERT.equals(opt))
+ cmd = new CACertCmd();
else if (_HELP.equals(opt))
throw new OptionException(""); //$NON-NLS-1$
else
@@ -260,13 +270,15 @@
Messages.getString("Main.32")));
//$NON-NLS-1$
cmdGroup.add(new NoParseOption(DELETE_CMD,
Messages.getString("Main.33")));
//$NON-NLS-1$
+ cmdGroup.add(new NoParseOption(CACERT_CMD,
+ Messages.getString("Main.5")));
//$NON-NLS-1$
result.add(cmdGroup);
log.exiting(this.getClass().getName(), "getParser", result); //$NON-NLS-1$
return result;
}
- private void teardown()
+ void teardown()
{
log.entering(this.getClass().getName(), "teardown"); //$NON-NLS-1$
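Review bot: widening `teardown()` from `private` to package-private is not needed for `ShutdownHook` to call it; an inner class can invoke private methods of its enclosing instance directly. If the wider visibility is intended for other callers in the package, state that reason in the ChangeLog ("Increased visibility" gives none); otherwise keep the method private so the tear-down sequence cannot be triggered from elsewhere.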
@@ -309,4 +321,13 @@
// do nothing
}
}
+
+ private class ShutdownHook
+ extends Thread
+ {
+ public void run()
+ {
+ teardown();
+ }
+ }
}
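Review bot: `ShutdownHook.run()` delegates to `teardown()`, whose first statement is `log.entering(...)` (see the preceding hunk). `java.util.logging` installs its own shutdown hook that resets all handlers, and shutdown hooks run concurrently in no defined order, so the tear-down log lines may be lost or fail once the LogManager cleaner has run; keep the hook body minimal and tolerant of logging being unavailable. Any exception escaping `run()` is silently discarded by the JVM, so the "do nothing" catch already used in `teardown()` is the right pattern to keep here. A descriptive thread name (for example via `super("keytool-shutdown")`) would help when diagnosing hangs at exit.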
Index: ChangeLog
===================================================================
RCS file: /cvsroot/classpath/classpath/ChangeLog,v
retrieving revision 1.7767
retrieving revision 1.7768
diff -u -b -r1.7767 -r1.7768
--- ChangeLog 11 Jun 2006 08:29:56 -0000 1.7767
+++ ChangeLog 11 Jun 2006 10:40:52 -0000 1.7768
@@ -1,3 +1,20 @@
+2006-06-11 Raif S. Naffah <[EMAIL PROTECTED]>
+
+ * doc/tools.texinfo: Added text for new -cacert command.
+ Re-structured sections.
+ * resource/gnu/classpath/tools/keytool/messages.properties: Added
messages
+ for -cacert command.
+ * tools/gnu/classpath/tools/keytool/Main.java (CACERT_CMD): New
constant.
+ (_CACERT): Likewise.
+ (shutdownThread): New field.
+ (Main): Install shutdown thread.
+ (main): Uninstall shutdown thread.
+ (start): Handle new -cacert command.
+ (getParser): Likewise.
+ (teardown): Increased visibility.
+ (ShutdownHook): New inner class.
+ * tools/gnu/classpath/tools/keytool/CACertCmd.java: New file.
+
2006-06-11 Sven de Marothy <[EMAIL PROTECTED]>
* gnu/java/awt/peer/gtk/FreetypeGlyphVector.java
Index: resource/gnu/classpath/tools/keytool/messages.properties
===================================================================
RCS file: /cvsroot/classpath/classpath/resource/gnu/classpath/tools/keytool/messages.properties,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -b -r1.2 -r1.3
--- resource/gnu/classpath/tools/keytool/messages.properties 28 May 2006 10:35:48 -0000 1.2
+++ resource/gnu/classpath/tools/keytool/messages.properties 11 Jun 2006 10:40:52 -0000 1.3
@@ -40,6 +40,9 @@
Main.6=keytool: {0}
Main.8=keytool error: {0}
+Main.5=Import a CA's Trusted Certificate.\n\
+[-file FILE] [-storetype STORE_TYPE] [-keystore URL]\n\
+[-storepass PASSWORD] [-provider PROVIDER_CLASS_NAME] [-v].
Main.18=Unrecognized command: {0}
Main.19=Usage: keytool [COMMAND] [-- COMMAND]...\n\
Manage private keys and public certificates.
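Review bot: the new key `Main.5` is inserted after `Main.6` and `Main.8`, breaking the numeric order of the other `Main.*` keys and making a future collision easy to miss; the highest `Main.*` key visible in `getParser` is `Main.33`, so the next free number would be the safer choice, or document why 5 is unused. Its summary ("Import a CA's Trusted Certificate.") also differs from `CACertCmd.2` ("Import a trusted CA certificate."); the two should match.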
@@ -540,3 +543,28 @@
JVM in-use.
SelfCertCmd.34=PROVIDER_CLASS_NAME
SelfCertCmd.35=Emit more verbose messages.
+
+CACertCmd.0=Alias [{0}] is already present in key store
+CACertCmd.1=Certificate in file "{0}" was added to the key store under the
alias "{1}"
+CACertCmd.2=Usage: keytool -cacert [OPTION]...\n\
+Import a trusted CA certificate.
+CACertCmd.3=Please report bugs at
http://www.gnu.org/software/classpath/bugs.html
+CACertCmd.4=Command options
+CACertCmd.5=Location of the trusted CA certificate to import.
+CACertCmd.6=FILE
+CACertCmd.7=Type of the key store to use. If omitted, the default value is \
+that of the property "keystore.type" in the security properties file.
+CACertCmd.8=STORE_TYPE
+CACertCmd.9=Location of the key store to use. The default value is a \
+file-based scheme whose path is the file named ".keystore" in your home \
+directory.\n\
+If URL is malformed, the tool will use URL as a file-name of a key store; \
+i.e. as if the protocol was "file:".
+CACertCmd.10=URL
+CACertCmd.11=Password to unlock the key store. If omitted, you will be \
+prompted for one.
+CACertCmd.12=PASSWORD
+CACertCmd.13=Fully qualified class name of a Security Provider to add to the \
+JVM in-use.
+CACertCmd.14=PROVIDER_CLASS_NAME
+CACertCmd.15=Emit more verbose messages.
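Review bot: `CACertCmd.11` presents `-storepass PASSWORD` with the prompt only as a fallback; a password supplied on the command line is visible to other local users through process listings and is kept in shell history, so the help text should recommend omitting the option and entering the password at the prompt. `CACertCmd.1` reports the alias the certificate was stored under, which is useful, but consider also reporting it in the non-verbose path since the alias is derived from the file name rather than chosen by the user.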
Index: tools/gnu/classpath/tools/keytool/CACertCmd.java
===================================================================
RCS file: tools/gnu/classpath/tools/keytool/CACertCmd.java
diff -N tools/gnu/classpath/tools/keytool/CACertCmd.java
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ tools/gnu/classpath/tools/keytool/CACertCmd.java 11 Jun 2006 10:40:51 -0000 1.1
@@ -0,0 +1,302 @@
+/* CACertCmd.java -- GNU specific cacert handler
+ Copyright (C) 2006 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package gnu.classpath.tools.keytool;
+
+import gnu.classpath.tools.getopt.ClasspathToolParser;
+import gnu.classpath.tools.getopt.Option;
+import gnu.classpath.tools.getopt.OptionException;
+import gnu.classpath.tools.getopt.OptionGroup;
+import gnu.classpath.tools.getopt.Parser;
+
+import java.io.File;
+import java.io.IOException;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.util.logging.Logger;
+
+/**
+ * The <code>-cacert</code> keytol command handler is used to import a CA
+ * trusted X.509 certificate into a key store.
+ * <p>
+ * Possible options for this command are:
+ * <p>
+ * <dl>
+ * <dt>-file FILE_NAME</dt>
+ * <dd>The fully qualified path of the file containing the trusted CA
+ * certificate to import. If omitted, the tool will process STDIN.
+ * <p></dd>
+ *
+ * <dt>-storetype STORE_TYPE</dt>
+ * <dd>Use this option to specify the type of the key store to use. The
+ * default value, if this option is omitted, is that of the property
+ * <code>keystore.type</code> in the security properties file, which is
+ * obtained by invoking the [EMAIL PROTECTED]
java.security.KeyStore#getDefaultType()}
+ * static method.
+ * <p></dd>
+ *
+ * <dt>-keystore URL</dt>
+ * <dd>Use this option to specify the location of the key store to use.
+ * The default value is a file [EMAIL PROTECTED] java.net.URL}
referencing the file
+ * named <code>.keystore</code> located in the path returned by the call
to
+ * [EMAIL PROTECTED] java.lang.System#getProperty(String)} using
<code>user.home</code>
+ * as argument.
+ * <p>
+ * If a URL was specified, but was found to be malformed --e.g. missing
+ * protocol element-- the tool will attempt to use the URL value as a
file-
+ * name (with absolute or relative path-name) of a key store --as if the
+ * protocol was <code>file:</code>.
+ * <p></dd>
+ *
+ * <dt>-storepass PASSWORD</dt>
+ * <dd>Use this option to specify the password protecting the key store.
If
+ * this option is omitted from the command line, you will be prompted to
+ * provide a password.
+ * <p></dd>
+ *
+ * <dt>-provider PROVIDER_CLASS_NAME</dt>
+ * <dd>A fully qualified class name of a Security Provider to add to the
+ * current list of Security Providers already installed in the JVM in-use.
+ * If a provider class is specified with this option, and was successfully
+ * added to the runtime --i.e. it was not already installed-- then the
tool
+ * will attempt to removed this Security Provider before exiting.
+ * <p></dd>
+ *
+ * <dt>-v</dt>
+ * <dd>Use this option to enable more verbose output.</dd>
+ * </dl>
+ */
+public class CACertCmd
+ extends Command
+{
+ private static final Logger log =
Logger.getLogger(CACertCmd.class.getName());
+ /** Pathname of the file containing the CA certificate to import. */
+ protected String _certFileName;
+ /** Type of the key store to use. */
+ protected String _ksType;
+ /** The URL to the keystore where the trusted certificates will be added. */
+ protected String _ksURL;
+ /** The password protecting the keystore. */
+ protected String _ksPassword;
+ /** Class name of a security provider to use. */
+ protected String _providerClassName;
+ /** Reference to the X.509 factory. */
+ private CertificateFactory x509Factory;
+
+ // default 0-arguments constructor
+
+ // public setters -----------------------------------------------------------
+
+ /** @param pathName the fully qualified path name of the file to process. */
+ public void setFile(String pathName)
+ {
+ this._certFileName = pathName;
+ }
+
+ /** @param type the key-store type to use. */
+ public void setStoretype(String type)
+ {
+ this._ksType = type;
+ }
+
+ /** @param url the key-store URL to use. */
+ public void setKeystore(String url)
+ {
+ this._ksURL = url;
+ }
+
+ /** @param password the key-store password to use. */
+ public void setStorepass(String password)
+ {
+ this._ksPassword = password;
+ }
+
+ /** @param className a security provider fully qualified class name to use.
*/
+ public void setProvider(String className)
+ {
+ this._providerClassName = className;
+ }
+
+ // life-cycle methods -------------------------------------------------------
+
+ /* (non-Javadoc)
+ * @see gnu.classpath.tools.keytool.Command#setup()
+ */
+ void setup() throws Exception
+ {
+ setInputStreamParam(_certFileName);
+ setKeyStoreParams(_providerClassName, _ksType, _ksPassword, _ksURL);
+ log.finer("-cacert handler will use the following options:"); //$NON-NLS-1$
+ log.finer(" -file=" + _certFileName); //$NON-NLS-1$
+ log.finer(" -storetype=" + storeType); //$NON-NLS-1$
+ log.finer(" -keystore=" + storeURL); //$NON-NLS-1$
+ log.finer(" -provider=" + provider); //$NON-NLS-1$
+ log.finer(" -v=" + verbose); //$NON-NLS-1$
+ }
+
+ void start() throws CertificateException, KeyStoreException,
+ NoSuchAlgorithmException, IOException
+ {
+ log.entering(this.getClass().getName(), "start"); //$NON-NLS-1$
+ alias = getAliasFromFileName(_certFileName);
+ if (store.containsAlias(alias))
+ throw new
IllegalArgumentException(Messages.getFormattedString("CACertCmd.0",
//$NON-NLS-1$
+ alias));
+ x509Factory = CertificateFactory.getInstance("X.509"); //$NON-NLS-1$
+ Certificate certificate = x509Factory.generateCertificate(inStream);
+ log.finest("certificate = " + certificate); //$NON-NLS-1$
+ store.setCertificateEntry(alias, certificate);
+ saveKeyStore();
+ if (verbose)
+ System.out.println(Messages.getFormattedString("CACertCmd.1",
//$NON-NLS-1$
+ new Object[] {
_certFileName,
+ alias }));
+ log.exiting(this.getClass().getName(), "start"); //$NON-NLS-1$
+ }
+
+ // own methods --------------------------------------------------------------
+
+ /* (non-Javadoc)
+ * @see gnu.classpath.tools.keytool.Command#getParser()
+ */
+ Parser getParser()
+ {
+ log.entering(this.getClass().getName(), "getParser"); //$NON-NLS-1$
+ Parser result = new ClasspathToolParser(Main.CACERT_CMD, true);
+ result.setHeader(Messages.getString("CACertCmd.2")); //$NON-NLS-1$
+ result.setFooter(Messages.getString("CACertCmd.3")); //$NON-NLS-1$
+ OptionGroup options = new OptionGroup(Messages.getString("CACertCmd.4"));
//$NON-NLS-1$
+ options.add(new Option(Main.FILE_OPT,
+ Messages.getString("CACertCmd.5"), //$NON-NLS-1$
+ Messages.getString("CACertCmd.6")) //$NON-NLS-1$
+ {
+ public void parsed(String argument) throws OptionException
+ {
+ _certFileName = argument;
+ }
+ });
+ options.add(new Option(Main.STORETYPE_OPT,
+ Messages.getString("CACertCmd.7"), //$NON-NLS-1$
+ Messages.getString("CACertCmd.8")) //$NON-NLS-1$
+ {
+ public void parsed(String argument) throws OptionException
+ {
+ _ksType = argument;
+ }
+ });
+ options.add(new Option(Main.KEYSTORE_OPT,
+ Messages.getString("CACertCmd.9"), //$NON-NLS-1$
+ Messages.getString("CACertCmd.10")) //$NON-NLS-1$
+ {
+ public void parsed(String argument) throws OptionException
+ {
+ _ksURL = argument;
+ }
+ });
+ options.add(new Option(Main.STOREPASS_OPT,
+ Messages.getString("CACertCmd.11"), //$NON-NLS-1$
+ Messages.getString("CACertCmd.12")) //$NON-NLS-1$
+ {
+ public void parsed(String argument) throws OptionException
+ {
+ _ksPassword = argument;
+ }
+ });
+ options.add(new Option(Main.PROVIDER_OPT,
+ Messages.getString("CACertCmd.13"), //$NON-NLS-1$
+ Messages.getString("CACertCmd.14")) //$NON-NLS-1$
+ {
+ public void parsed(String argument) throws OptionException
+ {
+ _providerClassName = argument;
+ }
+ });
+ options.add(new Option(Main.VERBOSE_OPT,
+ Messages.getString("CACertCmd.15")) //$NON-NLS-1$
+ {
+ public void parsed(String argument) throws OptionException
+ {
+ verbose = true;
+ }
+ });
+ result.add(options);
+ log.exiting(this.getClass().getName(), "getParser", result); //$NON-NLS-1$
+ return result;
+ }
+
+ /**
+ * Construct an Alias string from the name of the file containing the
+ * certificate to import. This method first removes the last dot (".")
+ * character and any subsequent characters from the input name, and then
+ * replaces any space and dot characters with underscores. For example the
+ * input string <code>brasil.gov.br.cert</code> will result in
+ * <code>brasil_gov_br</code> as its alias.
+ *
+ * @param fileName the name of the file containing the CA certificate
+ * @return a string which can, and will, be used as the Alias of this CA
+ * certificate.
+ */
+ private String getAliasFromFileName(String fileName)
+ {
+ log.entering(this.getClass().getName(), "getAliasFromFileName", fileName);
//$NON-NLS-1$
+ // get the basename
+ fileName = new File(fileName).getName();
+ // remove '.' if at start
+ if (fileName.startsWith(".")) //$NON-NLS-1$
+ fileName = fileName.substring(1);
+
+ // remove last \..+
+ int ndx = fileName.lastIndexOf('.');
+ if (ndx > 0)
+ fileName = fileName.substring(0, ndx);
+ // replace spaces and dots with underscores
+ char[] chars = fileName.toCharArray();
+ for (int i = 0; i < chars.length; i++)
+ {
+ char c = chars[i];
+ if (c == ' ' || c == '.')
+ chars[i] = '_';
+ }
+ String result = new String(chars);
+ log.exiting(this.getClass().getName(), "getAliasFromFileName", result);
//$NON-NLS-1$
+ return result;
+ }
+}
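Review bot: `start()` dereferences `_certFileName` unconditionally: `getAliasFromFileName()` calls `new File(fileName)`, which throws `NullPointerException` for a null path, so the STDIN case promised in the class Javadoc ("If omitted, the tool will process STDIN") fails before any certificate is read; either make `-file` mandatory in `getParser()` or derive the alias differently (for example from the certificate subject, or by prompting) when `_certFileName` is null. Second, nothing verifies that the certificate being installed as a trust anchor is actually a CA certificate, nor is the user shown what is being trusted: cast the result of `generateCertificate` to `X509Certificate`, reject it when `getBasicConstraints()` returns -1 (not a CA), and print the subject and fingerprint before `setCertificateEntry`, because a silently imported wrong certificate becomes trusted for everything signed under it. Third, `generateCertificate(inStream)` reads only the first certificate in the stream, so a file holding a chain has the remainder ignored without notice. Minor: the `containsAlias` check may behave differently from the file-derived alias the user expects, since the standard JKS implementation treats aliases case-insensitively; and "keytol" in the class Javadoc and "attempt to removed" in the `-provider` description are typos.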