Back to index...

	/*
	* Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
	*
	* This code is free software; you can redistribute it and/or modify it
	* under the terms of the GNU General Public License version 2 only, as
	* published by the Free Software Foundation. Oracle designates this
	* particular file as subject to the "Classpath" exception as provided
	* by Oracle in the LICENSE file that accompanied this code.
	*
	* This code is distributed in the hope that it will be useful, but WITHOUT
	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
	* version 2 for more details (a copy is included in the LICENSE file that
	* accompanied this code).
	*
	* You should have received a copy of the GNU General Public License version
	* 2 along with this work; if not, write to the Free Software Foundation,
	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
	*
	* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
	* or visit www.oracle.com if you need additional information or have any
	* questions.
	*/

	package sun.security.tools.keytool;

	import java.io.*;
	import java.nio.file.Files;
	import java.nio.file.Path;
	import java.security.CodeSigner;
	import java.security.CryptoPrimitive;
	import java.security.KeyStore;
	import java.security.KeyStoreException;
	import java.security.MessageDigest;
	import java.security.Key;
	import java.security.PublicKey;
	import java.security.PrivateKey;
	import java.security.Signature;
	import java.security.Timestamp;
	import java.security.UnrecoverableEntryException;
	import java.security.UnrecoverableKeyException;
	import java.security.Principal;
	import java.security.cert.Certificate;
	import java.security.cert.CertificateFactory;
	import java.security.cert.CertStoreException;
	import java.security.cert.CRL;
	import java.security.cert.X509Certificate;
	import java.security.cert.CertificateException;
	import java.security.cert.URICertStoreParameters;


	import java.text.Collator;
	import java.text.MessageFormat;
	import java.util.*;
	import java.util.jar.JarEntry;
	import java.util.jar.JarFile;
	import java.math.BigInteger;
	import java.net.URI;
	import java.net.URL;
	import java.net.URLClassLoader;
	import java.security.cert.CertStore;

	import java.security.cert.X509CRL;
	import java.security.cert.X509CRLEntry;
	import java.security.cert.X509CRLSelector;
	import javax.security.auth.x500.X500Principal;
	import java.util.Base64;

	import sun.security.util.KeyUtil;
	import sun.security.util.ObjectIdentifier;
	import sun.security.pkcs10.PKCS10;
	import sun.security.pkcs10.PKCS10Attribute;
	import sun.security.provider.X509Factory;
	import sun.security.provider.certpath.ssl.SSLServerCertStore;
	import sun.security.util.Password;
	import sun.security.util.SecurityProviderConstants;
	import javax.crypto.KeyGenerator;
	import javax.crypto.SecretKey;
	import javax.crypto.SecretKeyFactory;
	import javax.crypto.spec.PBEKeySpec;

	import sun.security.pkcs.PKCS9Attribute;
	import sun.security.tools.KeyStoreUtil;
	import sun.security.tools.PathList;
	import sun.security.util.DerValue;
	import sun.security.util.Pem;
	import sun.security.x509.*;

	import static java.security.KeyStore.*;
	import java.security.Security;
	import static sun.security.tools.keytool.Main.Command.*;
	import static sun.security.tools.keytool.Main.Option.*;
	import sun.security.util.DisabledAlgorithmConstraints;

	/**
	* This tool manages keystores.
	*
	* @author Jan Luehe
	*
	*
	* @see java.security.KeyStore
	* @see sun.security.provider.KeyProtector
	* @see sun.security.provider.JavaKeyStore
	*
	* @since 1.2
	*/
	public final class Main {

	private static final byte[] CRLF = new byte[] {'\r', '\n'};

	private boolean debug = false;
	private Command command = null;
	private String sigAlgName = null;
	private String keyAlgName = null;
	private boolean verbose = false;
	private int keysize = -1;
	private boolean rfc = false;
	private long validity = (long)90;
	private String alias = null;
	private String dname = null;
	private String dest = null;
	private String filename = null;
	private String infilename = null;
	private String outfilename = null;
	private String srcksfname = null;

	// User-specified providers are added before any command is called.
	// However, they are not removed before the end of the main() method.
	// If you're calling KeyTool.main() directly in your own Java program,
	// please programtically add any providers you need and do not specify
	// them through the command line.

	private Set<Pair <String, String>> providers = null;
	private Set<Pair <String, String>> providerClasses = null;
	private String storetype = null;
	private String srcProviderName = null;
	private String providerName = null;
	private String pathlist = null;
	private char[] storePass = null;
	private char[] storePassNew = null;
	private char[] keyPass = null;
	private char[] keyPassNew = null;
	private char[] newPass = null;
	private char[] destKeyPass = null;
	private char[] srckeyPass = null;
	private String ksfname = null;
	private File ksfile = null;
	private InputStream ksStream = null; // keystore stream
	private String sslserver = null;
	private String jarfile = null;
	private KeyStore keyStore = null;
	private boolean token = false;
	private boolean nullStream = false;
	private boolean kssave = false;
	private boolean noprompt = false;
	private boolean trustcacerts = false;
	private boolean protectedPath = false;
	private boolean srcprotectedPath = false;
	private boolean cacerts = false;
	private boolean nowarn = false;
	private CertificateFactory cf = null;
	private KeyStore caks = null; // "cacerts" keystore
	private char[] srcstorePass = null;
	private String srcstoretype = null;
	private Set<char[]> passwords = new HashSet<>();
	private String startDate = null;

	private List<String> ids = new ArrayList<>(); // used in GENCRL
	private List<String> v3ext = new ArrayList<>();

	// In-place importkeystore is special.
	// A backup is needed, and no need to prompt for deststorepass.
	private boolean inplaceImport = false;
	private String inplaceBackupName = null;

	// Warnings on weak algorithms etc
	private List<String> weakWarnings = new ArrayList<>();

	private static final DisabledAlgorithmConstraints DISABLED_CHECK =
	new DisabledAlgorithmConstraints(
	DisabledAlgorithmConstraints.PROPERTY_CERTPATH_DISABLED_ALGS);

	private static final Set<CryptoPrimitive> SIG_PRIMITIVE_SET = Collections
	.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));

	enum Command {
	CERTREQ("Generates.a.certificate.request",
	ALIAS, SIGALG, FILEOUT, KEYPASS, KEYSTORE, DNAME,
	EXT, STOREPASS, STORETYPE, PROVIDERNAME, ADDPROVIDER,
	PROVIDERCLASS, PROVIDERPATH, V, PROTECTED),
	CHANGEALIAS("Changes.an.entry.s.alias",
	ALIAS, DESTALIAS, KEYPASS, KEYSTORE, CACERTS, STOREPASS,
	STORETYPE, PROVIDERNAME, ADDPROVIDER, PROVIDERCLASS,
	PROVIDERPATH, V, PROTECTED),
	DELETE("Deletes.an.entry",
	ALIAS, KEYSTORE, CACERTS, STOREPASS, STORETYPE,
	PROVIDERNAME, ADDPROVIDER, PROVIDERCLASS,
	PROVIDERPATH, V, PROTECTED),
	EXPORTCERT("Exports.certificate",
	RFC, ALIAS, FILEOUT, KEYSTORE, CACERTS, STOREPASS,
	STORETYPE, PROVIDERNAME, ADDPROVIDER, PROVIDERCLASS,
	PROVIDERPATH, V, PROTECTED),
	GENKEYPAIR("Generates.a.key.pair",
	ALIAS, KEYALG, KEYSIZE, SIGALG, DESTALIAS, DNAME,
	STARTDATE, EXT, VALIDITY, KEYPASS, KEYSTORE,
	STOREPASS, STORETYPE, PROVIDERNAME, ADDPROVIDER,
	PROVIDERCLASS, PROVIDERPATH, V, PROTECTED),
	GENSECKEY("Generates.a.secret.key",
	ALIAS, KEYPASS, KEYALG, KEYSIZE, KEYSTORE,
	STOREPASS, STORETYPE, PROVIDERNAME, ADDPROVIDER,
	PROVIDERCLASS, PROVIDERPATH, V, PROTECTED),
	GENCERT("Generates.certificate.from.a.certificate.request",
	RFC, INFILE, OUTFILE, ALIAS, SIGALG, DNAME,
	STARTDATE, EXT, VALIDITY, KEYPASS, KEYSTORE,
	STOREPASS, STORETYPE, PROVIDERNAME, ADDPROVIDER,
	PROVIDERCLASS, PROVIDERPATH, V, PROTECTED),
	IMPORTCERT("Imports.a.certificate.or.a.certificate.chain",
	NOPROMPT, TRUSTCACERTS, PROTECTED, ALIAS, FILEIN,
	KEYPASS, KEYSTORE, CACERTS, STOREPASS, STORETYPE,
	PROVIDERNAME, ADDPROVIDER, PROVIDERCLASS,
	PROVIDERPATH, V),
	IMPORTPASS("Imports.a.password",
	ALIAS, KEYPASS, KEYALG, KEYSIZE, KEYSTORE,
	STOREPASS, STORETYPE, PROVIDERNAME, ADDPROVIDER,
	PROVIDERCLASS, PROVIDERPATH, V, PROTECTED),
	IMPORTKEYSTORE("Imports.one.or.all.entries.from.another.keystore",
	SRCKEYSTORE, DESTKEYSTORE, SRCSTORETYPE,
	DESTSTORETYPE, SRCSTOREPASS, DESTSTOREPASS,
	SRCPROTECTED, DESTPROTECTED, SRCPROVIDERNAME, DESTPROVIDERNAME,
	SRCALIAS, DESTALIAS, SRCKEYPASS, DESTKEYPASS,
	NOPROMPT, ADDPROVIDER, PROVIDERCLASS, PROVIDERPATH,
	V),
	KEYPASSWD("Changes.the.key.password.of.an.entry",
	ALIAS, KEYPASS, NEW, KEYSTORE, STOREPASS,
	STORETYPE, PROVIDERNAME, ADDPROVIDER, PROVIDERCLASS,
	PROVIDERPATH, V),
	LIST("Lists.entries.in.a.keystore",
	RFC, ALIAS, KEYSTORE, CACERTS, STOREPASS, STORETYPE,
	PROVIDERNAME, ADDPROVIDER, PROVIDERCLASS,
	PROVIDERPATH, V, PROTECTED),
	PRINTCERT("Prints.the.content.of.a.certificate",
	RFC, FILEIN, SSLSERVER, JARFILE, V),
	PRINTCERTREQ("Prints.the.content.of.a.certificate.request",
	FILEIN, V),
	PRINTCRL("Prints.the.content.of.a.CRL.file",
	FILEIN, V),
	STOREPASSWD("Changes.the.store.password.of.a.keystore",
	NEW, KEYSTORE, CACERTS, STOREPASS, STORETYPE, PROVIDERNAME,
	ADDPROVIDER, PROVIDERCLASS, PROVIDERPATH, V),

	// Undocumented start here, KEYCLONE is used a marker in -help;

	KEYCLONE("Clones.a.key.entry",
	ALIAS, DESTALIAS, KEYPASS, NEW, STORETYPE,
	KEYSTORE, STOREPASS, PROVIDERNAME, ADDPROVIDER,
	PROVIDERCLASS, PROVIDERPATH, V),
	SELFCERT("Generates.a.self.signed.certificate",
	ALIAS, SIGALG, DNAME, STARTDATE, EXT, VALIDITY, KEYPASS,
	STORETYPE, KEYSTORE, STOREPASS, PROVIDERNAME,
	ADDPROVIDER, PROVIDERCLASS, PROVIDERPATH, V),
	GENCRL("Generates.CRL",
	RFC, FILEOUT, ID,
	ALIAS, SIGALG, KEYPASS, KEYSTORE,
	STOREPASS, STORETYPE, PROVIDERNAME, ADDPROVIDER,
	PROVIDERCLASS, PROVIDERPATH, V, PROTECTED),
	IDENTITYDB("Imports.entries.from.a.JDK.1.1.x.style.identity.database",
	FILEIN, STORETYPE, KEYSTORE, STOREPASS, PROVIDERNAME,
	ADDPROVIDER, PROVIDERCLASS, PROVIDERPATH, V);

	final String description;
	final Option[] options;
	final String name;

	String altName; // "genkey" is altName for "genkeypair"

	Command(String d, Option... o) {
	description = d;
	options = o;
	name = "-" + name().toLowerCase(Locale.ENGLISH);
	}
	@Override
	public String toString() {
	return name;
	}
	public String getAltName() {
	return altName;
	}
	public void setAltName(String altName) {
	this.altName = altName;
	}
	public static Command getCommand(String cmd) {
	for (Command c: Command.values()) {
	if (collator.compare(cmd, c.name) == 0
	\|\| (c.altName != null
	&& collator.compare(cmd, c.altName) == 0)) {
	return c;
	}
	}
	return null;
	}
	};

	static {
	Command.GENKEYPAIR.setAltName("-genkey");
	Command.IMPORTCERT.setAltName("-import");
	Command.EXPORTCERT.setAltName("-export");
	Command.IMPORTPASS.setAltName("-importpassword");
	}

	// If an option is allowed multiple times, remember to record it
	// in the optionsSet.contains() block in parseArgs().
	enum Option {
	ALIAS("alias", "<alias>", "alias.name.of.the.entry.to.process"),
	DESTALIAS("destalias", "<alias>", "destination.alias"),
	DESTKEYPASS("destkeypass", "<arg>", "destination.key.password"),
	DESTKEYSTORE("destkeystore", "<keystore>", "destination.keystore.name"),
	DESTPROTECTED("destprotected", null, "destination.keystore.password.protected"),
	DESTPROVIDERNAME("destprovidername", "<name>", "destination.keystore.provider.name"),
	DESTSTOREPASS("deststorepass", "<arg>", "destination.keystore.password"),
	DESTSTORETYPE("deststoretype", "<type>", "destination.keystore.type"),
	DNAME("dname", "<name>", "distinguished.name"),
	EXT("ext", "<value>", "X.509.extension"),
	FILEOUT("file", "<file>", "output.file.name"),
	FILEIN("file", "<file>", "input.file.name"),
	ID("id", "<id:reason>", "Serial.ID.of.cert.to.revoke"),
	INFILE("infile", "<file>", "input.file.name"),
	KEYALG("keyalg", "<alg>", "key.algorithm.name"),
	KEYPASS("keypass", "<arg>", "key.password"),
	KEYSIZE("keysize", "<size>", "key.bit.size"),
	KEYSTORE("keystore", "<keystore>", "keystore.name"),
	CACERTS("cacerts", null, "access.the.cacerts.keystore"),
	NEW("new", "<arg>", "new.password"),
	NOPROMPT("noprompt", null, "do.not.prompt"),
	OUTFILE("outfile", "<file>", "output.file.name"),
	PROTECTED("protected", null, "password.through.protected.mechanism"),
	PROVIDERCLASS("providerclass", "<class>\n[-providerarg <arg>]", "provider.class.option"),
	ADDPROVIDER("addprovider", "<name>\n[-providerarg <arg>]", "addprovider.option"),
	PROVIDERNAME("providername", "<name>", "provider.name"),
	PROVIDERPATH("providerpath", "<list>", "provider.classpath"),
	RFC("rfc", null, "output.in.RFC.style"),
	SIGALG("sigalg", "<alg>", "signature.algorithm.name"),
	SRCALIAS("srcalias", "<alias>", "source.alias"),
	SRCKEYPASS("srckeypass", "<arg>", "source.key.password"),
	SRCKEYSTORE("srckeystore", "<keystore>", "source.keystore.name"),
	SRCPROTECTED("srcprotected", null, "source.keystore.password.protected"),
	SRCPROVIDERNAME("srcprovidername", "<name>", "source.keystore.provider.name"),
	SRCSTOREPASS("srcstorepass", "<arg>", "source.keystore.password"),
	SRCSTORETYPE("srcstoretype", "<type>", "source.keystore.type"),
	SSLSERVER("sslserver", "<server[:port]>", "SSL.server.host.and.port"),
	JARFILE("jarfile", "<file>", "signed.jar.file"),
	STARTDATE("startdate", "<date>", "certificate.validity.start.date.time"),
	STOREPASS("storepass", "<arg>", "keystore.password"),
	STORETYPE("storetype", "<type>", "keystore.type"),
	TRUSTCACERTS("trustcacerts", null, "trust.certificates.from.cacerts"),
	V("v", null, "verbose.output"),
	VALIDITY("validity", "<days>", "validity.number.of.days");

	final String name, arg, description;
	Option(String name, String arg, String description) {
	this.name = name;
	this.arg = arg;
	this.description = description;
	}
	@Override
	public String toString() {
	return "-" + name;
	}
	};

	private static final String NONE = "NONE";
	private static final String P11KEYSTORE = "PKCS11";
	private static final String P12KEYSTORE = "PKCS12";
	private static final String keyAlias = "mykey";

	// for i18n
	private static final java.util.ResourceBundle rb =
	java.util.ResourceBundle.getBundle(
	"sun.security.tools.keytool.Resources");
	private static final Collator collator = Collator.getInstance();
	static {
	// this is for case insensitive string comparisons
	collator.setStrength(Collator.PRIMARY);
	};

	private Main() { }

	public static void main(String[] args) throws Exception {
	Main kt = new Main();
	kt.run(args, System.out);
	}

	private void run(String[] args, PrintStream out) throws Exception {
	try {
	args = parseArgs(args);
	if (command != null) {
	doCommands(out);
	}
	} catch (Exception e) {
	System.out.println(rb.getString("keytool.error.") + e);
	if (verbose) {
	e.printStackTrace(System.out);
	}
	if (!debug) {
	System.exit(1);
	} else {
	throw e;
	}
	} finally {
	printWeakWarnings(false);
	for (char[] pass : passwords) {
	if (pass != null) {
	Arrays.fill(pass, ' ');
	pass = null;
	}
	}

	if (ksStream != null) {
	ksStream.close();
	}
	}
	}

	/**
	* Parse command line arguments.
	*/
	String[] parseArgs(String[] args) throws Exception {

	int i=0;
	boolean help = args.length == 0;

	String confFile = null;

	// Records all commands and options set. Used to check dups.
	Set<String> optionsSet = new HashSet<>();

	for (i=0; i < args.length; i++) {
	String flags = args[i];
	if (flags.startsWith("-")) {
	String lowerFlags = flags.toLowerCase(Locale.ROOT);
	if (optionsSet.contains(lowerFlags)) {
	switch (lowerFlags) {
	case "-ext":
	case "-id":
	case "-provider":
	case "-addprovider":
	case "-providerclass":
	case "-providerarg":
	// These options are allowed multiple times
	break;
	default:
	weakWarnings.add(String.format(
	rb.getString("option.1.set.twice"),
	lowerFlags));
	}
	} else {
	optionsSet.add(lowerFlags);
	}
	if (collator.compare(flags, "-conf") == 0) {
	if (i == args.length - 1) {
	errorNeedArgument(flags);
	}
	confFile = args[++i];
	} else {
	Command c = Command.getCommand(flags);
	if (c != null) {
	if (command == null) {
	command = c;
	} else {
	throw new Exception(String.format(
	rb.getString("multiple.commands.1.2"),
	command.name, c.name));
	}
	}
	}
	}
	}

	if (confFile != null && command != null) {
	args = KeyStoreUtil.expandArgs("keytool", confFile,
	command.toString(),
	command.getAltName(), args);
	}

	debug = Arrays.stream(args).anyMatch(
	x -> collator.compare(x, "-debug") == 0);

	if (debug) {
	// No need to localize debug output
	System.out.println("Command line args: " +
	Arrays.toString(args));
	}

	for (i=0; (i < args.length) && args[i].startsWith("-"); i++) {

	String flags = args[i];

	// Check if the last option needs an arg
	if (i == args.length - 1) {
	for (Option option: Option.values()) {
	// Only options with an arg need to be checked
	if (collator.compare(flags, option.toString()) == 0) {
	if (option.arg != null) errorNeedArgument(flags);
	break;
	}
	}
	}

	/*
	* Check modifiers
	*/
	String modifier = null;
	int pos = flags.indexOf(':');
	if (pos > 0) {
	modifier = flags.substring(pos+1);
	flags = flags.substring(0, pos);
	}

	/*
	* command modes
	*/
	Command c = Command.getCommand(flags);

	if (c != null) {
	command = c;
	} else if (collator.compare(flags, "--help") == 0 \|\|
	collator.compare(flags, "-h") == 0 \|\|
	collator.compare(flags, "-?") == 0 \|\|
	// -help: legacy.
	collator.compare(flags, "-help") == 0) {
	help = true;
	} else if (collator.compare(flags, "-conf") == 0) {
	i++;
	} else if (collator.compare(flags, "-nowarn") == 0) {
	nowarn = true;
	} else if (collator.compare(flags, "-keystore") == 0) {
	ksfname = args[++i];
	if (new File(ksfname).getCanonicalPath().equals(
	new File(KeyStoreUtil.getCacerts()).getCanonicalPath())) {
	System.err.println(rb.getString("warning.cacerts.option"));
	}
	} else if (collator.compare(flags, "-destkeystore") == 0) {
	ksfname = args[++i];
	} else if (collator.compare(flags, "-cacerts") == 0) {
	cacerts = true;
	} else if (collator.compare(flags, "-storepass") == 0 \|\|
	collator.compare(flags, "-deststorepass") == 0) {
	storePass = getPass(modifier, args[++i]);
	passwords.add(storePass);
	} else if (collator.compare(flags, "-storetype") == 0 \|\|
	collator.compare(flags, "-deststoretype") == 0) {
	storetype = KeyStoreUtil.niceStoreTypeName(args[++i]);
	} else if (collator.compare(flags, "-srcstorepass") == 0) {
	srcstorePass = getPass(modifier, args[++i]);
	passwords.add(srcstorePass);
	} else if (collator.compare(flags, "-srcstoretype") == 0) {
	srcstoretype = KeyStoreUtil.niceStoreTypeName(args[++i]);
	} else if (collator.compare(flags, "-srckeypass") == 0) {
	srckeyPass = getPass(modifier, args[++i]);
	passwords.add(srckeyPass);
	} else if (collator.compare(flags, "-srcprovidername") == 0) {
	srcProviderName = args[++i];
	} else if (collator.compare(flags, "-providername") == 0 \|\|
	collator.compare(flags, "-destprovidername") == 0) {
	providerName = args[++i];
	} else if (collator.compare(flags, "-providerpath") == 0) {
	pathlist = args[++i];
	} else if (collator.compare(flags, "-keypass") == 0) {
	keyPass = getPass(modifier, args[++i]);
	passwords.add(keyPass);
	} else if (collator.compare(flags, "-new") == 0) {
	newPass = getPass(modifier, args[++i]);
	passwords.add(newPass);
	} else if (collator.compare(flags, "-destkeypass") == 0) {
	destKeyPass = getPass(modifier, args[++i]);
	passwords.add(destKeyPass);
	} else if (collator.compare(flags, "-alias") == 0 \|\|
	collator.compare(flags, "-srcalias") == 0) {
	alias = args[++i];
	} else if (collator.compare(flags, "-dest") == 0 \|\|
	collator.compare(flags, "-destalias") == 0) {
	dest = args[++i];
	} else if (collator.compare(flags, "-dname") == 0) {
	dname = args[++i];
	} else if (collator.compare(flags, "-keysize") == 0) {
	keysize = Integer.parseInt(args[++i]);
	} else if (collator.compare(flags, "-keyalg") == 0) {
	keyAlgName = args[++i];
	} else if (collator.compare(flags, "-sigalg") == 0) {
	sigAlgName = args[++i];
	} else if (collator.compare(flags, "-startdate") == 0) {
	startDate = args[++i];
	} else if (collator.compare(flags, "-validity") == 0) {
	validity = Long.parseLong(args[++i]);
	} else if (collator.compare(flags, "-ext") == 0) {
	v3ext.add(args[++i]);
	} else if (collator.compare(flags, "-id") == 0) {
	ids.add(args[++i]);
	} else if (collator.compare(flags, "-file") == 0) {
	filename = args[++i];
	} else if (collator.compare(flags, "-infile") == 0) {
	infilename = args[++i];
	} else if (collator.compare(flags, "-outfile") == 0) {
	outfilename = args[++i];
	} else if (collator.compare(flags, "-sslserver") == 0) {
	sslserver = args[++i];
	} else if (collator.compare(flags, "-jarfile") == 0) {
	jarfile = args[++i];
	} else if (collator.compare(flags, "-srckeystore") == 0) {
	srcksfname = args[++i];
	} else if (collator.compare(flags, "-provider") == 0 \|\|
	collator.compare(flags, "-providerclass") == 0) {
	if (providerClasses == null) {
	providerClasses = new HashSet<Pair <String, String>> (3);
	}
	String providerClass = args[++i];
	String providerArg = null;

	if (args.length > (i+1)) {
	flags = args[i+1];
	if (collator.compare(flags, "-providerarg") == 0) {
	if (args.length == (i+2)) errorNeedArgument(flags);
	providerArg = args[i+2];
	i += 2;
	}
	}
	providerClasses.add(
	Pair.of(providerClass, providerArg));
	} else if (collator.compare(flags, "-addprovider") == 0) {
	if (providers == null) {
	providers = new HashSet<Pair <String, String>> (3);
	}
	String provider = args[++i];
	String providerArg = null;

	if (args.length > (i+1)) {
	flags = args[i+1];
	if (collator.compare(flags, "-providerarg") == 0) {
	if (args.length == (i+2)) errorNeedArgument(flags);
	providerArg = args[i+2];
	i += 2;
	}
	}
	providers.add(
	Pair.of(provider, providerArg));
	}

	/*
	* options
	*/
	else if (collator.compare(flags, "-v") == 0) {
	verbose = true;
	} else if (collator.compare(flags, "-debug") == 0) {
	// Already processed
	} else if (collator.compare(flags, "-rfc") == 0) {
	rfc = true;
	} else if (collator.compare(flags, "-noprompt") == 0) {
	noprompt = true;
	} else if (collator.compare(flags, "-trustcacerts") == 0) {
	trustcacerts = true;
	} else if (collator.compare(flags, "-protected") == 0 \|\|
	collator.compare(flags, "-destprotected") == 0) {
	protectedPath = true;
	} else if (collator.compare(flags, "-srcprotected") == 0) {
	srcprotectedPath = true;
	} else {
	System.err.println(rb.getString("Illegal.option.") + flags);
	tinyHelp();
	}
	}

	if (i<args.length) {
	System.err.println(rb.getString("Illegal.option.") + args[i]);
	tinyHelp();
	}

	if (command == null) {
	if (help) {
	usage();
	} else {
	System.err.println(rb.getString("Usage.error.no.command.provided"));
	tinyHelp();
	}
	} else if (help) {
	usage();
	command = null;
	}

	return args;
	}

	boolean isKeyStoreRelated(Command cmd) {
	return cmd != PRINTCERT && cmd != PRINTCERTREQ;
	}

	/**
	* Execute the commands.
	*/
	void doCommands(PrintStream out) throws Exception {

	if (cacerts) {
	if (ksfname != null \|\| storetype != null) {
	throw new IllegalArgumentException(rb.getString
	("the.keystore.or.storetype.option.cannot.be.used.with.the.cacerts.option"));
	}
	ksfname = KeyStoreUtil.getCacerts();
	}

	if (P11KEYSTORE.equalsIgnoreCase(storetype) \|\|
	KeyStoreUtil.isWindowsKeyStore(storetype)) {
	token = true;
	if (ksfname == null) {
	ksfname = NONE;
	}
	}
	if (NONE.equals(ksfname)) {
	nullStream = true;
	}

	if (token && !nullStream) {
	System.err.println(MessageFormat.format(rb.getString
	(".keystore.must.be.NONE.if.storetype.is.{0}"), storetype));
	System.err.println();
	tinyHelp();
	}

	if (token &&
	(command == KEYPASSWD \|\| command == STOREPASSWD)) {
	throw new UnsupportedOperationException(MessageFormat.format(rb.getString
	(".storepasswd.and.keypasswd.commands.not.supported.if.storetype.is.{0}"), storetype));
	}

	if (token && (keyPass != null \|\| newPass != null \|\| destKeyPass != null)) {
	throw new IllegalArgumentException(MessageFormat.format(rb.getString
	(".keypass.and.new.can.not.be.specified.if.storetype.is.{0}"), storetype));
	}

	if (protectedPath) {
	if (storePass != null \|\| keyPass != null \|\|
	newPass != null \|\| destKeyPass != null) {
	throw new IllegalArgumentException(rb.getString
	("if.protected.is.specified.then.storepass.keypass.and.new.must.not.be.specified"));
	}
	}

	if (srcprotectedPath) {
	if (srcstorePass != null \|\| srckeyPass != null) {
	throw new IllegalArgumentException(rb.getString
	("if.srcprotected.is.specified.then.srcstorepass.and.srckeypass.must.not.be.specified"));
	}
	}

	if (KeyStoreUtil.isWindowsKeyStore(storetype)) {
	if (storePass != null \|\| keyPass != null \|\|
	newPass != null \|\| destKeyPass != null) {
	throw new IllegalArgumentException(rb.getString
	("if.keystore.is.not.password.protected.then.storepass.keypass.and.new.must.not.be.specified"));
	}
	}

	if (KeyStoreUtil.isWindowsKeyStore(srcstoretype)) {
	if (srcstorePass != null \|\| srckeyPass != null) {
	throw new IllegalArgumentException(rb.getString
	("if.source.keystore.is.not.password.protected.then.srcstorepass.and.srckeypass.must.not.be.specified"));
	}
	}

	if (validity <= (long)0) {
	throw new Exception
	(rb.getString("Validity.must.be.greater.than.zero"));
	}

	// Try to load and install specified provider
	if (providers != null) {
	for (Pair<String, String> provider : providers) {
	try {
	KeyStoreUtil.loadProviderByName(
	provider.fst, provider.snd);
	if (debug) {
	System.out.println("loadProviderByName: " + provider.fst);
	}
	} catch (IllegalArgumentException e) {
	throw new Exception(String.format(rb.getString(
	"provider.name.not.found"), provider.fst));
	}
	}
	}
	if (providerClasses != null) {
	ClassLoader cl = null;
	if (pathlist != null) {
	String path = null;
	path = PathList.appendPath(
	path, System.getProperty("java.class.path"));
	path = PathList.appendPath(
	path, System.getProperty("env.class.path"));
	path = PathList.appendPath(path, pathlist);

	URL[] urls = PathList.pathToURLs(path);
	cl = new URLClassLoader(urls);
	} else {
	cl = ClassLoader.getSystemClassLoader();
	}
	for (Pair<String, String> provider : providerClasses) {
	try {
	KeyStoreUtil.loadProviderByClass(
	provider.fst, provider.snd, cl);
	if (debug) {
	System.out.println("loadProviderByClass: " + provider.fst);
	}
	} catch (ClassCastException cce) {
	throw new Exception(String.format(rb.getString(
	"provclass.not.a.provider"), provider.fst));
	} catch (IllegalArgumentException e) {
	throw new Exception(String.format(rb.getString(
	"provider.class.not.found"), provider.fst), e.getCause());
	}
	}
	}

	if (command == LIST && verbose && rfc) {
	System.err.println(rb.getString
	("Must.not.specify.both.v.and.rfc.with.list.command"));
	tinyHelp();
	}

	// Make sure provided passwords are at least 6 characters long
	if (command == GENKEYPAIR && keyPass!=null && keyPass.length < 6) {
	throw new Exception(rb.getString
	("Key.password.must.be.at.least.6.characters"));
	}
	if (newPass != null && newPass.length < 6) {
	throw new Exception(rb.getString
	("New.password.must.be.at.least.6.characters"));
	}
	if (destKeyPass != null && destKeyPass.length < 6) {
	throw new Exception(rb.getString
	("New.password.must.be.at.least.6.characters"));
	}

	// Set this before inplaceImport check so we can compare name.
	if (ksfname == null) {
	ksfname = System.getProperty("user.home") + File.separator
	+ ".keystore";
	}

	KeyStore srcKeyStore = null;
	if (command == IMPORTKEYSTORE) {
	inplaceImport = inplaceImportCheck();
	if (inplaceImport) {
	// We load srckeystore first so we have srcstorePass that
	// can be assigned to storePass
	srcKeyStore = loadSourceKeyStore();
	if (storePass == null) {
	storePass = srcstorePass;
	}
	}
	}

	// Check if keystore exists.
	// If no keystore has been specified at the command line, try to use
	// the default, which is located in $HOME/.keystore.
	// If the command is "genkey", "identitydb", "import", or "printcert",
	// it is OK not to have a keystore.

	// DO NOT open the existing keystore if this is an in-place import.
	// The keystore should be created as brand new.
	if (isKeyStoreRelated(command) && !nullStream && !inplaceImport) {
	try {
	ksfile = new File(ksfname);
	// Check if keystore file is empty
	if (ksfile.exists() && ksfile.length() == 0) {
	throw new Exception(rb.getString
	("Keystore.file.exists.but.is.empty.") + ksfname);
	}
	ksStream = new FileInputStream(ksfile);
	} catch (FileNotFoundException e) {
	if (command != GENKEYPAIR &&
	command != GENSECKEY &&
	command != IDENTITYDB &&
	command != IMPORTCERT &&
	command != IMPORTPASS &&
	command != IMPORTKEYSTORE &&
	command != PRINTCRL) {
	throw new Exception(rb.getString
	("Keystore.file.does.not.exist.") + ksfname);
	}
	}
	}

	if ((command == KEYCLONE \|\| command == CHANGEALIAS)
	&& dest == null) {
	dest = getAlias("destination");
	if ("".equals(dest)) {
	throw new Exception(rb.getString
	("Must.specify.destination.alias"));
	}
	}

	if (command == DELETE && alias == null) {
	alias = getAlias(null);
	if ("".equals(alias)) {
	throw new Exception(rb.getString("Must.specify.alias"));
	}
	}

	// Create new keystore
	// Probe for keystore type when filename is available
	if (ksfile != null && ksStream != null && providerName == null &&
	storetype == null && !inplaceImport) {
	keyStore = KeyStore.getInstance(ksfile, storePass);
	storetype = keyStore.getType();
	} else {
	if (storetype == null) {
	storetype = KeyStore.getDefaultType();
	}
	if (providerName == null) {
	keyStore = KeyStore.getInstance(storetype);
	} else {
	keyStore = KeyStore.getInstance(storetype, providerName);
	}

	/*
	* Load the keystore data.
	*
	* At this point, it's OK if no keystore password has been provided.
	* We want to make sure that we can load the keystore data, i.e.,
	* the keystore data has the right format. If we cannot load the
	* keystore, why bother asking the user for his or her password?
	* Only if we were able to load the keystore, and no keystore
	* password has been provided, will we prompt the user for the
	* keystore password to verify the keystore integrity.
	* This means that the keystore is loaded twice: first load operation
	* checks the keystore format, second load operation verifies the
	* keystore integrity.
	*
	* If the keystore password has already been provided (at the
	* command line), however, the keystore is loaded only once, and the
	* keystore format and integrity are checked "at the same time".
	*
	* Null stream keystores are loaded later.
	*/
	if (!nullStream) {
	if (inplaceImport) {
	keyStore.load(null, storePass);
	} else {
	keyStore.load(ksStream, storePass);
	}
	if (ksStream != null) {
	ksStream.close();
	}
	}
	}

	if (P12KEYSTORE.equalsIgnoreCase(storetype) && command == KEYPASSWD) {
	throw new UnsupportedOperationException(rb.getString
	(".keypasswd.commands.not.supported.if.storetype.is.PKCS12"));
	}

	// All commands that create or modify the keystore require a keystore
	// password.

	if (nullStream && storePass != null) {
	keyStore.load(null, storePass);
	} else if (!nullStream && storePass != null) {
	// If we are creating a new non nullStream-based keystore,
	// insist that the password be at least 6 characters
	if (ksStream == null && storePass.length < 6) {
	throw new Exception(rb.getString
	("Keystore.password.must.be.at.least.6.characters"));
	}
	} else if (storePass == null) {

	// only prompt if (protectedPath == false)

	if (!protectedPath && !KeyStoreUtil.isWindowsKeyStore(storetype) &&
	(command == CERTREQ \|\|
	command == DELETE \|\|
	command == GENKEYPAIR \|\|
	command == GENSECKEY \|\|
	command == IMPORTCERT \|\|
	command == IMPORTPASS \|\|
	command == IMPORTKEYSTORE \|\|
	command == KEYCLONE \|\|
	command == CHANGEALIAS \|\|
	command == SELFCERT \|\|
	command == STOREPASSWD \|\|
	command == KEYPASSWD \|\|
	command == IDENTITYDB)) {
	int count = 0;
	do {
	if (command == IMPORTKEYSTORE) {
	System.err.print
	(rb.getString("Enter.destination.keystore.password."));
	} else {
	System.err.print
	(rb.getString("Enter.keystore.password."));
	}
	System.err.flush();
	storePass = Password.readPassword(System.in);
	passwords.add(storePass);

	// If we are creating a new non nullStream-based keystore,
	// insist that the password be at least 6 characters
	if (!nullStream && (storePass == null \|\| storePass.length < 6)) {
	System.err.println(rb.getString
	("Keystore.password.is.too.short.must.be.at.least.6.characters"));
	storePass = null;
	}

	// If the keystore file does not exist and needs to be
	// created, the storepass should be prompted twice.
	if (storePass != null && !nullStream && ksStream == null) {
	System.err.print(rb.getString("Re.enter.new.password."));
	char[] storePassAgain = Password.readPassword(System.in);
	passwords.add(storePassAgain);
	if (!Arrays.equals(storePass, storePassAgain)) {
	System.err.println
	(rb.getString("They.don.t.match.Try.again"));
	storePass = null;
	}
	}

	count++;
	} while ((storePass == null) && count < 3);


	if (storePass == null) {
	System.err.println
	(rb.getString("Too.many.failures.try.later"));
	return;
	}
	} else if (!protectedPath
	&& !KeyStoreUtil.isWindowsKeyStore(storetype)
	&& isKeyStoreRelated(command)) {
	// here we have EXPORTCERT and LIST (info valid until STOREPASSWD)
	if (command != PRINTCRL) {
	System.err.print(rb.getString("Enter.keystore.password."));
	System.err.flush();
	storePass = Password.readPassword(System.in);
	passwords.add(storePass);
	}
	}

	// Now load a nullStream-based keystore,
	// or verify the integrity of an input stream-based keystore
	if (nullStream) {
	keyStore.load(null, storePass);
	} else if (ksStream != null) {
	ksStream = new FileInputStream(ksfile);
	keyStore.load(ksStream, storePass);
	ksStream.close();
	}
	}

	if (storePass != null && P12KEYSTORE.equalsIgnoreCase(storetype)) {
	MessageFormat form = new MessageFormat(rb.getString(
	"Warning.Different.store.and.key.passwords.not.supported.for.PKCS12.KeyStores.Ignoring.user.specified.command.value."));
	if (keyPass != null && !Arrays.equals(storePass, keyPass)) {
	Object[] source = {"-keypass"};
	System.err.println(form.format(source));
	keyPass = storePass;
	}
	if (destKeyPass != null && !Arrays.equals(storePass, destKeyPass)) {
	Object[] source = {"-destkeypass"};
	System.err.println(form.format(source));
	destKeyPass = storePass;
	}
	}

	// Create a certificate factory
	if (command == PRINTCERT \|\| command == IMPORTCERT
	\|\| command == IDENTITYDB \|\| command == PRINTCRL) {
	cf = CertificateFactory.getInstance("X509");
	}

	// -trustcacerts can only be specified on -importcert.
	// Reset it so that warnings on CA cert will remain for
	// -printcert, etc.
	if (command != IMPORTCERT) {
	trustcacerts = false;
	}

	if (trustcacerts) {
	caks = KeyStoreUtil.getCacertsKeyStore();
	}

	// Perform the specified command
	if (command == CERTREQ) {
	if (filename != null) {
	try (PrintStream ps = new PrintStream(new FileOutputStream
	(filename))) {
	doCertReq(alias, sigAlgName, ps);
	}
	} else {
	doCertReq(alias, sigAlgName, out);
	}
	if (verbose && filename != null) {
	MessageFormat form = new MessageFormat(rb.getString
	("Certification.request.stored.in.file.filename."));
	Object[] source = {filename};
	System.err.println(form.format(source));
	System.err.println(rb.getString("Submit.this.to.your.CA"));
	}
	} else if (command == DELETE) {
	doDeleteEntry(alias);
	kssave = true;
	} else if (command == EXPORTCERT) {
	if (filename != null) {
	try (PrintStream ps = new PrintStream(new FileOutputStream
	(filename))) {
	doExportCert(alias, ps);
	}
	} else {
	doExportCert(alias, out);
	}
	if (filename != null) {
	MessageFormat form = new MessageFormat(rb.getString
	("Certificate.stored.in.file.filename."));
	Object[] source = {filename};
	System.err.println(form.format(source));
	}
	} else if (command == GENKEYPAIR) {
	if (keyAlgName == null) {
	keyAlgName = "DSA";
	}
	doGenKeyPair(alias, dname, keyAlgName, keysize, sigAlgName);
	kssave = true;
	} else if (command == GENSECKEY) {
	if (keyAlgName == null) {
	keyAlgName = "DES";
	}
	doGenSecretKey(alias, keyAlgName, keysize);
	kssave = true;
	} else if (command == IMPORTPASS) {
	if (keyAlgName == null) {
	keyAlgName = "PBE";
	}
	// password is stored as a secret key
	doGenSecretKey(alias, keyAlgName, keysize);
	kssave = true;
	} else if (command == IDENTITYDB) {
	if (filename != null) {
	try (InputStream inStream = new FileInputStream(filename)) {
	doImportIdentityDatabase(inStream);
	}
	} else {
	doImportIdentityDatabase(System.in);
	}
	} else if (command == IMPORTCERT) {
	InputStream inStream = System.in;
	if (filename != null) {
	inStream = new FileInputStream(filename);
	}
	String importAlias = (alias!=null)?alias:keyAlias;
	try {
	if (keyStore.entryInstanceOf(
	importAlias, KeyStore.PrivateKeyEntry.class)) {
	kssave = installReply(importAlias, inStream);
	if (kssave) {
	System.err.println(rb.getString
	("Certificate.reply.was.installed.in.keystore"));
	} else {
	System.err.println(rb.getString
	("Certificate.reply.was.not.installed.in.keystore"));
	}
	} else if (!keyStore.containsAlias(importAlias) \|\|
	keyStore.entryInstanceOf(importAlias,
	KeyStore.TrustedCertificateEntry.class)) {
	kssave = addTrustedCert(importAlias, inStream);
	if (kssave) {
	System.err.println(rb.getString
	("Certificate.was.added.to.keystore"));
	} else {
	System.err.println(rb.getString
	("Certificate.was.not.added.to.keystore"));
	}
	}
	} finally {
	if (inStream != System.in) {
	inStream.close();
	}
	}
	} else if (command == IMPORTKEYSTORE) {
	// When not in-place import, srcKeyStore is not loaded yet.
	if (srcKeyStore == null) {
	srcKeyStore = loadSourceKeyStore();
	}
	doImportKeyStore(srcKeyStore);
	kssave = true;
	} else if (command == KEYCLONE) {
	keyPassNew = newPass;

	// added to make sure only key can go thru
	if (alias == null) {
	alias = keyAlias;
	}
	if (keyStore.containsAlias(alias) == false) {
	MessageFormat form = new MessageFormat
	(rb.getString("Alias.alias.does.not.exist"));
	Object[] source = {alias};
	throw new Exception(form.format(source));
	}
	if (!keyStore.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
	MessageFormat form = new MessageFormat(rb.getString(
	"Alias.alias.references.an.entry.type.that.is.not.a.private.key.entry.The.keyclone.command.only.supports.cloning.of.private.key"));
	Object[] source = {alias};
	throw new Exception(form.format(source));
	}

	doCloneEntry(alias, dest, true); // Now everything can be cloned
	kssave = true;
	} else if (command == CHANGEALIAS) {
	if (alias == null) {
	alias = keyAlias;
	}
	doCloneEntry(alias, dest, false);
	// in PKCS11, clone a PrivateKeyEntry will delete the old one
	if (keyStore.containsAlias(alias)) {
	doDeleteEntry(alias);
	}
	kssave = true;
	} else if (command == KEYPASSWD) {
	keyPassNew = newPass;
	doChangeKeyPasswd(alias);
	kssave = true;
	} else if (command == LIST) {
	if (storePass == null
	&& !KeyStoreUtil.isWindowsKeyStore(storetype)) {
	printNoIntegrityWarning();
	}

	if (alias != null) {
	doPrintEntry(rb.getString("the.certificate"), alias, out);
	} else {
	doPrintEntries(out);
	}
	} else if (command == PRINTCERT) {
	doPrintCert(out);
	} else if (command == SELFCERT) {
	doSelfCert(alias, dname, sigAlgName);
	kssave = true;
	} else if (command == STOREPASSWD) {
	doChangeStorePasswd();
	kssave = true;
	} else if (command == GENCERT) {
	if (alias == null) {
	alias = keyAlias;
	}
	InputStream inStream = System.in;
	if (infilename != null) {
	inStream = new FileInputStream(infilename);
	}
	PrintStream ps = null;
	if (outfilename != null) {
	ps = new PrintStream(new FileOutputStream(outfilename));
	out = ps;
	}
	try {
	doGenCert(alias, sigAlgName, inStream, out);
	} finally {
	if (inStream != System.in) {
	inStream.close();
	}
	if (ps != null) {
	ps.close();
	}
	}
	} else if (command == GENCRL) {
	if (alias == null) {
	alias = keyAlias;
	}
	if (filename != null) {
	try (PrintStream ps =
	new PrintStream(new FileOutputStream(filename))) {
	doGenCRL(ps);
	}
	} else {
	doGenCRL(out);
	}
	} else if (command == PRINTCERTREQ) {
	if (filename != null) {
	try (InputStream inStream = new FileInputStream(filename)) {
	doPrintCertReq(inStream, out);
	}
	} else {
	doPrintCertReq(System.in, out);
	}
	} else if (command == PRINTCRL) {
	doPrintCRL(filename, out);
	}

	// If we need to save the keystore, do so.
	if (kssave) {
	if (verbose) {
	MessageFormat form = new MessageFormat
	(rb.getString(".Storing.ksfname."));
	Object[] source = {nullStream ? "keystore" : ksfname};
	System.err.println(form.format(source));
	}

	if (token) {
	keyStore.store(null, null);
	} else {
	char[] pass = (storePassNew!=null) ? storePassNew : storePass;
	if (nullStream) {
	keyStore.store(null, pass);
	} else {
	ByteArrayOutputStream bout = new ByteArrayOutputStream();
	keyStore.store(bout, pass);
	try (FileOutputStream fout = new FileOutputStream(ksfname)) {
	fout.write(bout.toByteArray());
	}
	}
	}
	}

	if (isKeyStoreRelated(command)
	&& !token && !nullStream && ksfname != null) {

	// JKS storetype warning on the final result keystore
	File f = new File(ksfname);
	char[] pass = (storePassNew!=null) ? storePassNew : storePass;
	if (f.exists()) {
	// Probe for real type. A JKS can be loaded as PKCS12 because
	// DualFormat support, vice versa.
	keyStore = KeyStore.getInstance(f, pass);
	String realType = keyStore.getType();
	if (realType.equalsIgnoreCase("JKS")
	\|\| realType.equalsIgnoreCase("JCEKS")) {
	boolean allCerts = true;
	for (String a : Collections.list(keyStore.aliases())) {
	if (!keyStore.entryInstanceOf(
	a, TrustedCertificateEntry.class)) {
	allCerts = false;
	break;
	}
	}
	// Don't warn for "cacerts" style keystore.
	if (!allCerts) {
	weakWarnings.add(String.format(
	rb.getString("jks.storetype.warning"),
	realType, ksfname));
	}
	}
	if (inplaceImport) {
	String realSourceStoreType = KeyStore.getInstance(
	new File(inplaceBackupName), srcstorePass).getType();
	String format =
	realType.equalsIgnoreCase(realSourceStoreType) ?
	rb.getString("backup.keystore.warning") :
	rb.getString("migrate.keystore.warning");
	weakWarnings.add(
	String.format(format,
	srcksfname,
	realSourceStoreType,
	inplaceBackupName,
	realType));
	}
	}
	}
	}

	/**
	* Generate a certificate: Read PKCS10 request from in, and print
	* certificate to out. Use alias as CA, sigAlgName as the signature
	* type.
	*/
	private void doGenCert(String alias, String sigAlgName, InputStream in, PrintStream out)
	throws Exception {


	if (keyStore.containsAlias(alias) == false) {
	MessageFormat form = new MessageFormat
	(rb.getString("Alias.alias.does.not.exist"));
	Object[] source = {alias};
	throw new Exception(form.format(source));
	}
	Certificate signerCert = keyStore.getCertificate(alias);
	byte[] encoded = signerCert.getEncoded();
	X509CertImpl signerCertImpl = new X509CertImpl(encoded);
	X509CertInfo signerCertInfo = (X509CertInfo)signerCertImpl.get(
	X509CertImpl.NAME + "." + X509CertImpl.INFO);
	X500Name issuer = (X500Name)signerCertInfo.get(X509CertInfo.SUBJECT + "." +
	X509CertInfo.DN_NAME);

	Date firstDate = getStartDate(startDate);
	Date lastDate = new Date();
	lastDate.setTime(firstDate.getTime() + validity1000L24L60L60L);
	CertificateValidity interval = new CertificateValidity(firstDate,
	lastDate);

	PrivateKey privateKey =
	(PrivateKey)recoverKey(alias, storePass, keyPass).fst;
	if (sigAlgName == null) {
	sigAlgName = getCompatibleSigAlgName(privateKey);
	}
	Signature signature = Signature.getInstance(sigAlgName);
	signature.initSign(privateKey);

	X509CertInfo info = new X509CertInfo();
	info.set(X509CertInfo.VALIDITY, interval);
	info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(
	new java.util.Random().nextInt() & 0x7fffffff));
	info.set(X509CertInfo.VERSION,
	new CertificateVersion(CertificateVersion.V3));
	info.set(X509CertInfo.ALGORITHM_ID,
	new CertificateAlgorithmId(
	AlgorithmId.get(sigAlgName)));
	info.set(X509CertInfo.ISSUER, issuer);

	BufferedReader reader = new BufferedReader(new InputStreamReader(in));
	boolean canRead = false;
	StringBuffer sb = new StringBuffer();
	while (true) {
	String s = reader.readLine();
	if (s == null) break;
	// OpenSSL does not use NEW
	//if (s.startsWith("-----BEGIN NEW CERTIFICATE REQUEST-----")) {
	if (s.startsWith("-----BEGIN") && s.indexOf("REQUEST") >= 0) {
	canRead = true;
	//} else if (s.startsWith("-----END NEW CERTIFICATE REQUEST-----")) {
	} else if (s.startsWith("-----END") && s.indexOf("REQUEST") >= 0) {
	break;
	} else if (canRead) {
	sb.append(s);
	}
	}
	byte[] rawReq = Pem.decode(new String(sb));
	PKCS10 req = new PKCS10(rawReq);

	checkWeak(rb.getString("the.certificate.request"), req);

	info.set(X509CertInfo.KEY, new CertificateX509Key(req.getSubjectPublicKeyInfo()));
	info.set(X509CertInfo.SUBJECT,
	dname==null?req.getSubjectName():new X500Name(dname));
	CertificateExtensions reqex = null;
	Iterator<PKCS10Attribute> attrs = req.getAttributes().getAttributes().iterator();
	while (attrs.hasNext()) {
	PKCS10Attribute attr = attrs.next();
	if (attr.getAttributeId().equals(PKCS9Attribute.EXTENSION_REQUEST_OID)) {
	reqex = (CertificateExtensions)attr.getAttributeValue();
	}
	}
	CertificateExtensions ext = createV3Extensions(
	reqex,
	null,
	v3ext,
	req.getSubjectPublicKeyInfo(),
	signerCert.getPublicKey());
	info.set(X509CertInfo.EXTENSIONS, ext);
	X509CertImpl cert = new X509CertImpl(info);
	cert.sign(privateKey, sigAlgName);
	dumpCert(cert, out);
	for (Certificate ca: keyStore.getCertificateChain(alias)) {
	if (ca instanceof X509Certificate) {
	X509Certificate xca = (X509Certificate)ca;
	if (!KeyStoreUtil.isSelfSigned(xca)) {
	dumpCert(xca, out);
	}
	}
	}

	checkWeak(rb.getString("the.issuer"), keyStore.getCertificateChain(alias));
	checkWeak(rb.getString("the.generated.certificate"), cert);
	}

	private void doGenCRL(PrintStream out)
	throws Exception {
	if (ids == null) {
	throw new Exception("Must provide -id when -gencrl");
	}
	Certificate signerCert = keyStore.getCertificate(alias);
	byte[] encoded = signerCert.getEncoded();
	X509CertImpl signerCertImpl = new X509CertImpl(encoded);
	X509CertInfo signerCertInfo = (X509CertInfo)signerCertImpl.get(
	X509CertImpl.NAME + "." + X509CertImpl.INFO);
	X500Name owner = (X500Name)signerCertInfo.get(X509CertInfo.SUBJECT + "." +
	X509CertInfo.DN_NAME);

	Date firstDate = getStartDate(startDate);
	Date lastDate = (Date) firstDate.clone();
	lastDate.setTime(lastDate.getTime() + validity1000246060);
	CertificateValidity interval = new CertificateValidity(firstDate,
	lastDate);


	PrivateKey privateKey =
	(PrivateKey)recoverKey(alias, storePass, keyPass).fst;
	if (sigAlgName == null) {
	sigAlgName = getCompatibleSigAlgName(privateKey);
	}

	X509CRLEntry[] badCerts = new X509CRLEntry[ids.size()];
	for (int i=0; i<ids.size(); i++) {
	String id = ids.get(i);
	int d = id.indexOf(':');
	if (d >= 0) {
	CRLExtensions ext = new CRLExtensions();
	ext.set("Reason", new CRLReasonCodeExtension(Integer.parseInt(id.substring(d+1))));
	badCerts[i] = new X509CRLEntryImpl(new BigInteger(id.substring(0, d)),
	firstDate, ext);
	} else {
	badCerts[i] = new X509CRLEntryImpl(new BigInteger(ids.get(i)), firstDate);
	}
	}
	X509CRLImpl crl = new X509CRLImpl(owner, firstDate, lastDate, badCerts);
	crl.sign(privateKey, sigAlgName);
	if (rfc) {
	out.println("-----BEGIN X509 CRL-----");
	out.println(Base64.getMimeEncoder(64, CRLF).encodeToString(crl.getEncodedInternal()));
	out.println("-----END X509 CRL-----");
	} else {
	out.write(crl.getEncodedInternal());
	}
	checkWeak(rb.getString("the.generated.crl"), crl, privateKey);
	}

	/**
	* Creates a PKCS#10 cert signing request, corresponding to the
	* keys (and name) associated with a given alias.
	*/
	private void doCertReq(String alias, String sigAlgName, PrintStream out)
	throws Exception
	{
	if (alias == null) {
	alias = keyAlias;
	}

	Pair<Key,char[]> objs = recoverKey(alias, storePass, keyPass);
	PrivateKey privKey = (PrivateKey)objs.fst;
	if (keyPass == null) {
	keyPass = objs.snd;
	}

	Certificate cert = keyStore.getCertificate(alias);
	if (cert == null) {
	MessageFormat form = new MessageFormat
	(rb.getString("alias.has.no.public.key.certificate."));
	Object[] source = {alias};
	throw new Exception(form.format(source));
	}
	PKCS10 request = new PKCS10(cert.getPublicKey());
	CertificateExtensions ext = createV3Extensions(null, null, v3ext, cert.getPublicKey(), null);
	// Attribute name is not significant
	request.getAttributes().setAttribute(X509CertInfo.EXTENSIONS,
	new PKCS10Attribute(PKCS9Attribute.EXTENSION_REQUEST_OID, ext));

	// Construct a Signature object, so that we can sign the request
	if (sigAlgName == null) {
	sigAlgName = getCompatibleSigAlgName(privKey);
	}

	Signature signature = Signature.getInstance(sigAlgName);
	signature.initSign(privKey);
	X500Name subject = dname == null?
	new X500Name(((X509Certificate)cert).getSubjectDN().toString()):
	new X500Name(dname);

	// Sign the request and base-64 encode it
	request.encodeAndSign(subject, signature);
	request.print(out);

	checkWeak(rb.getString("the.generated.certificate.request"), request);
	}

	/**
	* Deletes an entry from the keystore.
	*/
	private void doDeleteEntry(String alias) throws Exception {
	if (keyStore.containsAlias(alias) == false) {
	MessageFormat form = new MessageFormat
	(rb.getString("Alias.alias.does.not.exist"));
	Object[] source = {alias};
	throw new Exception(form.format(source));
	}
	keyStore.deleteEntry(alias);
	}

	/**
	* Exports a certificate from the keystore.
	*/
	private void doExportCert(String alias, PrintStream out)
	throws Exception
	{
	if (storePass == null
	&& !KeyStoreUtil.isWindowsKeyStore(storetype)) {
	printNoIntegrityWarning();
	}
	if (alias == null) {
	alias = keyAlias;
	}
	if (keyStore.containsAlias(alias) == false) {
	MessageFormat form = new MessageFormat
	(rb.getString("Alias.alias.does.not.exist"));
	Object[] source = {alias};
	throw new Exception(form.format(source));
	}

	X509Certificate cert = (X509Certificate)keyStore.getCertificate(alias);
	if (cert == null) {
	MessageFormat form = new MessageFormat
	(rb.getString("Alias.alias.has.no.certificate"));
	Object[] source = {alias};
	throw new Exception(form.format(source));
	}
	dumpCert(cert, out);
	checkWeak(rb.getString("the.certificate"), cert);
	}

	/**
	* Prompt the user for a keypass when generating a key entry.
	* @param alias the entry we will set password for
	* @param orig the original entry of doing a dup, null if generate new
	* @param origPass the password to copy from if user press ENTER
	*/
	private char[] promptForKeyPass(String alias, String orig, char[] origPass) throws Exception{
	if (P12KEYSTORE.equalsIgnoreCase(storetype)) {
	return origPass;
	} else if (!token && !protectedPath) {
	// Prompt for key password
	int count;
	for (count = 0; count < 3; count++) {
	MessageFormat form = new MessageFormat(rb.getString
	("Enter.key.password.for.alias."));
	Object[] source = {alias};
	System.err.println(form.format(source));
	if (orig == null) {
	System.err.print(rb.getString
	(".RETURN.if.same.as.keystore.password."));
	} else {
	form = new MessageFormat(rb.getString
	(".RETURN.if.same.as.for.otherAlias."));
	Object[] src = {orig};
	System.err.print(form.format(src));
	}
	System.err.flush();
	char[] entered = Password.readPassword(System.in);
	passwords.add(entered);
	if (entered == null) {
	return origPass;
	} else if (entered.length >= 6) {
	System.err.print(rb.getString("Re.enter.new.password."));
	char[] passAgain = Password.readPassword(System.in);
	passwords.add(passAgain);
	if (!Arrays.equals(entered, passAgain)) {
	System.err.println
	(rb.getString("They.don.t.match.Try.again"));
	continue;
	}
	return entered;
	} else {
	System.err.println(rb.getString
	("Key.password.is.too.short.must.be.at.least.6.characters"));
	}
	}
	if (count == 3) {
	if (command == KEYCLONE) {
	throw new Exception(rb.getString
	("Too.many.failures.Key.entry.not.cloned"));
	} else {
	throw new Exception(rb.getString
	("Too.many.failures.key.not.added.to.keystore"));
	}
	}
	}
	return null; // PKCS11, MSCAPI, or -protected
	}

	/*
	* Prompt the user for the password credential to be stored.
	*/
	private char[] promptForCredential() throws Exception {
	// Handle password supplied via stdin
	if (System.console() == null) {
	char[] importPass = Password.readPassword(System.in);
	passwords.add(importPass);
	return importPass;
	}

	int count;
	for (count = 0; count < 3; count++) {
	System.err.print(
	rb.getString("Enter.the.password.to.be.stored."));
	System.err.flush();
	char[] entered = Password.readPassword(System.in);
	passwords.add(entered);
	System.err.print(rb.getString("Re.enter.password."));
	char[] passAgain = Password.readPassword(System.in);
	passwords.add(passAgain);
	if (!Arrays.equals(entered, passAgain)) {
	System.err.println(rb.getString("They.don.t.match.Try.again"));
	continue;
	}
	return entered;
	}

	if (count == 3) {
	throw new Exception(rb.getString
	("Too.many.failures.key.not.added.to.keystore"));
	}

	return null;
	}

	/**
	* Creates a new secret key.
	*/
	private void doGenSecretKey(String alias, String keyAlgName,
	int keysize)
	throws Exception
	{
	if (alias == null) {
	alias = keyAlias;
	}
	if (keyStore.containsAlias(alias)) {
	MessageFormat form = new MessageFormat(rb.getString
	("Secret.key.not.generated.alias.alias.already.exists"));
	Object[] source = {alias};
	throw new Exception(form.format(source));
	}

	// Use the keystore's default PBE algorithm for entry protection
	boolean useDefaultPBEAlgorithm = true;
	SecretKey secKey = null;

	if (keyAlgName.toUpperCase(Locale.ENGLISH).startsWith("PBE")) {
	SecretKeyFactory factory = SecretKeyFactory.getInstance("PBE");

	// User is prompted for PBE credential
	secKey =
	factory.generateSecret(new PBEKeySpec(promptForCredential()));

	// Check whether a specific PBE algorithm was specified
	if (!"PBE".equalsIgnoreCase(keyAlgName)) {
	useDefaultPBEAlgorithm = false;
	}

	if (verbose) {
	MessageFormat form = new MessageFormat(rb.getString(
	"Generated.keyAlgName.secret.key"));
	Object[] source =
	{useDefaultPBEAlgorithm ? "PBE" : secKey.getAlgorithm()};
	System.err.println(form.format(source));
	}
	} else {
	KeyGenerator keygen = KeyGenerator.getInstance(keyAlgName);
	if (keysize == -1) {
	if ("DES".equalsIgnoreCase(keyAlgName)) {
	keysize = 56;
	} else if ("DESede".equalsIgnoreCase(keyAlgName)) {
	keysize = 168;
	} else {
	throw new Exception(rb.getString
	("Please.provide.keysize.for.secret.key.generation"));
	}
	}
	keygen.init(keysize);
	secKey = keygen.generateKey();

	if (verbose) {
	MessageFormat form = new MessageFormat(rb.getString
	("Generated.keysize.bit.keyAlgName.secret.key"));
	Object[] source = {keysize,
	secKey.getAlgorithm()};
	System.err.println(form.format(source));
	}
	}

	if (keyPass == null) {
	keyPass = promptForKeyPass(alias, null, storePass);
	}

	if (useDefaultPBEAlgorithm) {
	keyStore.setKeyEntry(alias, secKey, keyPass, null);
	} else {
	keyStore.setEntry(alias, new KeyStore.SecretKeyEntry(secKey),
	new KeyStore.PasswordProtection(keyPass, keyAlgName, null));
	}
	}

	/**
	* If no signature algorithm was specified at the command line,
	* we choose one that is compatible with the selected private key
	*/
	private static String getCompatibleSigAlgName(PrivateKey key)
	throws Exception {
	String result = AlgorithmId.getDefaultSigAlgForKey(key);
	if (result != null) {
	return result;
	} else {
	throw new Exception(rb.getString
	("Cannot.derive.signature.algorithm"));
	}
	}

	/**
	* Creates a new key pair and self-signed certificate.
	*/
	private void doGenKeyPair(String alias, String dname, String keyAlgName,
	int keysize, String sigAlgName)
	throws Exception
	{
	if (keysize == -1) {
	if ("EC".equalsIgnoreCase(keyAlgName)) {
	keysize = SecurityProviderConstants.DEF_EC_KEY_SIZE;
	} else if ("RSA".equalsIgnoreCase(keyAlgName)) {
	keysize = SecurityProviderConstants.DEF_RSA_KEY_SIZE;
	} else if ("DSA".equalsIgnoreCase(keyAlgName)) {
	keysize = SecurityProviderConstants.DEF_DSA_KEY_SIZE;
	}
	}

	if (alias == null) {
	alias = keyAlias;
	}

	if (keyStore.containsAlias(alias)) {
	MessageFormat form = new MessageFormat(rb.getString
	("Key.pair.not.generated.alias.alias.already.exists"));
	Object[] source = {alias};
	throw new Exception(form.format(source));
	}

	CertAndKeyGen keypair =
	new CertAndKeyGen(keyAlgName, sigAlgName, providerName);


	// If DN is provided, parse it. Otherwise, prompt the user for it.
	X500Name x500Name;
	if (dname == null) {
	x500Name = getX500Name();
	} else {
	x500Name = new X500Name(dname);
	}

	keypair.generate(keysize);
	PrivateKey privKey = keypair.getPrivateKey();

	CertificateExtensions ext = createV3Extensions(
	null,
	null,
	v3ext,
	keypair.getPublicKeyAnyway(),
	null);

	X509Certificate[] chain = new X509Certificate[1];
	chain[0] = keypair.getSelfCertificate(
	x500Name, getStartDate(startDate), validity24L60L*60L, ext);

	if (verbose) {
	MessageFormat form = new MessageFormat(rb.getString
	("Generating.keysize.bit.keyAlgName.key.pair.and.self.signed.certificate.sigAlgName.with.a.validity.of.validality.days.for"));
	Object[] source = {keysize,
	privKey.getAlgorithm(),
	chain[0].getSigAlgName(),
	validity,
	x500Name};
	System.err.println(form.format(source));
	}

	if (keyPass == null) {
	keyPass = promptForKeyPass(alias, null, storePass);
	}
	checkWeak(rb.getString("the.generated.certificate"), chain[0]);
	keyStore.setKeyEntry(alias, privKey, keyPass, chain);
	}

	/**
	* Clones an entry
	* @param orig original alias
	* @param dest destination alias
	* @changePassword if the password can be changed
	*/
	private void doCloneEntry(String orig, String dest, boolean changePassword)
	throws Exception
	{
	if (orig == null) {
	orig = keyAlias;
	}

	if (keyStore.containsAlias(dest)) {
	MessageFormat form = new MessageFormat
	(rb.getString("Destination.alias.dest.already.exists"));
	Object[] source = {dest};
	throw new Exception(form.format(source));
	}

	Pair<Entry,char[]> objs = recoverEntry(keyStore, orig, storePass, keyPass);
	Entry entry = objs.fst;
	keyPass = objs.snd;

	PasswordProtection pp = null;

	if (keyPass != null) { // protected
	if (!changePassword \|\| P12KEYSTORE.equalsIgnoreCase(storetype)) {
	keyPassNew = keyPass;
	} else {
	if (keyPassNew == null) {
	keyPassNew = promptForKeyPass(dest, orig, keyPass);
	}
	}
	pp = new PasswordProtection(keyPassNew);
	}
	keyStore.setEntry(dest, entry, pp);
	}

	/**
	* Changes a key password.
	*/
	private void doChangeKeyPasswd(String alias) throws Exception
	{

	if (alias == null) {
	alias = keyAlias;
	}
	Pair<Key,char[]> objs = recoverKey(alias, storePass, keyPass);
	Key privKey = objs.fst;
	if (keyPass == null) {
	keyPass = objs.snd;
	}

	if (keyPassNew == null) {
	MessageFormat form = new MessageFormat
	(rb.getString("key.password.for.alias."));
	Object[] source = {alias};
	keyPassNew = getNewPasswd(form.format(source), keyPass);
	}
	keyStore.setKeyEntry(alias, privKey, keyPassNew,
	keyStore.getCertificateChain(alias));
	}

	/**
	* Imports a JDK 1.1-style identity database. We can only store one
	* certificate per identity, because we use the identity's name as the
	* alias (which references a keystore entry), and aliases must be unique.
	*/
	private void doImportIdentityDatabase(InputStream in)
	throws Exception
	{
	System.err.println(rb.getString
	("No.entries.from.identity.database.added"));
	}

	/**
	* Prints a single keystore entry.
	*/
	private void doPrintEntry(String label, String alias, PrintStream out)
	throws Exception
	{
	if (keyStore.containsAlias(alias) == false) {
	MessageFormat form = new MessageFormat
	(rb.getString("Alias.alias.does.not.exist"));
	Object[] source = {alias};
	throw new Exception(form.format(source));
	}

	if (verbose \|\| rfc \|\| debug) {
	MessageFormat form = new MessageFormat
	(rb.getString("Alias.name.alias"));
	Object[] source = {alias};
	out.println(form.format(source));

	if (!token) {
	form = new MessageFormat(rb.getString
	("Creation.date.keyStore.getCreationDate.alias."));
	Object[] src = {keyStore.getCreationDate(alias)};
	out.println(form.format(src));
	}
	} else {
	if (!token) {
	MessageFormat form = new MessageFormat
	(rb.getString("alias.keyStore.getCreationDate.alias."));
	Object[] source = {alias, keyStore.getCreationDate(alias)};
	out.print(form.format(source));
	} else {
	MessageFormat form = new MessageFormat
	(rb.getString("alias."));
	Object[] source = {alias};
	out.print(form.format(source));
	}
	}

	if (keyStore.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) {
	if (verbose \|\| rfc \|\| debug) {
	Object[] source = {"SecretKeyEntry"};
	out.println(new MessageFormat(
	rb.getString("Entry.type.type.")).format(source));
	} else {
	out.println("SecretKeyEntry, ");
	}
	} else if (keyStore.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
	if (verbose \|\| rfc \|\| debug) {
	Object[] source = {"PrivateKeyEntry"};
	out.println(new MessageFormat(
	rb.getString("Entry.type.type.")).format(source));
	} else {
	out.println("PrivateKeyEntry, ");
	}

	// Get the chain
	Certificate[] chain = keyStore.getCertificateChain(alias);
	if (chain != null) {
	if (verbose \|\| rfc \|\| debug) {
	out.println(rb.getString
	("Certificate.chain.length.") + chain.length);
	for (int i = 0; i < chain.length; i ++) {
	MessageFormat form = new MessageFormat
	(rb.getString("Certificate.i.1."));
	Object[] source = {(i + 1)};
	out.println(form.format(source));
	if (verbose && (chain[i] instanceof X509Certificate)) {
	printX509Cert((X509Certificate)(chain[i]), out);
	} else if (debug) {
	out.println(chain[i].toString());
	} else {
	dumpCert(chain[i], out);
	}
	checkWeak(label, chain[i]);
	}
	} else {
	// Print the digest of the user cert only
	out.println
	(rb.getString("Certificate.fingerprint.SHA.256.") +
	getCertFingerPrint("SHA-256", chain[0]));
	checkWeak(label, chain);
	}
	}
	} else if (keyStore.entryInstanceOf(alias,
	KeyStore.TrustedCertificateEntry.class)) {
	// We have a trusted certificate entry
	Certificate cert = keyStore.getCertificate(alias);
	Object[] source = {"trustedCertEntry"};
	String mf = new MessageFormat(
	rb.getString("Entry.type.type.")).format(source) + "\n";
	if (verbose && (cert instanceof X509Certificate)) {
	out.println(mf);
	printX509Cert((X509Certificate)cert, out);
	} else if (rfc) {
	out.println(mf);
	dumpCert(cert, out);
	} else if (debug) {
	out.println(cert.toString());
	} else {
	out.println("trustedCertEntry, ");
	out.println(rb.getString("Certificate.fingerprint.SHA.256.")
	+ getCertFingerPrint("SHA-256", cert));
	}
	checkWeak(label, cert);
	} else {
	out.println(rb.getString("Unknown.Entry.Type"));
	}
	}

	boolean inplaceImportCheck() throws Exception {
	if (P11KEYSTORE.equalsIgnoreCase(srcstoretype) \|\|
	KeyStoreUtil.isWindowsKeyStore(srcstoretype)) {
	return false;
	}

	if (srcksfname != null) {
	File srcksfile = new File(srcksfname);
	if (srcksfile.exists() && srcksfile.length() == 0) {
	throw new Exception(rb.getString
	("Source.keystore.file.exists.but.is.empty.") +
	srcksfname);
	}
	if (srcksfile.getCanonicalFile()
	.equals(new File(ksfname).getCanonicalFile())) {
	return true;
	} else {
	// Informational, especially if destkeystore is not
	// provided, which default to ~/.keystore.
	System.err.println(String.format(rb.getString(
	"importing.keystore.status"), srcksfname, ksfname));
	return false;
	}
	} else {
	throw new Exception(rb.getString
	("Please.specify.srckeystore"));
	}
	}

	/**
	* Load the srckeystore from a stream, used in -importkeystore
	* @return the src KeyStore
	*/
	KeyStore loadSourceKeyStore() throws Exception {

	InputStream is = null;
	File srcksfile = null;

	if (P11KEYSTORE.equalsIgnoreCase(srcstoretype) \|\|
	KeyStoreUtil.isWindowsKeyStore(srcstoretype)) {
	if (!NONE.equals(srcksfname)) {
	System.err.println(MessageFormat.format(rb.getString
	(".keystore.must.be.NONE.if.storetype.is.{0}"), srcstoretype));
	System.err.println();
	tinyHelp();
	}
	} else {
	srcksfile = new File(srcksfname);
	is = new FileInputStream(srcksfile);
	}

	KeyStore store;
	try {
	// Probe for keystore type when filename is available
	if (srcksfile != null && is != null && srcProviderName == null &&
	srcstoretype == null) {
	store = KeyStore.getInstance(srcksfile, srcstorePass);
	srcstoretype = store.getType();
	} else {
	if (srcstoretype == null) {
	srcstoretype = KeyStore.getDefaultType();
	}
	if (srcProviderName == null) {
	store = KeyStore.getInstance(srcstoretype);
	} else {
	store = KeyStore.getInstance(srcstoretype, srcProviderName);
	}
	}

	if (srcstorePass == null
	&& !srcprotectedPath
	&& !KeyStoreUtil.isWindowsKeyStore(srcstoretype)) {
	System.err.print(rb.getString("Enter.source.keystore.password."));
	System.err.flush();
	srcstorePass = Password.readPassword(System.in);
	passwords.add(srcstorePass);
	}

	// always let keypass be storepass when using pkcs12
	if (P12KEYSTORE.equalsIgnoreCase(srcstoretype)) {
	if (srckeyPass != null && srcstorePass != null &&
	!Arrays.equals(srcstorePass, srckeyPass)) {
	MessageFormat form = new MessageFormat(rb.getString(
	"Warning.Different.store.and.key.passwords.not.supported.for.PKCS12.KeyStores.Ignoring.user.specified.command.value."));
	Object[] source = {"-srckeypass"};
	System.err.println(form.format(source));
	srckeyPass = srcstorePass;
	}
	}

	store.load(is, srcstorePass); // "is" already null in PKCS11
	} finally {
	if (is != null) {
	is.close();
	}
	}

	if (srcstorePass == null
	&& !KeyStoreUtil.isWindowsKeyStore(srcstoretype)) {
	// anti refactoring, copied from printNoIntegrityWarning(),
	// but change 2 lines
	System.err.println();
	System.err.println(rb.getString
	(".WARNING.WARNING.WARNING."));
	System.err.println(rb.getString
	(".The.integrity.of.the.information.stored.in.the.srckeystore."));
	System.err.println(rb.getString
	(".WARNING.WARNING.WARNING."));
	System.err.println();
	}

	return store;
	}

	/**
	* import all keys and certs from importkeystore.
	* keep alias unchanged if no name conflict, otherwise, prompt.
	* keep keypass unchanged for keys
	*/
	private void doImportKeyStore(KeyStore srcKS) throws Exception {

	if (alias != null) {
	doImportKeyStoreSingle(srcKS, alias);
	} else {
	if (dest != null \|\| srckeyPass != null) {
	throw new Exception(rb.getString(
	"if.alias.not.specified.destalias.and.srckeypass.must.not.be.specified"));
	}
	doImportKeyStoreAll(srcKS);
	}

	if (inplaceImport) {
	// Backup to file.old or file.old2...
	// The keystore is not rewritten yet now.
	for (int n = 1; /* forever */; n++) {
	inplaceBackupName = srcksfname + ".old" + (n == 1 ? "" : n);
	File bkFile = new File(inplaceBackupName);
	if (!bkFile.exists()) {
	Files.copy(Path.of(srcksfname), bkFile.toPath());
	break;
	}
	}

	}

	/*
	* Information display rule of -importkeystore
	* 1. inside single, shows failure
	* 2. inside all, shows sucess
	* 3. inside all where there is a failure, prompt for continue
	* 4. at the final of all, shows summary
	*/
	}

	/**
	* Import a single entry named alias from srckeystore
	* @return 1 if the import action succeed
	* 0 if user choose to ignore an alias-dumplicated entry
	* 2 if setEntry throws Exception
	*/
	private int doImportKeyStoreSingle(KeyStore srckeystore, String alias)
	throws Exception {

	String newAlias = (dest==null) ? alias : dest;

	if (keyStore.containsAlias(newAlias)) {
	Object[] source = {alias};
	if (noprompt) {
	System.err.println(new MessageFormat(rb.getString(
	"Warning.Overwriting.existing.alias.alias.in.destination.keystore")).format(source));
	} else {
	String reply = getYesNoReply(new MessageFormat(rb.getString(
	"Existing.entry.alias.alias.exists.overwrite.no.")).format(source));
	if ("NO".equals(reply)) {
	newAlias = inputStringFromStdin(rb.getString
	("Enter.new.alias.name.RETURN.to.cancel.import.for.this.entry."));
	if ("".equals(newAlias)) {
	System.err.println(new MessageFormat(rb.getString(
	"Entry.for.alias.alias.not.imported.")).format(
	source));
	return 0;
	}
	}
	}
	}

	Pair<Entry,char[]> objs = recoverEntry(srckeystore, alias, srcstorePass, srckeyPass);
	Entry entry = objs.fst;

	PasswordProtection pp = null;

	// According to keytool.html, "The destination entry will be protected
	// using destkeypass. If destkeypass is not provided, the destination
	// entry will be protected with the source entry password."
	// so always try to protect with destKeyPass.
	char[] newPass = null;
	if (destKeyPass != null) {
	newPass = destKeyPass;
	pp = new PasswordProtection(destKeyPass);
	} else if (objs.snd != null) {
	newPass = P12KEYSTORE.equalsIgnoreCase(storetype) ?
	storePass : objs.snd;
	pp = new PasswordProtection(newPass);
	}

	try {
	Certificate c = srckeystore.getCertificate(alias);
	if (c != null) {
	checkWeak("<" + newAlias + ">", c);
	}
	keyStore.setEntry(newAlias, entry, pp);
	// Place the check so that only successful imports are blocked.
	// For example, we don't block a failed SecretEntry import.
	if (P12KEYSTORE.equalsIgnoreCase(storetype)) {
	if (newPass != null && !Arrays.equals(newPass, storePass)) {
	throw new Exception(rb.getString(
	"The.destination.pkcs12.keystore.has.different.storepass.and.keypass.Please.retry.with.destkeypass.specified."));
	}
	}
	return 1;
	} catch (KeyStoreException kse) {
	Object[] source2 = {alias, kse.toString()};
	MessageFormat form = new MessageFormat(rb.getString(
	"Problem.importing.entry.for.alias.alias.exception.Entry.for.alias.alias.not.imported."));
	System.err.println(form.format(source2));
	return 2;
	}
	}

	private void doImportKeyStoreAll(KeyStore srckeystore) throws Exception {

	int ok = 0;
	int count = srckeystore.size();
	for (Enumeration<String> e = srckeystore.aliases();
	e.hasMoreElements(); ) {
	String alias = e.nextElement();
	int result = doImportKeyStoreSingle(srckeystore, alias);
	if (result == 1) {
	ok++;
	Object[] source = {alias};
	MessageFormat form = new MessageFormat(rb.getString("Entry.for.alias.alias.successfully.imported."));
	System.err.println(form.format(source));
	} else if (result == 2) {
	if (!noprompt) {
	String reply = getYesNoReply("Do you want to quit the import process? [no]: ");
	if ("YES".equals(reply)) {
	break;
	}
	}
	}
	}
	Object[] source = {ok, count-ok};
	MessageFormat form = new MessageFormat(rb.getString(
	"Import.command.completed.ok.entries.successfully.imported.fail.entries.failed.or.cancelled"));
	System.err.println(form.format(source));
	}

	/**
	* Prints all keystore entries.
	*/
	private void doPrintEntries(PrintStream out)
	throws Exception
	{
	out.println(rb.getString("Keystore.type.") + keyStore.getType());
	out.println(rb.getString("Keystore.provider.") +
	keyStore.getProvider().getName());
	out.println();

	MessageFormat form;
	form = (keyStore.size() == 1) ?
	new MessageFormat(rb.getString
	("Your.keystore.contains.keyStore.size.entry")) :
	new MessageFormat(rb.getString
	("Your.keystore.contains.keyStore.size.entries"));
	Object[] source = {keyStore.size()};
	out.println(form.format(source));
	out.println();

	for (Enumeration<String> e = keyStore.aliases();
	e.hasMoreElements(); ) {
	String alias = e.nextElement();
	doPrintEntry("<" + alias + ">", alias, out);
	if (verbose \|\| rfc) {
	out.println(rb.getString("NEWLINE"));
	out.println(rb.getString
	("STAR"));
	out.println(rb.getString
	("STARNN"));
	}
	}
	}

	private static <T> Iterable<T> e2i(final Enumeration<T> e) {
	return new Iterable<T>() {
	@Override
	public Iterator<T> iterator() {
	return new Iterator<T>() {
	@Override
	public boolean hasNext() {
	return e.hasMoreElements();
	}
	@Override
	public T next() {
	return e.nextElement();
	}
	public void remove() {
	throw new UnsupportedOperationException("Not supported yet.");
	}
	};
	}
	};
	}

	/**
	* Loads CRLs from a source. This method is also called in JarSigner.
	* @param src the source, which means System.in if null, or a URI,
	* or a bare file path name
	*/
	public static Collection<? extends CRL> loadCRLs(String src) throws Exception {
	InputStream in = null;
	URI uri = null;
	if (src == null) {
	in = System.in;
	} else {
	try {
	uri = new URI(src);
	if (uri.getScheme().equals("ldap")) {
	// No input stream for LDAP
	} else {
	in = uri.toURL().openStream();
	}
	} catch (Exception e) {
	try {
	in = new FileInputStream(src);
	} catch (Exception e2) {
	if (uri == null \|\| uri.getScheme() == null) {
	throw e2; // More likely a bare file path
	} else {
	throw e; // More likely a protocol or network problem
	}
	}
	}
	}
	if (in != null) {
	try {
	// Read the full stream before feeding to X509Factory,
	// otherwise, keytool -gencrl \| keytool -printcrl
	// might not work properly, since -gencrl is slow
	// and there's no data in the pipe at the beginning.
	ByteArrayOutputStream bout = new ByteArrayOutputStream();
	byte[] b = new byte[4096];
	while (true) {
	int len = in.read(b);
	if (len < 0) break;
	bout.write(b, 0, len);
	}
	return CertificateFactory.getInstance("X509").generateCRLs(
	new ByteArrayInputStream(bout.toByteArray()));
	} finally {
	if (in != System.in) {
	in.close();
	}
	}
	} else { // must be LDAP, and uri is not null
	URICertStoreParameters params =
	new URICertStoreParameters(uri);
	CertStore s = CertStore.getInstance("LDAP", params);
	return s.getCRLs(new X509CRLSelector());
	}
	}

	/**
	* Returns CRLs described in a X509Certificate's CRLDistributionPoints
	* Extension. Only those containing a general name of type URI are read.
	*/
	public static List<CRL> readCRLsFromCert(X509Certificate cert)
	throws Exception {
	List<CRL> crls = new ArrayList<>();
	CRLDistributionPointsExtension ext =
	X509CertImpl.toImpl(cert).getCRLDistributionPointsExtension();
	if (ext == null) return crls;
	List<DistributionPoint> distPoints =
	ext.get(CRLDistributionPointsExtension.POINTS);
	for (DistributionPoint o: distPoints) {
	GeneralNames names = o.getFullName();
	if (names != null) {
	for (GeneralName name: names.names()) {
	if (name.getType() == GeneralNameInterface.NAME_URI) {
	URIName uriName = (URIName)name.getName();
	for (CRL crl: loadCRLs(uriName.getName())) {
	if (crl instanceof X509CRL) {
	crls.add((X509CRL)crl);
	}
	}
	break; // Different name should point to same CRL
	}
	}
	}
	}
	return crls;
	}

	private static String verifyCRL(KeyStore ks, CRL crl)
	throws Exception {
	X509CRLImpl xcrl = (X509CRLImpl)crl;
	X500Principal issuer = xcrl.getIssuerX500Principal();
	for (String s: e2i(ks.aliases())) {
	Certificate cert = ks.getCertificate(s);
	if (cert instanceof X509Certificate) {
	X509Certificate xcert = (X509Certificate)cert;
	if (xcert.getSubjectX500Principal().equals(issuer)) {
	try {
	((X509CRLImpl)crl).verify(cert.getPublicKey());
	return s;
	} catch (Exception e) {
	}
	}
	}
	}
	return null;
	}

	private void doPrintCRL(String src, PrintStream out)
	throws Exception {
	for (CRL crl: loadCRLs(src)) {
	printCRL(crl, out);
	String issuer = null;
	Certificate signer = null;
	if (caks != null) {
	issuer = verifyCRL(caks, crl);
	if (issuer != null) {
	signer = caks.getCertificate(issuer);
	out.printf(rb.getString(
	"verified.by.s.in.s.weak"),
	issuer,
	"cacerts",
	withWeak(signer.getPublicKey()));
	out.println();
	}
	}
	if (issuer == null && keyStore != null) {
	issuer = verifyCRL(keyStore, crl);
	if (issuer != null) {
	signer = keyStore.getCertificate(issuer);
	out.printf(rb.getString(
	"verified.by.s.in.s.weak"),
	issuer,
	"keystore",
	withWeak(signer.getPublicKey()));
	out.println();
	}
	}
	if (issuer == null) {
	out.println(rb.getString
	("STAR"));
	out.println(rb.getString
	("warning.not.verified.make.sure.keystore.is.correct"));
	out.println(rb.getString
	("STARNN"));
	}
	checkWeak(rb.getString("the.crl"), crl, signer == null ? null : signer.getPublicKey());
	}
	}

	private void printCRL(CRL crl, PrintStream out)
	throws Exception {
	X509CRL xcrl = (X509CRL)crl;
	if (rfc) {
	out.println("-----BEGIN X509 CRL-----");
	out.println(Base64.getMimeEncoder(64, CRLF).encodeToString(xcrl.getEncoded()));
	out.println("-----END X509 CRL-----");
	} else {
	String s;
	if (crl instanceof X509CRLImpl) {
	X509CRLImpl x509crl = (X509CRLImpl) crl;
	s = x509crl.toStringWithAlgName(withWeak("" + x509crl.getSigAlgId()));
	} else {
	s = crl.toString();
	}
	out.println(s);
	}
	}

	private void doPrintCertReq(InputStream in, PrintStream out)
	throws Exception {

	BufferedReader reader = new BufferedReader(new InputStreamReader(in));
	StringBuffer sb = new StringBuffer();
	boolean started = false;
	while (true) {
	String s = reader.readLine();
	if (s == null) break;
	if (!started) {
	if (s.startsWith("-----")) {
	started = true;
	}
	} else {
	if (s.startsWith("-----")) {
	break;
	}
	sb.append(s);
	}
	}
	PKCS10 req = new PKCS10(Pem.decode(new String(sb)));

	PublicKey pkey = req.getSubjectPublicKeyInfo();
	out.printf(rb.getString("PKCS.10.with.weak"),
	req.getSubjectName(),
	pkey.getFormat(),
	withWeak(pkey),
	withWeak(req.getSigAlg()));
	for (PKCS10Attribute attr: req.getAttributes().getAttributes()) {
	ObjectIdentifier oid = attr.getAttributeId();
	if (oid.equals(PKCS9Attribute.EXTENSION_REQUEST_OID)) {
	CertificateExtensions exts = (CertificateExtensions)attr.getAttributeValue();
	if (exts != null) {
	printExtensions(rb.getString("Extension.Request."), exts, out);
	}
	} else {
	out.println("Attribute: " + attr.getAttributeId());
	PKCS9Attribute pkcs9Attr =
	new PKCS9Attribute(attr.getAttributeId(),
	attr.getAttributeValue());
	out.print(pkcs9Attr.getName() + ": ");
	Object attrVal = attr.getAttributeValue();
	out.println(attrVal instanceof String[] ?
	Arrays.toString((String[]) attrVal) :
	attrVal);
	}
	}
	if (debug) {
	out.println(req); // Just to see more, say, public key length...
	}
	checkWeak(rb.getString("the.certificate.request"), req);
	}

	/**
	* Reads a certificate (or certificate chain) and prints its contents in
	* a human readable format.
	*/
	private void printCertFromStream(InputStream in, PrintStream out)
	throws Exception
	{
	Collection<? extends Certificate> c = null;
	try {
	c = cf.generateCertificates(in);
	} catch (CertificateException ce) {
	throw new Exception(rb.getString("Failed.to.parse.input"), ce);
	}
	if (c.isEmpty()) {
	throw new Exception(rb.getString("Empty.input"));
	}
	Certificate[] certs = c.toArray(new Certificate[c.size()]);
	for (int i=0; i<certs.length; i++) {
	X509Certificate x509Cert = null;
	try {
	x509Cert = (X509Certificate)certs[i];
	} catch (ClassCastException cce) {
	throw new Exception(rb.getString("Not.X.509.certificate"));
	}
	if (certs.length > 1) {
	MessageFormat form = new MessageFormat
	(rb.getString("Certificate.i.1."));
	Object[] source = {i + 1};
	out.println(form.format(source));
	}
	if (rfc)
	dumpCert(x509Cert, out);
	else
	printX509Cert(x509Cert, out);
	if (i < (certs.length-1)) {
	out.println();
	}
	checkWeak(oneInMany(rb.getString("the.certificate"), i, certs.length), x509Cert);
	}
	}

	private static String oneInMany(String label, int i, int num) {
	if (num == 1) {
	return label;
	} else {
	return String.format(rb.getString("one.in.many"), label, i+1, num);
	}
	}

	private void doPrintCert(final PrintStream out) throws Exception {
	if (jarfile != null) {
	// reset "jdk.certpath.disabledAlgorithms" security property
	// to be able to read jars which were signed with weak algorithms
	Security.setProperty(DisabledAlgorithmConstraints.PROPERTY_JAR_DISABLED_ALGS, "");

	JarFile jf = new JarFile(jarfile, true);
	Enumeration<JarEntry> entries = jf.entries();
	Set<CodeSigner> ss = new HashSet<>();
	byte[] buffer = new byte[8192];
	int pos = 0;
	while (entries.hasMoreElements()) {
	JarEntry je = entries.nextElement();
	try (InputStream is = jf.getInputStream(je)) {
	while (is.read(buffer) != -1) {
	// we just read. this will throw a SecurityException
	// if a signature/digest check fails. This also
	// populate the signers
	}
	}
	CodeSigner[] signers = je.getCodeSigners();
	if (signers != null) {
	for (CodeSigner signer: signers) {
	if (!ss.contains(signer)) {
	ss.add(signer);
	out.printf(rb.getString("Signer.d."), ++pos);
	out.println();
	out.println();
	out.println(rb.getString("Signature."));
	out.println();

	List<? extends Certificate> certs
	= signer.getSignerCertPath().getCertificates();
	int cc = 0;
	for (Certificate cert: certs) {
	X509Certificate x = (X509Certificate)cert;
	if (rfc) {
	out.println(rb.getString("Certificate.owner.") + x.getSubjectDN() + "\n");
	dumpCert(x, out);
	} else {
	printX509Cert(x, out);
	}
	out.println();
	checkWeak(oneInMany(rb.getString("the.certificate"), cc++, certs.size()), x);
	}
	Timestamp ts = signer.getTimestamp();
	if (ts != null) {
	out.println(rb.getString("Timestamp."));
	out.println();
	certs = ts.getSignerCertPath().getCertificates();
	cc = 0;
	for (Certificate cert: certs) {
	X509Certificate x = (X509Certificate)cert;
	if (rfc) {
	out.println(rb.getString("Certificate.owner.") + x.getSubjectDN() + "\n");
	dumpCert(x, out);
	} else {
	printX509Cert(x, out);
	}
	out.println();
	checkWeak(oneInMany(rb.getString("the.tsa.certificate"), cc++, certs.size()), x);
	}
	}
	}
	}
	}
	}
	jf.close();
	if (ss.isEmpty()) {
	out.println(rb.getString("Not.a.signed.jar.file"));
	}
	} else if (sslserver != null) {
	CertStore cs = SSLServerCertStore.getInstance(new URI("https://" + sslserver));
	Collection<? extends Certificate> chain;
	try {
	chain = cs.getCertificates(null);
	if (chain.isEmpty()) {
	// If the certs are not retrieved, we consider it an error
	// even if the URL connection is successful.
	throw new Exception(rb.getString(
	"No.certificate.from.the.SSL.server"));
	}
	} catch (CertStoreException cse) {
	if (cse.getCause() instanceof IOException) {
	throw new Exception(rb.getString(
	"No.certificate.from.the.SSL.server"),
	cse.getCause());
	} else {
	throw cse;
	}
	}

	int i = 0;
	for (Certificate cert : chain) {
	try {
	if (rfc) {
	dumpCert(cert, out);
	} else {
	out.println("Certificate #" + i);
	out.println("====================================");
	printX509Cert((X509Certificate)cert, out);
	out.println();
	}
	checkWeak(oneInMany(rb.getString("the.certificate"), i++, chain.size()), cert);
	} catch (Exception e) {
	if (debug) {
	e.printStackTrace();
	}
	}
	}
	} else {
	if (filename != null) {
	try (FileInputStream inStream = new FileInputStream(filename)) {
	printCertFromStream(inStream, out);
	}
	} else {
	printCertFromStream(System.in, out);
	}
	}
	}

	private void doChangeStorePasswd() throws Exception {
	storePassNew = newPass;
	if (storePassNew == null) {
	storePassNew = getNewPasswd("keystore password", storePass);
	}
	if (P12KEYSTORE.equalsIgnoreCase(storetype)) {
	// When storetype is PKCS12, we need to change all keypass as well
	for (String alias : Collections.list(keyStore.aliases())) {
	if (!keyStore.isCertificateEntry(alias)) {
	// keyPass should be either null or same with storePass,
	// but keep it in case one day we want to "normalize"
	// a PKCS12 keystore having different passwords.
	Pair<Entry, char[]> objs
	= recoverEntry(keyStore, alias, storePass, keyPass);
	keyStore.setEntry(alias, objs.fst,
	new PasswordProtection(storePassNew));
	}
	}
	}
	}

	/**
	* Creates a self-signed certificate, and stores it as a single-element
	* certificate chain.
	*/
	private void doSelfCert(String alias, String dname, String sigAlgName)
	throws Exception
	{
	if (alias == null) {
	alias = keyAlias;
	}

	Pair<Key,char[]> objs = recoverKey(alias, storePass, keyPass);
	PrivateKey privKey = (PrivateKey)objs.fst;
	if (keyPass == null)
	keyPass = objs.snd;

	// Determine the signature algorithm
	if (sigAlgName == null) {
	sigAlgName = getCompatibleSigAlgName(privKey);
	}

	// Get the old certificate
	Certificate oldCert = keyStore.getCertificate(alias);
	if (oldCert == null) {
	MessageFormat form = new MessageFormat
	(rb.getString("alias.has.no.public.key"));
	Object[] source = {alias};
	throw new Exception(form.format(source));
	}
	if (!(oldCert instanceof X509Certificate)) {
	MessageFormat form = new MessageFormat
	(rb.getString("alias.has.no.X.509.certificate"));
	Object[] source = {alias};
	throw new Exception(form.format(source));
	}

	// convert to X509CertImpl, so that we can modify selected fields
	// (no public APIs available yet)
	byte[] encoded = oldCert.getEncoded();
	X509CertImpl certImpl = new X509CertImpl(encoded);
	X509CertInfo certInfo = (X509CertInfo)certImpl.get(X509CertImpl.NAME
	+ "." +
	X509CertImpl.INFO);

	// Extend its validity
	Date firstDate = getStartDate(startDate);
	Date lastDate = new Date();
	lastDate.setTime(firstDate.getTime() + validity1000L24L60L60L);
	CertificateValidity interval = new CertificateValidity(firstDate,
	lastDate);
	certInfo.set(X509CertInfo.VALIDITY, interval);

	// Make new serial number
	certInfo.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(
	new java.util.Random().nextInt() & 0x7fffffff));

	// Set owner and issuer fields
	X500Name owner;
	if (dname == null) {
	// Get the owner name from the certificate
	owner = (X500Name)certInfo.get(X509CertInfo.SUBJECT + "." +
	X509CertInfo.DN_NAME);
	} else {
	// Use the owner name specified at the command line
	owner = new X500Name(dname);
	certInfo.set(X509CertInfo.SUBJECT + "." +
	X509CertInfo.DN_NAME, owner);
	}
	// Make issuer same as owner (self-signed!)
	certInfo.set(X509CertInfo.ISSUER + "." +
	X509CertInfo.DN_NAME, owner);

	// The inner and outer signature algorithms have to match.
	// The way we achieve that is really ugly, but there seems to be no
	// other solution: We first sign the cert, then retrieve the
	// outer sigalg and use it to set the inner sigalg
	X509CertImpl newCert = new X509CertImpl(certInfo);
	newCert.sign(privKey, sigAlgName);
	AlgorithmId sigAlgid = (AlgorithmId)newCert.get(X509CertImpl.SIG_ALG);
	certInfo.set(CertificateAlgorithmId.NAME + "." +
	CertificateAlgorithmId.ALGORITHM, sigAlgid);

	certInfo.set(X509CertInfo.VERSION,
	new CertificateVersion(CertificateVersion.V3));

	CertificateExtensions ext = createV3Extensions(
	null,
	(CertificateExtensions)certInfo.get(X509CertInfo.EXTENSIONS),
	v3ext,
	oldCert.getPublicKey(),
	null);
	certInfo.set(X509CertInfo.EXTENSIONS, ext);
	// Sign the new certificate
	newCert = new X509CertImpl(certInfo);
	newCert.sign(privKey, sigAlgName);

	// Store the new certificate as a single-element certificate chain
	keyStore.setKeyEntry(alias, privKey,
	(keyPass != null) ? keyPass : storePass,
	new Certificate[] { newCert } );

	if (verbose) {
	System.err.println(rb.getString("New.certificate.self.signed."));
	System.err.print(newCert.toString());
	System.err.println();
	}
	}

	/**
	* Processes a certificate reply from a certificate authority.
	*
	* <p>Builds a certificate chain on top of the certificate reply,
	* using trusted certificates from the keystore. The chain is complete
	* after a self-signed certificate has been encountered. The self-signed
	* certificate is considered a root certificate authority, and is stored
	* at the end of the chain.
	*
	* <p>The newly generated chain replaces the old chain associated with the
	* key entry.
	*
	* @return true if the certificate reply was installed, otherwise false.
	*/
	private boolean installReply(String alias, InputStream in)
	throws Exception
	{
	if (alias == null) {
	alias = keyAlias;
	}

	Pair<Key,char[]> objs = recoverKey(alias, storePass, keyPass);
	PrivateKey privKey = (PrivateKey)objs.fst;
	if (keyPass == null) {
	keyPass = objs.snd;
	}

	Certificate userCert = keyStore.getCertificate(alias);
	if (userCert == null) {
	MessageFormat form = new MessageFormat
	(rb.getString("alias.has.no.public.key.certificate."));
	Object[] source = {alias};
	throw new Exception(form.format(source));
	}

	// Read the certificates in the reply
	Collection<? extends Certificate> c = cf.generateCertificates(in);
	if (c.isEmpty()) {
	throw new Exception(rb.getString("Reply.has.no.certificates"));
	}
	Certificate[] replyCerts = c.toArray(new Certificate[c.size()]);
	Certificate[] newChain;
	if (replyCerts.length == 1) {
	// single-cert reply
	newChain = establishCertChain(userCert, replyCerts[0]);
	} else {
	// cert-chain reply (e.g., PKCS#7)
	newChain = validateReply(alias, userCert, replyCerts);
	}

	// Now store the newly established chain in the keystore. The new
	// chain replaces the old one. The chain can be null if user chooses no.
	if (newChain != null) {
	keyStore.setKeyEntry(alias, privKey,
	(keyPass != null) ? keyPass : storePass,
	newChain);
	return true;
	} else {
	return false;
	}
	}

	/**
	* Imports a certificate and adds it to the list of trusted certificates.
	*
	* @return true if the certificate was added, otherwise false.
	*/
	private boolean addTrustedCert(String alias, InputStream in)
	throws Exception
	{
	if (alias == null) {
	throw new Exception(rb.getString("Must.specify.alias"));
	}
	if (keyStore.containsAlias(alias)) {
	MessageFormat form = new MessageFormat(rb.getString
	("Certificate.not.imported.alias.alias.already.exists"));
	Object[] source = {alias};
	throw new Exception(form.format(source));
	}

	// Read the certificate
	X509Certificate cert = null;
	try {
	cert = (X509Certificate)cf.generateCertificate(in);
	} catch (ClassCastException \| CertificateException ce) {
	throw new Exception(rb.getString("Input.not.an.X.509.certificate"));
	}

	if (noprompt) {
	checkWeak(rb.getString("the.input"), cert);
	keyStore.setCertificateEntry(alias, cert);
	return true;
	}

	// if certificate is self-signed, make sure it verifies
	boolean selfSigned = false;
	if (KeyStoreUtil.isSelfSigned(cert)) {
	cert.verify(cert.getPublicKey());
	selfSigned = true;
	}

	// check if cert already exists in keystore
	String reply = null;
	String trustalias = keyStore.getCertificateAlias(cert);
	if (trustalias != null) {
	MessageFormat form = new MessageFormat(rb.getString
	("Certificate.already.exists.in.keystore.under.alias.trustalias."));
	Object[] source = {trustalias};
	System.err.println(form.format(source));
	checkWeak(rb.getString("the.input"), cert);
	printWeakWarnings(true);
	reply = getYesNoReply
	(rb.getString("Do.you.still.want.to.add.it.no."));
	} else if (selfSigned) {
	if (trustcacerts && (caks != null) &&
	((trustalias=caks.getCertificateAlias(cert)) != null)) {
	MessageFormat form = new MessageFormat(rb.getString
	("Certificate.already.exists.in.system.wide.CA.keystore.under.alias.trustalias."));
	Object[] source = {trustalias};
	System.err.println(form.format(source));
	checkWeak(rb.getString("the.input"), cert);
	printWeakWarnings(true);
	reply = getYesNoReply
	(rb.getString("Do.you.still.want.to.add.it.to.your.own.keystore.no."));
	}
	if (trustalias == null) {
	// Print the cert and ask user if they really want to add
	// it to their keystore
	printX509Cert(cert, System.out);
	checkWeak(rb.getString("the.input"), cert);
	printWeakWarnings(true);
	reply = getYesNoReply
	(rb.getString("Trust.this.certificate.no."));
	}
	}
	if (reply != null) {
	if ("YES".equals(reply)) {
	keyStore.setCertificateEntry(alias, cert);
	return true;
	} else {
	return false;
	}
	}

	// Not found in this keystore and not self-signed
	// Try to establish trust chain
	try {
	Certificate[] chain = establishCertChain(null, cert);
	if (chain != null) {
	keyStore.setCertificateEntry(alias, cert);
	return true;
	}
	} catch (Exception e) {
	// Print the cert and ask user if they really want to add it to
	// their keystore
	printX509Cert(cert, System.out);
	checkWeak(rb.getString("the.input"), cert);
	printWeakWarnings(true);
	reply = getYesNoReply
	(rb.getString("Trust.this.certificate.no."));
	if ("YES".equals(reply)) {
	keyStore.setCertificateEntry(alias, cert);
	return true;
	} else {
	return false;
	}
	}

	return false;
	}

	/**
	* Prompts user for new password. New password must be different from
	* old one.
	*
	* @param prompt the message that gets prompted on the screen
	* @param oldPasswd the current (i.e., old) password
	*/
	private char[] getNewPasswd(String prompt, char[] oldPasswd)
	throws Exception
	{
	char[] entered = null;
	char[] reentered = null;

	for (int count = 0; count < 3; count++) {
	MessageFormat form = new MessageFormat
	(rb.getString("New.prompt."));
	Object[] source = {prompt};
	System.err.print(form.format(source));
	entered = Password.readPassword(System.in);
	passwords.add(entered);
	if (entered == null \|\| entered.length < 6) {
	System.err.println(rb.getString
	("Password.is.too.short.must.be.at.least.6.characters"));
	} else if (Arrays.equals(entered, oldPasswd)) {
	System.err.println(rb.getString("Passwords.must.differ"));
	} else {
	form = new MessageFormat
	(rb.getString("Re.enter.new.prompt."));
	Object[] src = {prompt};
	System.err.print(form.format(src));
	reentered = Password.readPassword(System.in);
	passwords.add(reentered);
	if (!Arrays.equals(entered, reentered)) {
	System.err.println
	(rb.getString("They.don.t.match.Try.again"));
	} else {
	Arrays.fill(reentered, ' ');
	return entered;
	}
	}
	if (entered != null) {
	Arrays.fill(entered, ' ');
	entered = null;
	}
	if (reentered != null) {
	Arrays.fill(reentered, ' ');
	reentered = null;
	}
	}
	throw new Exception(rb.getString("Too.many.failures.try.later"));
	}

	/**
	* Prompts user for alias name.
	* @param prompt the {0} of "Enter {0} alias name: " in prompt line
	* @return the string entered by the user, without the \n at the end
	*/
	private String getAlias(String prompt) throws Exception {
	if (prompt != null) {
	MessageFormat form = new MessageFormat
	(rb.getString("Enter.prompt.alias.name."));
	Object[] source = {prompt};
	System.err.print(form.format(source));
	} else {
	System.err.print(rb.getString("Enter.alias.name."));
	}
	return (new BufferedReader(new InputStreamReader(
	System.in))).readLine();
	}

	/**
	* Prompts user for an input string from the command line (System.in)
	* @prompt the prompt string printed
	* @return the string entered by the user, without the \n at the end
	*/
	private String inputStringFromStdin(String prompt) throws Exception {
	System.err.print(prompt);
	return (new BufferedReader(new InputStreamReader(
	System.in))).readLine();
	}

	/**
	* Prompts user for key password. User may select to choose the same
	* password (<code>otherKeyPass</code>) as for <code>otherAlias</code>.
	*/
	private char[] getKeyPasswd(String alias, String otherAlias,
	char[] otherKeyPass)
	throws Exception
	{
	int count = 0;
	char[] keyPass = null;

	do {
	if (otherKeyPass != null) {
	MessageFormat form = new MessageFormat(rb.getString
	("Enter.key.password.for.alias."));
	Object[] source = {alias};
	System.err.println(form.format(source));

	form = new MessageFormat(rb.getString
	(".RETURN.if.same.as.for.otherAlias."));
	Object[] src = {otherAlias};
	System.err.print(form.format(src));
	} else {
	MessageFormat form = new MessageFormat(rb.getString
	("Enter.key.password.for.alias."));
	Object[] source = {alias};
	System.err.print(form.format(source));
	}
	System.err.flush();
	keyPass = Password.readPassword(System.in);
	passwords.add(keyPass);
	if (keyPass == null) {
	keyPass = otherKeyPass;
	}
	count++;
	} while ((keyPass == null) && count < 3);

	if (keyPass == null) {
	throw new Exception(rb.getString("Too.many.failures.try.later"));
	}

	return keyPass;
	}

	private String withWeak(String alg) {
	if (DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, alg, null)) {
	return alg;
	} else {
	return String.format(rb.getString("with.weak"), alg);
	}
	}

	private String withWeak(PublicKey key) {
	if (DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
	int kLen = KeyUtil.getKeySize(key);
	if (kLen >= 0) {
	return String.format(rb.getString("key.bit"),
	kLen, key.getAlgorithm());
	} else {
	return String.format(
	rb.getString("unknown.size.1"), key.getAlgorithm());
	}
	} else {
	return String.format(rb.getString("key.bit.weak"),
	KeyUtil.getKeySize(key), key.getAlgorithm());
	}
	}

	/**
	* Prints a certificate in a human readable format.
	*/
	private void printX509Cert(X509Certificate cert, PrintStream out)
	throws Exception
	{

	MessageFormat form = new MessageFormat
	(rb.getString(".PATTERN.printX509Cert.with.weak"));
	PublicKey pkey = cert.getPublicKey();
	String sigName = cert.getSigAlgName();
	// No need to warn about sigalg of a trust anchor
	if (!isTrustedCert(cert)) {
	sigName = withWeak(sigName);
	}
	Object[] source = {cert.getSubjectDN().toString(),
	cert.getIssuerDN().toString(),
	cert.getSerialNumber().toString(16),
	cert.getNotBefore().toString(),
	cert.getNotAfter().toString(),
	getCertFingerPrint("SHA-1", cert),
	getCertFingerPrint("SHA-256", cert),
	sigName,
	withWeak(pkey),
	cert.getVersion()
	};
	out.println(form.format(source));

	if (cert instanceof X509CertImpl) {
	X509CertImpl impl = (X509CertImpl)cert;
	X509CertInfo certInfo = (X509CertInfo)impl.get(X509CertImpl.NAME
	+ "." +
	X509CertImpl.INFO);
	CertificateExtensions exts = (CertificateExtensions)
	certInfo.get(X509CertInfo.EXTENSIONS);
	if (exts != null) {
	printExtensions(rb.getString("Extensions."), exts, out);
	}
	}
	}

	private static void printExtensions(String title, CertificateExtensions exts, PrintStream out)
	throws Exception {
	int extnum = 0;
	Iterator<Extension> i1 = exts.getAllExtensions().iterator();
	Iterator<Extension> i2 = exts.getUnparseableExtensions().values().iterator();
	while (i1.hasNext() \|\| i2.hasNext()) {
	Extension ext = i1.hasNext()?i1.next():i2.next();
	if (extnum == 0) {
	out.println();
	out.println(title);
	out.println();
	}
	out.print("#"+(++extnum)+": "+ ext);
	if (ext.getClass() == Extension.class) {
	byte[] v = ext.getExtensionValue();
	if (v.length == 0) {
	out.println(rb.getString(".Empty.value."));
	} else {
	new sun.security.util.HexDumpEncoder().encodeBuffer(ext.getExtensionValue(), out);
	out.println();
	}
	}
	out.println();
	}
	}

	/**
	* Locates a signer for a given certificate from a given keystore and
	* returns the signer's certificate.
	* @param cert the certificate whose signer is searched, not null
	* @param ks the keystore to search with, not null
	* @return <code>cert</code> itself if it's already inside <code>ks</code>,
	* or a certificate inside <code>ks</code> who signs <code>cert</code>,
	* or null otherwise. A label is added.
	*/
	private static Pair<String,Certificate>
	getSigner(Certificate cert, KeyStore ks) throws Exception {
	if (ks.getCertificateAlias(cert) != null) {
	return new Pair<>("", cert);
	}
	for (Enumeration<String> aliases = ks.aliases();
	aliases.hasMoreElements(); ) {
	String name = aliases.nextElement();
	Certificate trustedCert = ks.getCertificate(name);
	if (trustedCert != null) {
	try {
	cert.verify(trustedCert.getPublicKey());
	return new Pair<>(name, trustedCert);
	} catch (Exception e) {
	// Not verified, skip to the next one
	}
	}
	}
	return null;
	}

	/**
	* Gets an X.500 name suitable for inclusion in a certification request.
	*/
	private X500Name getX500Name() throws IOException {
	BufferedReader in;
	in = new BufferedReader(new InputStreamReader(System.in));
	String commonName = "Unknown";
	String organizationalUnit = "Unknown";
	String organization = "Unknown";
	String city = "Unknown";
	String state = "Unknown";
	String country = "Unknown";
	X500Name name;
	String userInput = null;

	int maxRetry = 20;
	do {
	if (maxRetry-- < 0) {
	throw new RuntimeException(rb.getString(
	"Too.many.retries.program.terminated"));
	}
	commonName = inputString(in,
	rb.getString("What.is.your.first.and.last.name."),
	commonName);
	organizationalUnit = inputString(in,
	rb.getString
	("What.is.the.name.of.your.organizational.unit."),
	organizationalUnit);
	organization = inputString(in,
	rb.getString("What.is.the.name.of.your.organization."),
	organization);
	city = inputString(in,
	rb.getString("What.is.the.name.of.your.City.or.Locality."),
	city);
	state = inputString(in,
	rb.getString("What.is.the.name.of.your.State.or.Province."),
	state);
	country = inputString(in,
	rb.getString
	("What.is.the.two.letter.country.code.for.this.unit."),
	country);
	name = new X500Name(commonName, organizationalUnit, organization,
	city, state, country);
	MessageFormat form = new MessageFormat
	(rb.getString("Is.name.correct."));
	Object[] source = {name};
	userInput = inputString
	(in, form.format(source), rb.getString("no"));
	} while (collator.compare(userInput, rb.getString("yes")) != 0 &&
	collator.compare(userInput, rb.getString("y")) != 0);

	System.err.println();
	return name;
	}

	private String inputString(BufferedReader in, String prompt,
	String defaultValue)
	throws IOException
	{
	System.err.println(prompt);
	MessageFormat form = new MessageFormat
	(rb.getString(".defaultValue."));
	Object[] source = {defaultValue};
	System.err.print(form.format(source));
	System.err.flush();

	String value = in.readLine();
	if (value == null \|\| collator.compare(value, "") == 0) {
	value = defaultValue;
	}
	return value;
	}

	/**
	* Writes an X.509 certificate in base64 or binary encoding to an output
	* stream.
	*/
	private void dumpCert(Certificate cert, PrintStream out)
	throws IOException, CertificateException
	{
	if (rfc) {
	out.println(X509Factory.BEGIN_CERT);
	out.println(Base64.getMimeEncoder(64, CRLF).encodeToString(cert.getEncoded()));
	out.println(X509Factory.END_CERT);
	} else {
	out.write(cert.getEncoded()); // binary
	}
	}

	/**
	* Converts a byte to hex digit and writes to the supplied buffer
	*/
	private void byte2hex(byte b, StringBuffer buf) {
	char[] hexChars = { '0', '1', '2', '3', '4', '5', '6', '7', '8',
	'9', 'A', 'B', 'C', 'D', 'E', 'F' };
	int high = ((b & 0xf0) >> 4);
	int low = (b & 0x0f);
	buf.append(hexChars[high]);
	buf.append(hexChars[low]);
	}

	/**
	* Converts a byte array to hex string
	*/
	private String toHexString(byte[] block) {
	StringBuffer buf = new StringBuffer();
	int len = block.length;
	for (int i = 0; i < len; i++) {
	byte2hex(block[i], buf);
	if (i < len-1) {
	buf.append(":");
	}
	}
	return buf.toString();
	}

	/**
	* Recovers (private) key associated with given alias.
	*
	* @return an array of objects, where the 1st element in the array is the
	* recovered private key, and the 2nd element is the password used to
	* recover it.
	*/
	private Pair<Key,char[]> recoverKey(String alias, char[] storePass,
	char[] keyPass)
	throws Exception
	{
	Key key = null;

	if (keyStore.containsAlias(alias) == false) {
	MessageFormat form = new MessageFormat
	(rb.getString("Alias.alias.does.not.exist"));
	Object[] source = {alias};
	throw new Exception(form.format(source));
	}
	if (!keyStore.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class) &&
	!keyStore.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) {
	MessageFormat form = new MessageFormat
	(rb.getString("Alias.alias.has.no.key"));
	Object[] source = {alias};
	throw new Exception(form.format(source));
	}

	if (keyPass == null) {
	// Try to recover the key using the keystore password
	try {
	key = keyStore.getKey(alias, storePass);

	keyPass = storePass;
	passwords.add(keyPass);
	} catch (UnrecoverableKeyException e) {
	// Did not work out, so prompt user for key password
	if (!token) {
	keyPass = getKeyPasswd(alias, null, null);
	key = keyStore.getKey(alias, keyPass);
	} else {
	throw e;
	}
	}
	} else {
	key = keyStore.getKey(alias, keyPass);
	}

	return Pair.of(key, keyPass);
	}

	/**
	* Recovers entry associated with given alias.
	*
	* @return an array of objects, where the 1st element in the array is the
	* recovered entry, and the 2nd element is the password used to
	* recover it (null if no password).
	*/
	private Pair<Entry,char[]> recoverEntry(KeyStore ks,
	String alias,
	char[] pstore,
	char[] pkey) throws Exception {

	if (ks.containsAlias(alias) == false) {
	MessageFormat form = new MessageFormat
	(rb.getString("Alias.alias.does.not.exist"));
	Object[] source = {alias};
	throw new Exception(form.format(source));
	}

	PasswordProtection pp = null;
	Entry entry;

	try {
	// First attempt to access entry without key password
	// (PKCS11 entry or trusted certificate entry, for example)

	entry = ks.getEntry(alias, pp);
	pkey = null;
	} catch (UnrecoverableEntryException une) {

	if(P11KEYSTORE.equalsIgnoreCase(ks.getType()) \|\|
	KeyStoreUtil.isWindowsKeyStore(ks.getType())) {
	// should not happen, but a possibility
	throw une;
	}

	// entry is protected

	if (pkey != null) {

	// try provided key password

	pp = new PasswordProtection(pkey);
	entry = ks.getEntry(alias, pp);

	} else {

	// try store pass

	try {
	pp = new PasswordProtection(pstore);
	entry = ks.getEntry(alias, pp);
	pkey = pstore;
	} catch (UnrecoverableEntryException une2) {
	if (P12KEYSTORE.equalsIgnoreCase(ks.getType())) {

	// P12 keystore currently does not support separate
	// store and entry passwords

	throw une2;
	} else {

	// prompt for entry password

	pkey = getKeyPasswd(alias, null, null);
	pp = new PasswordProtection(pkey);
	entry = ks.getEntry(alias, pp);
	}
	}
	}
	}

	return Pair.of(entry, pkey);
	}
	/**
	* Gets the requested finger print of the certificate.
	*/
	private String getCertFingerPrint(String mdAlg, Certificate cert)
	throws Exception
	{
	byte[] encCertInfo = cert.getEncoded();
	MessageDigest md = MessageDigest.getInstance(mdAlg);
	byte[] digest = md.digest(encCertInfo);
	return toHexString(digest);
	}

	/**
	* Prints warning about missing integrity check.
	*/
	private void printNoIntegrityWarning() {
	System.err.println();
	System.err.println(rb.getString
	(".WARNING.WARNING.WARNING."));
	System.err.println(rb.getString
	(".The.integrity.of.the.information.stored.in.your.keystore."));
	System.err.println(rb.getString
	(".WARNING.WARNING.WARNING."));
	System.err.println();
	}

	/**
	* Validates chain in certification reply, and returns the ordered
	* elements of the chain (with user certificate first, and root
	* certificate last in the array).
	*
	* @param alias the alias name
	* @param userCert the user certificate of the alias
	* @param replyCerts the chain provided in the reply
	*/
	private Certificate[] validateReply(String alias,
	Certificate userCert,
	Certificate[] replyCerts)
	throws Exception
	{

	checkWeak(rb.getString("reply"), replyCerts);

	// order the certs in the reply (bottom-up).
	// we know that all certs in the reply are of type X.509, because
	// we parsed them using an X.509 certificate factory
	int i;
	PublicKey userPubKey = userCert.getPublicKey();

	// Remove duplicated certificates.
	HashSet<Certificate> nodup = new HashSet<>(Arrays.asList(replyCerts));
	replyCerts = nodup.toArray(new Certificate[nodup.size()]);

	for (i=0; i<replyCerts.length; i++) {
	if (userPubKey.equals(replyCerts[i].getPublicKey())) {
	break;
	}
	}
	if (i == replyCerts.length) {
	MessageFormat form = new MessageFormat(rb.getString
	("Certificate.reply.does.not.contain.public.key.for.alias."));
	Object[] source = {alias};
	throw new Exception(form.format(source));
	}

	Certificate tmpCert = replyCerts[0];
	replyCerts[0] = replyCerts[i];
	replyCerts[i] = tmpCert;

	X509Certificate thisCert = (X509Certificate)replyCerts[0];

	for (i=1; i < replyCerts.length-1; i++) {
	// find a cert in the reply who signs thisCert
	int j;
	for (j=i; j<replyCerts.length; j++) {
	if (KeyStoreUtil.signedBy(thisCert, (X509Certificate)replyCerts[j])) {
	tmpCert = replyCerts[i];
	replyCerts[i] = replyCerts[j];
	replyCerts[j] = tmpCert;
	thisCert = (X509Certificate)replyCerts[i];
	break;
	}
	}
	if (j == replyCerts.length) {
	throw new Exception
	(rb.getString("Incomplete.certificate.chain.in.reply"));
	}
	}

	if (noprompt) {
	return replyCerts;
	}

	// do we trust the cert at the top?
	Certificate topCert = replyCerts[replyCerts.length-1];
	boolean fromKeyStore = true;
	Pair<String,Certificate> root = getSigner(topCert, keyStore);
	if (root == null && trustcacerts && caks != null) {
	root = getSigner(topCert, caks);
	fromKeyStore = false;
	}
	if (root == null) {
	System.err.println();
	System.err.println
	(rb.getString("Top.level.certificate.in.reply."));
	printX509Cert((X509Certificate)topCert, System.out);
	System.err.println();
	System.err.print(rb.getString(".is.not.trusted."));
	printWeakWarnings(true);
	String reply = getYesNoReply
	(rb.getString("Install.reply.anyway.no."));
	if ("NO".equals(reply)) {
	return null;
	}
	} else {
	if (root.snd != topCert) {
	// append the root CA cert to the chain
	Certificate[] tmpCerts =
	new Certificate[replyCerts.length+1];
	System.arraycopy(replyCerts, 0, tmpCerts, 0,
	replyCerts.length);
	tmpCerts[tmpCerts.length-1] = root.snd;
	replyCerts = tmpCerts;
	checkWeak(String.format(rb.getString(fromKeyStore ?
	"alias.in.keystore" :
	"alias.in.cacerts"),
	root.fst),
	root.snd);
	}
	}
	return replyCerts;
	}

	/**
	* Establishes a certificate chain (using trusted certificates in the
	* keystore and cacerts), starting with the reply (certToVerify)
	* and ending at a self-signed certificate found in the keystore.
	*
	* @param userCert optional existing certificate, mostly likely be the
	* original self-signed cert created by -genkeypair.
	* It must have the same public key as certToVerify
	* but cannot be the same cert.
	* @param certToVerify the starting certificate to build the chain
	* @returns the established chain, might be null if user decides not
	*/
	private Certificate[] establishCertChain(Certificate userCert,
	Certificate certToVerify)
	throws Exception
	{
	if (userCert != null) {
	// Make sure that the public key of the certificate reply matches
	// the original public key in the keystore
	PublicKey origPubKey = userCert.getPublicKey();
	PublicKey replyPubKey = certToVerify.getPublicKey();
	if (!origPubKey.equals(replyPubKey)) {
	throw new Exception(rb.getString
	("Public.keys.in.reply.and.keystore.don.t.match"));
	}

	// If the two certs are identical, we're done: no need to import
	// anything
	if (certToVerify.equals(userCert)) {
	throw new Exception(rb.getString
	("Certificate.reply.and.certificate.in.keystore.are.identical"));
	}
	}

	// Build a hash table of all certificates in the keystore.
	// Use the subject distinguished name as the key into the hash table.
	// All certificates associated with the same subject distinguished
	// name are stored in the same hash table entry as a vector.
	Hashtable<Principal, Vector<Pair<String,X509Certificate>>> certs = null;
	if (keyStore.size() > 0) {
	certs = new Hashtable<>(11);
	keystorecerts2Hashtable(keyStore, certs);
	}
	if (trustcacerts) {
	if (caks!=null && caks.size()>0) {
	if (certs == null) {
	certs = new Hashtable<>(11);
	}
	keystorecerts2Hashtable(caks, certs);
	}
	}

	// start building chain
	Vector<Pair<String,X509Certificate>> chain = new Vector<>(2);
	if (buildChain(
	new Pair<>(rb.getString("the.input"),
	(X509Certificate) certToVerify),
	chain, certs)) {
	for (Pair<String,X509Certificate> p : chain) {
	checkWeak(p.fst, p.snd);
	}
	Certificate[] newChain =
	new Certificate[chain.size()];
	// buildChain() returns chain with self-signed root-cert first and
	// user-cert last, so we need to invert the chain before we store
	// it
	int j=0;
	for (int i=chain.size()-1; i>=0; i--) {
	newChain[j] = chain.elementAt(i).snd;
	j++;
	}
	return newChain;
	} else {
	throw new Exception
	(rb.getString("Failed.to.establish.chain.from.reply"));
	}
	}

	/**
	* Recursively tries to establish chain from pool of certs starting from
	* certToVerify until a self-signed cert is found, and fill the certs found
	* into chain. Each cert in the chain signs the next one.
	*
	* This method is able to recover from an error, say, if certToVerify
	* is signed by certA but certA has no issuer in certs and itself is not
	* self-signed, the method can try another certB that also signs
	* certToVerify and look for signer of certB, etc, etc.
	*
	* Each cert in chain comes with a label showing its origin. The label is
	* used in the warning message when the cert is considered a risk.
	*
	* @param certToVerify the cert that needs to be verified.
	* @param chain the chain that's being built.
	* @param certs the pool of trusted certs
	*
	* @return true if successful, false otherwise.
	*/
	private boolean buildChain(Pair<String,X509Certificate> certToVerify,
	Vector<Pair<String,X509Certificate>> chain,
	Hashtable<Principal, Vector<Pair<String,X509Certificate>>> certs) {
	if (KeyStoreUtil.isSelfSigned(certToVerify.snd)) {
	// reached self-signed root cert;
	// no verification needed because it's trusted.
	chain.addElement(certToVerify);
	return true;
	}

	Principal issuer = certToVerify.snd.getIssuerDN();

	// Get the issuer's certificate(s)
	Vector<Pair<String,X509Certificate>> vec = certs.get(issuer);
	if (vec == null) {
	return false;
	}

	// Try out each certificate in the vector, until we find one
	// whose public key verifies the signature of the certificate
	// in question.
	for (Enumeration<Pair<String,X509Certificate>> issuerCerts = vec.elements();
	issuerCerts.hasMoreElements(); ) {
	Pair<String,X509Certificate> issuerCert = issuerCerts.nextElement();
	PublicKey issuerPubKey = issuerCert.snd.getPublicKey();
	try {
	certToVerify.snd.verify(issuerPubKey);
	} catch (Exception e) {
	continue;
	}
	if (buildChain(issuerCert, chain, certs)) {
	chain.addElement(certToVerify);
	return true;
	}
	}
	return false;
	}

	/**
	* Prompts user for yes/no decision.
	*
	* @return the user's decision, can only be "YES" or "NO"
	*/
	private String getYesNoReply(String prompt)
	throws IOException
	{
	String reply = null;
	int maxRetry = 20;
	do {
	if (maxRetry-- < 0) {
	throw new RuntimeException(rb.getString(
	"Too.many.retries.program.terminated"));
	}
	System.err.print(prompt);
	System.err.flush();
	reply = (new BufferedReader(new InputStreamReader
	(System.in))).readLine();
	if (reply == null \|\|
	collator.compare(reply, "") == 0 \|\|
	collator.compare(reply, rb.getString("n")) == 0 \|\|
	collator.compare(reply, rb.getString("no")) == 0) {
	reply = "NO";
	} else if (collator.compare(reply, rb.getString("y")) == 0 \|\|
	collator.compare(reply, rb.getString("yes")) == 0) {
	reply = "YES";
	} else {
	System.err.println(rb.getString("Wrong.answer.try.again"));
	reply = null;
	}
	} while (reply == null);
	return reply;
	}

	/**
	* Stores the (leaf) certificates of a keystore in a hashtable.
	* All certs belonging to the same CA are stored in a vector that
	* in turn is stored in the hashtable, keyed by the CA's subject DN.
	* Each cert comes with a string label that shows its origin and alias.
	*/
	private void keystorecerts2Hashtable(KeyStore ks,
	Hashtable<Principal, Vector<Pair<String,X509Certificate>>> hash)
	throws Exception {

	for (Enumeration<String> aliases = ks.aliases();
	aliases.hasMoreElements(); ) {
	String alias = aliases.nextElement();
	Certificate cert = ks.getCertificate(alias);
	if (cert != null) {
	Principal subjectDN = ((X509Certificate)cert).getSubjectDN();
	Pair<String,X509Certificate> pair = new Pair<>(
	String.format(
	rb.getString(ks == caks ?
	"alias.in.cacerts" :
	"alias.in.keystore"),
	alias),
	(X509Certificate)cert);
	Vector<Pair<String,X509Certificate>> vec = hash.get(subjectDN);
	if (vec == null) {
	vec = new Vector<>();
	vec.addElement(pair);
	} else {
	if (!vec.contains(pair)) {
	vec.addElement(pair);
	}
	}
	hash.put(subjectDN, vec);
	}
	}
	}

	/**
	* Returns the issue time that's specified the -startdate option
	* @param s the value of -startdate option
	*/
	private static Date getStartDate(String s) throws IOException {
	Calendar c = new GregorianCalendar();
	if (s != null) {
	IOException ioe = new IOException(
	rb.getString("Illegal.startdate.value"));
	int len = s.length();
	if (len == 0) {
	throw ioe;
	}
	if (s.charAt(0) == '-' \|\| s.charAt(0) == '+') {
	// Form 1: ([+-]nnn[ymdHMS])+
	int start = 0;
	while (start < len) {
	int sign = 0;
	switch (s.charAt(start)) {
	case '+': sign = 1; break;
	case '-': sign = -1; break;
	default: throw ioe;
	}
	int i = start+1;
	for (; i<len; i++) {
	char ch = s.charAt(i);
	if (ch < '0' \|\| ch > '9') break;
	}
	if (i == start+1) throw ioe;
	int number = Integer.parseInt(s.substring(start+1, i));
	if (i >= len) throw ioe;
	int unit = 0;
	switch (s.charAt(i)) {
	case 'y': unit = Calendar.YEAR; break;
	case 'm': unit = Calendar.MONTH; break;
	case 'd': unit = Calendar.DATE; break;
	case 'H': unit = Calendar.HOUR; break;
	case 'M': unit = Calendar.MINUTE; break;
	case 'S': unit = Calendar.SECOND; break;
	default: throw ioe;
	}
	c.add(unit, sign * number);
	start = i + 1;
	}
	} else {
	// Form 2: [yyyy/mm/dd] [HH:MM:SS]
	String date = null, time = null;
	if (len == 19) {
	date = s.substring(0, 10);
	time = s.substring(11);
	if (s.charAt(10) != ' ')
	throw ioe;
	} else if (len == 10) {
	date = s;
	} else if (len == 8) {
	time = s;
	} else {
	throw ioe;
	}
	if (date != null) {
	if (date.matches("\\d\\d\\d\\d\\/\\d\\d\\/\\d\\d")) {
	c.set(Integer.valueOf(date.substring(0, 4)),
	Integer.valueOf(date.substring(5, 7))-1,
	Integer.valueOf(date.substring(8, 10)));
	} else {
	throw ioe;
	}
	}
	if (time != null) {
	if (time.matches("\\d\\d:\\d\\d:\\d\\d")) {
	c.set(Calendar.HOUR_OF_DAY, Integer.valueOf(time.substring(0, 2)));
	c.set(Calendar.MINUTE, Integer.valueOf(time.substring(3, 5)));
	c.set(Calendar.SECOND, Integer.valueOf(time.substring(6, 8)));
	c.set(Calendar.MILLISECOND, 0);
	} else {
	throw ioe;
	}
	}
	}
	}
	return c.getTime();
	}

	/**
	* Match a command (may be abbreviated) with a command set.
	* @param s the command provided
	* @param list the legal command set. If there is a null, commands after it
	* are regarded experimental, which means they are supported but their
	* existence should not be revealed to user.
	* @return the position of a single match, or -1 if none matched
	* @throws Exception if s is ambiguous
	*/
	private static int oneOf(String s, String... list) throws Exception {
	int[] match = new int[list.length];
	int nmatch = 0;
	int experiment = Integer.MAX_VALUE;
	for (int i = 0; i<list.length; i++) {
	String one = list[i];
	if (one == null) {
	experiment = i;
	continue;
	}
	if (one.toLowerCase(Locale.ENGLISH)
	.startsWith(s.toLowerCase(Locale.ENGLISH))) {
	match[nmatch++] = i;
	} else {
	StringBuilder sb = new StringBuilder();
	boolean first = true;
	for (char c: one.toCharArray()) {
	if (first) {
	sb.append(c);
	first = false;
	} else {
	if (!Character.isLowerCase(c)) {
	sb.append(c);
	}
	}
	}
	if (sb.toString().equalsIgnoreCase(s)) {
	match[nmatch++] = i;
	}
	}
	}
	if (nmatch == 0) {
	return -1;
	} else if (nmatch == 1) {
	return match[0];
	} else {
	// If multiple matches is in experimental commands, ignore them
	if (match[1] > experiment) {
	return match[0];
	}
	StringBuilder sb = new StringBuilder();
	MessageFormat form = new MessageFormat(rb.getString
	("command.{0}.is.ambiguous."));
	Object[] source = {s};
	sb.append(form.format(source));
	sb.append("\n ");
	for (int i=0; i<nmatch && match[i]<experiment; i++) {
	sb.append(' ');
	sb.append(list[match[i]]);
	}
	throw new Exception(sb.toString());
	}
	}

	/**
	* Create a GeneralName object from known types
	* @param t one of 5 known types
	* @param v value
	* @return which one
	*/
	private GeneralName createGeneralName(String t, String v)
	throws Exception {
	GeneralNameInterface gn;
	int p = oneOf(t, "EMAIL", "URI", "DNS", "IP", "OID");
	if (p < 0) {
	throw new Exception(rb.getString(
	"Unrecognized.GeneralName.type.") + t);
	}
	switch (p) {
	case 0: gn = new RFC822Name(v); break;
	case 1: gn = new URIName(v); break;
	case 2: gn = new DNSName(v); break;
	case 3: gn = new IPAddressName(v); break;
	default: gn = new OIDName(v); break; //4
	}
	return new GeneralName(gn);
	}

	private static final String[] extSupported = {
	"BasicConstraints",
	"KeyUsage",
	"ExtendedKeyUsage",
	"SubjectAlternativeName",
	"IssuerAlternativeName",
	"SubjectInfoAccess",
	"AuthorityInfoAccess",
	null,
	"CRLDistributionPoints",
	};

	private ObjectIdentifier findOidForExtName(String type)
	throws Exception {
	switch (oneOf(type, extSupported)) {
	case 0: return PKIXExtensions.BasicConstraints_Id;
	case 1: return PKIXExtensions.KeyUsage_Id;
	case 2: return PKIXExtensions.ExtendedKeyUsage_Id;
	case 3: return PKIXExtensions.SubjectAlternativeName_Id;
	case 4: return PKIXExtensions.IssuerAlternativeName_Id;
	case 5: return PKIXExtensions.SubjectInfoAccess_Id;
	case 6: return PKIXExtensions.AuthInfoAccess_Id;
	case 8: return PKIXExtensions.CRLDistributionPoints_Id;
	default: return new ObjectIdentifier(type);
	}
	}

	// Add an extension into a CertificateExtensions, always using OID as key
	private static void setExt(CertificateExtensions result, Extension ex)
	throws IOException {
	result.set(ex.getId(), ex);
	}

	/**
	* Create X509v3 extensions from a string representation. Note that the
	* SubjectKeyIdentifierExtension will always be created non-critical besides
	* the extension requested in the <code>extstr</code> argument.
	*
	* @param requestedEx the requested extensions, can be null, used for -gencert
	* @param existingEx the original extensions, can be null, used for -selfcert
	* @param extstrs -ext values, Read keytool doc
	* @param pkey the public key for the certificate
	* @param akey the public key for the authority (issuer)
	* @return the created CertificateExtensions
	*/
	private CertificateExtensions createV3Extensions(
	CertificateExtensions requestedEx,
	CertificateExtensions existingEx,
	List <String> extstrs,
	PublicKey pkey,
	PublicKey akey) throws Exception {

	// By design, inside a CertificateExtensions object, all known
	// extensions uses name (say, "BasicConstraints") as key and
	// a child Extension type (say, "BasicConstraintsExtension")
	// as value, unknown extensions uses OID as key and bare
	// Extension object as value. This works fine inside JDK.
	//
	// However, in keytool, there is no way to prevent people
	// using OID in -ext, either as a new extension, or in a
	// honored value. Thus here we (ab)use CertificateExtensions
	// by always using OID as key and value can be of any type.

	if (existingEx != null && requestedEx != null) {
	// This should not happen
	throw new Exception("One of request and original should be null.");
	}
	// A new extensions always using OID as key
	CertificateExtensions result = new CertificateExtensions();
	if (existingEx != null) {
	for (Extension ex: existingEx.getAllExtensions()) {
	setExt(result, ex);
	}
	}
	try {
	// name{:critical}{=value}
	// Honoring requested extensions
	if (requestedEx != null) {
	// The existing requestedEx might use names as keys,
	// translate to all-OID first.
	CertificateExtensions request2 = new CertificateExtensions();
	for (sun.security.x509.Extension ex: requestedEx.getAllExtensions()) {
	request2.set(ex.getId(), ex);
	}
	for(String extstr: extstrs) {
	if (extstr.toLowerCase(Locale.ENGLISH).startsWith("honored=")) {
	List<String> list = Arrays.asList(
	extstr.toLowerCase(Locale.ENGLISH).substring(8).split(","));
	// First check existence of "all"
	if (list.contains("all")) {
	for (Extension ex: request2.getAllExtensions()) {
	setExt(result, ex);
	}
	}
	// one by one for others
	for (String item: list) {
	if (item.equals("all")) continue;

	// add or remove
	boolean add;
	// -1, unchanged, 0 critical, 1 non-critical
	int action = -1;
	String type = null;
	if (item.startsWith("-")) {
	add = false;
	type = item.substring(1);
	} else {
	add = true;
	int colonpos = item.indexOf(':');
	if (colonpos >= 0) {
	type = item.substring(0, colonpos);
	action = oneOf(item.substring(colonpos+1),
	"critical", "non-critical");
	if (action == -1) {
	throw new Exception(rb.getString
	("Illegal.value.") + item);
	}
	} else {
	type = item;
	}
	}
	String n = findOidForExtName(type).toString();
	if (add) {
	Extension e = request2.get(n);
	if (!e.isCritical() && action == 0
	\|\| e.isCritical() && action == 1) {
	e = Extension.newExtension(
	e.getExtensionId(),
	!e.isCritical(),
	e.getExtensionValue());
	}
	setExt(result, e);
	} else {
	result.delete(n);
	}
	}
	break;
	}
	}
	}
	for(String extstr: extstrs) {
	String name, value;
	boolean isCritical = false;

	int eqpos = extstr.indexOf('=');
	if (eqpos >= 0) {
	name = extstr.substring(0, eqpos);
	value = extstr.substring(eqpos+1);
	} else {
	name = extstr;
	value = null;
	}

	int colonpos = name.indexOf(':');
	if (colonpos >= 0) {
	if (oneOf(name.substring(colonpos+1), "critical") == 0) {
	isCritical = true;
	}
	name = name.substring(0, colonpos);
	}

	if (name.equalsIgnoreCase("honored")) {
	continue;
	}
	int exttype = oneOf(name, extSupported);
	switch (exttype) {
	case 0: // BC
	int pathLen = -1;
	boolean isCA = false;
	if (value == null) {
	isCA = true;
	} else {
	try { // the abbr format
	pathLen = Integer.parseInt(value);
	isCA = true;
	} catch (NumberFormatException ufe) {
	// ca:true,pathlen:1
	for (String part: value.split(",")) {
	String[] nv = part.split(":");
	if (nv.length != 2) {
	throw new Exception(rb.getString
	("Illegal.value.") + extstr);
	} else {
	if (nv[0].equalsIgnoreCase("ca")) {
	isCA = Boolean.parseBoolean(nv[1]);
	} else if (nv[0].equalsIgnoreCase("pathlen")) {
	pathLen = Integer.parseInt(nv[1]);
	} else {
	throw new Exception(rb.getString
	("Illegal.value.") + extstr);
	}
	}
	}
	}
	}
	setExt(result, new BasicConstraintsExtension(isCritical, isCA,
	pathLen));
	break;
	case 1: // KU
	if(value != null) {
	boolean[] ok = new boolean[9];
	for (String s: value.split(",")) {
	int p = oneOf(s,
	"digitalSignature", // (0),
	"nonRepudiation", // (1)
	"keyEncipherment", // (2),
	"dataEncipherment", // (3),
	"keyAgreement", // (4),
	"keyCertSign", // (5),
	"cRLSign", // (6),
	"encipherOnly", // (7),
	"decipherOnly", // (8)
	"contentCommitment" // also (1)
	);
	if (p < 0) {
	throw new Exception(rb.getString("Unknown.keyUsage.type.") + s);
	}
	if (p == 9) p = 1;
	ok[p] = true;
	}
	KeyUsageExtension kue = new KeyUsageExtension(ok);
	// The above KeyUsageExtension constructor does not
	// allow isCritical value, so...
	setExt(result, Extension.newExtension(
	kue.getExtensionId(),
	isCritical,
	kue.getExtensionValue()));
	} else {
	throw new Exception(rb.getString
	("Illegal.value.") + extstr);
	}
	break;
	case 2: // EKU
	if(value != null) {
	Vector<ObjectIdentifier> v = new Vector<>();
	for (String s: value.split(",")) {
	int p = oneOf(s,
	"anyExtendedKeyUsage",
	"serverAuth", //1
	"clientAuth", //2
	"codeSigning", //3
	"emailProtection", //4
	"", //5
	"", //6
	"", //7
	"timeStamping", //8
	"OCSPSigning" //9
	);
	if (p < 0) {
	try {
	v.add(new ObjectIdentifier(s));
	} catch (Exception e) {
	throw new Exception(rb.getString(
	"Unknown.extendedkeyUsage.type.") + s);
	}
	} else if (p == 0) {
	v.add(new ObjectIdentifier("2.5.29.37.0"));
	} else {
	v.add(new ObjectIdentifier("1.3.6.1.5.5.7.3." + p));
	}
	}
	setExt(result, new ExtendedKeyUsageExtension(isCritical, v));
	} else {
	throw new Exception(rb.getString
	("Illegal.value.") + extstr);
	}
	break;
	case 3: // SAN
	case 4: // IAN
	if(value != null) {
	String[] ps = value.split(",");
	GeneralNames gnames = new GeneralNames();
	for(String item: ps) {
	colonpos = item.indexOf(':');
	if (colonpos < 0) {
	throw new Exception("Illegal item " + item + " in " + extstr);
	}
	String t = item.substring(0, colonpos);
	String v = item.substring(colonpos+1);
	gnames.add(createGeneralName(t, v));
	}
	if (exttype == 3) {
	setExt(result, new SubjectAlternativeNameExtension(
	isCritical, gnames));
	} else {
	setExt(result, new IssuerAlternativeNameExtension(
	isCritical, gnames));
	}
	} else {
	throw new Exception(rb.getString
	("Illegal.value.") + extstr);
	}
	break;
	case 5: // SIA, always non-critical
	case 6: // AIA, always non-critical
	if (isCritical) {
	throw new Exception(rb.getString(
	"This.extension.cannot.be.marked.as.critical.") + extstr);
	}
	if(value != null) {
	List<AccessDescription> accessDescriptions =
	new ArrayList<>();
	String[] ps = value.split(",");
	for(String item: ps) {
	colonpos = item.indexOf(':');
	int colonpos2 = item.indexOf(':', colonpos+1);
	if (colonpos < 0 \|\| colonpos2 < 0) {
	throw new Exception(rb.getString
	("Illegal.value.") + extstr);
	}
	String m = item.substring(0, colonpos);
	String t = item.substring(colonpos+1, colonpos2);
	String v = item.substring(colonpos2+1);
	int p = oneOf(m,
	"",
	"ocsp", //1
	"caIssuers", //2
	"timeStamping", //3
	"",
	"caRepository" //5
	);
	ObjectIdentifier oid;
	if (p < 0) {
	try {
	oid = new ObjectIdentifier(m);
	} catch (Exception e) {
	throw new Exception(rb.getString(
	"Unknown.AccessDescription.type.") + m);
	}
	} else {
	oid = new ObjectIdentifier("1.3.6.1.5.5.7.48." + p);
	}
	accessDescriptions.add(new AccessDescription(
	oid, createGeneralName(t, v)));
	}
	if (exttype == 5) {
	setExt(result, new SubjectInfoAccessExtension(accessDescriptions));
	} else {
	setExt(result, new AuthorityInfoAccessExtension(accessDescriptions));
	}
	} else {
	throw new Exception(rb.getString
	("Illegal.value.") + extstr);
	}
	break;
	case 8: // CRL, experimental, only support 1 distributionpoint
	if(value != null) {
	String[] ps = value.split(",");
	GeneralNames gnames = new GeneralNames();
	for(String item: ps) {
	colonpos = item.indexOf(':');
	if (colonpos < 0) {
	throw new Exception("Illegal item " + item + " in " + extstr);
	}
	String t = item.substring(0, colonpos);
	String v = item.substring(colonpos+1);
	gnames.add(createGeneralName(t, v));
	}
	setExt(result, new CRLDistributionPointsExtension(
	isCritical, Collections.singletonList(
	new DistributionPoint(gnames, null, null))));
	} else {
	throw new Exception(rb.getString
	("Illegal.value.") + extstr);
	}
	break;
	case -1:
	ObjectIdentifier oid = new ObjectIdentifier(name);
	byte[] data = null;
	if (value != null) {
	data = new byte[value.length() / 2 + 1];
	int pos = 0;
	for (char c: value.toCharArray()) {
	int hex;
	if (c >= '0' && c <= '9') {
	hex = c - '0' ;
	} else if (c >= 'A' && c <= 'F') {
	hex = c - 'A' + 10;
	} else if (c >= 'a' && c <= 'f') {
	hex = c - 'a' + 10;
	} else {
	continue;
	}
	if (pos % 2 == 0) {
	data[pos/2] = (byte)(hex << 4);
	} else {
	data[pos/2] += hex;
	}
	pos++;
	}
	if (pos % 2 != 0) {
	throw new Exception(rb.getString(
	"Odd.number.of.hex.digits.found.") + extstr);
	}
	data = Arrays.copyOf(data, pos/2);
	} else {
	data = new byte[0];
	}
	setExt(result, new Extension(oid, isCritical,
	new DerValue(DerValue.tag_OctetString, data)
	.toByteArray()));
	break;
	default:
	throw new Exception(rb.getString(
	"Unknown.extension.type.") + extstr);
	}
	}
	// always non-critical
	setExt(result, new SubjectKeyIdentifierExtension(
	new KeyIdentifier(pkey).getIdentifier()));
	if (akey != null && !pkey.equals(akey)) {
	setExt(result, new AuthorityKeyIdentifierExtension(
	new KeyIdentifier(akey), null, null));
	}
	} catch(IOException e) {
	throw new RuntimeException(e);
	}
	return result;
	}

	private boolean isTrustedCert(Certificate cert) throws KeyStoreException {
	if (caks != null && caks.getCertificateAlias(cert) != null) {
	return true;
	} else {
	String inKS = keyStore.getCertificateAlias(cert);
	return inKS != null && keyStore.isCertificateEntry(inKS);
	}
	}

	private void checkWeak(String label, String sigAlg, Key key) {

	if (sigAlg != null && !DISABLED_CHECK.permits(
	SIG_PRIMITIVE_SET, sigAlg, null)) {
	weakWarnings.add(String.format(
	rb.getString("whose.sigalg.risk"), label, sigAlg));
	}
	if (key != null && !DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
	weakWarnings.add(String.format(
	rb.getString("whose.key.risk"),
	label,
	String.format(rb.getString("key.bit"),
	KeyUtil.getKeySize(key), key.getAlgorithm())));
	}
	}

	private void checkWeak(String label, Certificate[] certs)
	throws KeyStoreException {
	for (int i = 0; i < certs.length; i++) {
	Certificate cert = certs[i];
	if (cert instanceof X509Certificate) {
	X509Certificate xc = (X509Certificate)cert;
	String fullLabel = label;
	if (certs.length > 1) {
	fullLabel = oneInMany(label, i, certs.length);
	}
	checkWeak(fullLabel, xc);
	}
	}
	}

	private void checkWeak(String label, Certificate cert)
	throws KeyStoreException {
	if (cert instanceof X509Certificate) {
	X509Certificate xc = (X509Certificate)cert;
	// No need to check the sigalg of a trust anchor
	String sigAlg = isTrustedCert(cert) ? null : xc.getSigAlgName();
	checkWeak(label, sigAlg, xc.getPublicKey());
	}
	}

	private void checkWeak(String label, PKCS10 p10) {
	checkWeak(label, p10.getSigAlg(), p10.getSubjectPublicKeyInfo());
	}

	private void checkWeak(String label, CRL crl, Key key) {
	if (crl instanceof X509CRLImpl) {
	X509CRLImpl impl = (X509CRLImpl)crl;
	checkWeak(label, impl.getSigAlgName(), key);
	}
	}

	private void printWeakWarnings(boolean newLine) {
	if (!weakWarnings.isEmpty() && !nowarn) {
	System.err.println("\nWarning:");
	for (String warning : weakWarnings) {
	System.err.println(warning);
	}
	if (newLine) {
	// When calling before a yes/no prompt, add a new line
	System.err.println();
	}
	}
	weakWarnings.clear();
	}

	/**
	* Prints the usage of this tool.
	*/
	private void usage() {
	if (command != null) {
	System.err.println("keytool " + command +
	rb.getString(".OPTION."));
	System.err.println();
	System.err.println(rb.getString(command.description));
	System.err.println();
	System.err.println(rb.getString("Options."));
	System.err.println();

	// Left and right sides of the options list. Both might
	// contain "\n" and span multiple lines
	String[] left = new String[command.options.length];
	String[] right = new String[command.options.length];

	// Length of left side of options list
	int lenLeft = 0;

	for (int j = 0; j < command.options.length; j++) {
	Option opt = command.options[j];
	left[j] = opt.toString();
	if (opt.arg != null) {
	left[j] += " " + opt.arg;
	}
	String[] lefts = left[j].split("\n");
	for (String s : lefts) {
	if (s.length() > lenLeft) {
	lenLeft = s.length();
	}
	}
	right[j] = rb.getString(opt.description);
	}
	for (int j = 0; j < left.length; j++) {
	String[] lefts = left[j].split("\n");
	String[] rights = right[j].split("\n");
	for (int i = 0; i < lefts.length && i < rights.length; i++) {
	String s1 = i < lefts.length ? lefts[i] : "";
	String s2 = i < rights.length ? rights[i] : "";
	if (i == 0) {
	System.err.printf(" %-" + lenLeft + "s %s\n", s1, s2);
	} else {
	System.err.printf(" %-" + lenLeft + "s %s\n", s1, s2);
	}
	}
	}
	System.err.println();
	System.err.println(rb.getString(
	"Use.keytool.help.for.all.available.commands"));
	} else {
	System.err.println(rb.getString(
	"Key.and.Certificate.Management.Tool"));
	System.err.println();
	System.err.println(rb.getString("Commands."));
	System.err.println();
	for (Command c: Command.values()) {
	if (c == KEYCLONE) break;
	System.err.printf(" %-20s%s\n", c, rb.getString(c.description));
	}
	System.err.println();
	System.err.println(rb.getString(
	"Use.keytool.help.for.all.available.commands"));
	System.err.println(rb.getString(
	"Use.keytool.command.name.help.for.usage.of.command.name"));
	}
	}

	private void tinyHelp() {
	usage();
	if (debug) {
	throw new RuntimeException("NO BIG ERROR, SORRY");
	} else {
	System.exit(1);
	}
	}

	private void errorNeedArgument(String flag) {
	Object[] source = {flag};
	System.err.println(new MessageFormat(
	rb.getString("Command.option.flag.needs.an.argument.")).format(source));
	tinyHelp();
	}

	private char[] getPass(String modifier, String arg) {
	char[] output = KeyStoreUtil.getPassWithModifier(modifier, arg, rb);
	if (output != null) return output;
	tinyHelp();
	return null; // Useless, tinyHelp() already exits.
	}
	}

	// This class is exactly the same as com.sun.tools.javac.util.Pair,
	// it's copied here since the original one is not included in JRE.
	class Pair<A, B> {

	public final A fst;
	public final B snd;

	public Pair(A fst, B snd) {
	this.fst = fst;
	this.snd = snd;
	}

	public String toString() {
	return "Pair[" + fst + "," + snd + "]";
	}

	public boolean equals(Object other) {
	return
	other instanceof Pair &&
	Objects.equals(fst, ((Pair)other).fst) &&
	Objects.equals(snd, ((Pair)other).snd);
	}

	public int hashCode() {
	if (fst == null) return (snd == null) ? 0 : snd.hashCode() + 1;
	else if (snd == null) return fst.hashCode() + 2;
	else return fst.hashCode() * 17 + snd.hashCode();
	}

	public static <A,B> Pair<A,B> of(A a, B b) {
	return new Pair<>(a,b);
	}
	}

Back to index...