Summary
-------
Add support for the `-trustcacerts` and `-keystore` options to the `-printcert` and `-printcrl` commands of keytool.
Problem
-------
The `-printcert` and `-printcrl` commands in keytool do not support the `-trustcacerts` and `-keystore` options. As a result, those commands cannot use trusted certificates when verifying untrusted artifacts that are signed by CAs. They also emit warnings when the root CA uses a disabled or weak algorithm, even though that should not be an issue because the key itself is trusted.
Solution
--------
Support the `-trustcacerts` and `-keystore` options in keytool's `-printcert` and `-printcrl` commands.
Specification
-------------
Note that when a keytool command supports the `-keystore` option, it also supports the provider-related options and the `-storepass`, `-storetype` and `-protected` options, since those are used when loading the keystore.
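As an added example (not part of this CSR or of the JDK), the following POSIX shell script exercises the behaviour described in the Problem section and the option dependencies described above: it constructs a self-signed root whose certificate is signed with MD5withRSA, imports it as a trusted certificate entry into a PKCS12 trust store, and compares the output of `keytool -printcert` with and without `-keystore`, `-storepass` and `-trustcacerts`. The alias, file names and password are constructed for the demo; the script assumes a `keytool` from a JDK that includes this change is on PATH and reports that nothing can be run otherwise.

```shell
#!/bin/sh
# Added demo, not part of this CSR or the JDK: compare `keytool -printcert`
# on a weak-signature root with and without the new -keystore/-trustcacerts
# options. All names, paths and the password below are constructed for the demo.
# Assumes a keytool from a JDK that includes this change is on PATH.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
STOREPASS=changeit              # constructed demo password
CA_KS="$WORK/ca.p12"            # holds the demo root's private key
TRUST_KS="$WORK/trust.p12"      # holds the root as a trusted-certificate entry
CA_PEM="$WORK/ca.pem"           # the exported root certificate

# True when this keytool lists -keystore among the -printcert options,
# i.e. the JDK contains the change specified above.
printcert_supports_keystore() {
    keytool -printcert -help 2>&1 | grep -q -- '-keystore'
}

# Build the demo material: a self-signed root signed with MD5withRSA (an
# algorithm disabled by jdk.certpath.disabledAlgorithms, so keytool flags it),
# exported to PEM and imported into a separate PKCS12 trust store.
setup_demo() {
    keytool -genkeypair -alias root -keyalg RSA -keysize 2048 \
        -sigalg MD5withRSA -dname "CN=Demo Weak Root" -validity 30 \
        -keystore "$CA_KS" -storetype PKCS12 -storepass "$STOREPASS" \
        >/dev/null 2>&1
    keytool -exportcert -alias root -rfc -file "$CA_PEM" \
        -keystore "$CA_KS" -storepass "$STOREPASS" >/dev/null 2>&1
    keytool -importcert -noprompt -alias root -file "$CA_PEM" \
        -keystore "$TRUST_KS" -storetype PKCS12 -storepass "$STOREPASS" \
        >/dev/null 2>&1
}

# Prints "warn" if `keytool -printcert` on $1 (any further keytool options are
# passed through) emits a weak-algorithm warning, "clean" if it does not, and
# "error" if keytool itself fails (for example on an option this JDK rejects).
printcert_verdict() {
    cert=$1; shift
    if ! out=$(keytool -printcert -file "$cert" "$@" 2>&1); then
        echo error
        return 0
    fi
    case $out in
        *"security risk"*) echo warn ;;
        *)                 echo clean ;;
    esac
}

demo() {
    setup_demo
    # Without a keystore the root is just an untrusted certificate: warning expected.
    echo "no keystore:             $(printcert_verdict "$CA_PEM")"
    # With the trust store (and cacerts) consulted, the root is a trust anchor,
    # so its signature algorithm is not checked: no warning expected.
    echo "-keystore/-trustcacerts: $(printcert_verdict "$CA_PEM" \
        -keystore "$TRUST_KS" -storepass "$STOREPASS" -trustcacerts)"
}

if command -v keytool >/dev/null 2>&1 && printcert_supports_keystore; then
    demo
else
    echo "keytool with -printcert -keystore support not found; nothing to run"
fi
```

The password is passed inline only to keep the demo short; the `-storepass:env` and `-storepass:file` forms, or `-protected` from the option list, keep it off the command line. The `printcert_verdict` helper distinguishes a clean run from a keytool failure so that an older JDK rejecting `-keystore` is not mistaken for a suppressed warning.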
The following changes will be made to the keytool manpage.
@@ -833,6 +833,27 @@
- {`-jarfile` *JAR\_file*}: Signed `.jar` file
+ - {`-keystore` *keystore*}: Keystore name
+
+ - {`-trustcacerts`}: Trust certificates from cacerts
+
+ - \[`-storepass` *arg*\]: Keystore password
+
+ - {`-storetype` *type*}: Keystore type
+
+ - {`-providername` *name*}: Provider name
+
+ - {`-addprovider` *name* \[`-providerarg` *arg*\]}: Add security provider
+ by name (such as SunPKCS11) with an optional configure argument.
+
+ - {`-providerclass` *class* \[`-providerarg` *arg*\]}: Add security
+ provider by fully qualified class name with an optional configure
+ argument.
+
+ - {`-providerpath` *list*}: Provider classpath
+
+ - {`-protected`}: Password is provided through protected mechanism
+
- {`-v`}: Verbose output
Use the `-printcert` command to read and print the certificate from `-file`
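Review bot: the new `-keystore` and `-trustcacerts` entries describe the options only as "Keystore name" and "Trust certificates from cacerts", and the trailing paragraph still says the command reads the certificate "from `-file`" while `-jarfile` (and `-sslserver`) are also input sources in this list; state here, or in that paragraph, whether the trust lookup applies to certificates obtained from all of these sources, e.g. "- {`-trustcacerts`}: Trust certificates from cacerts when checking the printed certificates".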
@@ -860,7 +881,10 @@
**Note:**
- This option can be used independently of a keystore.
+ This command can be used independently of a keystore. This command does not
+ check for the weakness of a certificate's signature algorithm if it is a
+ trusted certificate in the user keystore (specified by `-keystore`) or in
+ the `cacerts` keystore (if `-trustcacerts` is specified).
`-printcertreq`
: The following are the available options for the `-printcertreq` command:
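Review bot: the rewritten note narrows the skipped check to "the weakness of a certificate's signature algorithm", while the Problem section speaks of the root CA using "a disabled or weak algorithm"; make the scope explicit, i.e. whether only the signature-algorithm check is suppressed for a trusted certificate and other weakness checks (such as key size) still apply. It should also say whether "a trusted certificate in the user keystore" means a trusted-certificate entry only or also the certificate of a private-key entry, since that decides which keystores silence the warning.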
@@ -879,6 +903,27 @@
- {`-file crl`}: Input file name
+ - {`-keystore` *keystore*}: Keystore name
+
+ - {`-trustcacerts`}: Trust certificates from cacerts
+
+ - \[`-storepass` *arg*\]: Keystore password
+
+ - {`-storetype` *type*}: Keystore type
+
+ - {`-providername` *name*}: Provider name
+
+ - {`-addprovider` *name* \[`-providerarg` *arg*\]}: Add security provider
+ by name (such as SunPKCS11) with an optional configure argument.
+
+ - {`-providerclass` *class* \[`-providerarg` *arg*\]}: Add security
+ provider by fully qualified class name with an optional configure
+ argument.
+
+ - {`-providerpath` *list*}: Provider classpath
+
+ - {`-protected`}: Password is provided through protected mechanism
+
- {`-v`}: Verbose output
Use the `-printcrl` command to read the Certificate Revocation List (CRL)
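Review bot: this list repeats the nine keystore and provider options from the `-printcert` hunk word for word; if the manpage already has a common description of these options, a cross-reference keeps the two lists from drifting. More to the point for `-printcrl`, "Keystore name" does not say what the keystore is used for here; a qualifier such as "Keystore containing the CRL issuer's certificate" ties the option to the verification described in the command's note.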
@@ -887,7 +932,10 @@
**Note:**
- This option can be used independently of a keystore.
+ This command can be used independently of a keystore. This command attempts
+ to verify the CRL using a certificate from the user keystore (specified by
+ `-keystore`) or the `cacerts` keystore (if `-trustcacerts` is specified), and
+ will print out a warning if it cannot be verified.
## Commands for Managing the Keystore
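Review bot: the new note says the command "attempts to verify the CRL using a certificate from the user keystore ... or the `cacerts` keystore" and warns if it cannot, but the preceding sentence keeps "can be used independently of a keystore"; state what happens when neither `-keystore` nor `-trustcacerts` is given (is the warning printed every time?), and whether an unverified CRL changes the exit status or only prints the warning, since scripts that consume `-printcrl` output need to know.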