Subversion Repositories openrisc

/* ImportCmd.java -- The import command handler of the keytool

   Copyright (C) 2006 Free Software Foundation, Inc.

This file is part of GNU Classpath.

GNU Classpath is free software; you can redistribute it and/or modify

it under the terms of the GNU General Public License as published by

the Free Software Foundation; either version 2, or (at your option)

any later version.

GNU Classpath is distributed in the hope that it will be useful, but

WITHOUT ANY WARRANTY; without even the implied warranty of

MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

General Public License for more details.

You should have received a copy of the GNU General Public License

along with GNU Classpath; see the file COPYING.  If not, write to the

Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA

02110-1301 USA.

Linking this library statically or dynamically with other modules is

making a combined work based on this library.  Thus, the terms and

conditions of the GNU General Public License cover the whole

combination.

As a special exception, the copyright holders of this library give you

permission to link this library with independent modules to produce an

executable, regardless of the license terms of these independent

modules, and to copy and distribute the resulting executable under

terms of your choice, provided that you also meet, for each linked

independent module, the terms and conditions of the license of that

module.  An independent module is a module which is not derived from

or based on this library.  If you modify this library, you may extend

this exception to your version of the library, but you are not

obligated to do so.  If you do not wish to do so, delete this

exception statement from your version. */

package gnu.classpath.tools.keytool;

import gnu.classpath.Configuration;

import gnu.classpath.SystemProperties;

import gnu.classpath.tools.common.ClasspathToolParser;

import gnu.classpath.tools.getopt.Option;

import gnu.classpath.tools.getopt.OptionException;

import gnu.classpath.tools.getopt.OptionGroup;

import gnu.classpath.tools.getopt.Parser;

import gnu.java.security.x509.X509CertPath;

import java.io.FileInputStream;

import java.io.IOException;

import java.security.Key;

import java.security.KeyStore;

import java.security.KeyStoreException;

import java.security.NoSuchAlgorithmException;

import java.security.Principal;

import java.security.PublicKey;

import java.security.UnrecoverableKeyException;

import java.security.cert.CertPathValidator;

import java.security.cert.CertPathValidatorException;

import java.security.cert.Certificate;

import java.security.cert.CertificateEncodingException;

import java.security.cert.CertificateException;

import java.security.cert.CertificateFactory;

import java.security.cert.PKIXCertPathValidatorResult;

import java.security.cert.PKIXParameters;

import java.security.cert.TrustAnchor;

import java.security.cert.X509Certificate;

import java.security.interfaces.DSAParams;

import java.security.interfaces.DSAPublicKey;

import java.security.interfaces.RSAPublicKey;

import java.util.Collection;

import java.util.LinkedList;

import java.util.ListIterator;

import java.util.logging.Level;

import java.util.logging.Logger;

import javax.security.auth.callback.Callback;

import javax.security.auth.callback.ConfirmationCallback;

import javax.security.auth.callback.UnsupportedCallbackException;

/**

 * The <code>-import</code> keytool command handler is used to read an X.509

 * certificate, or a PKCS#7 Certificate Reply from a designated input source and

 * incorporate the certificates into the key store.

 * <p>

 * If the <i>Alias</i> does not already exist in the key store, the tool treats

 * the certificate read from the input source as a new Trusted Certificate. It

 * then attempts to discover a chain-of-trust, starting from that certificate

 * and ending at another <i>Trusted Certificate</i>, already stored in the key

 * store.  If the <code>-trustcacerts</code> option is present, an additional

 * key store, of type <code>JKS</code> named <code>cacerts</code>, and assumed

 * to be present in <code>${JAVA_HOME}/lib/security</code> will also be

 * consulted if found --<code>${JAVA_HOME}</code> refers to the location of an

 * installed Java Runtime Environment (JRE). If no chain-of-trust can be

 * established, and unless the <code>-noprompt</code> option has been specified,

 * the certificate is printed to STDOUT and the user is prompted for a

 * confirmation.

 * <p>

 * If <i>Alias</i> exists in the key store, the tool will treat the

 * certificate(s) read from the input source as a <i>Certificate Reply</i>,

 * which can be a chain of certificates, that eventually would replace the chain

 * of certificates associated with the <i>Key Entry</i> of that <i>Alias</i>.

 * The substitution of the certificates only occurs if a chain-of-trust can be

 * established between the bottom certificate of the chain read from the input

 * file and the <i>Trusted Certificates</i> already present in the key store.

 * Again, if the <code>-trustcacerts</code> option is specified, additional

 * <i>Trusted Certificates</i> in the same <code>cacerts</code> key store will

 * be considered. If no chain-of-trust can be established, the operation will

 * abort.

 * <p>

 * Possible options for this command are:

 * <p>

 * <dl>

 *      <dt>-alias ALIAS</dt>

 *      <dd>Every entry, be it a <i>Key Entry</i> or a <i>Trusted

 *      Certificate</i>, in a key store is uniquely identified by a user-defined

 *      <i>Alias</i> string. Use this option to specify the <i>Alias</i> to use

 *      when referring to an entry in the key store. Unless specified otherwise,

 *      a default value of <code>mykey</code> shall be used when this option is

 *      omitted from the command line.

 *      <p></dd>

 *

 *      <dt>-file FILE_NAME</dt>

 *      <dd>The fully qualified path of the file to read from. If omitted, the

 *      tool will process STDIN.

 *      <p></dd>

 *

 *      <dt>-keypass PASSWORD</dt>

 *      <dd>Use this option to specify the password which the tool will use to

 *      protect the <i>Key Entry</i> associated with the designated <i>Alias</i>,

 *      when replacing this <i>Alias</i>' chain of certificates with that found

 *      in the certificate reply.

 *      <p>

 *      If this option is omitted, and the chain-of-trust for the certificate

 *      reply has been established, the tool will first attempt to unlock the

 *      <i>Key Entry</i> using the same password protecting the key store. If

 *      this fails, you will then be prompted to provide a password.

 *      <p></dd>

 *

 *      <dt>-noprompt</dt>

 *      <dd>Use this option to prevent the tool from prompting the user.

 *      <p></dd>

 *

 *      <dt>-trustcacerts</dt>

 *      <dd>Use this option to indicate to the tool that a key store, of type

 *      <code>JKS</code>, named <code>cacerts</code>, and usually located in

 *      <code>lib/security</code> in an installed Java Runtime Environment

 *      should be considered when trying to establish chain-of-trusts.

 *      <p></dd>

 *

 *      <dt>-storetype STORE_TYPE</dt>

 *      <dd>Use this option to specify the type of the key store to use. The

 *      default value, if this option is omitted, is that of the property

 *      <code>keystore.type</code> in the security properties file, which is

 *      obtained by invoking the {@link java.security.KeyStore#getDefaultType()}

 *      static method.

 *      <p></dd>

 *

 *      <dt>-keystore URL</dt>

 *      <dd>Use this option to specify the location of the key store to use.

 *      The default value is a file {@link java.net.URL} referencing the file

 *      named <code>.keystore</code> located in the path returned by the call to

 *      {@link java.lang.System#getProperty(String)} using <code>user.home</code>

 *      as argument.

 *      <p>

 *      If a URL was specified, but was found to be malformed --e.g. missing

 *      protocol element-- the tool will attempt to use the URL value as a file-

 *      name (with absolute or relative path-name) of a key store --as if the

 *      protocol was <code>file:</code>.

 *      <p></dd>

 *

 *      <dt>-storepass PASSWORD</dt>

 *      <dd>Use this option to specify the password protecting the key store. If

 *      this option is omitted from the command line, you will be prompted to

 *      provide a password.

 *      <p></dd>

 *

 *      <dt>-provider PROVIDER_CLASS_NAME</dt>

 *      <dd>A fully qualified class name of a Security Provider to add to the

 *      current list of Security Providers already installed in the JVM in-use.

 *      If a provider class is specified with this option, and was successfully

 *      added to the runtime --i.e. it was not already installed-- then the tool

 *      will attempt to removed this Security Provider before exiting.

 *      <p></dd>

 *

 *      <dt>-v</dt>

 *      <dd>Use this option to enable more verbose output.</dd>

 * </dl>

 */

class ImportCmd extends Command

{

  private static final Logger log = Logger.getLogger(ImportCmd.class.getName());

  private static final String GKR = "gkr"; //$NON-NLS-1$

  private static final String JKS = "jks"; //$NON-NLS-1$

  private static final String LIB = "lib"; //$NON-NLS-1$

  private static final String SECURITY = "security"; //$NON-NLS-1$

  private static final String CACERTS = "cacerts"; //$NON-NLS-1$

  private static final String CACERTS_GKR = CACERTS + "." + GKR; //$NON-NLS-1$

  protected String _alias;

  protected String _certFileName;

  protected String _password;

  protected boolean noPrompt;

  protected boolean trustCACerts;

  protected String _ksType;

  protected String _ksURL;

  protected String _ksPassword;

  protected String _providerClassName;

  private CertificateFactory x509Factory;

  /**

   * Pathname to a GKR-type cacerts file to use when trustCACerts is true. This

   * is usually a file named "cacerts.gkr" located in lib/security in the folder

   * specified by the system-property "gnu.classpath.home".

   */

  private String gkrCaCertsPathName;

  /**

   * Pathname to a JKS-type cacerts file to use when trustCACerts is true. This

   * is usually a file named "cacerts" located in lib/security in the folder

   * specified by the system-property "java.home".

   */

  private String jksCaCertsPathName;

  /** Alias self-signed certificate.  used when importing certificate replies. */

  private X509Certificate selfSignedCertificate;

  // default 0-arguments constructor

  // public setters -----------------------------------------------------------

  /** @param alias the existing alias to use. */

  public void setAlias(String alias)

  {

    this._alias = alias;

  }

  /** @param pathName the fully qualified path name of the file to process. */

  public void setFile(String pathName)

  {

    this._certFileName = pathName;

  }

  /** @param password the existing (private) key password to use. */

  public void setKeypass(String password)

  {

    this._password = password;

  }

  /**

   * @param flag whether to prompt, or not, the user to verify certificate

   *          fingerprints.

   */

  public void setNoprompt(String flag)

  {

    this.noPrompt = Boolean.valueOf(flag).booleanValue();

  }

  /**

   * @param flag whether to trust, or not, certificates found in the

   *          <code>cacerts</code> key store.

   */

  public void setTrustcacerts(String flag)

  {

    this.trustCACerts = Boolean.valueOf(flag).booleanValue();

  }

  /** @param type the key-store type to use. */

  public void setStoretype(String type)

  {

    this._ksType = type;

  }

  /** @param url the key-store URL to use. */

  public void setKeystore(String url)

  {

    this._ksURL = url;

  }

  /** @param password the key-store password to use. */

  public void setStorepass(String password)

  {

    this._ksPassword = password;

  }

  /** @param className a security provider fully qualified class name to use. */

  public void setProvider(String className)

  {

    this._providerClassName = className;

  }

  // life-cycle methods -------------------------------------------------------

  void setup() throws Exception

  {

    setInputStreamParam(_certFileName);

    setKeyStoreParams(true, _providerClassName, _ksType, _ksPassword, _ksURL);

    setAliasParam(_alias);

    setKeyPasswordNoPrompt(_password);

    if (Configuration.DEBUG)

      {

        log.fine("-import handler will use the following options:"); //$NON-NLS-1$

        log.fine("  -alias=" + alias); //$NON-NLS-1$

        log.fine("  -file=" + _certFileName); //$NON-NLS-1$

        log.fine("  -noprompt=" + noPrompt); //$NON-NLS-1$

        log.fine("  -trustcacerts=" + trustCACerts); //$NON-NLS-1$

        log.fine("  -storetype=" + storeType); //$NON-NLS-1$

        log.fine("  -keystore=" + storeURL); //$NON-NLS-1$

        log.fine("  -provider=" + provider); //$NON-NLS-1$

        log.fine("  -v=" + verbose); //$NON-NLS-1$

      }

  }

  void start() throws CertificateException, KeyStoreException, IOException,

      UnsupportedCallbackException, NoSuchAlgorithmException,

      CertPathValidatorException, UnrecoverableKeyException

  {

    if (Configuration.DEBUG)

      log.entering(this.getClass().getName(), "start"); //$NON-NLS-1$

    if (trustCACerts)

      {

        String fs = SystemProperties.getProperty("file.separator"); //$NON-NLS-1$

        String classpathHome = SystemProperties.getProperty("gnu.classpath.home"); //$NON-NLS-1$

        gkrCaCertsPathName = new StringBuilder(classpathHome).append(fs)

            .append(LIB).append(fs)

            .append(SECURITY).append(fs)

            .append(CACERTS_GKR).toString();

        String javaHome = SystemProperties.getProperty("java.home"); //$NON-NLS-1$

        jksCaCertsPathName = new StringBuilder(javaHome).append(fs)

            .append(LIB).append(fs)

            .append(SECURITY).append(fs)

            .append(CACERTS).toString();

      }

    x509Factory = CertificateFactory.getInstance("X.509"); //$NON-NLS-1$

    // the alias will tell us whether we're dealing with

    // a new trusted certificate or a certificate reply

    if (! store.containsAlias(alias))

      importNewTrustedCertificate();

    else

      {

        ensureAliasIsKeyEntry();

        importCertificateReply();

      }

    if (Configuration.DEBUG)

      log.exiting(this.getClass().getName(), "start"); //$NON-NLS-1$

  }

  // own methods --------------------------------------------------------------

  Parser getParser()

  {

    if (Configuration.DEBUG)

      log.entering(this.getClass().getName(), "getParser"); //$NON-NLS-1$

    Parser result = new ClasspathToolParser(Main.IMPORT_CMD, true);

    result.setHeader(Messages.getString("ImportCmd.27")); //$NON-NLS-1$

    result.setFooter(Messages.getString("ImportCmd.26")); //$NON-NLS-1$

    OptionGroup options = new OptionGroup(Messages.getString("ImportCmd.25")); //$NON-NLS-1$

    options.add(new Option(Main.ALIAS_OPT,

                           Messages.getString("ImportCmd.24"), //$NON-NLS-1$

                           Messages.getString("ImportCmd.23")) //$NON-NLS-1$

    {

      public void parsed(String argument) throws OptionException

      {

        _alias = argument;

      }

    });

    options.add(new Option(Main.FILE_OPT,

                           Messages.getString("ImportCmd.22"), //$NON-NLS-1$

                           Messages.getString("ImportCmd.21")) //$NON-NLS-1$

    {

      public void parsed(String argument) throws OptionException

      {

        _certFileName = argument;

      }

    });

    options.add(new Option(Main.KEYPASS_OPT,

                           Messages.getString("ImportCmd.20"), //$NON-NLS-1$

                           Messages.getString("ImportCmd.19")) //$NON-NLS-1$

    {

      public void parsed(String argument) throws OptionException

      {

        _password = argument;

      }

    });

    options.add(new Option("noprompt", //$NON-NLS-1$

                           Messages.getString("ImportCmd.18")) //$NON-NLS-1$

    {

      public void parsed(String argument) throws OptionException

      {

        noPrompt = true;

      }

    });

    options.add(new Option("trustcacerts", //$NON-NLS-1$

                           Messages.getString("ImportCmd.17")) //$NON-NLS-1$

    {

      public void parsed(String argument) throws OptionException

      {

        trustCACerts = true;

      }

    });

    options.add(new Option(Main.STORETYPE_OPT,

                           Messages.getString("ImportCmd.16"), //$NON-NLS-1$

                           Messages.getString("ImportCmd.15")) //$NON-NLS-1$

    {

      public void parsed(String argument) throws OptionException

      {

        _ksType = argument;

      }

    });

    options.add(new Option(Main.KEYSTORE_OPT,

                           Messages.getString("ImportCmd.14"), //$NON-NLS-1$

                           Messages.getString("ImportCmd.13")) //$NON-NLS-1$

    {

      public void parsed(String argument) throws OptionException

      {

        _ksURL = argument;

      }

    });

    options.add(new Option(Main.STOREPASS_OPT,

                           Messages.getString("ImportCmd.12"), //$NON-NLS-1$

                           Messages.getString("ImportCmd.11")) //$NON-NLS-1$

    {

      public void parsed(String argument) throws OptionException

      {

        _ksPassword = argument;

      }

    });

    options.add(new Option(Main.PROVIDER_OPT,

                           Messages.getString("ImportCmd.10"), //$NON-NLS-1$

                           Messages.getString("ImportCmd.9")) //$NON-NLS-1$

    {

      public void parsed(String argument) throws OptionException

      {

        _providerClassName = argument;

      }

    });

    options.add(new Option(Main.VERBOSE_OPT,

                           Messages.getString("ImportCmd.8")) //$NON-NLS-1$

    {

      public void parsed(String argument) throws OptionException

      {

        verbose = true;

      }

    });

    result.add(options);

    if (Configuration.DEBUG)

      log.exiting(this.getClass().getName(), "getParser", result); //$NON-NLS-1$

    return result;

  }

  /**

   * When importing a new trusted certificate, <i>alias</i> MUST NOT yet exist

   * in the key store.

   * <p>

   * Before adding the certificate to the key store and associate it with the

   * designated Alias, this method tries to verify it by attempting to construct

   * a chain of trust from that certificate to a self-signed certificate

   * (belonging to a root CA), using (already) trusted certificates that are

   * available in the key store.

   * <p>

   * If the <code>-trustcacerts</code> option was detected on the command

   * line, additional trusted certificates are considered for establishing the

   * chain of trust. Those additional certificates are assumed to be in a key

   * store, of type <code>JKS</code> named <code>cacerts</code> and usually

   * located in <code>${JAVA_HOME}/lib/security</code>, where

   * <code>${JAVA_HOME}</code> is the root folder location of a Java runtime.

   * <p>

   * If this method fails to establish a trust path from the certificate to be

   * imported up to a trusted self-signed certificate, the certificate is

   * printed to <code>STDOUT</code>, and the user is prompted to verify it,

   * with the option of aborting the import operation. If however the option

   * <code>-noprompt</code> was detected on the command line, no interaction

   * with the user will take place and the import operation will abort.

   *

   * @throws CertificateException

   * @throws KeyStoreException

   * @throws NoSuchAlgorithmException

   * @throws UnsupportedCallbackException

   * @throws IOException

   * @throws UnrecoverableKeyException

   * @throws CertPathValidatorException

   */

  private void importNewTrustedCertificate() throws CertificateException,

      KeyStoreException, NoSuchAlgorithmException, IOException,

      UnsupportedCallbackException, CertPathValidatorException,

      UnrecoverableKeyException

  {

    if (Configuration.DEBUG)

      log.entering(this.getClass().getName(), "importNewTrustedCertificate"); //$NON-NLS-1$

    Certificate certificate = x509Factory.generateCertificate(inStream);

    if (Configuration.DEBUG)

      log.fine("certificate = " + certificate); //$NON-NLS-1$

    LinkedList orderedReply = new LinkedList();

    orderedReply.addLast(certificate);

    if (findTrustAndUpdate(orderedReply, ! noPrompt))

      {

        store.setCertificateEntry(alias, certificate);

        System.out.println(Messages.getString("ImportCmd.29")); //$NON-NLS-1$

        saveKeyStore();

      }

    else

      System.out.println(Messages.getString("ImportCmd.28")); //$NON-NLS-1$

    if (Configuration.DEBUG)

      log.exiting(this.getClass().getName(), "importNewTrustedCertificate"); //$NON-NLS-1$

  }

  /**

   * A certificate reply is a certificate, whose Owner is stored in the key

   * store associated to the designated Alias, and now signed by supposedly a

   * trusted CA (Certificate Authority). In other words, the Subject in this

   * certificate reply is Alias's own and the Issuer is a CA.

   * <p>

   * When importing a certificate reply, the reply is validated using trusted

   * certificates from the key store, and optionally (if the option

   * <code>-trustcacerts</code> was detected on the command line) certificates

   * found in the key store, of type <code>JKS</code> named <code>cacerts</code>

   * located in <code>${JAVA_HOME}/lib/security</code>, where

   * <code>${JAVA_HOME}</code> is the root folder location of a Java runtime.

   *

   * @throws CertificateException

   * @throws UnsupportedCallbackException

   * @throws IOException

   * @throws KeyStoreException

   * @throws CertPathValidatorException

   * @throws NoSuchAlgorithmException

   * @throws UnrecoverableKeyException

   */

  private void importCertificateReply() throws CertificateException,

      IOException, UnsupportedCallbackException, KeyStoreException,

      NoSuchAlgorithmException, CertPathValidatorException,

      UnrecoverableKeyException

  {

    if (Configuration.DEBUG)

      log.entering(this.getClass().getName(), "importCertificateReply"); //$NON-NLS-1$

    Collection certificates = x509Factory.generateCertificates(inStream);

    ensureReplyIsOurs(certificates);

    // we now have established that the public keys are the same.

    // find a chain-of-trust if one exists

    if (certificates.size() == 1)

      importCertificate((Certificate) certificates.iterator().next());

    else

      importChain(certificates);

    if (Configuration.DEBUG)

      log.exiting(this.getClass().getName(), "importCertificateReply"); //$NON-NLS-1$

  }

  /**

   * If the reply is a single X.509 certificate, keytool attempts to establish a

   * trust chain, starting at the certificate reply and ending at a self-signed

   * certificate (belonging to a root CA). The certificate reply and the

   * hierarchy of certificates used to authenticate the certificate reply form

   * the new certificate chain of alias. If a trust chain cannot be established,

   * the certificate reply is not imported. In this case, keytool does not print

   * out the certificate, nor does it prompt the user to verify it. This is

   * because it is very hard (if not impossible) for a user to determine the

   * authenticity of the certificate reply.

   *

   * @param certificate the certificate reply to import into the key store.

   * @throws NoSuchAlgorithmException

   * @throws CertPathValidatorException

   * @throws UnsupportedCallbackException

   * @throws IOException

   * @throws UnrecoverableKeyException

   * @throws KeyStoreException

   * @throws CertificateException

   */

  private void importCertificate(Certificate certificate)

      throws NoSuchAlgorithmException, CertPathValidatorException,

      KeyStoreException, UnrecoverableKeyException, IOException,

      UnsupportedCallbackException, CertificateException

  {

    if (Configuration.DEBUG)

      log.entering(this.getClass().getName(), "importCertificate", certificate); //$NON-NLS-1$

    LinkedList reply = new LinkedList();

    reply.addLast(certificate);

    if (! findTrustAndUpdate(reply, false))

      throw new CertPathValidatorException(Messages.getString("ImportCmd.34")); //$NON-NLS-1$

    Certificate[] newChain = (Certificate[]) reply.toArray(new Certificate[0]);

    Key privateKey = getAliasPrivateKey();

    store.setKeyEntry(alias, privateKey, keyPasswordChars, newChain);

    saveKeyStore();

    if (Configuration.DEBUG)

      log.exiting(this.getClass().getName(), "importCertificate"); //$NON-NLS-1$

  }

  /**

   * If the reply is a PKCS#7 formatted certificate chain, the chain is first

   * ordered (with the user certificate first and the self-signed root CA

   * certificate last), before keytool attempts to match the root CA certificate

   * provided in the reply with any of the trusted certificates in the key store

   * or the "cacerts" keystore file (if the -trustcacerts option was specified).

   * If no match can be found, the information of the root CA certificate is

   * printed out, and the user is prompted to verify it, e.g., by comparing the

   * displayed certificate fingerprints with the fingerprints obtained from some

   * other (trusted) source of information, which might be the root CA itself.

   * The user then has the option of aborting the import operation. If the

   * -noprompt option is given, however, there will be no interaction with the

   * user.

   *

   * @param chain the collection of certificates parsed from the user

   *          designated input.

   * @throws UnsupportedCallbackException

   * @throws IOException

   * @throws UnrecoverableKeyException

   * @throws KeyStoreException

   * @throws CertPathValidatorException

   * @throws NoSuchAlgorithmException

   * @throws CertificateException

   */

  private void importChain(Collection chain) throws NoSuchAlgorithmException,

      CertPathValidatorException, KeyStoreException, UnrecoverableKeyException,

      IOException, UnsupportedCallbackException, CertificateException

  {

    if (Configuration.DEBUG)

      log.entering(this.getClass().getName(), "importChain", chain); //$NON-NLS-1$

    LinkedList reply = orderChain(chain);

    if (findTrustAndUpdate(reply, ! noPrompt))

      {

        Certificate[] newChain = (Certificate[]) reply.toArray(new Certificate[0]);

        Key privateKey = getAliasPrivateKey();

        store.setKeyEntry(alias, privateKey, keyPasswordChars, newChain);

        saveKeyStore();

      }

    if (Configuration.DEBUG)

      log.exiting(this.getClass().getName(), "importChain"); //$NON-NLS-1$

  }

  /**

   * Check to ensure that alias's public key is the subject of the first

   * certificate in the passed certificate collection. Throws an exception if

   * the public keys do not match.

   *

   * @param certificates a {@link Collection} of certificate replies (either a

   *          signle certificate reply, or a PKCS#7 certificate reply chain)

   *          usually sent by a CA as a response to a Certificate Signing

   *          Request (CSR).

   * @throws IOException

   * @throws UnsupportedCallbackException

   * @throws KeyStoreException

   */

  private void ensureReplyIsOurs(Collection certificates) throws IOException,

      UnsupportedCallbackException, KeyStoreException

  {

    if (Configuration.DEBUG)

      log.entering(this.getClass().getName(), "ensureReplyIsOurs"); //$NON-NLS-1$

    Certificate certificate = (Certificate) certificates.iterator().next();

    if (Configuration.DEBUG)

      log.fine("certificate = " + certificate); //$NON-NLS-1$

    Certificate[] chain = store.getCertificateChain(alias);

    if (chain == null)

      throw new IllegalArgumentException(Messages.getFormattedString("ImportCmd.37", //$NON-NLS-1$

                                                                     alias));

    selfSignedCertificate = (X509Certificate) chain[0];

    PublicKey anchorPublicKey = selfSignedCertificate.getPublicKey();

    PublicKey certPublicKey = certificate.getPublicKey();

    boolean sameKey;

    if (anchorPublicKey instanceof DSAPublicKey)

      {

        DSAPublicKey pk1 = (DSAPublicKey) anchorPublicKey;

        if (!(certPublicKey instanceof DSAPublicKey))

          throw new IllegalArgumentException(Messages.getString("ImportCmd.38")); //$NON-NLS-1$

        sameKey = areEqual(pk1, (DSAPublicKey) certPublicKey);

      }

    else if (anchorPublicKey instanceof RSAPublicKey)

      {

        RSAPublicKey pk1 = (RSAPublicKey) anchorPublicKey;

        if (!(certPublicKey instanceof RSAPublicKey))

          throw new IllegalArgumentException(Messages.getString("ImportCmd.38")); //$NON-NLS-1$

        sameKey = areEqual(pk1, (RSAPublicKey) certPublicKey);

      }

    else

      throw new IllegalArgumentException(

          Messages.getFormattedString("ImportCmd.40", //$NON-NLS-1$

                                      new String[] { alias,

                                                     anchorPublicKey.getClass().getName() }));

    if (! sameKey)

      throw new IllegalArgumentException(Messages.getString("ImportCmd.41")); //$NON-NLS-1$

    if (Configuration.DEBUG)

      log.exiting(this.getClass().getName(), "ensureReplyIsOurs"); //$NON-NLS-1$

  }

  private boolean areEqual(DSAPublicKey pk1, DSAPublicKey pk2)

  {

    if (pk1.getY().compareTo(pk2.getY()) != 0)

      return false;

    DSAParams p1 = pk1.getParams();