Fix up library versions and classpath
[java-idp.git] / src / edu / internet2 / middleware / shibboleth / utils / ExtKeyTool.java
index 89f6ba4..2dade76 100755 (executable)
@@ -1,50 +1,17 @@
-/* 
- * The Shibboleth License, Version 1. 
- * Copyright (c) 2002 
- * University Corporation for Advanced Internet Development, Inc. 
- * All rights reserved
- * 
- * 
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions are met:
- * 
- * Redistributions of source code must retain the above copyright notice, this 
- * list of conditions and the following disclaimer.
- * 
- * Redistributions in binary form must reproduce the above copyright notice, 
- * this list of conditions and the following disclaimer in the documentation 
- * and/or other materials provided with the distribution, if any, must include 
- * the following acknowledgment: "This product includes software developed by 
- * the University Corporation for Advanced Internet Development 
- * <http://www.ucaid.edu>Internet2 Project. Alternately, this acknowledegement 
- * may appear in the software itself, if and wherever such third-party 
- * acknowledgments normally appear.
- * 
- * Neither the name of Shibboleth nor the names of its contributors, nor 
- * Internet2, nor the University Corporation for Advanced Internet Development, 
- * Inc., nor UCAID may be used to endorse or promote products derived from this 
- * software without specific prior written permission. For written permission, 
- * please contact shibboleth@shibboleth.org
- * 
- * Products derived from this software may not be called Shibboleth, Internet2, 
- * UCAID, or the University Corporation for Advanced Internet Development, nor 
- * may Shibboleth appear in their name, without prior written permission of the 
- * University Corporation for Advanced Internet Development.
- * 
- * 
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 
- * AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A 
- * PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK 
- * OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE. 
- * IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY 
- * CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY DIRECT, 
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+/*
+ * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  */
 
 package edu.internet2.middleware.shibboleth.utils;
@@ -59,6 +26,7 @@ import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
+import java.io.OutputStream;
 import java.io.PrintStream;
 import java.security.Key;
 import java.security.KeyFactory;
@@ -71,27 +39,33 @@ import java.security.Provider;
 import java.security.PublicKey;
 import java.security.Security;
 import java.security.UnrecoverableKeyException;
+import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
+import java.security.interfaces.RSAKey;
+import java.security.spec.KeySpec;
 import java.security.spec.PKCS8EncodedKeySpec;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Properties;
 
 import javax.crypto.Cipher;
+import javax.crypto.SecretKey;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.DESKeySpec;
+import javax.crypto.spec.DESedeKeySpec;
 
 import org.apache.log4j.ConsoleAppender;
 import org.apache.log4j.Level;
 import org.apache.log4j.LogManager;
 import org.apache.log4j.Logger;
 import org.apache.log4j.PatternLayout;
-import sun.misc.BASE64Encoder;
+import org.bouncycastle.util.encoders.Base64;
 
 /**
- * Extension utility for use alongside Sun's keytool program.  Performs useful functions not found
- * in original.
- * 
+ * Extension utility for use alongside Sun's keytool program. Performs useful functions not found in original.
+ *
  * @author Walter Hoehn
  */
 
@@ -99,23 +73,23 @@ public class ExtKeyTool {
 
        protected static Logger log = Logger.getLogger(ExtKeyTool.class.getName());
 
-       /** 
+       /**
         * Creates and initializes a java <code>KeyStore</code>
         * 
-        * @param provider                      name of the jce provider to use in loading the keystore
-        * @param keyStoreStream        stream used to retrieve the keystore
-        * @param storeType             the type of the keystore
-        * @param keyStorePassword      password used to verify the integrity of the keystore
-        * 
-        * @throws ExtKeyToolException if a problem is encountered loading the keystore
+        * @param provider
+        *            name of the jce provider to use in loading the keystore
+        * @param keyStoreStream
+        *            stream used to retrieve the keystore
+        * @param storeType
+        *            the type of the keystore
+        * @param keyStorePassword
+        *            password used to verify the integrity of the keystore
+        * @throws ExtKeyToolException
+        *             if a problem is encountered loading the keystore
         */
 
-       protected KeyStore loadKeyStore(
-               String provider,
-               InputStream keyStoreStream,
-               String storeType,
-               char[] keyStorePassword)
-               throws ExtKeyToolException {
+       protected KeyStore loadKeyStore(String provider, InputStream keyStoreStream, String storeType,
+                       char[] keyStorePassword) throws ExtKeyToolException {
 
                try {
                        if (storeType == null) {
@@ -128,6 +102,8 @@ public class ExtKeyTool {
                        KeyStore keyStore;
                        if (storeType.equals("JKS")) {
                                keyStore = KeyStore.getInstance(storeType, "SUN");
+                       } else if (storeType.equals("JCEKS")) {
+                               keyStore = KeyStore.getInstance(storeType, "SunJCE");
                        } else {
                                keyStore = KeyStore.getInstance(storeType, provider);
                        }
@@ -161,31 +137,45 @@ public class ExtKeyTool {
                }
        }
 
-       /** 
+       private void writeWithWrapping(byte[] base64text, int linesize, OutputStream out)
+       throws IOException
+       {
+               int length = base64text.length;
+               if (length == 0) return;
+
+               out.write( (int)base64text[0] );
+               for (int i=1; i < length; i++)
+               {
+                       if (i%linesize == 0) out.write('\n');
+                       out.write( (int)base64text[i] );
+               }
+       }
+
+       /**
         * Retrieves a private key from a java keystore and writes it to an <code>PrintStream</code>
         * 
-        * @param provider                      name of the jce provider to use in retrieving the key
-        * @param outStream             stream that should be used to output the retrieved key
-        * @param keyStoreStream        stream used to retrieve the keystore
-        * @param storeType             the type of the keystore
-        * @param keyStorePassword      password used to verify the integrity of the keystore
-        * @param keyAlias                      the alias under which the key is stored
-        * @param keyPassword           the password for recovering the key
-        * @param rfc boolean           indicator of whether the key should be Base64 encoded 
-        *                                                      before being written to the stream
-        * @throws ExtKeyToolException if there a problem retrieving or writing the key
+        * @param provider
+        *            name of the jce provider to use in retrieving the key
+        * @param outStream
+        *            stream that should be used to output the retrieved key
+        * @param keyStoreStream
+        *            stream used to retrieve the keystore
+        * @param storeType
+        *            the type of the keystore
+        * @param keyStorePassword
+        *            password used to verify the integrity of the keystore
+        * @param keyAlias
+        *            the alias under which the key is stored
+        * @param keyPassword
+        *            the password for recovering the key
+        * @param rfc
+        *            boolean indicator of whether the key should be Base64 encoded before being written to the stream
+        * @throws ExtKeyToolException
+        *             if there a problem retrieving or writing the key
         */
 
-       public void exportKey(
-               String provider,
-               PrintStream outStream,
-               InputStream keyStoreStream,
-               String storeType,
-               char[] keyStorePassword,
-               String keyAlias,
-               char[] keyPassword,
-               boolean rfc)
-               throws ExtKeyToolException {
+       public void exportKey(String provider, PrintStream outStream, InputStream keyStoreStream, String storeType,
+                       char[] keyStorePassword, String keyAlias, char[] keyPassword, boolean rfc) throws ExtKeyToolException {
 
                try {
 
@@ -204,15 +194,17 @@ public class ExtKeyTool {
                        }
                        log.info("Found key.");
 
+                       byte[] encodedKey = key.getEncoded();
+
                        if (rfc) {
                                log.debug("Dumping with rfc encoding");
-                               outStream.println("-----BEGIN " + key.getAlgorithm() + " PRIVATE KEY-----");
-                               BASE64Encoder encoder = new BASE64Encoder();
-                               encoder.encodeBuffer(key.getEncoded(), outStream);
-                               outStream.println("-----END " + key.getAlgorithm() + " PRIVATE KEY-----");
+                               outStream.println("-----BEGIN PRIVATE KEY-----");
+                               writeWithWrapping(Base64.encode(encodedKey), 76, outStream);
+                               outStream.println();
+                               outStream.println("-----END PRIVATE KEY-----");
                        } else {
                                log.debug("Dumping with default encoding.");
-                               outStream.write(key.getEncoded());
+                               outStream.write(encodedKey);
                        }
 
                } catch (KeyStoreException e) {
@@ -226,16 +218,55 @@ public class ExtKeyTool {
                        throw new ExtKeyToolException("Could not recover key with the installed JCE providers: " + nse);
                } catch (UnrecoverableKeyException uke) {
                        log.error("The key specified key cannot be recovered with the given password: " + uke);
-                       throw new ExtKeyToolException(
-                               "The key specified key cannot be recovered with the given password: " + uke);
+                       throw new ExtKeyToolException("The key specified key cannot be recovered with the given password: " + uke);
+               }
+       }
+
+       /**
+        * Attempts to unmarshall a secret key from a given stream.
+        * 
+        * @param keyStream
+        *            the <code>InputStream</code> suppying the key
+        * @param algorithm
+        *            the key algorithm
+        * @throws ExtKeyToolException
+        *             if there a problem unmarshalling the key
+        */
+
+       protected SecretKey readSecretKey(String provider, InputStream keyStream, String algorithm)
+                       throws ExtKeyToolException {
+
+               try {
+                       SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(algorithm, provider);
+
+                       byte[] inputBuffer = new byte[8];
+                       int i;
+                       ByteContainer inputBytes = new ByteContainer(400);
+                       do {
+                               i = keyStream.read(inputBuffer);
+                               for (int j = 0; j < i; j++) {
+                                       inputBytes.append(inputBuffer[j]);
+                               }
+                       } while (i > -1);
+
+                       KeySpec keySpec = null;
+                       if (algorithm.equals("DESede")) keySpec = new DESedeKeySpec(inputBytes.toByteArray());
+                       else if (algorithm.equals("DES")) keySpec = new DESKeySpec(inputBytes.toByteArray());
+                       return keyFactory.generateSecret(keySpec);
+
+               } catch (Exception e) {
+                       log.error("Problem reading secret key: " + e.getMessage());
+                       throw new ExtKeyToolException("Problem reading secret key.  Keys should be DER encoded native format.");
                }
        }
 
        /**
         * Boolean indication of whether a given private key and public key form a valid keypair.
         * 
-        * @param pubKey the public key
-        * @param privKey the private key
+        * @param pubKey
+        *            the public key
+        * @param privKey
+        *            the private key
         */
 
        protected boolean isMatchingKey(String algorithm, PublicKey pubKey, PrivateKey privKey) {
@@ -243,6 +274,21 @@ public class ExtKeyTool {
                try {
                        String controlString = "asdf";
                        log.debug("Checking for matching private key/public key pair");
+
+                       /*
+                        * If both keys are RSA, compare the modulus. They can't be a pair if that doesn't match. Doing this early
+                        * check means we don't have to do a trial encryption for every public key (faster) and avoids warning
+                        * messages from the depths of the crypto provider if the key lengths differ.
+                        */
+                       if (privKey instanceof RSAKey && pubKey instanceof RSAKey) {
+                               RSAKey pubRSA = (RSAKey) pubKey;
+                               RSAKey privRSA = (RSAKey) privKey;
+                               if (!privRSA.getModulus().equals(pubRSA.getModulus())) {
+                                       log.debug("RSA modulus mismatch");
+                                       return false;
+                               }
+                       }
+
                        Cipher cipher = Cipher.getInstance(algorithm);
                        cipher.init(Cipher.ENCRYPT_MODE, pubKey);
                        byte[] encryptedData = cipher.doFinal(controlString.getBytes("UTF-8"));
@@ -260,16 +306,20 @@ public class ExtKeyTool {
                return false;
        }
 
-       /** 
+       /**
         * Attempts to unmarshall a private key from a given stream.
         * 
-        * @param keyStream the <code>InputStream</code> suppying the key
-        * @param algorithm the key algorithm
-        * @throws ExtKeyToolException if there a problem unmarshalling the key
+        * @param keyStream
+        *            the <code>InputStream</code> suppying the key
+        * @param algorithm
+        *            the key algorithm
+        * @throws ExtKeyToolException
+        *             if there a problem unmarshalling the key
         */
 
        protected PrivateKey readPrivateKey(String provider, InputStream keyStream, String algorithm)
-               throws ExtKeyToolException {
+                       throws ExtKeyToolException {
+
                try {
                        KeyFactory keyFactory = KeyFactory.getInstance(algorithm, provider);
 
@@ -288,31 +338,30 @@ public class ExtKeyTool {
 
                } catch (Exception e) {
                        log.error("Problem reading private key: " + e.getMessage());
-                       throw new ExtKeyToolException("Problem reading private key: " + e.getMessage());
+                       throw new ExtKeyToolException(
+                                       "Problem reading private key.  Keys should be DER encoded pkcs8 or DER encoded native format.");
                }
        }
 
        /**
-        * Converts an array of certificates into an ordered chain.  A
-        * certificate that matches the specified private key will be returned
-        * first and the root certificate will be returned last.
+        * Converts an array of certificates into an ordered chain. A certificate that matches the specified private key
+        * will be returned first and the root certificate will be returned last.
         * 
-        * @param       untestedCerts array of certificates
-        * @param       privKey the private key used to determine the first cert in the chain
-        * @throws InvalidCertificateChainException thrown if a chain cannot be constructed 
-        *                      from the specified elements
+        * @param untestedCerts
+        *            array of certificates
+        * @param privKey
+        *            the private key used to determine the first cert in the chain
+        * @throws InvalidCertificateChainException
+        *             thrown if a chain cannot be constructed from the specified elements
         */
 
-       protected X509Certificate[] linkChain(
-               String keyAlgorithm,
-               X509Certificate[] untestedCerts,
-               PrivateKey privKey)
-               throws InvalidCertificateChainException {
+       protected X509Certificate[] linkChain(String keyAlgorithm, X509Certificate[] untestedCerts, PrivateKey privKey)
+                       throws InvalidCertificateChainException {
 
                log.debug("Located " + untestedCerts.length + " cert(s) in input file");
 
                log.info("Finding end cert in chain.");
-               ArrayList replyCerts = new ArrayList();
+               ArrayList<X509Certificate> replyCerts = new ArrayList<X509Certificate>();
                for (int i = 0; untestedCerts.length > i; i++) {
                        if (isMatchingKey(keyAlgorithm, untestedCerts[i].getPublicKey(), privKey)) {
                                log.debug("Found matching end cert: " + untestedCerts[i].getSubjectDN());
@@ -325,7 +374,8 @@ public class ExtKeyTool {
                }
                if (replyCerts.size() > 1) {
                        log.error("More than one certificate in chain that matches specified private key");
-                       throw new InvalidCertificateChainException("More than one certificate in chain that matches specified private key");
+                       throw new InvalidCertificateChainException(
+                                       "More than one certificate in chain that matches specified private key");
                }
 
                log.info("Populating chain with remaining certs.");
@@ -338,8 +388,7 @@ public class ExtKeyTool {
                                ((X509Certificate) replyCerts.get(i)).verify(pubKey);
                        } catch (Exception e) {
                                log.error("Certificate chain cannot be verified: " + e.getMessage());
-                               throw new InvalidCertificateChainException(
-                                       "Certificate chain cannot be verified: " + e.getMessage());
+                               throw new InvalidCertificateChainException("Certificate chain cannot be verified: " + e.getMessage());
                        }
                }
                log.info("All signatures verified. Certificate chain successfully created.");
@@ -348,17 +397,19 @@ public class ExtKeyTool {
        }
 
        /**
-        * Given an ArrayList containing a base certificate and an array of unordered certificates, 
-        * populates the ArrayList with an ordered certificate chain, based on subject and issuer.
+        * Given an ArrayList containing a base certificate and an array of unordered certificates, populates the ArrayList
+        * with an ordered certificate chain, based on subject and issuer.
         * 
-        * @param       chainSource array of certificates to pull from
-        * @param       chainDest ArrayList containing base certificate
-        * @throws InvalidCertificateChainException thrown if a chain cannot be constructed from 
-        *                      the specified elements
+        * @param chainSource
+        *            array of certificates to pull from
+        * @param chainDest
+        *            ArrayList containing base certificate
+        * @throws InvalidCertificateChainException
+        *             thrown if a chain cannot be constructed from the specified elements
         */
 
-       protected void walkChain(X509Certificate[] chainSource, ArrayList chainDest)
-               throws InvalidCertificateChainException {
+       protected void walkChain(X509Certificate[] chainSource, ArrayList<X509Certificate> chainDest)
+                       throws InvalidCertificateChainException {
 
                X509Certificate currentCert = (X509Certificate) chainDest.get(chainDest.size() - 1);
                if (currentCert.getSubjectDN().equals(currentCert.getIssuerDN())) {
@@ -377,41 +428,40 @@ public class ExtKeyTool {
                }
        }
 
-       /** 
-        * Given a java keystore, private key, and matching certificate chain; creates a new 
-        * keystore containing the union of these objects
-        * 
-        * @param provider                      the name of the jce provider to use
-        * @param keyAlgorithm          the algorithm of the key to be added, defaults to RSA if null
-        * @param keyStream             strema used to retrieve the private key, can contain a PEM encoded 
-        *                                                      or pkcs8 encoded key
-        * @param chainStream           stream used to retrieve certificates, can contain a series of 
-        *                                                      PEM encoded certs or a pkcs7 chain
-        * @param keyStoreInStream      stream used to retrieve the initial keystore
-        * @param storeType             the type of the keystore
-        * @param keyAlias                      the alias under which the key/chain should be saved
-        * @param keyStorePassword      password used to verify the integrity of the old keystore and 
-        *                                                      save the new keystore
-        * @param keyPassword           the password for saving the key
+       /**
+        * Given a java keystore, private key, and matching certificate chain; creates a new keystore containing the union
+        * of these objects
         * 
+        * @param provider
+        *            the name of the jce provider to use
+        * @param keyAlgorithm
+        *            the algorithm of the key to be added, defaults to RSA if null
+        * @param keyStream
+        *            strema used to retrieve the private key, can contain a PEM encoded or pkcs8 encoded key
+        * @param chainStream
+        *            stream used to retrieve certificates, can contain a series of PEM encoded certs or a pkcs7 chain
+        * @param keyStoreInStream
+        *            stream used to retrieve the initial keystore
+        * @param storeType
+        *            the type of the keystore
+        * @param keyAlias
+        *            the alias under which the key/chain should be saved
+        * @param keyStorePassword
+        *            password used to verify the integrity of the old keystore and save the new keystore
+        * @param keyPassword
+        *            the password for saving the key
+        * @param secret
+        *            indicates this is a secret key import
         * @return an OutputStream containing the new keystore
-        * 
-        * @throws ExtKeyToolException if there a problem importing the key
+        * @throws ExtKeyToolException
+        *             if there a problem importing the key
         */
 
-       public ByteArrayOutputStream importKey(
-               String provider,
-               String keyAlgorithm,
-               InputStream keyStream,
-               InputStream chainStream,
-               InputStream keyStoreInStream,
-               String storeType,
-               String keyAlias,
-               char[] keyStorePassword,
-               char[] keyPassword)
-               throws ExtKeyToolException {
-
-               log.info("Importing key pair.");
+       public ByteArrayOutputStream importKey(String provider, String keyAlgorithm, InputStream keyStream,
+                       InputStream chainStream, InputStream keyStoreInStream, String storeType, String keyAlias,
+                       char[] keyStorePassword, char[] keyPassword, boolean secret) throws ExtKeyToolException {
+
+               log.info("Importing " + (secret ? "key pair" : "secret key."));
                try {
 
                        // The Sun provider incorrectly reads only the first cert in the stream.
@@ -429,31 +479,42 @@ public class ExtKeyTool {
                        }
                        if (keyStore.containsAlias(keyAlias) == true && keyStore.isKeyEntry(keyAlias)) {
                                log.error("Could not import key: " + "key alias (" + keyAlias + ") already exists");
-                               throw new ExtKeyToolException(
-                                       "Could not import key: " + "key alias (" + keyAlias + ") already exists");
+                               throw new ExtKeyToolException("Could not import key: " + "key alias (" + keyAlias + ") already exists");
                        }
                        keyStore.deleteEntry(keyAlias);
 
-                       log.info("Reading private key.");
-                       if (keyAlgorithm == null) {
-                               keyAlgorithm = "RSA";
-                       }
-                       log.debug("Using key algorithm: (" + keyAlgorithm + ")");
-                       PrivateKey key = readPrivateKey(provider, keyStream, keyAlgorithm);
+                       if (secret) {
+                               log.info("Reading secret key.");
+                               if (keyAlgorithm == null) {
+                                       keyAlgorithm = "AES";
+                               }
+                               log.debug("Using key algorithm: (" + keyAlgorithm + ")");
+                               SecretKey key = readSecretKey(provider, keyStream, keyAlgorithm);
+                               keyStore.setKeyEntry(keyAlias, key, keyPassword, null);
+                       } else {
+                               log.info("Reading private key.");
+                               if (keyAlgorithm == null) {
+                                       keyAlgorithm = "RSA";
+                               }
+                               log.debug("Using key algorithm: (" + keyAlgorithm + ")");
+                               PrivateKey key = readPrivateKey(provider, keyStream, keyAlgorithm);
 
-                       log.info("Reading certificate chain.");
+                               log.info("Reading certificate chain.");
 
-                       CertificateFactory certFactory = CertificateFactory.getInstance("X.509", provider);
-                       Collection chain = certFactory.generateCertificates(new BufferedInputStream(chainStream));
-                       if (chain.isEmpty()) {
-                               log.error("Input did not contain any valid certificates.");
-                               throw new ExtKeyToolException("Input did not contain any valid certificates.");
-                       }
+                               CertificateFactory certFactory = CertificateFactory.getInstance("X.509", provider);
+                               Collection<? extends Certificate> chain = certFactory.generateCertificates(new BufferedInputStream(
+                                               chainStream));
+                               if (chain.isEmpty()) {
+                                       log.error("Input did not contain any valid certificates.");
+                                       throw new ExtKeyToolException("Input did not contain any valid certificates.");
+                               }
 
-                       X509Certificate[] verifiedChain =
-                               linkChain(keyAlgorithm, (X509Certificate[]) chain.toArray(new X509Certificate[0]), key);
+                               X509Certificate[] verifiedChain = linkChain(keyAlgorithm, (X509Certificate[]) chain
+                                               .toArray(new X509Certificate[0]), key);
+
+                               keyStore.setKeyEntry(keyAlias, key, keyPassword, verifiedChain);
+                       }
 
-                       keyStore.setKeyEntry(keyAlias, key, keyPassword, verifiedChain);
                        ByteArrayOutputStream keyStoreOutStream = new ByteArrayOutputStream();
                        keyStore.store(keyStoreOutStream, keyStorePassword);
                        log.info("Key Store saved to stream.");
@@ -480,81 +541,70 @@ public class ExtKeyTool {
        /**
         * Tries to decipher command line arguments.
         * 
-        * @throws IllegalArgumentException if arguments are not properly formatted
+        * @throws IllegalArgumentException
+        *             if arguments are not properly formatted
         */
 
        private static Properties parseArguments(String[] args) throws IllegalArgumentException {
 
-               if (args.length < 1) {
-                       throw new IllegalArgumentException("No arguments found.");
-               }
+               if (args.length < 1) { throw new IllegalArgumentException("No arguments found."); }
                Properties parsedArguments = new Properties();
 
-               for (int i = 0;(i < args.length) && args[i].startsWith("-"); i++) {
+               for (int i = 0; (i < args.length) && args[i].startsWith("-"); i++) {
 
                        String flags = args[i];
 
-                       //parse actions
+                       // parse actions
                        if (flags.equalsIgnoreCase("-exportkey")) {
                                parsedArguments.setProperty("command", "exportKey");
                        } else if (flags.equalsIgnoreCase("-importkey")) {
                                parsedArguments.setProperty("command", "importKey");
                        }
 
-                       //parse specifiers
-                       else if (flags.equalsIgnoreCase("-alias")) {
-                               if (++i == args.length) {
-                                       throw new IllegalArgumentException("The argument -alias requires a parameter");
-                               }
+                       // parse specifiers
+                       else if (flags.equalsIgnoreCase("-secret")) {
+                               parsedArguments.setProperty("secret", "true");
+                       } else if (flags.equalsIgnoreCase("-alias")) {
+                               if (++i == args.length) { throw new IllegalArgumentException("The argument -alias requires a parameter"); }
                                parsedArguments.setProperty("alias", args[i]);
                        } else if (flags.equalsIgnoreCase("-keyfile")) {
-                               if (++i == args.length) {
-                                       throw new IllegalArgumentException("The argument -keyfile requires a parameter");
-                               }
+                               if (++i == args.length) { throw new IllegalArgumentException(
+                                               "The argument -keyfile requires a parameter"); }
                                parsedArguments.setProperty("keyFile", args[i]);
                        } else if (flags.equalsIgnoreCase("-certfile")) {
-                               if (++i == args.length) {
-                                       throw new IllegalArgumentException("The argument -certfile requires a parameter");
-                               }
+                               if (++i == args.length) { throw new IllegalArgumentException(
+                                               "The argument -certfile requires a parameter"); }
                                parsedArguments.setProperty("certFile", args[i]);
                        } else if (flags.equalsIgnoreCase("-keystore")) {
-                               if (++i == args.length) {
-                                       throw new IllegalArgumentException("The argument -keystore requires a parameter");
-                               }
+                               if (++i == args.length) { throw new IllegalArgumentException(
+                                               "The argument -keystore requires a parameter"); }
                                parsedArguments.setProperty("keyStore", args[i]);
                        } else if (flags.equalsIgnoreCase("-storepass")) {
-                               if (++i == args.length) {
-                                       throw new IllegalArgumentException("The argument -storepass requires a parameter");
-                               }
+                               if (++i == args.length) { throw new IllegalArgumentException(
+                                               "The argument -storepass requires a parameter"); }
                                parsedArguments.setProperty("storePass", args[i]);
                        } else if (flags.equalsIgnoreCase("-storetype")) {
-                               if (++i == args.length) {
-                                       throw new IllegalArgumentException("The argument -storetype requires a parameter");
-                               }
+                               if (++i == args.length) { throw new IllegalArgumentException(
+                                               "The argument -storetype requires a parameter"); }
                                parsedArguments.setProperty("storeType", args[i]);
                        } else if (flags.equalsIgnoreCase("-keypass")) {
-                               if (++i == args.length) {
-                                       throw new IllegalArgumentException("The argument -keypass requires a parameter");
-                               }
+                               if (++i == args.length) { throw new IllegalArgumentException(
+                                               "The argument -keypass requires a parameter"); }
                                parsedArguments.setProperty("keyPass", args[i]);
                        } else if (flags.equalsIgnoreCase("-provider")) {
-                               if (++i == args.length) {
-                                       throw new IllegalArgumentException("The argument -provider requires a parameter");
-                               }
+                               if (++i == args.length) { throw new IllegalArgumentException(
+                                               "The argument -provider requires a parameter"); }
                                parsedArguments.setProperty("provider", args[i]);
                        } else if (flags.equalsIgnoreCase("-file")) {
-                               if (++i == args.length) {
-                                       throw new IllegalArgumentException("The argument -file requires a parameter");
-                               }
+                               if (++i == args.length) { throw new IllegalArgumentException("The argument -file requires a parameter"); }
                                parsedArguments.setProperty("file", args[i]);
                        } else if (flags.equalsIgnoreCase("-algorithm")) {
-                               if (++i == args.length) {
-                                       throw new IllegalArgumentException("The argument -algorithm requires a parameter");
-                               }
+                               if (++i == args.length) { throw new IllegalArgumentException(
+                                               "The argument -algorithm requires a parameter"); }
                                parsedArguments.setProperty("keyAlgorithm", args[i]);
                        }
 
-                       //options
+                       // options
                        else if (flags.equalsIgnoreCase("-v")) {
                                parsedArguments.setProperty("verbose", "true");
                        } else if (flags.equalsIgnoreCase("-rfc")) {
@@ -563,15 +613,13 @@ public class ExtKeyTool {
                                throw new IllegalArgumentException("Unrecognized argument: " + flags);
                        }
                }
-               if (parsedArguments.getProperty("command", null) == null) {
-                       throw new IllegalArgumentException("No action specified");
-               }
+               if (parsedArguments.getProperty("command", null) == null) { throw new IllegalArgumentException(
+                               "No action specified"); }
                return parsedArguments;
        }
 
        /**
-        * Ensures that providers specified on the command line are in fact loaded
-        * into the current environment.
+        * Ensures that providers specified on the command line are in fact loaded into the current environment.
         * 
         * @return the name of the provider add, null if no provider was added
         */
@@ -598,12 +646,13 @@ public class ExtKeyTool {
         */
 
        protected void startLogger(Properties arguments) {
+
                Logger root = Logger.getRootLogger();
-               root.addAppender(new ConsoleAppender(new PatternLayout(PatternLayout.TTCC_CONVERSION_PATTERN)));
-               if (arguments.getProperty("verbose", null) == null
-                       || arguments.getProperty("verbose", null).equals("false")) {
+               if (arguments.getProperty("verbose", null) == null || arguments.getProperty("verbose", null).equals("false")) {
+                       root.addAppender(new ConsoleAppender(new PatternLayout(PatternLayout.DEFAULT_CONVERSION_PATTERN)));
                        root.setLevel(Level.WARN);
                } else {
+                       root.addAppender(new ConsoleAppender(new PatternLayout(PatternLayout.TTCC_CONVERSION_PATTERN)));
                        root.setLevel(Level.DEBUG);
                }
        }
@@ -611,9 +660,16 @@ public class ExtKeyTool {
        public static void main(String[] args) {
 
                try {
-                       Properties arguments = parseArguments(args);
-
                        ExtKeyTool tool = new ExtKeyTool();
+                       Properties arguments = null;
+                       try {
+                               arguments = parseArguments(args);
+                       } catch (IllegalArgumentException iae) {
+                               System.err.println("Illegal argument specified: " + iae.getMessage()
+                                               + System.getProperty("line.separator"));
+                               printUsage(System.err);
+                               System.exit(1);
+                       }
                        tool.startLogger(arguments);
                        String providerName = tool.initProvider(arguments);
                        if (providerName != null) {
@@ -621,11 +677,6 @@ public class ExtKeyTool {
                        }
                        tool.run(arguments);
 
-               } catch (IllegalArgumentException iae) {
-                       log.fatal(
-                               "Illegal argument specified: " + iae.getMessage() + System.getProperty("line.separator"));
-                       LogManager.shutdown();
-                       printUsage(System.err);
                } catch (ExtKeyToolException ske) {
                        log.fatal("Cannot Perform Operation: " + ske.getMessage() + System.getProperty("line.separator"));
                        LogManager.shutdown();
@@ -636,12 +687,13 @@ public class ExtKeyTool {
        /**
         * Based on on a set of properties, executes <code>ExtKeyTool</code> actions.
         * 
-        * @param arguments runtime parameters specified on the command line
+        * @param arguments
+        *            runtime parameters specified on the command line
         */
 
        private void run(Properties arguments) throws ExtKeyToolException {
 
-               //common for all actions
+               // common for all actions
                char[] storePassword = null;
                if (arguments.getProperty("storePass", null) != null) {
                        storePassword = arguments.getProperty("storePass").toCharArray();
@@ -654,7 +706,7 @@ public class ExtKeyTool {
                        providerName = "SUN";
                }
 
-               //export key action
+               // export key action
                if (arguments.getProperty("command").equals("exportKey")) {
 
                        boolean rfc = false;
@@ -674,21 +726,16 @@ public class ExtKeyTool {
                        }
 
                        try {
-                               exportKey(
-                                       providerName,
-                                       outStream,
-                                       new FileInputStream(resolveKeyStore(arguments.getProperty("keyStore", null))),
-                                       arguments.getProperty("storeType", null),
-                                       storePassword,
-                                       arguments.getProperty("alias", null),
-                                       resolveKeyPass(arguments.getProperty("keyPass", null), storePassword),
-                                       rfc);
+                               exportKey(providerName, outStream, new FileInputStream(resolveKeyStore(arguments.getProperty(
+                                               "keyStore", null))), arguments.getProperty("storeType", null), storePassword, arguments
+                                               .getProperty("alias", null), resolveKeyPass(arguments.getProperty("keyPass", null),
+                                               storePassword), rfc);
                        } catch (FileNotFoundException e) {
                                throw new ExtKeyToolException("KeyStore not found.");
                        }
                        outStream.close();
 
-                       //import action
+                       // import action
                } else if (arguments.getProperty("command").equals("importKey")) {
 
                        InputStream keyInStream = null;
@@ -709,30 +756,23 @@ public class ExtKeyTool {
                                } catch (FileNotFoundException e) {
                                        throw new ExtKeyToolException("Could not open cert file." + e.getMessage());
                                }
-                       } else {
-                               throw new IllegalArgumentException("Certificate file must be specified.");
-                       }
+                       } else if (!arguments.getProperty("secret").equalsIgnoreCase("true")) { throw new IllegalArgumentException(
+                                       "Certificate file must be specified."); }
 
                        try {
-                               ByteArrayOutputStream keyStoreOutStream =
-                                       importKey(
-                                               providerName,
-                                               arguments.getProperty("keyAlgorithm", null),
-                                               keyInStream,
-                                               certInStream,
-                                               new FileInputStream(resolveKeyStore(arguments.getProperty("keyStore", null))),
-                                               arguments.getProperty("storeType", null),
-                                               arguments.getProperty("alias", null),
-                                               storePassword,
-                                               resolveKeyPass(arguments.getProperty("keyPass", null), storePassword));
+
+                               ByteArrayOutputStream keyStoreOutStream = importKey(providerName, arguments.getProperty("keyAlgorithm",
+                                               null), keyInStream, certInStream, new FileInputStream(resolveKeyStore(arguments.getProperty(
+                                               "keyStore", null))), arguments.getProperty("storeType", null), arguments.getProperty("alias",
+                                               null), storePassword, resolveKeyPass(arguments.getProperty("keyPass", null), storePassword),
+                                               arguments.getProperty("secret", "false").equalsIgnoreCase("true"));
 
                                keyInStream.close();
                                // A quick sanity check before we overwrite the old keystore
-                               if (keyStoreOutStream == null || keyStoreOutStream.size() < 1) {
-                                       throw new ExtKeyToolException("Failed to create keystore: results are null");
-                               }
-                               keyStoreOutStream.writeTo(
-                                       new FileOutputStream(resolveKeyStore(arguments.getProperty("keyStore", null))));
+                               if (keyStoreOutStream == null || keyStoreOutStream.size() < 1) { throw new ExtKeyToolException(
+                                               "Failed to create keystore: results are null"); }
+                               keyStoreOutStream
+                                               .writeTo(new FileOutputStream(resolveKeyStore(arguments.getProperty("keyStore", null))));
                                System.out.println("Key import successful.");
 
                        } catch (FileNotFoundException e) {
@@ -742,8 +782,8 @@ public class ExtKeyTool {
                        }
 
                } else {
-                       throw new IllegalArgumentException(
-                               "This keytool cannot perform the operation: (" + arguments.getProperty("command") + ")");
+                       throw new IllegalArgumentException("This keytool cannot perform the operation: ("
+                                       + arguments.getProperty("command") + ")");
                }
 
        }
@@ -754,8 +794,7 @@ public class ExtKeyTool {
         * @return the <code>File</code> representation of the selected keystore
         */
 
-       protected File resolveKeyStore(String keyStoreLocation)
-               throws ExtKeyToolException, FileNotFoundException {
+       protected File resolveKeyStore(String keyStoreLocation) throws ExtKeyToolException, FileNotFoundException {
 
                if (keyStoreLocation == null) {
                        keyStoreLocation = System.getProperty("user.home") + File.separator + ".keystore";
@@ -770,8 +809,9 @@ public class ExtKeyTool {
        }
 
        /**
-        * Decides what password to use for storing/retrieving keys from the keystore.  NOTE: Possible
-        * terminal interaction with the user.
+        * Decides what password to use for storing/retrieving keys from the keystore. NOTE: Possible terminal interaction
+        * with the user.
+        * 
         * @return a char array containing the password
         */
 
@@ -787,9 +827,7 @@ public class ExtKeyTool {
                                BufferedReader reader = new BufferedReader(new InputStreamReader(System.in));
                                String passwordInput = reader.readLine();
                                passwordInput.trim();
-                               if (passwordInput != null) {
-                                       return passwordInput.toCharArray();
-                               }
+                               if (passwordInput != null && !passwordInput.equals("")) { return passwordInput.toCharArray(); }
                        } catch (IOException e) {
                                log.warn(e.getMessage());
                        }
@@ -808,9 +846,10 @@ public class ExtKeyTool {
                out.print("\t     [-keypass <keypass>] ");
                out.println("[-provider <provider_class_name>] ");
                out.print("\t     [-file <output_file>] ");
-               out.println();out.println();
+               out.println();
+               out.println();
 
-               out.print("-importkey      [-v] [-alias <alias>] ");
+               out.print("-importkey      [-v] [-secret] [-alias <alias>] ");
                out.println("[-keyfile <key_file>]");
                out.print("\t     [-keystore <keystore>] ");
                out.println("[-storepass <storepass>]");
@@ -828,7 +867,6 @@ public class ExtKeyTool {
         */
 
        // Sure makes you wish bytes were first class objects.
-
        private class ByteContainer {
 
                private byte[] buffer;
@@ -836,11 +874,13 @@ public class ExtKeyTool {
                private int currentSize = 0;
 
                private ByteContainer(int cushion) {
+
                        buffer = new byte[cushion];
                        this.cushion = cushion;
                }
 
                private void grow() {
+
                        log.debug("Growing ByteContainer.");
                        int newSize = currentSize + cushion;
                        byte[] b = new byte[newSize];
@@ -852,11 +892,13 @@ public class ExtKeyTool {
                        buffer = b;
                }
 
-               /** 
-                * Returns an array of the bytes in the container. <p>
+               /**
+                * Returns an array of the bytes in the container.
+                * <p>
                 */
 
                private byte[] toByteArray() {
+
                        byte[] b = new byte[currentSize];
                        for (int i = 0; i < currentSize; i++) {
                                b[i] = buffer[i];
@@ -864,11 +906,12 @@ public class ExtKeyTool {
                        return b;
                }
 
-               /** 
+               /**
                 * Add one byte to the end of the container.
                 */
 
                private void append(byte b) {
+
                        if (currentSize == buffer.length) {
                                grow();
                        }
@@ -885,20 +928,21 @@ public class ExtKeyTool {
        protected class ExtKeyToolException extends Exception {
 
                protected ExtKeyToolException(String message) {
+
                        super(message);
                }
        }
 
        /**
-        * Signals that an error occurred while trying to constuct a
-        * certificate chain.
+        * Signals that an error occurred while trying to constuct a certificate chain.
         */
 
        protected class InvalidCertificateChainException extends ExtKeyToolException {
 
                protected InvalidCertificateChainException(String message) {
+
                        super(message);
                }
        }
 
-}
+}
\ No newline at end of file