keytool is not in jdk-base-image

Sean Mullan sean.mullan at oracle.com
Thu Sep 1 08:28:43 PDT 2011


On 8/31/11 8:46 PM, Weijun Wang wrote:
> 
> 
> On 09/01/2011 05:53 AM, Mandy Chung wrote:
>> On 8/31/11 2:34 PM, Sean Mullan wrote:
>>> It will be difficult to sign modules without keytool. (It's possible, but you
>>> would have to have a keystore already set up with your keys and certificates and
>>> know the alias name, etc).
>>
>> But keytool depends on jsse and jndi. Can these dependencies be
>> eliminated or made optional?
> 
> The jndi dependence can be optional, but keytool needs the jsse module 
> to generate certs. See below:
> 
>>
>> sun.security.tools.JarSigner -> sun.security.util.PathList (sun.jsse)
> 
> JarSigner?
> 
>> sun.security.tools.KeyTool -> javax.net.ssl.HttpsURLConnection (sun.jsse)
>> sun.security.tools.KeyTool -> javax.net.ssl.SSLContext (sun.jsse)
>> sun.security.tools.KeyTool -> javax.net.ssl.TrustManager (sun.jsse)
>> sun.security.tools.KeyTool$2 -> javax.net.ssl.X509TrustManager (sun.jsse)
>> sun.security.tools.KeyTool$3 -> javax.net.ssl.HostnameVerifier (sun.jsse)
>> sun.security.tools.KeyTool$3 -> javax.net.ssl.SSLSession (sun.jsse)
> 
> for keytool -printcert -sslserver <ssl_server>

This option is very specific to SSL. Can we make this optional? The option would
fail if sun.jsse is not installed.

>> sun.security.tools.KeyTool -> sun.security.pkcs.PKCS10 (sun.jsse)
>> sun.security.tools.KeyTool -> sun.security.pkcs.PKCS10Attribute (sun.jsse)
>> sun.security.tools.KeyTool -> sun.security.pkcs.PKCS10Attributes (sun.jsse)

Move these into jdk.tools.base. I don't think anything else uses PKCS10.

> 
> for keytool -certreq
> 
>> sun.security.tools.KeyTool -> sun.security.provider.certpath.ldap.LDAPCertStoreHelper (sun.jndi)
> 
> for keytool -printcrl -file ldap://....

Ok, we should make that optional so jndi is not required.

> 
>> sun.security.tools.KeyTool -> sun.security.util.PathList (sun.jsse)
> 
> PathList is a utility class to create "a:b:c" on Unix and "a;b;c" on 
> Windows. Is there a similar tool inside base?

This class is simple enough that we can just copy the functionality into keytool.

>> sun.security.tools.KeyTool -> sun.security.x509.CertAndKeyGen (sun.jsse)
> 
> for keytool -genkeypair and keytool -gencert

Move CertAndKeyGen into jdk.tools.base. I don't think anything else uses it.

--Sean
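
An added example, not part of the original message and not keytool's source: one way a command-line tool can treat the SSL and LDAP options discussed above as optional, probing for the class each option needs and reporting a clear error when its module is absent. The class name `OptionalFeatureGate`, the `-demo-missing` option, and the error wording are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration (hypothetical class, not keytool code): gate each
// option on the presence of the optional class it depends on.
public class OptionalFeatureGate {

    // Option -> class it needs, taken from the dependency list in the thread.
    static final Map<String, String> REQUIRES = new LinkedHashMap<>();
    static {
        REQUIRES.put("-printcert -sslserver", "javax.net.ssl.SSLContext");
        REQUIRES.put("-printcrl -file ldap://",
                "sun.security.provider.certpath.ldap.LDAPCertStoreHelper");
        // Constructed entry that is always absent, to show the failure path.
        REQUIRES.put("-demo-missing", "example.invalid.NotInstalled");
    }

    // Probe without initializing the class, so no code from the optional
    // module runs just because we asked whether it exists.
    static boolean isPresent(String className) {
        try {
            Class.forName(className, false,
                    OptionalFeatureGate.class.getClassLoader());
            return true;
        } catch (ClassNotFoundException | LinkageError e) {
            return false;
        }
    }

    // Returns null if the option may run, otherwise the message to show.
    static String check(String option) {
        String needed = REQUIRES.get(option);
        if (needed == null || isPresent(needed)) {
            return null;
        }
        return "error: " + option + " is unavailable; required class "
                + needed + " is not installed";
    }

    public static void main(String[] args) {
        for (String option : REQUIRES.keySet()) {
            String err = check(option);
            System.out.println(option + " : "
                    + (err == null ? "available" : err));
        }
    }
}
```

The code that actually uses the optional classes would live in a separate class loaded only after `check` returns null, so the tool's main class carries no static reference to the optional module.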


