Relook at 6937978: let keytool -gencert generate the chain

Xuelei Fan xuelei.fan at oracle.com
Fri Jan 21 08:12:05 UTC 2011 

Is there any impact on the return value of
KeyStore.getCertificateChain(String)?

Andrew

On 1/21/2011 12:25 PM, Weijun Wang wrote:
> Hi Sean
> 
> Some time ago we enhanced "keytool -gencert" to generate a cert chain,
> including certicates from the end-entity to the secondary level CA,
> except the root CA. I have some different opinion now, and think maybe
> it's better to include the root CA.
> 
> 1. There is no spec saying a chain cannot include the root CA. In fact,
> in MSIE's certificate exporting dialog, when p7b format is selected and
> a chain is exported, it includes the root CA cert.
> 
> 2. No matter if the root CA cert is there or not, when we call "keytool
> -importcert" on the chain, if the root CA is already trusted, the reply
> can be imported silently, and inside the PrivateKeyEntry, the root CA
> cert will be added anyway.
> 
> 3. *Here comes the important reason*: If the root CA is not already
> trusted, "keytool -importcert" command will show a warning asking the
> user to accept the last cert in the chain. I'm quite sure the user would
> like to see the root CA info here, but not the secondary CA.
> 
> The code change will be a simple
> 
> diff --git a/src/share/classes/sun/security/tools/KeyTool.java
> b/src/share/classes/sun/security/tools/KeyTool.java
> --- a/src/share/classes/sun/security/tools/KeyTool.java
> +++ b/src/share/classes/sun/security/tools/KeyTool.java
> @@ -1249,9 +1249,7 @@
>          for (Certificate ca: keyStore.getCertificateChain(alias)) {
>              if (ca instanceof X509Certificate) {
>                  X509Certificate xca = (X509Certificate)ca;
> -                if (!isSelfSigned(xca)) {
>                      dumpCert(xca, out);
> -                }
>              }
>          }
>      }
> 
> Thanks
> Max
> 
> 
> 
> 
> -------- Original Message --------
> Subject: hg: jdk7/tl/jdk: 6937978: let keytool -gencert generate the chain
> Date: Fri, 16 Apr 2010 02:06:34 +0000
> From: Weijun.Wang at Sun.COM
> To: jdk7-changes at openjdk.java.net, compiler-dev at openjdk.java.net,
> core-libs-dev at openjdk.java.net, serviceability-dev at openjdk.java.net,
> security-dev at openjdk.java.net, net-dev at openjdk.java.net
> 
> Changeset: db4fd2fdf196
> Author:    weijun
> Date:      2010-04-16 10:06 +0800
> URL:       http://hg.openjdk.java.net/jdk7/tl/jdk/rev/db4fd2fdf196
> 
> 6937978: let keytool -gencert generate the chain
> Reviewed-by: mullan
> 
> ! src/share/classes/sun/security/tools/KeyTool.java
> ! test/sun/security/tools/keytool/selfissued.sh
>

More information about the security-dev mailing list