Relook at 6937978: let keytool -gencert generate the chain

Weijun Wang weijun.wang at oracle.com
Fri Jan 21 08:23:32 UTC 2011
On 01/21/2011 04:12 PM, Xuelei Fan wrote:
> Is there any impact on the return value of
> KeyStore.getCertificateChain(String)?

Nothing. This method returns what's actually inside the KeyStore entry.

My proposal only makes the output of the "keytool -gencert -file certs" 
command different. As described in my number 2 reason below, it won't 
even make any changes to the "keytool -import -file certs" result.

Max

>
> Andrew
>
> On 1/21/2011 12:25 PM, Weijun Wang wrote:
>> Hi Sean
>>
>> Some time ago we enhanced "keytool -gencert" to generate a cert chain,
>> including certificates from the end-entity to the secondary level CA,
>> except the root CA. I have a different opinion now, and think maybe
>> it's better to include the root CA.
>>
>> 1. There is no spec saying a chain cannot include the root CA. In fact,
>> in MSIE's certificate exporting dialog, when p7b format is selected and
>> a chain is exported, it includes the root CA cert.
>>
>> 2. No matter if the root CA cert is there or not, when we call "keytool
>> -importcert" on the chain, if the root CA is already trusted, the reply
>> can be imported silently, and inside the PrivateKeyEntry, the root CA
>> cert will be added anyway.
>>
>> 3. *Here comes the important reason*: If the root CA is not already
>> trusted, "keytool -importcert" command will show a warning asking the
>> user to accept the last cert in the chain. I'm quite sure the user would
>> like to see the root CA info here, but not the secondary CA.
>>
>> The code change will be a simple
>>
>> diff --git a/src/share/classes/sun/security/tools/KeyTool.java
>> b/src/share/classes/sun/security/tools/KeyTool.java
>> --- a/src/share/classes/sun/security/tools/KeyTool.java
>> +++ b/src/share/classes/sun/security/tools/KeyTool.java
>> @@ -1249,9 +1249,7 @@
>>           for (Certificate ca: keyStore.getCertificateChain(alias)) {
>>               if (ca instanceof X509Certificate) {
>>                   X509Certificate xca = (X509Certificate)ca;
>> -                if (!isSelfSigned(xca)) {
>>                       dumpCert(xca, out);
>> -                }
>>               }
>>           }
>>       }
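Review bot: the surviving `dumpCert(xca, out);` line between the two removed lines keeps the indentation of the deleted `if (!isSelfSigned(xca)) {` block; re-indent it one level out so it sits at the level of the enclosing `if (ca instanceof X509Certificate)` body. With the filter gone, every self-signed certificate in `keyStore.getCertificateChain(alias)` is now written to the reply, which covers the intended root-CA case but also a signer alias that is itself self-signed (the reply then carries the signer's own certificate in addition to the new one); `test/sun/security/tools/keytool/selfissued.sh`, listed in the original 6937978 changeset below, should be updated to expect the extra certificate so the new reply contents are pinned by a test, and it is worth checking whether `isSelfSigned` still has other callers in KeyTool.java after this change.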
>>
>> Thanks
>> Max
>>
>>
>>
>>
>> -------- Original Message --------
>> Subject: hg: jdk7/tl/jdk: 6937978: let keytool -gencert generate the chain
>> Date: Fri, 16 Apr 2010 02:06:34 +0000
>> From: Weijun.Wang at Sun.COM
>> To: jdk7-changes at openjdk.java.net, compiler-dev at openjdk.java.net,
>> core-libs-dev at openjdk.java.net, serviceability-dev at openjdk.java.net,
>> security-dev at openjdk.java.net, net-dev at openjdk.java.net
>>
>> Changeset: db4fd2fdf196
>> Author:    weijun
>> Date:      2010-04-16 10:06 +0800
>> URL:       http://hg.openjdk.java.net/jdk7/tl/jdk/rev/db4fd2fdf196
>>
>> 6937978: let keytool -gencert generate the chain
>> Reviewed-by: mullan
>>
>> ! src/share/classes/sun/security/tools/KeyTool.java
>> ! test/sun/security/tools/keytool/selfissued.sh
>>
>
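The behaviour argued over above can be reproduced with keytool itself. The script below is an added example, not code from the thread or from the JDK: it builds a throw-away three-level PKI (root CA, secondary CA, end entity) in PKCS12 stores, has the secondary CA answer the end-entity CSR with "keytool -gencert", counts the certificates in that reply (two with the isSelfSigned() filter in place, three once the root is included as proposed), and then installs the reply into the end-entity store after trusting the root, which shows point 2 of the proposal: the stored PrivateKeyEntry chain has length 3 either way. It assumes keytool from JDK 8 or later is on PATH (PKCS12 stores need JDK 8 to hold trusted-certificate entries); the aliases, distinguished names and password are invented for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from the JDK: a throw-away
# three-level PKI (root CA -> secondary CA -> end entity) exercised with
# keytool to show what "-gencert" puts in the reply and what "-importcert"
# stores afterwards. Assumes keytool (JDK 8 or later) is on PATH; every
# alias, DN and the password are made up for the demo.
set -e

PASS=changeit    # demo-only password, used for both stores and all keys

# Fresh scratch directory; each run starts from empty keystores.
new_workdir() {
    WORK=$(mktemp -d)
    CA="$WORK/ca.p12"    # root CA and secondary ("sub") CA private keys
    EE="$WORK/ee.p12"    # end-entity private key
}

# keytool against one keystore, with store type and password filled in.
kt() { _store=$1; shift; keytool "$@" -keystore "$_store" -storetype PKCS12 -storepass "$PASS"; }

# 1. Self-signed root CA, then a secondary CA whose cert is issued by the root.
build_cas() {
    kt "$CA" -genkeypair -alias root -dname "CN=Demo Root CA" -keyalg RSA -keysize 2048 \
        -ext bc:c -validity 3650 -keypass "$PASS"
    kt "$CA" -genkeypair -alias sub -dname "CN=Demo Sub CA" -keyalg RSA -keysize 2048 \
        -keypass "$PASS"
    kt "$CA" -certreq -alias sub -file "$WORK/sub.csr" -keypass "$PASS"
    kt "$CA" -gencert -alias root -infile "$WORK/sub.csr" -outfile "$WORK/sub.crt" \
        -ext bc:c -validity 1825 -rfc -keypass "$PASS"
    # The root already lives in this store, so the reply installs silently.
    kt "$CA" -importcert -alias sub -file "$WORK/sub.crt" -keypass "$PASS" -noprompt
    kt "$CA" -exportcert -alias root -file "$WORK/root.crt" -rfc
}

# 2. End-entity key and CSR; the reply file is what "keytool -gencert" writes.
issue_ee() {
    kt "$EE" -genkeypair -alias ee -dname "CN=server.example.test" -keyalg RSA \
        -keysize 2048 -keypass "$PASS"
    kt "$EE" -certreq -alias ee -file "$WORK/ee.csr" -keypass "$PASS"
    kt "$CA" -gencert -alias sub -infile "$WORK/ee.csr" -outfile "$WORK/ee-reply.pem" \
        -validity 365 -rfc -keypass "$PASS"
}

# Certificates in the reply: 2 (end entity + sub CA) while the isSelfSigned()
# filter is in place, 3 once the root CA is included as proposed in the thread.
reply_cert_count() { grep -c 'BEGIN CERTIFICATE' "$WORK/ee-reply.pem"; }

# Subjects in the reply, in file order; shows at a glance whether the root is there.
reply_subjects() { keytool -printcert -file "$WORK/ee-reply.pem" | sed -n 's/^Owner: //p'; }

# 3. Trust the root in the end-entity store, then install the reply. This is
#    the thread's point 2: the root ends up in the PrivateKeyEntry chain
#    whether or not the reply carried it.
install_reply() {
    kt "$EE" -importcert -alias root -file "$WORK/root.crt" -noprompt
    kt "$EE" -importcert -alias ee -file "$WORK/ee-reply.pem" -keypass "$PASS" -noprompt
}

# Length of the chain now stored under the end-entity alias (expected: 3).
installed_chain_length() { kt "$EE" -list -v -alias ee | sed -n 's/^Certificate chain length: //p'; }

run_demo() {
    new_workdir
    build_cas
    issue_ee
    echo "certificates in the -gencert reply: $(reply_cert_count)"
    reply_subjects
    install_reply
    echo "chain length stored under 'ee' after -importcert: $(installed_chain_length)"
    echo "keystores left in $WORK"
}

if command -v keytool >/dev/null 2>&1; then
    run_demo
else
    echo "keytool not found on PATH; nothing run" >&2
fi
```

To see point 3 of the proposal, run `install_reply` with its first line (the trusted import of `root.crt`) removed and without `-noprompt`: keytool then has no trust anchor for the reply and asks whether to install it anyway, printing the last certificate of the reply, which is the secondary CA with today's output and the root CA once the root is included.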
