Relook at 6937978: let keytool -gencert generate the chain

Xuelei Fan xuelei.fan at oracle.com
Fri Jan 21 08:32:22 UTC 2011 

OK.

Thanks,
Xuelei


On 1/21/2011 4:23 PM, Weijun Wang wrote:
> 
> 
> On 01/21/2011 04:12 PM, Xuelei Fan wrote:
>> Is there any impact on the return value of
>> KeyStore.getCertificateChain(String)?
> 
> Nothing. This method returns what's actually inside the KeyStore entry.
> 
> My proposal only make the output of "keytool -gencert -file certs"
> command different. As described in my number 2 reason below, it won't
> even make any changes to the "keytool -import -file certs" result.
> 
> Max
> 
>>
>> Andrew
>>
>> On 1/21/2011 12:25 PM, Weijun Wang wrote:
>>> Hi Sean
>>>
>>> Some time ago we enhanced "keytool -gencert" to generate a cert chain,
>>> including certicates from the end-entity to the secondary level CA,
>>> except the root CA. I have some different opinion now, and think maybe
>>> it's better to include the root CA.
>>>
>>> 1. There is no spec saying a chain cannot include the root CA. In fact,
>>> in MSIE's certificate exporting dialog, when p7b format is selected and
>>> a chain is exported, it includes the root CA cert.
>>>
>>> 2. No matter if the root CA cert is there or not, when we call "keytool
>>> -importcert" on the chain, if the root CA is already trusted, the reply
>>> can be imported silently, and inside the PrivateKeyEntry, the root CA
>>> cert will be added anyway.
>>>
>>> 3. *Here comes the important reason*: If the root CA is not already
>>> trusted, "keytool -importcert" command will show a warning asking the
>>> user to accept the last cert in the chain. I'm quite sure the user would
>>> like to see the root CA info here, but not the secondary CA.
>>>
>>> The code change will be a simple
>>>
>>> diff --git a/src/share/classes/sun/security/tools/KeyTool.java
>>> b/src/share/classes/sun/security/tools/KeyTool.java
>>> --- a/src/share/classes/sun/security/tools/KeyTool.java
>>> +++ b/src/share/classes/sun/security/tools/KeyTool.java
>>> @@ -1249,9 +1249,7 @@
>>>           for (Certificate ca: keyStore.getCertificateChain(alias)) {
>>>               if (ca instanceof X509Certificate) {
>>>                   X509Certificate xca = (X509Certificate)ca;
>>> -                if (!isSelfSigned(xca)) {
>>>                       dumpCert(xca, out);
>>> -                }
>>>               }
>>>           }
>>>       }
>>>
>>> Thanks
>>> Max
>>>
>>>
>>>
>>>
>>> -------- Original Message --------
>>> Subject: hg: jdk7/tl/jdk: 6937978: let keytool -gencert generate the
>>> chain
>>> Date: Fri, 16 Apr 2010 02:06:34 +0000
>>> From: Weijun.Wang at Sun.COM
>>> To: jdk7-changes at openjdk.java.net, compiler-dev at openjdk.java.net,
>>> core-libs-dev at openjdk.java.net, serviceability-dev at openjdk.java.net,
>>> security-dev at openjdk.java.net, net-dev at openjdk.java.net
>>>
>>> Changeset: db4fd2fdf196
>>> Author:    weijun
>>> Date:      2010-04-16 10:06 +0800
>>> URL:       http://hg.openjdk.java.net/jdk7/tl/jdk/rev/db4fd2fdf196
>>>
>>> 6937978: let keytool -gencert generate the chain
>>> Reviewed-by: mullan
>>>
>>> ! src/share/classes/sun/security/tools/KeyTool.java
>>> ! test/sun/security/tools/keytool/selfissued.sh
>>>
>>

More information about the security-dev mailing list