code review request: 7109096: keytool -genkeypair needn't call -selfcert

Weijun Wang
Mon Nov 7 03:34:01 PST 2011


keytool uses CertAndKeyGen to generate a basic self-signed certificate 
with no extensions. When the -ext option was introduced, -genkeypair was 
implemented as the original -genkeypair plus -selfcert, and extension info 
was added in the -selfcert step.

This means the keystore object is modified twice in this single 
operation. In the case of PKCS11 or MSCAPI, it is actually written to 
the token twice. If a token can only be written once, the action will fail.


No new regression test (noreg-cleanup).

Note: NetBeans consolidates the multiple import lines in CertAndKeyGen 
into one. I'm not against that.

