code review request: 7109096: keytool -genkeypair needn't call -selfcert

Xuelei Fan xuelei.fan at oracle.com
Tue Nov 8 03:19:31 UTC 2011


Looks fine in general. Please make sure all regression tests are passed.

Thanks,
Xuelei

On 11/7/2011 7:34 PM, Weijun Wang wrote:
> Description:
> 
> keytool uses CertAndKeyGen to generate a basic self-signed certificate
> with no extensions. When -ext option was introduced, -genkeypair was
> implemented as original -genkeypair plus -selfcert, and extensions info
> was added in the -selfcert step.
> 
> This means the keystore object is modified twice in this single
> operation. In the case of PKCS11 or MSCAPI, it is actually written to
> the token twice. If a token can only be written once, the action will fail.
> 
> Webrev:
> 
> http://cr.openjdk.java.net/~weijun/7109096/webrev.00/
> 
> No new regression test (noreg-cleanup).
> 
> Note: NetBeans consolidates the multiple import lines in CertAndKeyGen
> into one. I'm not against that.
> 
> Thanks
> Max



