code review request: 7109096: keytool -genkeypair needn't call -selfcert

Weijun Wang weijun.wang at oracle.com
Mon Nov 7 23:18:47 PST 2011


I only ran tests on my Linux before posting the webrev. Then, in the 
pre-push JPRT run, it failed on all Solaris!

Turns out that CertAndKeyGen has

     public X509Key getPublicKey()
     {
         if (!(publicKey instanceof X509Key)) {
             return null;
         }
         return (X509Key)publicKey;
     }

So the public key, which I guess is a P11RSAPublicKey, is now null. I'll 
try to find a workaround.

Thanks
Max


On 11/08/2011 11:19 AM, Xuelei Fan wrote:
> Looks fine in general. Please make sure all regression tests are passed.
>
> Thanks,
> Xuelei
>
> On 11/7/2011 7:34 PM, Weijun Wang wrote:
>> Description:
>>
>> keytool uses CertAndKeyGen to generate a basic self-signed certificate
>> with no extensions. When -ext option was introduced, -genkeypair was
>> implemented as original -genkeypair plus -selfcert, and extensions info
>> was added in the -selfcert step.
>>
>> This means the keystore object is modified twice in this single
>> operation. In the case of PKCS11 or MSCAPI, it is actually written to
>> the token twice. If a token can only be written once, the action will fail.
>>
>> Webrev:
>>
>> http://cr.openjdk.java.net/~weijun/7109096/webrev.00/
>>
>> No new regression test (noreg-cleanup).
>>
>> Note: NetBeans consolidates the multiple import lines in CertAndKeyGen
>> into one. I'm not against that.
>>
>> Thanks
>> Max
>


