RFR 8058778: New APIs for some keytool functions

Wang Weijun weijun.wang at oracle.com
Wed Dec 2 14:36:59 UTC 2015


Hi All

This enhancement creates a new jdk.security.cert.X509CertificateBuilder API that does what keytool -genkeypair/-certreq/-gencert can do.

code changes:

  http://cr.openjdk.java.net/~weijun/8058778/webrev.04
  http://cr.openjdk.java.net/~weijun/8058778/dev/webrev.01/

spec:

  http://cr.openjdk.java.net/~weijun/8058778/webrev.04/ktspec/jdk/security/cert/X509CertificateBuilder.html

You will be able to 

 KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
 kpg.initialize(2048);
 KeyPair ca = kpg.generateKeyPair();
 KeyPair user = kpg.generateKeyPair();

 X509Certificate caCert = X509CertificateBuilder.fromKeyPair(ca)
      .subject(new X500Principal("CN=ca"))
      .validity(Instant.now(), Instant.now().plus(Period.ofDays(3650)))
      .addExtension("BasicConstraints", "", true)
      .signatureAlgorithm("SHA256withRSA")
      .selfSign();

 byte[] request = X509CertificateBuilder.fromKeyPair(user)
      .subject(new X500Principal("CN=user"))
      .addExtension("KeyUsage", "digitalSignature,keyEncipherment", true)
      .request();

 X509Certificate userCert = X509CertificateBuilder.asCA(
          ca.getPrivate(), caCert)
      .signatureAlgorithm("SHA256withRSA")
      .honorExtensions("all")
      .sign(request);

Thanks
Max




More information about the security-dev mailing list