RFR 8058778: New APIs for some keytool functions
Wang Weijun
weijun.wang at oracle.com
Wed Dec 2 14:36:59 UTC 2015
Hi All
This enhancement creates a new jdk.security.cert.X509CertificateBuilder API that does what keytool -genkeypair/-certreq/-gencert can do.
code changes:
http://cr.openjdk.java.net/~weijun/8058778/webrev.04
http://cr.openjdk.java.net/~weijun/8058778/dev/webrev.01/
spec:
http://cr.openjdk.java.net/~weijun/8058778/webrev.04/ktspec/jdk/security/cert/X509CertificateBuilder.html
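You will be able to:

    import java.security.KeyPair;
    import java.security.KeyPairGenerator;
    import java.security.cert.X509Certificate;
    import java.time.Instant;
    import java.time.Period;
    import javax.security.auth.x500.X500Principal;
    import jdk.security.cert.X509CertificateBuilder;

    KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
    kpg.initialize(2048);
    KeyPair ca = kpg.generateKeyPair();
    KeyPair user = kpg.generateKeyPair();

    // Self-signed CA certificate (like keytool -genkeypair)
    X509Certificate caCert = X509CertificateBuilder.fromKeyPair(ca)
            .subject(new X500Principal("CN=ca"))
            .validity(Instant.now(), Instant.now().plus(Period.ofDays(3650)))
            .addExtension("BasicConstraints", "", true)
            .signatureAlgorithm("SHA256withRSA")
            .selfSign();

    // Certificate request for the user key (like keytool -certreq)
    byte[] request = X509CertificateBuilder.fromKeyPair(user)
            .subject(new X500Principal("CN=user"))
            .addExtension("KeyUsage", "digitalSignature,keyEncipherment", true)
            .request();

    // CA signs the request (like keytool -gencert)
    X509Certificate userCert = X509CertificateBuilder.asCA(
            ca.getPrivate(), caCert)
            .signatureAlgorithm("SHA256withRSA")
            .honorExtensions("all")
            .sign(request);
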
Thanks
Max
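
For comparison, the keytool -genkeypair/-certreq/-gencert sequence that the snippet in the message mirrors, written as an added example that is not part of the original message or the webrev. The aliases, file names, keystore type and password are constructed for illustration; the final check confirms the issuer and that the requested KeyUsage extension was honored as critical.

```shell
#!/bin/sh
# Added example: keytool equivalent of the three builder calls in the message.
# Aliases, file names and the password below are constructed demo values.
build_chain() {
    dir=$1
    ks="$dir/demo.p12"
    pass=changeit   # constructed demo password, not a real secret

    # Keystore-bound keytool call; the command (-genkeypair etc.) comes first.
    kt() {
        keytool "$@" -keystore "$ks" -storetype PKCS12 \
            -storepass "$pass" -J-Duser.language=en
    }

    # fromKeyPair(ca) ... addExtension("BasicConstraints", "", true).selfSign()
    kt -genkeypair -alias ca -keyalg RSA -keysize 2048 -dname "CN=ca" \
        -validity 3650 -ext bc:c -sigalg SHA256withRSA -keypass "$pass" || return 1

    # The user's key pair (also self-signed at first; only the key is reused).
    kt -genkeypair -alias user -keyalg RSA -keysize 2048 -dname "CN=user" \
        -keypass "$pass" || return 1

    # fromKeyPair(user) ... addExtension("KeyUsage", ..., true).request()
    kt -certreq -alias user -file "$dir/user.csr" \
        -ext "KeyUsage:critical=digitalSignature,keyEncipherment" || return 1

    # asCA(ca.getPrivate(), caCert) ... honorExtensions("all").sign(request)
    kt -gencert -alias ca -infile "$dir/user.csr" -outfile "$dir/user.crt" \
        -sigalg SHA256withRSA -ext honored=all -rfc || return 1

    # Check the result: issued by the CA, KeyUsage copied from the request
    # and marked critical.
    out=$(keytool -printcert -file "$dir/user.crt" -J-Duser.language=en) || return 1
    printf '%s\n' "$out" | grep -q 'Issuer: CN=ca' || return 1
    printf '%s\n' "$out" | grep -q 'DigitalSignature' || return 1
    printf '%s\n' "$out" | grep -q 'Criticality=true' || return 1
    return 0
}

# Usage: build_chain "$(mktemp -d)" && echo "chain built and verified"
```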