RFR 8058778: New APIs for some keytool functions

Mandy Chung mandy.chung at oracle.com
Wed Dec 2 18:38:11 UTC 2015


Hi Max,

Is there any reason why this X509CertificateBuilder can’t be Java SE API?  Have you considered defining this builder API in java.security.cert.X509Certificate.Builder?

Mandy

> On Dec 2, 2015, at 6:36 AM, Wang Weijun <weijun.wang at oracle.com> wrote:
> 
> Hi All
> 
> This enhancement creates a new jdk.security.cert.X509CertificateBuilder API that does what keytool -genkeypair/-certreq/-gencert can do.
> 
> code changes:
> 
>  http://cr.openjdk.java.net/~weijun/8058778/webrev.04
>  http://cr.openjdk.java.net/~weijun/8058778/dev/webrev.01/
> 
> spec:
> 
>  http://cr.openjdk.java.net/~weijun/8058778/webrev.04/ktspec/jdk/security/cert/X509CertificateBuilder.html
> 
> You will be able to 
> 
> KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
> kpg.initialize(2048);
> KeyPair ca = kpg.generateKeyPair();
> KeyPair user = kpg.generateKeyPair();
> 
> X509Certificate caCert = X509CertificateBuilder.fromKeyPair(ca)
>      .subject(new X500Principal("CN=ca"))
>      .validity(Instant.now(), Instant.now().plus(Period.ofDays(3650)))
>      .addExtension("BasicConstraints", "", true)
>      .signatureAlgorithm("SHA256withRSA")
>      .selfSign();
> 
> byte[] request = X509CertificateBuilder.fromKeyPair(user)
>      .subject(new X500Principal("CN=user"))
>      .addExtension("KeyUsage", "digitalSignature,keyEncipherment", true)
>      .request();
> 
> X509Certificate userCert = X509CertificateBuilder.asCA(
>          ca.getPrivate(), caCert)
>      .signatureAlgorithm("SHA256withRSA")
>      .honorExtensions("all")
>      .sign(request);
> 
> Thanks
> Max
> 



More information about the security-dev mailing list