RFR 8058778: New APIs for some keytool functions
Mandy Chung
mandy.chung at oracle.com
Wed Dec 2 18:38:11 UTC 2015
Hi Max,
Is there any reason why this X509CertificateBuilder can’t be Java SE API? Have you considered defining this builder API in java.security.cert.X509Certificate.Builder?
Mandy
> On Dec 2, 2015, at 6:36 AM, Wang Weijun <weijun.wang at oracle.com> wrote:
>
> Hi All
>
> This enhancement creates a new jdk.security.cert.X509CertificateBuilder API that does what keytool -genkeypair/-certreq/-gencert can do.
>
> code changes:
>
> http://cr.openjdk.java.net/~weijun/8058778/webrev.04
> http://cr.openjdk.java.net/~weijun/8058778/dev/webrev.01/
>
> spec:
>
> http://cr.openjdk.java.net/~weijun/8058778/webrev.04/ktspec/jdk/security/cert/X509CertificateBuilder.html
>
> You will be able to
>
> KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
> kpg.initialize(2048);
> KeyPair ca = kpg.generateKeyPair();
> KeyPair user = kpg.generateKeyPair();
>
> X509Certificate caCert = X509CertificateBuilder.fromKeyPair(ca)
> .subject(new X500Principal("CN=ca"))
> .validity(Instant.now(), Instant.now().plus(Period.ofDays(3650)))
> .addExtension("BasicConstraints", "", true)
> .signatureAlgorithm("SHA256withRSA")
> .selfSign();
>
> byte[] request = X509CertificateBuilder.fromKeyPair(user)
> .subject(new X500Principal("CN=user"))
> .addExtension("KeyUsage", "digitalSignature,keyEncipherment", true)
> .request();
>
> X509Certificate userCert = X509CertificateBuilder.asCA(
> ca.getPrivate(), caCert)
> .signatureAlgorithm("SHA256withRSA")
> .honorExtensions("all")
> .sign(request);
>
> Thanks
> Max
>
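The keytool command sequence that the quoted builder calls stand in for (-genkeypair, -certreq, -gencert), as an added example that is not part of the thread; it assumes a JDK keytool on PATH, uses the same subjects, extensions and signature algorithm as Max's snippet, and the keystore password is a constructed placeholder:

```shell
#!/bin/sh
# Added example, not from the original thread: keytool equivalent of the
# three X509CertificateBuilder calls. Assumes `keytool` from a JDK is on PATH.
set -eu

WORK="${1:-$(mktemp -d)}"      # scratch directory for keystores and files
KS="$WORK/ca.p12"              # CA key and certificate
UKS="$WORK/user.p12"           # user key pair
PASS="changeit"                # constructed placeholder password

# 1. CA key pair and self-signed certificate, matching
#    .subject(CN=ca).validity(3650 days).addExtension("BasicConstraints", "", true)
#    .signatureAlgorithm("SHA256withRSA").selfSign()   ("bc:c" = critical BasicConstraints)
make_ca() {
    keytool -genkeypair -keystore "$KS" -storetype PKCS12 -storepass "$PASS" \
        -alias ca -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -dname "CN=ca" -validity 3650 -ext bc:c
}

# 2. User key pair and a request carrying a critical KeyUsage, matching
#    .subject(CN=user).addExtension("KeyUsage", "digitalSignature,keyEncipherment", true).request()
make_request() {
    keytool -genkeypair -keystore "$UKS" -storetype PKCS12 -storepass "$PASS" \
        -alias user -keyalg RSA -keysize 2048 -dname "CN=user"
    keytool -certreq -keystore "$UKS" -storepass "$PASS" -alias user \
        -ext ku:c=digitalSignature,keyEncipherment -file "$WORK/user.csr"
}

# 3. CA signs the request and honors every requested extension, matching
#    asCA(caKey, caCert).signatureAlgorithm("SHA256withRSA").honorExtensions("all").sign(request)
#    Validity is left at keytool's default, as the builder snippet sets none for the user.
sign_request() {
    keytool -gencert -keystore "$KS" -storepass "$PASS" -alias ca \
        -sigalg SHA256withRSA -ext honored=all -rfc \
        -infile "$WORK/user.csr" -outfile "$WORK/user.crt"
}

# Dump the issued certificate so issuer and extensions can be inspected.
show_cert() {
    keytool -printcert -file "$WORK/user.crt"
}
```

Source the file (optionally with a working directory as the first argument) and run make_ca, make_request, sign_request and show_cert in that order; show_cert should report the issuer as CN=ca and a critical KeyUsage extension.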