RFR 8058778: New APIs for some keytool functions

larry mccay larry.mccay at gmail.com
Wed Dec 2 20:11:54 UTC 2015


Hi Max -

Happy to see this enhancement - it would be great if it made its way into
SE and other JVM implementations as a result!

If not, what would the added dependency be for consuming applications?

thanks,

--larry

On Wed, Dec 2, 2015 at 1:38 PM, Mandy Chung <mandy.chung at oracle.com> wrote:

> Hi Max,
>
> Is there any reason why this X509CertificateBuilder can’t be Java SE API?
> Have you considered defining this builder API in
> java.security.cert.X509Certificate.Builder?
>
> Mandy
>
> > On Dec 2, 2015, at 6:36 AM, Wang Weijun <weijun.wang at oracle.com> wrote:
> >
> > Hi All
> >
> > This enhancement creates a new jdk.security.cert.X509CertificateBuilder
> > API that does what keytool -genkeypair/-certreq/-gencert can do.
> >
> > code changes:
> >
> >  http://cr.openjdk.java.net/~weijun/8058778/webrev.04
> >  http://cr.openjdk.java.net/~weijun/8058778/dev/webrev.01/
> >
> > spec:
> >
> >  http://cr.openjdk.java.net/~weijun/8058778/webrev.04/ktspec/jdk/security/cert/X509CertificateBuilder.html
> >
> > You will be able to
> >
> > KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
> > kpg.initialize(2048);
> > KeyPair ca = kpg.generateKeyPair();
> > KeyPair user = kpg.generateKeyPair();
> >
> > X509Certificate caCert = X509CertificateBuilder.fromKeyPair(ca)
> >      .subject(new X500Principal("CN=ca"))
> >      .validity(Instant.now(), Instant.now().plus(Period.ofDays(3650)))
> >      .addExtension("BasicConstraints", "", true)
> >      .signatureAlgorithm("SHA256withRSA")
> >      .selfSign();
> >
> > byte[] request = X509CertificateBuilder.fromKeyPair(user)
> >      .subject(new X500Principal("CN=user"))
> >      .addExtension("KeyUsage", "digitalSignature,keyEncipherment", true)
> >      .request();
> >
> > X509Certificate userCert = X509CertificateBuilder.asCA(
> >          ca.getPrivate(), caCert)
> >      .signatureAlgorithm("SHA256withRSA")
> >      .honorExtensions("all")
> >      .sign(request);
> >
> > Thanks
> > Max
> >
>
>
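
The keytool workflow that the quoted X509CertificateBuilder calls correspond to, as an added example that is not part of the original thread or of the proposed change. The aliases, file names, function names and the `changeit` password are constructed for the demo.

```shell
#!/bin/sh
# Added example: the keytool steps the quoted builder calls correspond to.
# Aliases, file names and the password are constructed demo values.
PASS=changeit

issue_demo_chain() {
    dir=$1
    ca_ks="$dir/ca.p12"
    user_ks="$dir/user.p12"

    # fromKeyPair(ca) ... selfSign(): CA key pair plus self-signed certificate
    # with a critical BasicConstraints extension (no value means ca:true).
    keytool -genkeypair -alias ca -keyalg RSA -keysize 2048 \
        -dname "CN=ca" -validity 3650 -ext BasicConstraints:critical \
        -sigalg SHA256withRSA -storetype PKCS12 \
        -keystore "$ca_ks" -storepass "$PASS" || return 1

    # User key pair; keytool needs it in a keystore before it can build a CSR.
    keytool -genkeypair -alias user -keyalg RSA -keysize 2048 \
        -dname "CN=user" -storetype PKCS12 \
        -keystore "$user_ks" -storepass "$PASS" || return 1

    # fromKeyPair(user) ... request(): PKCS #10 request asking for KeyUsage.
    keytool -certreq -alias user -file "$dir/user.csr" \
        -ext "KeyUsage:critical=digitalSignature,keyEncipherment" \
        -keystore "$user_ks" -storepass "$PASS" || return 1

    # asCA(...).honorExtensions("all").sign(request): the CA copies every
    # extension the requester asked for into the issued certificate.
    keytool -gencert -alias ca -infile "$dir/user.csr" -outfile "$dir/user.cer" \
        -ext honored=all -sigalg SHA256withRSA -rfc \
        -keystore "$ca_ks" -storepass "$PASS" || return 1

    # Install the reply: keytool only accepts it if it chains to the CA
    # certificate imported just before.
    keytool -exportcert -alias ca -rfc -file "$dir/ca.cer" \
        -keystore "$ca_ks" -storepass "$PASS" || return 1
    keytool -importcert -alias ca-root -file "$dir/ca.cer" -noprompt \
        -keystore "$user_ks" -storepass "$PASS" || return 1
    keytool -importcert -alias user -file "$dir/user.cer" \
        -keystore "$user_ks" -storepass "$PASS" || return 1
}

# Print the issued certificate so the honoured extensions can be reviewed.
show_user_cert() {
    keytool -printcert -file "$1/user.cer"
}
```

Because `honored=all` copies whatever the request asks for, a CA that signs requests it does not control should name the honoured extensions explicitly and review the `-printcert` output before releasing the certificate.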