RFR 8058778: New APIs for some keytool functions
Wang Weijun
weijun.wang at oracle.com
Thu Dec 3 01:25:07 UTC 2015
> On Dec 3, 2015, at 2:38 AM, Mandy Chung <mandy.chung at oracle.com> wrote:
>
> Hi Max,
>
> Is there any reason why this X509CertificateBuilder can’t be Java SE API?
Well, not much.
When we first designed the new API, it was meant to be a quick alternative to sun.security.tools.keytool.Main since that class will be invisible after jigsaw. So it's just a simple utility class and not finely polished.
One unpolished part is the certificate request. It's now just a byte[]. We might need a base class CertificateRequest and a child X509CertificateRequest and some getters.
Another is the addExtension() method [1] that takes string values. Although I've tried my best to specify the precise format [2], I still think it's not mature enough as a Java SE API. Maybe I should just keep the addExtension(Extension) one [3] and create static methods in Extension (or shall I create a child named X509Extension) that generate known/unknown extension objects.
Maybe my understanding is biased, but when I am thinking of a Java SE API, it contains multiple classes and a clean structure. On the other hand, a JDK-specific tool can be a huge single class with every method inside (just like keytool itself).
> Have you considered defining this builder API in java.security.cert.X509Certificate.Builder?
That sounds like a good place.
Thanks
Max
[1] http://cr.openjdk.java.net/~weijun/8058778/webrev.04/ktspec/jdk/security/cert/X509CertificateBuilder.html#addExtension-java.lang.String-java.lang.String-boolean-
[2] http://cr.openjdk.java.net/~weijun/8058778/webrev.04/ktspec/jdk/security/cert/X509CertificateBuilder.html#extensions
[3] http://cr.openjdk.java.net/~weijun/8058778/webrev.04/ktspec/jdk/security/cert/X509CertificateBuilder.html#addExtension-java.security.cert.Extension-
>
> Mandy
>
>> On Dec 2, 2015, at 6:36 AM, Wang Weijun <weijun.wang at oracle.com> wrote:
>>
>> Hi All
>>
>> This enhancement creates a new jdk.security.cert.X509CertificateBuilder API that does what keytool -genkeypair/-certreq/-gencert can do.
>>
>> code changes:
>>
>> http://cr.openjdk.java.net/~weijun/8058778/webrev.04
>> http://cr.openjdk.java.net/~weijun/8058778/dev/webrev.01/
>>
>> spec:
>>
>> http://cr.openjdk.java.net/~weijun/8058778/webrev.04/ktspec/jdk/security/cert/X509CertificateBuilder.html
>>
>> You will be able to
>>
>> import java.security.KeyPair;
>> import java.security.KeyPairGenerator;
>> import java.security.cert.X509Certificate;
>> import java.time.Instant;
>> import java.time.Period;
>> import javax.security.auth.x500.X500Principal;
>> import jdk.security.cert.X509CertificateBuilder; // the proposed API, see the spec link above
>>
>> KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
>> kpg.initialize(2048);
>> KeyPair ca = kpg.generateKeyPair();
>> KeyPair user = kpg.generateKeyPair();
>>
>> // self-signed CA certificate, i.e. what keytool -genkeypair does
>> X509Certificate caCert = X509CertificateBuilder.fromKeyPair(ca)
>>         .subject(new X500Principal("CN=ca"))
>>         .validity(Instant.now(), Instant.now().plus(Period.ofDays(3650)))
>>         .addExtension("BasicConstraints", "", true)
>>         .signatureAlgorithm("SHA256withRSA")
>>         .selfSign();
>>
>> // PKCS#10 request carrying a requested extension, i.e. keytool -certreq
>> byte[] request = X509CertificateBuilder.fromKeyPair(user)
>>         .subject(new X500Principal("CN=user"))
>>         .addExtension("KeyUsage", "digitalSignature,keyEncipherment", true)
>>         .request();
>>
>> // the CA signs the request and honors its extensions, i.e. keytool -gencert
>> X509Certificate userCert = X509CertificateBuilder.asCA(
>>                 ca.getPrivate(), caCert)
>>         .signatureAlgorithm("SHA256withRSA")
>>         .honorExtensions("all")
>>         .sign(request);
>>
>> Thanks
>> Max
>>
>
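As an added example (not code from this thread or from the OpenJDK change under review), here are the same three steps the proposed builder wraps, typed into the shipped keytool: a self-signed CA with a critical BasicConstraints extension, a request carrying a critical KeyUsage extension, and a CA-signed certificate that honors the requested extensions. The keystore file name, password, aliases and working directory are constructed for the example; keytool must be on PATH.

```shell
#!/bin/sh
# Added example: keytool equivalent of the X509CertificateBuilder snippet
# (selfSign / request / honorExtensions("all") + sign).
# Constructed assumptions: keystore "demo.jks", password "changeit",
# aliases "ca" and "user", output files under the directory given as $1.
set -eu

issue_user_cert() {
    workdir=$1
    ks="$workdir/demo.jks"
    pass=changeit

    # 1. keytool -genkeypair: self-signed CA, critical BasicConstraints
    #    ("bc:c", ca:true by default), 10-year validity, SHA256withRSA.
    keytool -genkeypair -keystore "$ks" -storepass "$pass" -keypass "$pass" \
        -alias ca -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -dname "CN=ca" -validity 3650 -ext bc:c

    # End-entity key pair; its certificate will come from the CA below.
    keytool -genkeypair -keystore "$ks" -storepass "$pass" -keypass "$pass" \
        -alias user -keyalg RSA -keysize 2048 -dname "CN=user"

    # 2. keytool -certreq: PKCS#10 request with a critical KeyUsage extension.
    keytool -certreq -keystore "$ks" -storepass "$pass" -alias user \
        -ext ku:c=digitalSignature,keyEncipherment -file "$workdir/user.csr"

    # 3. keytool -gencert: the CA signs the request; "honored=all" copies every
    #    extension from the request into the certificate (criticality included).
    keytool -gencert -keystore "$ks" -storepass "$pass" -alias ca \
        -sigalg SHA256withRSA -ext honored=all -rfc \
        -infile "$workdir/user.csr" -outfile "$workdir/user.crt"

    # Print the issued certificate so the extensions can be inspected.
    keytool -printcert -file "$workdir/user.crt"
}

# Usage: sh issue_user_cert.sh /path/to/scratch-dir
if [ $# -eq 1 ]; then
    issue_user_cert "$1"
fi
```

Running it and reading the -printcert output is a quick way to check that the KeyUsage extension arrived in the issued certificate with the criticality the request asked for, which is exactly the behavior honorExtensions("all") is meant to reproduce.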