RFR 8058778: New APIs for some keytool functions

Wang Weijun weijun.wang at oracle.com
Thu Dec 3 01:27:49 UTC 2015


> On Dec 3, 2015, at 4:11 AM, larry mccay <larry.mccay at gmail.com> wrote:
> 
> Hi Max -
> 
> Happy to see this enhancement - it would be great if it made its way into SE and other JVM implementations as a result!

I replied to Mandy's mail.

> 
> If not, what would the added dependency be for consuming applications?

They will need the jdk.security.cert module. It will be in the JRE (I added it into boot.modules), but if you want to create your own runtime you will need to add it using jimage or jlink things. (I am not a module expert but you know it.)

Thanks
Max

> 
> thanks,
> 
> --larry
> 
> On Wed, Dec 2, 2015 at 1:38 PM, Mandy Chung <mandy.chung at oracle.com> wrote:
> Hi Max,
> 
> Is there any reason why this X509CertificateBuilder can’t be Java SE API?  Have you considered defining this builder API in java.security.cert.X509Certificate.Builder?
> 
> Mandy
> 
> > On Dec 2, 2015, at 6:36 AM, Wang Weijun <weijun.wang at oracle.com> wrote:
> >
> > Hi All
> >
> > This enhancement creates a new jdk.security.cert.X509CertificateBuilder API that does what keytool -genkeypair/-certreq/-gencert can do.
> >
> > code changes:
> >
> >  http://cr.openjdk.java.net/~weijun/8058778/webrev.04
> >  http://cr.openjdk.java.net/~weijun/8058778/dev/webrev.01/
> >
> > spec:
> >
> >  http://cr.openjdk.java.net/~weijun/8058778/webrev.04/ktspec/jdk/security/cert/X509CertificateBuilder.html
> >
> > You will be able to
> >
> > KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
> > kpg.initialize(2048);
> > KeyPair ca = kpg.generateKeyPair();
> > KeyPair user = kpg.generateKeyPair();
> >
> > X509Certificate caCert = X509CertificateBuilder.fromKeyPair(ca)
> >      .subject(new X500Principal("CN=ca"))
> >      .validity(Instant.now(), Instant.now().plus(Period.ofDays(3650)))
> >      .addExtension("BasicConstraints", "", true)
> >      .signatureAlgorithm("SHA256withRSA")
> >      .selfSign();
> >
> > byte[] request = X509CertificateBuilder.fromKeyPair(user)
> >      .subject(new X500Principal("CN=user"))
> >      .addExtension("KeyUsage", "digitalSignature,keyEncipherment", true)
> >      .request();
> >
> > X509Certificate userCert = X509CertificateBuilder.asCA(
> >          ca.getPrivate(), caCert)
> >      .signatureAlgorithm("SHA256withRSA")
> >      .honorExtensions("all")
> >      .sign(request);
> >
> > Thanks
> > Max
> >
> 
> 
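As an added example that is not part of this thread, the following checks the output of the builder snippet quoted above from the consuming side: it verifies that the CA certificate really carries BasicConstraints cA=true, that the user certificate kept the digitalSignature/keyEncipherment KeyUsage bits from the request (honorExtensions("all")), and that the user certificate chains to the CA under the standard PKIX validator. It assumes `caCert` and `userCert` are the X509Certificate objects the proposed API returns; only java.security.cert APIs that exist today are used.

```java
import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Set;

public final class ChainCheck {

    // Validates the user certificate issued by the builder snippet against the
    // self-signed CA that signed it. Throws if any of the expected properties is missing.
    public static PKIXCertPathValidatorResult validate(X509Certificate caCert,
                                                       X509Certificate userCert)
            throws GeneralSecurityException {
        // BasicConstraints was added to the CA cert as a critical extension with cA=true.
        // getBasicConstraints() returns -1 when the extension is absent or cA is false,
        // otherwise the path length constraint (Integer.MAX_VALUE when unbounded).
        if (caCert.getBasicConstraints() < 0) {
            throw new CertificateException("CA certificate lacks BasicConstraints cA=true");
        }

        // KeyUsage bit order per RFC 5280: [0]=digitalSignature, [2]=keyEncipherment.
        // These are the two bits requested in the CSR and honored by the CA.
        boolean[] ku = userCert.getKeyUsage();
        if (ku == null || !ku[0] || !ku[2]) {
            throw new CertificateException(
                    "user certificate lacks digitalSignature/keyEncipherment");
        }

        // Build a one-element path (end-entity only) and anchor it at the CA cert.
        CertPath path = CertificateFactory.getInstance("X.509")
                .generateCertPath(List.of(userCert));
        PKIXParameters params = new PKIXParameters(Set.of(new TrustAnchor(caCert, null)));
        // This local CA publishes no CRL or OCSP responder, so revocation checking is off;
        // a production deployment would leave it enabled.
        params.setRevocationEnabled(false);

        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        // validate() checks the signature, validity period, name chaining and that the
        // anchor is a valid CA; it throws CertPathValidatorException on failure.
        return (PKIXCertPathValidatorResult) cpv.validate(path, params);
    }
}
```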