RFR 8058778: New APIs for some keytool functions

Wang Weijun weijun.wang at oracle.com
Wed Dec 16 02:26:19 UTC 2015

Hi All

Here is an updated webrev


Spec change is at


These changes are made:

1. The Builder is moved into java.security.cert.X509Certificate as an inner class

2. There is no more addExtension(String,String,boolean) that tries to parse input value strings (leave them to keytool). Each supported extension has its own addXXXExtension() method in java.security.cert.X509Extension. The input format is the same as the output format of X509Certificate.getXXX() for each extension type. This relieves the requirement to define interfaces for GeneralNames etc. at the moment.

3. keytool directly calls X509Certificate.Builder now.

No CertificateRequest at the moment. Builder is still using byte[], which is PKCS #10 encoded.

Many thanks to Mandy, Larry, and Sean for your comments. Mike, we will add more methods later when they are needed.


> On Dec 15, 2015, at 11:53 PM, Sean Mullan <sean.mullan at oracle.com> wrote:
> On 12/03/2015 09:07 PM, Wang Weijun wrote:
>> Or if this is too much, we can at least do the X509Extension part. If
>> CertificateRequest is needed one day, we can create a new method
>> Builder.certificateRequest() that returns it and deprecate the
>> current request() method.
>> Or use certificateRequest() to return byte[] and save request() for
>> the future. :-)
> I agree with this approach. I like the idea of moving the creation of Extensions to X509Extension so that they could be used independently of the X509Certificate.Builder API. Let's defer a CertificateRequest API for later.
> --Sean
