RFR 8244148: keytool -printcert and -printcrl should support the -trustcacerts and -keystore options
Weijun Wang
weijun.wang at oracle.com
Wed Jun 3 07:59:32 UTC 2020
The source change looks fine to me.
In TrustedCert.java:
- You can use FileOutputStream and Files.copy(Path,OutputStream) in cat().
- There is no need to recreate root.jks and root.pem.
- Why not use -trustcacerts below?
160 kt("-importcert -file server.pem -noprompt", "server.jks");
- It's probably better to add a " " between cmd and options in patchcmd(). Same in TrustedCRL.java.
In TrustedCRL.java:
- No need to recreate ks and ca.crl. Just call "-printcrl" with different options.
- Why create using MD5withRSA? Do you meant to warn about the weak algorithm?
Also I would suggest you create a dedicate method (maybe in SecurityTools.java) to create your own cacerts. There is no need to copy over the system cacerts, just make sure the file is created with the JKS storetype. We are thinking of upgrading the storetype of cacerts and it's nice to do this at a single place so we can modify it easily later.
Thanks,
Max
> On Jun 2, 2020, at 2:37 AM, Hai-May Chao <hai-may.chao at oracle.com> wrote:
>
> Hi,
>
> I’d like to request a review for:
>
> JBS: https://bugs.openjdk.java.net/browse/JDK-8244148
> CSR: https://bugs.openjdk.java.net/browse/JDK-8246269
> Webrev: http://cr.openjdk.java.net/~hchao/8244148/webrev.00/
>
> The change is to add the support of -trustcacerts and -keystore options to -printcert and -princrl command for keytool. This enables keytool to use the trusted certificates when verifying untrusted artifacts that are signed by CAs. It also incorporates Max’s change that consolidates the code to get the default location of cacerts keystore.
>
> Thanks,
> Hai-May
>
More information about the security-dev
mailing list