RFR: 8260693: Provide the support for specifying a signer in keytool -genkeypair [v2]

Weijun Wang weijun at openjdk.java.net
Thu Apr 1 16:52:29 UTC 2021


On Thu, 1 Apr 2021 16:26:39 GMT, Hai-May Chao <hchao at openjdk.org> wrote:

>> src/java.base/share/classes/sun/security/tools/keytool/Main.java line 2013:
>> 
>>> 2011:         }
>>> 2012: 
>>> 2013:         X509Certificate[] chain = new X509Certificate[1];
>> 
>> Since the chain might contain one, I'd suggest we just declare a `newCert` here. When signer flag is not on, we can simply get the chain with `new Certificate[] {newCert}`.
>
> Not sure the reason why a change is needed for the existing logic.

With a signer, it makes no sense to create a single-cert array at the beginning. I am suggesting:
X509Certificate newCert = keypair.getSelfCertificate(...);
Certificate[] finalChain;
if (signerFlag) {
    finalChain = new ...
    finalChain[0] = newCert;
} else {
    finalChain = new Certificate[] { newCert };
}
keyStore.setEntry(..., finalChain);

-------------

PR: https://git.openjdk.java.net/jdk/pull/3281
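To illustrate the chain construction under discussion, here is an added example (not code from the PR or from keytool itself) of a helper that builds the final chain the way the comment above suggests and, when a signer is present, checks that the signer actually issued the new certificate before the chain is stored; the class and method names are assumed for this example.

```java
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

public final class ChainBuilder {
    /**
     * Builds the chain to store with the new key entry (hypothetical helper).
     * Without a signer the chain is just the new certificate; with a signer the
     * new certificate comes first, followed by the signer's own chain, after
     * confirming that the signer really issued it.
     */
    static Certificate[] buildChain(X509Certificate newCert,
                                    Certificate[] signerChain)
            throws GeneralSecurityException {
        // No signer: the single-element array is all that is needed.
        if (signerChain == null || signerChain.length == 0) {
            return new Certificate[] { newCert };
        }
        X509Certificate signerCert = (X509Certificate) signerChain[0];
        // The new cert's issuer must be the signer's subject ...
        if (!newCert.getIssuerX500Principal()
                    .equals(signerCert.getSubjectX500Principal())) {
            throw new GeneralSecurityException(
                    "issuer of new certificate does not match signer subject");
        }
        // ... and its signature must verify under the signer's public key,
        // otherwise the keystore would hold a chain that can never validate.
        newCert.verify(signerCert.getPublicKey());
        // Signer present: new cert first, then the signer's chain as-is.
        Certificate[] finalChain = new Certificate[signerChain.length + 1];
        finalChain[0] = newCert;
        System.arraycopy(signerChain, 0, finalChain, 1, signerChain.length);
        return finalChain;
    }
}
```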