RFR: 8260693: Provide the support for specifying a signer in keytool -genkeypair [v4]

Weijun Wang weijun at openjdk.java.net
Fri Apr 2 01:59:18 UTC 2021


On Fri, 2 Apr 2021 01:44:03 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   update with review comments
>
> Only a few minor comments. Approved.

Maybe we don't need to resolve it in this code change. If we look carefully at RFC 8410 Sections 10.1 and 10.2, it shows the X25519 certificate in 10.2 is using the signer's SKID in 10.1 as its own SKID and it has no AKID. Currently, keytool will generate a new SKID and use signer's SKID as AKID. If we really want to generate a certificate that's identical to the one in the RFC, we'll need a way to tell keytool to omit the AKID (something like "-ext akid=none").

-------------

PR: https://git.openjdk.java.net/jdk/pull/3281
