RFR: 8260693: Provide the support for specifying a signer in keytool -genkeypair [v4]

Weijun Wang weijun at openjdk.java.net
Fri Apr 2 02:06:32 UTC 2021


On Fri, 2 Apr 2021 01:56:15 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> Only a few minor comments. Approved.
>
> Maybe we don't need to resolve it in this code change. If we look carefully at RFC 8410 Sections 10.1 and 10.2, it shows the X25519 certificate in 10.2 is using the signer's SKID in 10.1 as its own SKID and it has no AKID. Currently, keytool will generate a new SKID and use signer's SKID as AKID. If we really want to generate a certificate that's identical to the one in the RFC, we'll need a way to tell keytool to omit the AKID (something like "-ext akid=none").

A simple fix you can do this time, although unrelated to the issue: `Main::createV3Extensions` shows a `@param akey` in its spec, but the actual argument name is `pkey`.

-------------

PR: https://git.openjdk.java.net/jdk/pull/3281
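The review above turns on how keytool populates the SubjectKeyIdentifier (SKID) and AuthorityKeyIdentifier (AKID) of a certificate issued with a signer. The following is an added example, not code from the PR or from the JDK, that reads two exported certificates with only the public `java.security.cert` API, extracts the key identifiers by walking the DER of each extension, and reports whether the issued certificate's AKID equals the signer's SKID, whether it reuses the signer's SKID as its own (the RFC 8410 section 10.2 layout mentioned above), or whether the AKID is absent. The class name `KidCheck`, the helper names and the file arguments are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;

/**
 * Added example (not JDK code): compares the key identifiers of a signer
 * certificate and a certificate it issued. Usage:
 *   java KidCheck.java signer.cer issued.cer
 * where both files were produced with "keytool -exportcert".
 */
public class KidCheck {
    static final String OID_SKID = "2.5.29.14";   // id-ce-subjectKeyIdentifier
    static final String OID_AKID = "2.5.29.35";   // id-ce-authorityKeyIdentifier

    /** Parse one DER TLV at off; returns {tag, contentOffset, contentLength}. */
    static int[] tlv(byte[] d, int off) {
        int tag = d[off] & 0xff;
        int len = d[off + 1] & 0xff;
        int pos = off + 2;
        if ((len & 0x80) != 0) {               // long-form length
            int n = len & 0x7f;
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (d[pos++] & 0xff);
        }
        return new int[] {tag, pos, len};
    }

    /** Content bytes of the TLV at off. */
    static byte[] content(byte[] d, int off) {
        int[] t = tlv(d, off);
        return Arrays.copyOfRange(d, t[1], t[1] + t[2]);
    }

    /** SKID extension value: OCTET STRING { OCTET STRING keyIdentifier }. */
    static byte[] skid(X509Certificate c) {
        byte[] v = c.getExtensionValue(OID_SKID);  // outer OCTET STRING wrapper
        return v == null ? null : content(content(v, 0), 0);
    }

    /** AKID extension value: OCTET STRING { SEQUENCE { [0] keyIdentifier OPTIONAL, ... } }. */
    static byte[] akid(X509Certificate c) {
        byte[] v = c.getExtensionValue(OID_AKID);
        if (v == null) return null;
        byte[] seq = content(v, 0);                 // the SEQUENCE TLV itself
        int[] s = tlv(seq, 0);
        int pos = s[1], end = s[1] + s[2];
        while (pos < end) {                         // walk SEQUENCE children
            int[] t = tlv(seq, pos);
            if (t[0] == 0x80)                       // [0] IMPLICIT keyIdentifier
                return Arrays.copyOfRange(seq, t[1], t[1] + t[2]);
            pos = t[1] + t[2];
        }
        return null;                                // AKID present, but no keyIdentifier
    }

    static String hex(byte[] b) {
        if (b == null) return "(absent)";
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02X", x));
        return sb.toString();
    }

    static X509Certificate load(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate signer = load(cf, args[0]);
        X509Certificate issued = load(cf, args[1]);

        issued.verify(signer.getPublicKey());       // throws if the signer did not sign it
        byte[] signerSkid = skid(signer), issuedSkid = skid(issued), issuedAkid = akid(issued);

        System.out.println("signer SKID : " + hex(signerSkid));
        System.out.println("issued SKID : " + hex(issuedSkid));
        System.out.println("issued AKID : " + hex(issuedAkid));

        if (issuedAkid == null) {
            System.out.println("AKID omitted: chain building must rely on issuer name only");
        } else if (Arrays.equals(issuedAkid, signerSkid)) {
            System.out.println("AKID matches signer SKID (expected keytool behaviour)");
        } else {
            System.out.println("WARNING: AKID does not match signer SKID");
        }
        if (Arrays.equals(issuedSkid, signerSkid)) {
            System.out.println("note: issued cert reuses the signer's SKID (RFC 8410 10.2 layout)");
        }
    }
}
```

To exercise it, export the signer and the issued certificate from the keystore with `keytool -exportcert -alias <alias> -file <file>` (the issued entry being one created with `-genkeypair` and the signer option this PR adds), then run `java KidCheck.java signer.cer issued.cer`. The DER walker assumes well-formed DER as emitted by keytool and is not a general-purpose ASN.1 parser.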

