RFR: 8260693: Provide the support for specifying a signer in keytool -genkeypair [v4]
Hai-May Chao
hchao at openjdk.java.net
Wed Apr 7 23:17:54 UTC 2021
On Fri, 2 Apr 2021 11:52:16 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>>> Maybe we don't need to resolve it in this code change. If we look carefully at RFC 8410 Sections 10.1 and 10.2, it shows the X25519 certificate in 10.2 is using the signer's SKID in 10.1 as its own SKID and it has no AKID. Currently, keytool will generate a new SKID and use signer's SKID as AKID. If we really want to generate a certificate that's identical to the one in the RFC, we'll need a way to tell keytool to omit the AKID (something like "-ext akid=none").
>>
>> Better to use AKID for certification path building.
>
> I don't mean we will remove it by default. Just think there needs a way to remove either AKID or SKID, because we always generate them automatically.
The support for omitting AKID will be tracked by different PR if needed.
-------------
PR: https://git.openjdk.java.net/jdk/pull/3281
More information about the security-dev
mailing list