RFR: 8260693: Provide the support for specifying a signer in keytool -genkeypair [v5]
Weijun Wang
weijun at openjdk.java.net
Thu Apr 8 00:06:39 UTC 2021
On Wed, 7 Apr 2021 23:17:53 GMT, Hai-May Chao <hchao at openjdk.org> wrote:
>> Please review the changes that adds the -signer option to keytool -genkeypair command. As key agreement algorithms do not have a signing algorithm, the specified signer's private key will be used to sign and generate a key agreement certificate.
>> CSR review is at: https://bugs.openjdk.java.net/browse/JDK-8264325
>
> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision:
>
> update with review comments
No comment on src side.
src/java.base/share/classes/sun/security/tools/keytool/CertAndKeyGen.java line 88:
> 86: */
> 87: public CertAndKeyGen (String keyType, String sigAlg, String providerName)
> 88: throws NoSuchAlgorithmException, NoSuchProviderException
Indent the line 8 spaces further.
test/jdk/sun/security/tools/keytool/GenKeyPairSigner.java line 96:
> 94:
> 95: Certificate[] certChain = kstore.getCertificateChain("e1");
> 96: if (certChain.length != 2) {
Try using `Asserts` class in `/test/lib` to make code simpler. Also, why not throw an exception but call `System.exit(1)`? We usually do not call this method in a test because the test framework must take great care so that itself does not get terminated.
test/jdk/sun/security/tools/keytool/GenKeyPairSigner.java line 299:
> 297: System.exit(1);
> 298: }
> 299:
Since you are here, you can check if the new entry is indeed protected by the new key password.
-------------
PR: https://git.openjdk.java.net/jdk/pull/3281
More information about the security-dev
mailing list