<div dir="ltr"><span style="font-size:12.8px">Hi Max -</span><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">Happy to see this enhancement - it would be great if it made its way into SE and other JVM implementations as a result!</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">If not, what would the added dependency be for consuming applications?</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">thanks,</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">--larry</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Dec 2, 2015 at 1:38 PM, Mandy Chung <span dir="ltr"><<a href="mailto:mandy.chung@oracle.com" target="_blank">mandy.chung@oracle.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Max,<br>
<br>
Is there any reason why this X509CertificateBuilder can’t be Java SE API? Have you considered defining this builder API in java.security.cert.X509Certificate.Builder?<br>
<span class="HOEnZb"><font color="#888888"><br>
Mandy<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
> On Dec 2, 2015, at 6:36 AM, Wang Weijun <<a href="mailto:weijun.wang@oracle.com">weijun.wang@oracle.com</a>> wrote:<br>
><br>
> Hi All<br>
><br>
> This enhancement creates a new jdk.security.cert.X509CertificateBuilder API that does what keytool -genkeypair/-certreq/-gencert can do.<br>
><br>
> code changes:<br>
><br>
> <a href="http://cr.openjdk.java.net/~weijun/8058778/webrev.04" rel="noreferrer" target="_blank">http://cr.openjdk.java.net/~weijun/8058778/webrev.04</a><br>
> <a href="http://cr.openjdk.java.net/~weijun/8058778/dev/webrev.01/" rel="noreferrer" target="_blank">http://cr.openjdk.java.net/~weijun/8058778/dev/webrev.01/</a><br>
><br>
> spec:<br>
><br>
> <a href="http://cr.openjdk.java.net/~weijun/8058778/webrev.04/ktspec/jdk/security/cert/X509CertificateBuilder.html" rel="noreferrer" target="_blank">http://cr.openjdk.java.net/~weijun/8058778/webrev.04/ktspec/jdk/security/cert/X509CertificateBuilder.html</a><br>
><br>
> You will be able to<br>
><br>
> KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");<br>
> kpg.initialize(2048);<br>
> KeyPair ca = kpg.generateKeyPair();<br>
> KeyPair user = kpg.generateKeyPair();<br>
><br>
> X509Certificate caCert = X509CertificateBuilder.fromKeyPair(ca)<br>
> &nbsp;&nbsp;&nbsp;&nbsp;.subject(new X500Principal("CN=ca"))<br>
> &nbsp;&nbsp;&nbsp;&nbsp;.validity(Instant.now(), Instant.now().plus(Period.ofDays(3650)))<br>
> &nbsp;&nbsp;&nbsp;&nbsp;.addExtension("BasicConstraints", "", true)<br>
> &nbsp;&nbsp;&nbsp;&nbsp;.signatureAlgorithm("SHA256withRSA")<br>
> &nbsp;&nbsp;&nbsp;&nbsp;.selfSign();<br>
><br>
> byte[] request = X509CertificateBuilder.fromKeyPair(user)<br>
> &nbsp;&nbsp;&nbsp;&nbsp;.subject(new X500Principal("CN=user"))<br>
> &nbsp;&nbsp;&nbsp;&nbsp;.addExtension("KeyUsage", "digitalSignature,keyEncipherment", true)<br>
> &nbsp;&nbsp;&nbsp;&nbsp;.request();<br>
><br>
> X509Certificate userCert = X509CertificateBuilder.asCA(<br>
> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;ca.getPrivate(), caCert)<br>
> &nbsp;&nbsp;&nbsp;&nbsp;.signatureAlgorithm("SHA256withRSA")<br>
> &nbsp;&nbsp;&nbsp;&nbsp;.honorExtensions("all")<br>
> &nbsp;&nbsp;&nbsp;&nbsp;.sign(request);<br>
><br>
> Thanks<br>
> Max<br>
><br>
<br>
</div></div></blockquote></div><br></div>
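The keytool -genkeypair/-certreq/-gencert steps that the original message says the builder mirrors, written out as an added example that is not part of the thread or of the proposed API. The aliases, file names and the `changeit` password are constructed sample values.

```shell
#!/bin/sh
# Added example: keytool steps matching the builder calls in the quoted message.
# Aliases, file names and the password are constructed sample values.
PW=changeit

# Run one keytool command against the sample keystore in $DIR, quietly.
kt() {
    keytool "$@" -keystore "$DIR/ks" -storepass "$PW" -keypass "$PW" \
        >/dev/null 2>&1
}

# issue_chain DIR: create the CA and user keys, issue the user certificate,
# and print the issuer DN read back from the issued certificate.
issue_chain() {
    DIR=$1
    # fromKeyPair(ca)...selfSign(): critical BasicConstraints, 3650 days
    kt -genkeypair -alias ca -keyalg RSA -keysize 2048 -dname CN=ca \
        -validity 3650 -ext bc:c -sigalg SHA256withRSA || return 1
    # key pair for the user
    kt -genkeypair -alias user -keyalg RSA -keysize 2048 \
        -dname CN=user || return 1
    # fromKeyPair(user)...request(): PKCS #10 request asking for KeyUsage
    kt -certreq -alias user -file "$DIR/user.csr" \
        -ext KeyUsage:critical=digitalSignature,keyEncipherment || return 1
    # asCA(...).honorExtensions("all").sign(request)
    kt -gencert -alias ca -infile "$DIR/user.csr" -outfile "$DIR/user.pem" \
        -rfc -sigalg SHA256withRSA -ext honored=all || return 1
    keytool -J-Duser.language=en -printcert -file "$DIR/user.pem" |
        sed -n 's/^Issuer: //p'
}

# cert_has DIR TEXT: succeed if the issued certificate's printout has TEXT,
# e.g. to confirm that the requested KeyUsage bits were honored.
cert_has() {
    keytool -J-Duser.language=en -printcert -file "$1/user.pem" |
        grep -q "$2"
}

# Stand-alone use: sh thisfile.sh /path/to/empty/dir
if [ "$#" -gt 0 ]; then
    issue_chain "$1"
fi
```

`-ext honored=all` on the signing step is what copies the requested KeyUsage into the issued certificate; without it the CA ignores extensions asked for in the request.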