Hi Max - Happy to see this enhancement - it would be great if it made its way into SE and other JVM implementations as a result!
If not, what would the added dependency be for consuming applications?

thanks,

--larry

On Wed, Dec 2, 2015 at 1:38 PM, Mandy Chung <mandy.ch...@oracle.com> wrote:

> Hi Max,
>
> Is there any reason why this X509CertificateBuilder can’t be Java SE API?
> Have you considered defining this builder API in
> java.security.cert.X509Certificate.Builder?
>
> Mandy
>
>
> On Dec 2, 2015, at 6:36 AM, Wang Weijun <weijun.w...@oracle.com> wrote:
> >
> > Hi All
> >
> > This enhancement creates a new jdk.security.cert.X509CertificateBuilder
> > API that does what keytool -genkeypair/-certreq/-gencert can do.
> >
> > code changes:
> >
> > http://cr.openjdk.java.net/~weijun/8058778/webrev.04
> > http://cr.openjdk.java.net/~weijun/8058778/dev/webrev.01/
> >
> > spec:
> >
> > http://cr.openjdk.java.net/~weijun/8058778/webrev.04/ktspec/jdk/security/cert/X509CertificateBuilder.html
> >
> > You will be able to
> >
> >    KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
> >    kpg.initialize(2048);
> >    KeyPair ca = kpg.generateKeyPair();
> >    KeyPair user = kpg.generateKeyPair();
> >
> >    X509Certificate caCert = X509CertificateBuilder.fromKeyPair(ca)
> >            .subject(new X500Principal("CN=ca"))
> >            .validity(Instant.now(), Instant.now().plus(Period.ofDays(3650)))
> >            .addExtension("BasicConstraints", "", true)
> >            .signatureAlgorithm("SHA256withRSA")
> >            .selfSign();
> >
> >    byte[] request = X509CertificateBuilder.fromKeyPair(user)
> >            .subject(new X500Principal("CN=user"))
> >            .addExtension("KeyUsage", "digitalSignature,keyEncipherment", true)
> >            .request();
> >
> >    X509Certificate userCert = X509CertificateBuilder.asCA(
> >                    ca.getPrivate(), caCert)
> >            .signatureAlgorithm("SHA256withRSA")
> >            .honorExtensions("all")
> >            .sign(request);
> >
> > Thanks
> > Max
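For comparison, the keytool -genkeypair/-certreq/-gencert sequence that the quoted builder snippet corresponds to, as an added example that is not part of the thread or the webrev. The keystore path, aliases, file names and store password are assumptions made up for the illustration.

```shell
#!/bin/sh
# Added illustration: the keytool steps that the proposed builder calls mirror.
# Aliases, file names and the store password are constructed for this example.
issue_chain() {
    dir=$1                      # working directory (path without spaces assumed)
    ks="$dir/demo.p12"
    common="-keystore $ks -storetype PKCS12 -storepass changeit"

    # fromKeyPair(ca) ... selfSign(): CA key pair plus self-signed certificate.
    # "-ext bc:c" is a critical BasicConstraints with the default value ca:true.
    keytool -genkeypair $common -alias ca -keyalg RSA -keysize 2048 \
        -dname CN=ca -validity 3650 -ext bc:c -sigalg SHA256withRSA || return 1

    # keytool needs a keystore entry for the user key before it can build a request.
    keytool -genkeypair $common -alias user -keyalg RSA -keysize 2048 \
        -dname CN=user || return 1

    # fromKeyPair(user) ... request(): PKCS #10 request asking for a critical KeyUsage.
    keytool -certreq $common -alias user \
        -ext ku:c=digitalSignature,keyEncipherment -file "$dir/user.req" || return 1

    # asCA(...).honorExtensions("all").sign(request): the CA copies the requested
    # extensions into the certificate it issues.
    keytool -gencert $common -alias ca -sigalg SHA256withRSA -ext honored=all \
        -infile "$dir/user.req" -outfile "$dir/user.crt" -rfc || return 1
}
```

With honored=all the CA accepts every extension the requester asked for, so a real issuing setup would normally list the permitted extension names instead.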