> On Dec 3, 2015, at 4:11 AM, larry mccay <larry.mc...@gmail.com> wrote:
> 
> Hi Max -
> 
> Happy to see this enhancement - it would be great if it made its way into SE 
> and other JVM implementations as a result!

I replied to Mandy's mail.

> 
> If not, what would the added dependency be for consuming applications?

They will need the jdk.security.cert module. It will be in JRE (I added it into 
boot.modules) but if you want to create your own runtime you will need to add 
it using jimage or jlink things. (I am not a module expert but you know it).

Thanks
Max

> 
> thanks,
> 
> --larry
> 
> On Wed, Dec 2, 2015 at 1:38 PM, Mandy Chung <mandy.ch...@oracle.com> wrote:
> Hi Max,
> 
> Is there any reason why this X509CertificateBuilder can’t be Java SE API?  
> Have you considered defining this builder API in 
> java.security.cert.X509Certificate.Builder?
> 
> Mandy
> 
> > On Dec 2, 2015, at 6:36 AM, Wang Weijun <weijun.w...@oracle.com> wrote:
> >
> > Hi All
> >
> > This enhancement creates a new jdk.security.cert.X509CertificateBuilder API 
> > that does what keytool -genkeypair/-certreq/-gencert can do.
> >
> > code changes:
> >
> >  http://cr.openjdk.java.net/~weijun/8058778/webrev.04
> >  http://cr.openjdk.java.net/~weijun/8058778/dev/webrev.01/
> >
> > spec:
> >
> >  http://cr.openjdk.java.net/~weijun/8058778/webrev.04/ktspec/jdk/security/cert/X509CertificateBuilder.html
> >
> > You will be able to
> >
> > KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
> > kpg.initialize(2048);
> > KeyPair ca = kpg.generateKeyPair();
> > KeyPair user = kpg.generateKeyPair();
> >
> > X509Certificate caCert = X509CertificateBuilder.fromKeyPair(ca)
> >      .subject(new X500Principal("CN=ca"))
> >      .validity(Instant.now(), Instant.now().plus(Period.ofDays(3650)))
> >      .addExtension("BasicConstraints", "", true)
> >      .signatureAlgorithm("SHA256withRSA")
> >      .selfSign();
> >
> > byte[] request = X509CertificateBuilder.fromKeyPair(user)
> >      .subject(new X500Principal("CN=user"))
> >      .addExtension("KeyUsage", "digitalSignature,keyEncipherment", true)
> >      .request();
> >
> > X509Certificate userCert = X509CertificateBuilder.asCA(
> >          ca.getPrivate(), caCert)
> >      .signatureAlgorithm("SHA256withRSA")
> >      .honorExtensions("all")
> >      .sign(request);
> >
> > Thanks
> > Max
> >
> 
> 
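
For comparison with the Java snippet quoted above, the same three steps run through keytool itself (-genkeypair, -certreq, -gencert). This is an added example, not part of the original thread; the aliases, file names and store password are constructed placeholders.

```shell
# Added example: keytool equivalent of the quoted X509CertificateBuilder calls.
# Writes everything under the directory given as $1 and prints the path of
# the issued user certificate (PEM) on stdout.
issue_user_cert() {
    dir=$1
    pass=changeit   # constructed placeholder password

    # Helper: run one keytool command with the common store options.
    # keytool's own progress messages go to stderr so stdout stays clean.
    kt() {
        cmd=$1; shift
        keytool "$cmd" -storetype PKCS12 -storepass "$pass" "$@" >&2
    }

    # CA: self-signed, critical BasicConstraints (ca:true), about 10 years,
    # matching .addExtension("BasicConstraints", "", true) and .selfSign().
    kt -genkeypair -keystore "$dir/ca.p12" -alias ca \
        -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -dname "CN=ca" -validity 3650 -ext bc:c &&

    # User key pair, then a PKCS #10 request that asks for a critical
    # KeyUsage extension, matching .addExtension("KeyUsage", ...).request().
    kt -genkeypair -keystore "$dir/user.p12" -alias user \
        -keyalg RSA -keysize 2048 -dname "CN=user" &&
    kt -certreq -keystore "$dir/user.p12" -alias user \
        -ext ku:c=digitalSignature,keyEncipherment \
        -file "$dir/user.csr" &&

    # CA signs the request and copies every requested extension, matching
    # .asCA(...).honorExtensions("all").sign(request).
    kt -gencert -keystore "$dir/ca.p12" -alias ca \
        -sigalg SHA256withRSA -ext honored=all -rfc \
        -infile "$dir/user.csr" -outfile "$dir/user.pem" &&

    echo "$dir/user.pem"
}

# Usage: cert=$(issue_user_cert "$(mktemp -d)") && keytool -printcert -file "$cert"
```

Because `-ext honored=all` copies whatever the requester put in the CSR, a CA that should not trust requesters to choose their own extensions would list the honored names explicitly instead.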
