Hi Max,

Is there any reason why this X509CertificateBuilder can’t be Java SE API? Have you considered defining this builder API in java.security.cert.X509Certificate.Builder?

Mandy

> On Dec 2, 2015, at 6:36 AM, Wang Weijun <weijun.w...@oracle.com> wrote:
>
> Hi All
>
> This enhancement creates a new jdk.security.cert.X509CertificateBuilder API
> that does what keytool -genkeypair/-certreq/-gencert can do.
>
> code changes:
>
> http://cr.openjdk.java.net/~weijun/8058778/webrev.04
> http://cr.openjdk.java.net/~weijun/8058778/dev/webrev.01/
>
> spec:
>
> http://cr.openjdk.java.net/~weijun/8058778/webrev.04/ktspec/jdk/security/cert/X509CertificateBuilder.html
>
> You will be able to
>
> KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
> kpg.initialize(2048);
> KeyPair ca = kpg.generateKeyPair();
> KeyPair user = kpg.generateKeyPair();
>
> X509Certificate caCert = X509CertificateBuilder.fromKeyPair(ca)
>     .subject(new X500Principal("CN=ca"))
>     .validity(Instant.now(), Instant.now().plus(Period.ofDays(3650)))
>     .addExtension("BasicConstraints", "", true)
>     .signatureAlgorithm("SHA256withRSA")
>     .selfSign();
>
> byte[] request = X509CertificateBuilder.fromKeyPair(user)
>     .subject(new X500Principal("CN=user"))
>     .addExtension("KeyUsage", "digitalSignature,keyEncipherment", true)
>     .request();
>
> X509Certificate userCert = X509CertificateBuilder.asCA(
>         ca.getPrivate(), caCert)
>     .signatureAlgorithm("SHA256withRSA")
>     .honorExtensions("all")
>     .sign(request);
>
> Thanks
> Max
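For comparison with the builder chain in Max's mail, here is the same three-step flow (self-signed CA with critical BasicConstraints, user CSR with critical KeyUsage, CA-signed user cert honouring all requested extensions) done with the keytool subcommands the mail says the API replaces. This is an added example, not code from the thread or the webrev; it assumes a JDK `keytool` on PATH, and the keystore path and password are constructed for the demo.

```shell
#!/bin/sh
# keytool equivalent of the X509CertificateBuilder usage quoted above.
# Added example; assumes `keytool` from a JDK is on PATH.
set -e

# Builds CA cert, user CSR and CA-signed user cert inside directory $1
# and prints the Issuer DN of the resulting user certificate.
build_chain() {
  dir=$1
  ks="$dir/keystore.p12"
  pw=changeit   # constructed password for a throwaway demo keystore

  # keytool -genkeypair: CA key pair + self-signed cert, 3650-day validity,
  # critical BasicConstraints (`bc:c`; ca:true is the default value)
  keytool -genkeypair -keystore "$ks" -storepass "$pw" -storetype PKCS12 \
    -alias ca -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -dname "CN=ca" -validity 3650 -ext bc:c >/dev/null

  # user key pair (keytool also stores a placeholder self-signed cert)
  keytool -genkeypair -keystore "$ks" -storepass "$pw" -storetype PKCS12 \
    -alias user -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -dname "CN=user" >/dev/null

  # keytool -certreq: CSR carrying a critical KeyUsage extension
  keytool -certreq -keystore "$ks" -storepass "$pw" -alias user \
    -sigalg SHA256withRSA -ext ku:c=digitalSignature,keyEncipherment \
    -file "$dir/user.csr" >/dev/null

  # keytool -gencert: the CA signs the CSR; honored=all copies every
  # extension requested in the CSR into the issued certificate
  keytool -gencert -keystore "$ks" -storepass "$pw" -alias ca \
    -sigalg SHA256withRSA -ext honored=all -rfc \
    -infile "$dir/user.csr" -outfile "$dir/user.crt" >/dev/null

  # Verify who issued the user certificate (expected: CN=ca)
  keytool -printcert -file "$dir/user.crt" | grep '^Issuer:' | sed 's/^Issuer: //'
}
```

Note that `-ext honored=all` trusts whatever the requester put in the CSR; a real CA would normally honour only a whitelist of extensions and override the rest.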