> On Dec 3, 2015, at 2:38 AM, Mandy Chung <mandy.ch...@oracle.com> wrote:
>
> Hi Max,
>
> Is there any reason why this X509CertificateBuilder can’t be Java SE API?
Well, not much. When we first designed the new API, it was meant to be a quick alternative to sun.security.tools.keytool.Main, since that class will be invisible after Jigsaw. So it's just a simple utility class and not finely polished.

One unpolished part is the certificate request. It's now just a byte[]. We might need a base class CertificateRequest and a child X509CertificateRequest and some getters.

Another is the addExtension() method [1] that takes string values. Although I've tried my best to specify the precise format [1], I still think it's not mature enough for a Java SE API. Maybe I should just keep the addExtension(Extension) one [3] and create static methods in Extension (or shall I create a child named X509Extension?) that generate known/unknown extension objects.

Maybe my understanding is biased, but when I am thinking of a Java SE API, it contains multiple classes and a clean structure. On the other hand, a JDK-specific tool can be a huge single class with every method inside (just like keytool itself).

> Have you considered defining this builder API in
> java.security.cert.X509Certificate.Builder?

That sounds like a good place.

Thanks
Max

[1] http://cr.openjdk.java.net/~weijun/8058778/webrev.04/ktspec/jdk/security/cert/X509CertificateBuilder.html#addExtension-java.lang.String-java.lang.String-boolean-
[2] http://cr.openjdk.java.net/~weijun/8058778/webrev.04/ktspec/jdk/security/cert/X509CertificateBuilder.html#extensions
[3] http://cr.openjdk.java.net/~weijun/8058778/webrev.04/ktspec/jdk/security/cert/X509CertificateBuilder.html#addExtension-java.security.cert.Extension-

>
> Mandy
>
>> On Dec 2, 2015, at 6:36 AM, Wang Weijun <weijun.w...@oracle.com> wrote:
>>
>> Hi All
>>
>> This enhancement creates a new jdk.security.cert.X509CertificateBuilder API
>> that does what keytool -genkeypair/-certreq/-gencert can do.
>>
>> code changes:
>>
>> http://cr.openjdk.java.net/~weijun/8058778/webrev.04
>> http://cr.openjdk.java.net/~weijun/8058778/dev/webrev.01/
>>
>> spec:
>>
>> http://cr.openjdk.java.net/~weijun/8058778/webrev.04/ktspec/jdk/security/cert/X509CertificateBuilder.html
>>
>> You will be able to
>>
>> import java.security.KeyPair;
>> import java.security.KeyPairGenerator;
>> import java.security.cert.X509Certificate;
>> import java.time.Instant;
>> import java.time.Period;
>> import javax.security.auth.x500.X500Principal;
>> import jdk.security.cert.X509CertificateBuilder;
>>
>> // Two fresh 2048-bit RSA key pairs: one for the CA, one for the end entity
>> KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
>> kpg.initialize(2048);
>> KeyPair ca = kpg.generateKeyPair();
>> KeyPair user = kpg.generateKeyPair();
>>
>> // Self-signed CA certificate valid for ten years, with a critical BasicConstraints extension
>> X509Certificate caCert = X509CertificateBuilder.fromKeyPair(ca)
>>         .subject(new X500Principal("CN=ca"))
>>         .validity(Instant.now(), Instant.now().plus(Period.ofDays(3650)))
>>         .addExtension("BasicConstraints", "", true)
>>         .signatureAlgorithm("SHA256withRSA")
>>         .selfSign();
>>
>> // Certificate request (DER bytes) for the user, asking for a critical KeyUsage extension
>> byte[] request = X509CertificateBuilder.fromKeyPair(user)
>>         .subject(new X500Principal("CN=user"))
>>         .addExtension("KeyUsage", "digitalSignature,keyEncipherment", true)
>>         .request();
>>
>> // The CA signs the request, copying every extension the request asked for
>> X509Certificate userCert = X509CertificateBuilder.asCA(
>>                 ca.getPrivate(), caCert)
>>         .signatureAlgorithm("SHA256withRSA")
>>         .honorExtensions("all")
>>         .sign(request);
>>
>> Thanks
>> Max
>>
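As an added check that is not part of the webrev or of either mail, the following uses only existing java.security.cert APIs to confirm that the caCert and userCert produced by the snippet above actually carry the extensions that were requested (BasicConstraints on the CA, KeyUsage copied from the request) and that userCert validates under PKIX with caCert as the sole trust anchor. The class name IssuedCertCheck is an assumption.

```java
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;

/** Added check (not from the webrev): verify what the builder snippet produced. */
public final class IssuedCertCheck {

    public static void check(X509Certificate caCert, X509Certificate userCert)
            throws Exception {
        // addExtension("BasicConstraints", "", true) on the CA: getBasicConstraints()
        // returns the path-length limit (Integer.MAX_VALUE if unlimited) for a CA
        // certificate and -1 when the cA flag is absent.
        if (caCert.getBasicConstraints() < 0) {
            throw new IllegalStateException("CA cert is missing BasicConstraints cA=true");
        }
        // An end-entity certificate must not come back with the cA flag set.
        if (userCert.getBasicConstraints() >= 0) {
            throw new IllegalStateException("user cert is marked as a CA");
        }
        // The request asked for KeyUsage digitalSignature (bit 0) and
        // keyEncipherment (bit 2); honorExtensions("all") should have copied it.
        boolean[] ku = userCert.getKeyUsage();
        if (ku == null || ku.length < 3 || !ku[0] || !ku[2]) {
            throw new IllegalStateException("KeyUsage not honored: " + Arrays.toString(ku));
        }
        // Issuer/subject linkage and signature under the CA key.
        if (!userCert.getIssuerX500Principal().equals(caCert.getSubjectX500Principal())) {
            throw new IllegalStateException("issuer DN does not match CA subject DN");
        }
        userCert.verify(caCert.getPublicKey());
        // Full PKIX path validation: validity period, name chaining, critical extensions.
        CertPath path = CertificateFactory.getInstance("X.509")
                .generateCertPath(Collections.singletonList(userCert));
        PKIXParameters params =
                new PKIXParameters(Collections.singleton(new TrustAnchor(caCert, null)));
        params.setRevocationEnabled(false); // a freshly built test CA has no CRL/OCSP
        CertPathValidator.getInstance("PKIX").validate(path, params);
    }
}
```

Any of the IllegalStateException branches, a bad signature, or a PKIX failure means the builder did not produce what the snippet intended.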