On Thu, 11 Feb 2021 22:10:55 GMT, Hai-May Chao <hc...@openjdk.org> wrote:
>> src/java.base/share/classes/sun/security/tools/keytool/Main.java line 1482:
>>
>>> 1480:             byte[] signerSubjectKeyIdExt = ((X509Certificate)signerCert).getExtensionValue(
>>> 1481:                     KnownOIDs.SubjectKeyID.value());
>>> 1482:
>>
>> How about passing in the `KeyIdentifier` instead of `PublicKey akey` into the
>> createV3Extensions method? And you can calculate it with
>>
>>     X509CertImpl impl;
>>     if (signerCert instanceof X509CertImpl) {
>>         impl = (X509CertImpl) signerCert;
>>     } else {
>>         impl = new X509CertImpl(signerCert.getEncoded());
>>     }
>>     impl.getSubjectKeyId();
>
> Changed as suggested.

Sorry, I should have been more verbose in my suggestion. I was thinking about passing in **_only_** the `KeyIdentifier` and _**not**_ `akey`. After all, both of them are for the same purpose and it's clear to consolidate to only one. If the cert has an SKID then use it, otherwise calculate one using `new KeyIdentifier(akey)`. All these are done inside the `doGenCert()` method. The `createV3Extensions` just adds an AKID if the parameter is not null.

-------------

PR: https://git.openjdk.java.net/jdk/pull/2343