changeset 5630:3f1c3479232a

7109096: keytool -genkeypair needn't call -selfcert Reviewed-by: xuelei
author weijun
date Wed, 09 Nov 2011 15:51:18 +0800
parents 60dda124c866
children 7aa5b507e745
files src/share/classes/sun/security/tools/KeyTool.java src/share/classes/sun/security/x509/CertAndKeyGen.java
diffstat 2 files changed, 35 insertions(+), 5 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/sun/security/tools/KeyTool.java	Mon Jan 14 23:22:03 2013 +0000
+++ b/src/share/classes/sun/security/tools/KeyTool.java	Wed Nov 09 15:51:18 2011 +0800
@@ -1547,9 +1547,16 @@
         keypair.generate(keysize);
         PrivateKey privKey = keypair.getPrivateKey();
 
+        CertificateExtensions ext = createV3Extensions(
+                null,
+                null,
+                v3ext,
+                keypair.getPublicKeyAnyway(),
+                null);
+
         X509Certificate[] chain = new X509Certificate[1];
         chain[0] = keypair.getSelfCertificate(
-                x500Name, getStartDate(startDate), validity*24L*60L*60L);
+                x500Name, getStartDate(startDate), validity*24L*60L*60L, ext);
 
         if (verbose) {
             MessageFormat form = new MessageFormat(rb.getString
@@ -1566,9 +1573,6 @@
             keyPass = promptForKeyPass(alias, null, storePass);
         }
         keyStore.setKeyEntry(alias, privKey, keyPass, chain);
-
-        // resign so that -ext are applied.
-        doSelfCert(alias, null, sigAlgName);
     }
 
     /**
--- a/src/share/classes/sun/security/x509/CertAndKeyGen.java	Mon Jan 14 23:22:03 2013 +0000
+++ b/src/share/classes/sun/security/x509/CertAndKeyGen.java	Wed Nov 09 15:51:18 2011 +0800
@@ -153,6 +153,13 @@
 
         publicKey = pair.getPublic();
         privateKey = pair.getPrivate();
+
+        // publicKey's format must be X.509 otherwise
+        // the whole CertGen part of this class is broken.
+        if (!"X.509".equalsIgnoreCase(publicKey.getFormat())) {
+            throw new IllegalArgumentException("publicKey's is not X.509, but "
+                    + publicKey.getFormat());
+        }
     }
 
 
@@ -174,6 +181,16 @@
         return (X509Key)publicKey;
     }
 
+    /**
+     * Always returns the public key of the generated key pair. Used
+     * by KeyTool only.
+     *
+     * The publicKey is not necessarily to be an instance of
+     * X509Key in some JCA/JCE providers, for example SunPKCS11.
+     */
+    public PublicKey getPublicKeyAnyway() {
+        return publicKey;
+    }
 
     /**
      * Returns the private key of the generated key pair.
@@ -188,7 +205,6 @@
         return privateKey;
     }
 
-
     /**
      * Returns a self-signed X.509v3 certificate for the public key.
      * The certificate is immediately valid. No extensions.
@@ -213,6 +229,15 @@
     throws CertificateException, InvalidKeyException, SignatureException,
         NoSuchAlgorithmException, NoSuchProviderException
     {
+        return getSelfCertificate(myname, firstDate, validity, null);
+    }
+
+    // Like above, plus a CertificateExtensions argument, which can be null.
+    public X509Certificate getSelfCertificate (X500Name myname, Date firstDate,
+            long validity, CertificateExtensions ext)
+    throws CertificateException, InvalidKeyException, SignatureException,
+        NoSuchAlgorithmException, NoSuchProviderException
+    {
         X509CertImpl    cert;
         Date            lastDate;
 
@@ -236,6 +261,7 @@
             info.set(X509CertInfo.KEY, new CertificateX509Key(publicKey));
             info.set(X509CertInfo.VALIDITY, interval);
             info.set(X509CertInfo.ISSUER, new CertificateIssuerName(myname));
+            if (ext != null) info.set(X509CertInfo.EXTENSIONS, ext);
 
             cert = new X509CertImpl(info);
             cert.sign(privateKey, this.sigAlg);