diff --git a/src/share/classes/sun/security/tools/CertAndKeyGen.java b/src/share/classes/sun/security/tools/CertAndKeyGen.java index 4c32a33b4f74b03c6d09a92c6c9ee7ab8422055f..fad412e9f9ac000e106334a0bf0f669e06371dea 100644 --- a/src/share/classes/sun/security/tools/CertAndKeyGen.java +++ b/src/share/classes/sun/security/tools/CertAndKeyGen.java @@ -33,18 +33,7 @@ import java.security.*; import java.util.Date; import sun.security.pkcs10.PKCS10; -import sun.security.x509.AlgorithmId; -import sun.security.x509.CertificateAlgorithmId; -import sun.security.x509.CertificateIssuerName; -import sun.security.x509.CertificateSerialNumber; -import sun.security.x509.CertificateSubjectName; -import sun.security.x509.CertificateValidity; -import sun.security.x509.CertificateVersion; -import sun.security.x509.CertificateX509Key; -import sun.security.x509.X500Name; -import sun.security.x509.X509CertImpl; -import sun.security.x509.X509CertInfo; -import sun.security.x509.X509Key; +import sun.security.x509.*; /** @@ -165,6 +154,13 @@ public final class CertAndKeyGen { publicKey = pair.getPublic(); privateKey = pair.getPrivate(); + + // publicKey's format must be X.509 otherwise + // the whole CertGen part of this class is broken. + if (!"X.509".equalsIgnoreCase(publicKey.getFormat())) { + throw new IllegalArgumentException("publicKey's is not X.509, but " + + publicKey.getFormat()); + } } @@ -186,6 +182,16 @@ public final class CertAndKeyGen { return (X509Key)publicKey; } + /** + * Always returns the public key of the generated key pair. Used + * by KeyTool only. + * + * The publicKey is not necessarily to be an instance of + * X509Key in some JCA/JCE providers, for example SunPKCS11. + */ + public PublicKey getPublicKeyAnyway() { + return publicKey; + } /** * Returns the private key of the generated key pair. @@ -200,7 +206,6 @@ public final class CertAndKeyGen { return privateKey; } - /** * Returns a self-signed X.509v3 certificate for the public key. * The certificate is immediately valid. No extensions. @@ -224,6 +229,15 @@ public final class CertAndKeyGen { X500Name myname, Date firstDate, long validity) throws CertificateException, InvalidKeyException, SignatureException, NoSuchAlgorithmException, NoSuchProviderException + { + return getSelfCertificate(myname, firstDate, validity, null); + } + + // Like above, plus a CertificateExtensions argument, which can be null. + public X509Certificate getSelfCertificate (X500Name myname, Date firstDate, + long validity, CertificateExtensions ext) + throws CertificateException, InvalidKeyException, SignatureException, + NoSuchAlgorithmException, NoSuchProviderException { X509CertImpl cert; Date lastDate; @@ -248,6 +262,7 @@ public final class CertAndKeyGen { info.set(X509CertInfo.KEY, new CertificateX509Key(publicKey)); info.set(X509CertInfo.VALIDITY, interval); info.set(X509CertInfo.ISSUER, new CertificateIssuerName(myname)); + if (ext != null) info.set(X509CertInfo.EXTENSIONS, ext); cert = new X509CertImpl(info); cert.sign(privateKey, this.sigAlg); diff --git a/src/share/classes/sun/security/tools/KeyTool.java b/src/share/classes/sun/security/tools/KeyTool.java index 0d928209807406a1f4c81602ec61f9570d845c5f..3125f6f54c7a20a0ca01409222708e0cc7cb88ed 100644 --- a/src/share/classes/sun/security/tools/KeyTool.java +++ b/src/share/classes/sun/security/tools/KeyTool.java @@ -1518,9 +1518,16 @@ public final class KeyTool { keypair.generate(keysize); PrivateKey privKey = keypair.getPrivateKey(); + CertificateExtensions ext = createV3Extensions( + null, + null, + v3ext, + keypair.getPublicKeyAnyway(), + null); + X509Certificate[] chain = new X509Certificate[1]; chain[0] = keypair.getSelfCertificate( - x500Name, getStartDate(startDate), validity*24L*60L*60L); + x500Name, getStartDate(startDate), validity*24L*60L*60L, ext); if (verbose) { MessageFormat form = new MessageFormat(rb.getString @@ -1537,9 +1544,6 @@ public final class KeyTool { keyPass = promptForKeyPass(alias, null, storePass); } keyStore.setKeyEntry(alias, privKey, keyPass, chain); - - // resign so that -ext are applied. - doSelfCert(alias, null, sigAlgName); } /**