7109096: keytool -genkeypair needn't call -selfcert

Reviewed-by: xuelei

7109096: keytool -genkeypair needn't call -selfcert
Reviewed-by: xuelei
c7b72ac3 · weijun · 297c3ebc · c7b72ac3 · c7b72ac3
2 changed file
--- a/src/share/classes/sun/security/tools/CertAndKeyGen.java
+++ b/src/share/classes/sun/security/tools/CertAndKeyGen.java
@@ -33,18 +33,7 @@ import java.security.*;
 import java.util.Date;
 import sun.security.pkcs10.PKCS10;
-import sun.security.x509.AlgorithmId;
+import sun.security.x509.*;
-import sun.security.x509.CertificateAlgorithmId;
-import sun.security.x509.CertificateIssuerName;
-import sun.security.x509.CertificateSerialNumber;
-import sun.security.x509.CertificateSubjectName;
-import sun.security.x509.CertificateValidity;
-import sun.security.x509.CertificateVersion;
-import sun.security.x509.CertificateX509Key;
-import sun.security.x509.X500Name;
-import sun.security.x509.X509CertImpl;
-import sun.security.x509.X509CertInfo;
-import sun.security.x509.X509Key;
 /**
@@ -165,6 +154,13 @@ public final class CertAndKeyGen {
        publicKey = pair.getPublic();
        privateKey = pair.getPrivate();
+        // publicKey's format must be X.509 otherwise
+        // the whole CertGen part of this class is broken.
+        if (!"X.509".equalsIgnoreCase(publicKey.getFormat())) {
+            throw new IllegalArgumentException("publicKey's is not X.509, but "
+                    + publicKey.getFormat());
+        }
    }
@@ -186,6 +182,16 @@ public final class CertAndKeyGen {
        return (X509Key)publicKey;
    }
+    /**
+     * Always returns the public key of the generated key pair. Used
+     * by KeyTool only.
+     *
+     * The publicKey is not necessarily to be an instance of
+     * X509Key in some JCA/JCE providers, for example SunPKCS11.
+     */
+    public PublicKey getPublicKeyAnyway() {
+        return publicKey;
+    }
    /**
     * Returns the private key of the generated key pair.
@@ -200,7 +206,6 @@ public final class CertAndKeyGen {
        return privateKey;
    }
    /**
     * Returns a self-signed X.509v3 certificate for the public key.
     * The certificate is immediately valid. No extensions.
@@ -224,6 +229,15 @@ public final class CertAndKeyGen {
            X500Name myname, Date firstDate, long validity)
    throws CertificateException, InvalidKeyException, SignatureException,
        NoSuchAlgorithmException, NoSuchProviderException
+    {
+        return getSelfCertificate(myname, firstDate, validity, null);
+    }
+    // Like above, plus a CertificateExtensions argument, which can be null.
+    public X509Certificate getSelfCertificate (X500Name myname, Date firstDate,
+            long validity, CertificateExtensions ext)
+    throws CertificateException, InvalidKeyException, SignatureException,
+        NoSuchAlgorithmException, NoSuchProviderException
    {
        X509CertImpl    cert;
        Date            lastDate;
@@ -248,6 +262,7 @@ public final class CertAndKeyGen {
            info.set(X509CertInfo.KEY, new CertificateX509Key(publicKey));
            info.set(X509CertInfo.VALIDITY, interval);
            info.set(X509CertInfo.ISSUER, new CertificateIssuerName(myname));
+            if (ext != null) info.set(X509CertInfo.EXTENSIONS, ext);
            cert = new X509CertImpl(info);
            cert.sign(privateKey, this.sigAlg);

--- a/src/share/classes/sun/security/tools/KeyTool.java
+++ b/src/share/classes/sun/security/tools/KeyTool.java
@@ -1518,9 +1518,16 @@ public final class KeyTool {
        keypair.generate(keysize);
        PrivateKey privKey = keypair.getPrivateKey();
+        CertificateExtensions ext = createV3Extensions(
+                null,
+                null,
+                v3ext,
+                keypair.getPublicKeyAnyway(),
+                null);
        X509Certificate[] chain = new X509Certificate[1];
        chain[0] = keypair.getSelfCertificate(
-                x500Name, getStartDate(startDate), validity*24L*60L*60L);
+                x500Name, getStartDate(startDate), validity*24L*60L*60L, ext);
        if (verbose) {
            MessageFormat form = new MessageFormat(rb.getString
@@ -1537,9 +1544,6 @@ public final class KeyTool {
            keyPass = promptForKeyPass(alias, null, storePass);
        }
        keyStore.setKeyEntry(alias, privKey, keyPass, chain);
-        // resign so that -ext are applied.
-        doSelfCert(alias, null, sigAlgName);
    }
    /**