--- a/jdk/src/share/classes/sun/security/tools/CertAndKeyGen.java Wed Nov 09 09:30:13 2011 +0800
+++ b/jdk/src/share/classes/sun/security/tools/CertAndKeyGen.java Wed Nov 09 15:51:18 2011 +0800
@@ -33,18 +33,7 @@
import java.util.Date;
import sun.security.pkcs10.PKCS10;
-import sun.security.x509.AlgorithmId;
-import sun.security.x509.CertificateAlgorithmId;
-import sun.security.x509.CertificateIssuerName;
-import sun.security.x509.CertificateSerialNumber;
-import sun.security.x509.CertificateSubjectName;
-import sun.security.x509.CertificateValidity;
-import sun.security.x509.CertificateVersion;
-import sun.security.x509.CertificateX509Key;
-import sun.security.x509.X500Name;
-import sun.security.x509.X509CertImpl;
-import sun.security.x509.X509CertInfo;
-import sun.security.x509.X509Key;
+import sun.security.x509.*;
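Review bot: The twelve explicit imports are collapsed into `import sun.security.x509.*;`, which is a step down in readability for a file whose whole purpose is to assemble X.509 structures: a reader can no longer see at the top which x509 classes the file depends on, and the wildcard will silently pick up any future name added to that package. The only new name the rest of the patch needs is CertificateExtensions, so keeping the explicit list and adding `import sun.security.x509.CertificateExtensions;` would express the change more precisely.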
/**
@@ -165,6 +154,13 @@
publicKey = pair.getPublic();
privateKey = pair.getPrivate();
+
+ // publicKey's format must be X.509 otherwise
+ // the whole CertGen part of this class is broken.
+ if (!"X.509".equalsIgnoreCase(publicKey.getFormat())) {
+ throw new IllegalArgumentException("publicKey's is not X.509, but "
+ + publicKey.getFormat());
+ }
}
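Review bot: The exception message assembled from `"publicKey's is not X.509, but "` reads as a typo — it names the key but not the property being reported; `"publicKey's format is not X.509, but "` states what was checked and what value follows. The exception type is also debatable: the offending value comes from the provider's key pair generator rather than from a caller-supplied argument, so IllegalStateException (or a type the enclosing method already declares) describes the situation better than IllegalArgumentException. The enclosing method starts before this hunk; its Javadoc should mention this new failure mode, since a caller using a provider whose public keys are not X.509-encoded will now fail here rather than later at the X509Key cast.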
@@ -186,6 +182,16 @@
return (X509Key)publicKey;
}
+ /**
+ * Always returns the public key of the generated key pair. Used
+ * by KeyTool only.
+ *
+ * The publicKey is not necessarily to be an instance of
+ * X509Key in some JCA/JCE providers, for example SunPKCS11.
+ */
+ public PublicKey getPublicKeyAnyway() {
+ return publicKey;
+ }
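Review bot: The Javadoc on getPublicKeyAnyway is grammatically awkward ("is not necessarily to be an instance of") and does not say why a caller would pick this method over getPublicKey(), whose `return (X509Key)publicKey;` just above fails with a ClassCastException for such providers. Suggested wording: `Returns the public key of the generated key pair without casting it to X509Key. Some JCA/JCE providers (for example SunPKCS11) return a PublicKey that is not an X509Key instance; callers that only need the key object should use this method. Used by KeyTool only.` plus an `@return the public key of the generated pair` tag. The "Anyway" suffix is a bit informal for a public method name, but it is consistent with the existing getPublicKey naming, so that is a matter of taste.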
/**
* Returns the private key of the generated key pair.
@@ -200,7 +206,6 @@
return privateKey;
}
-
/**
* Returns a self-signed X.509v3 certificate for the public key.
* The certificate is immediately valid. No extensions.
@@ -225,6 +230,15 @@
throws CertificateException, InvalidKeyException, SignatureException,
NoSuchAlgorithmException, NoSuchProviderException
{
+ return getSelfCertificate(myname, firstDate, validity, null);
+ }
+
+ // Like above, plus a CertificateExtensions argument, which can be null.
+ public X509Certificate getSelfCertificate (X500Name myname, Date firstDate,
+ long validity, CertificateExtensions ext)
+ throws CertificateException, InvalidKeyException, SignatureException,
+ NoSuchAlgorithmException, NoSuchProviderException
+ {
X509CertImpl cert;
Date lastDate;
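Review bot: The new five-argument overload is documented only by the line comment `// Like above, plus a CertificateExtensions argument, which can be null.`, while the overload it generalizes carries full Javadoc; a public method should get its own Javadoc rather than a "like above" pointer. A short block stating the purpose (a self-signed X.509v3 certificate for the public key), `@param ext the extensions to place in the certificate, or {@code null} for none` and `@return the self-signed certificate` is enough, and the @throws list can be copied from the existing overload. The method body continues past the end of this hunk.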
@@ -248,6 +262,7 @@
info.set(X509CertInfo.KEY, new CertificateX509Key(publicKey));
info.set(X509CertInfo.VALIDITY, interval);
info.set(X509CertInfo.ISSUER, new CertificateIssuerName(myname));
+ if (ext != null) info.set(X509CertInfo.EXTENSIONS, ext);
cert = new X509CertImpl(info);
cert.sign(privateKey, this.sigAlg);
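Review bot: The added `if (ext != null) info.set(X509CertInfo.EXTENSIONS, ext);` is a single-line, unbraced if, unlike the surrounding code in this hunk; `if (ext != null) { info.set(X509CertInfo.EXTENSIONS, ext); }` keeps the file's brace style. Setting EXTENSIONS on an X509CertInfo presumably requires the version to already be V3, so if the version field is only set to V3 somewhere outside this hunk (or conditionally), it would be worth a comment here noting that dependency, since a mismatch would surface as a CertificateException from info.set rather than as an obvious error. The extensions object is stored into the info as passed, so callers should not reuse or mutate it afterwards expecting the certificate to be unaffected; a note to that effect in the overload's Javadoc would help.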
--- a/jdk/src/share/classes/sun/security/tools/KeyTool.java Wed Nov 09 09:30:13 2011 +0800
+++ b/jdk/src/share/classes/sun/security/tools/KeyTool.java Wed Nov 09 15:51:18 2011 +0800
@@ -1518,9 +1518,16 @@
keypair.generate(keysize);
PrivateKey privKey = keypair.getPrivateKey();
+ CertificateExtensions ext = createV3Extensions(
+ null,
+ null,
+ v3ext,
+ keypair.getPublicKeyAnyway(),
+ null);
+
X509Certificate[] chain = new X509Certificate[1];
chain[0] = keypair.getSelfCertificate(
- x500Name, getStartDate(startDate), validity*24L*60L*60L);
+ x500Name, getStartDate(startDate), validity*24L*60L*60L, ext);
if (verbose) {
MessageFormat form = new MessageFormat(rb.getString
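Review bot: The call to createV3Extensions passes three bare `null` arguments around `v3ext` and `keypair.getPublicKeyAnyway()`, so a reader cannot tell from this hunk which parameters are being left unset (its signature is not visible here). Annotating each positional null with the parameter it stands for, e.g. `null, /* requestedExt: none */` style comments in the file's own wording, would make the call self-describing and lower the risk of a future argument-order mistake. It would also be worth a one-line comment above the call saying that the `-ext` options are now baked into the initial self-signed certificate, which is why the later re-sign step in this file is no longer needed.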
@@ -1537,9 +1544,6 @@
keyPass = promptForKeyPass(alias, null, storePass);
}
keyStore.setKeyEntry(alias, privKey, keyPass, chain);
-
- // resign so that -ext are applied.
- doSelfCert(alias, null, sigAlgName);
}
/**