src/java.base/share/classes/sun/security/tools/keytool/CertAndKeyGen.java
rev 51972 : 8215694: keytool cannot generate RSASSA-PSS certificates
Reviewed-by: xuelei
rev 51973 : 8215694 resolve
*** 1,7 ****
/*
! * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
--- 1,7 ----
/*
! * Copyright (c) 1996, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
*** 28,43 ****
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateEncodingException;
import java.security.*;
import java.util.Date;
import sun.security.pkcs10.PKCS10;
import sun.security.x509.*;
-
/**
* Generate a pair of keys, and provide access to them. This class is
* provided primarily for ease of use.
*
* <P>This provides some simple certificate management functionality.
--- 28,43 ----
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateEncodingException;
import java.security.*;
+ import java.security.spec.AlgorithmParameterSpec;
import java.util.Date;
import sun.security.pkcs10.PKCS10;
import sun.security.x509.*;
/**
* Generate a pair of keys, and provide access to them. This class is
* provided primarily for ease of use.
*
* <P>This provides some simple certificate management functionality.
*** 121,130 ****
--- 121,145 ----
prng = generator;
}
// want "public void generate (X509Certificate)" ... inherit DSA/D-H param
+ public void generate(int keyBits) {
+ if (keyBits != -1) {
+ try {
+ if (prng == null) {
+ prng = new SecureRandom();
+ }
+ keyGen.initialize(keyBits, prng);
+
+ } catch (Exception e) {
+ throw new IllegalArgumentException(e.getMessage());
+ }
+ }
+ generateInternal();
+ }
+
/**
* Generates a random public/private key pair, with a given key
* size. Different algorithms provide different degrees of security
* for the same key size, because of the "work factor" involved in
* brute force attacks. As computers become faster, it becomes
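Review bot: The new public `generate(int keyBits)` has no Javadoc and the `-1` sentinel tested on the first line of its body is undocumented; the doc comment that follows it now belongs to `generateInternal()`. Add above the method something like `/** Generates the key pair. A keyBits of -1 skips initialization and assumes the caller already initialized keyGen (presumably via another overload added in this change); initialization failures surface as IllegalArgumentException. */`. The copied `catch (Exception e)` also rethrows only the message and drops the cause; `throw new IllegalArgumentException(e.getMessage(), e);` keeps it. The old `throws InvalidKeyException` is gone from the signature, so if `generateInternal()` (whose body continues past the hunk) still throws it, that should be checked.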
*** 138,162 ****
*
* @param keyBits the number of bits in the keys.
* @exception InvalidKeyException if the environment does not
* provide X.509 public keys for this signature algorithm.
*/
! public void generate (int keyBits)
! throws InvalidKeyException
! {
! KeyPair pair;
!
! try {
! if (prng == null) {
! prng = new SecureRandom();
! }
! keyGen.initialize(keyBits, prng);
! pair = keyGen.generateKeyPair();
!
! } catch (Exception e) {
! throw new IllegalArgumentException(e.getMessage());
! }
publicKey = pair.getPublic();
privateKey = pair.getPrivate();
// publicKey's format must be X.509 otherwise
--- 153,164 ----
*
* @param keyBits the number of bits in the keys.
* @exception InvalidKeyException if the environment does not
* provide X.509 public keys for this signature algorithm.
*/
! public void generateInternal() {
! KeyPair pair = keyGen.generateKeyPair();
publicKey = pair.getPublic();
privateKey = pair.getPrivate();
// publicKey's format must be X.509 otherwise
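Review bot: The Javadoc now attached to `generateInternal()` still carries `@param keyBits` and `@exception InvalidKeyException`, but the new `public void generateInternal() {` line takes no parameter and declares no checked exception. Either rewrite the comment — e.g. `Generates the key pair from the already-initialized generator; callers should use {@link #generate(int)}.` with the stale tags removed — or, if the method body that continues past the hunk still throws InvalidKeyException, restore the throws clause. Making this step public also exposes a method that only works after keyGen has been initialized; `private` or package-private seems safer unless another class in the change calls it.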
*** 260,291 ****
CertificateValidity interval =
new CertificateValidity(firstDate,lastDate);
X509CertInfo info = new X509CertInfo();
// Add all mandatory attributes
info.set(X509CertInfo.VERSION,
new CertificateVersion(CertificateVersion.V3));
info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(
new java.util.Random().nextInt() & 0x7fffffff));
! AlgorithmId algID = AlgorithmId.get(sigAlg);
info.set(X509CertInfo.ALGORITHM_ID,
new CertificateAlgorithmId(algID));
info.set(X509CertInfo.SUBJECT, myname);
info.set(X509CertInfo.KEY, new CertificateX509Key(publicKey));
info.set(X509CertInfo.VALIDITY, interval);
info.set(X509CertInfo.ISSUER, myname);
if (ext != null) info.set(X509CertInfo.EXTENSIONS, ext);
cert = new X509CertImpl(info);
! cert.sign(privateKey, this.sigAlg);
return (X509Certificate)cert;
} catch (IOException e) {
throw new CertificateEncodingException("getSelfCert: " +
e.getMessage());
}
}
// Keep the old method
public X509Certificate getSelfCertificate (X500Name myname, long validity)
--- 262,301 ----
CertificateValidity interval =
new CertificateValidity(firstDate,lastDate);
X509CertInfo info = new X509CertInfo();
+ AlgorithmParameterSpec params = AlgorithmId
+ .getDefaultAlgorithmParameterSpec(sigAlg, privateKey);
// Add all mandatory attributes
info.set(X509CertInfo.VERSION,
new CertificateVersion(CertificateVersion.V3));
info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(
new java.util.Random().nextInt() & 0x7fffffff));
! AlgorithmId algID = AlgorithmId.getWithParameterSpec(sigAlg, params);
info.set(X509CertInfo.ALGORITHM_ID,
new CertificateAlgorithmId(algID));
info.set(X509CertInfo.SUBJECT, myname);
info.set(X509CertInfo.KEY, new CertificateX509Key(publicKey));
info.set(X509CertInfo.VALIDITY, interval);
info.set(X509CertInfo.ISSUER, myname);
if (ext != null) info.set(X509CertInfo.EXTENSIONS, ext);
cert = new X509CertImpl(info);
! cert.sign(privateKey,
! params,
! sigAlg,
! null);
return (X509Certificate)cert;
} catch (IOException e) {
throw new CertificateEncodingException("getSelfCert: " +
e.getMessage());
+ } catch (InvalidAlgorithmParameterException e2) {
+ throw new SignatureException(
+ "Unsupported PSSParameterSpec: " + e2.getMessage());
}
}
// Keep the old method
public X509Certificate getSelfCertificate (X500Name myname, long validity)
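Review bot: The new `catch (InvalidAlgorithmParameterException e2)` near the end of the hunk rethrows only the message and drops the cause; `throw new SignatureException("Unsupported PSSParameterSpec: " + e2.getMessage(), e2);` preserves it for diagnosis. The message also hard-codes PSSParameterSpec although `params` comes from `getDefaultAlgorithmParameterSpec` and may be any spec or null, so wording like "Unsupported signature parameters" would stay accurate. The fourth argument of the new `cert.sign(...)` call is a bare `null`; a short inline comment naming what it stands for (presumably the provider) would help the reader. getSelfCertificate begins before the hunk.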
*** 307,316 ****
--- 317,327 ----
*
* @param myname X.500 name of the subject
* @exception InvalidKeyException on key handling errors.
* @exception SignatureException on signature handling errors.
*/
+ // This method is not used inside JDK. Will not update it.
public PKCS10 getCertRequest (X500Name myname)
throws InvalidKeyException, SignatureException
{
PKCS10 req = new PKCS10 (publicKey);
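Review bot: The added line comment `// This method is not used inside JDK. Will not update it.` sits between the Javadoc and the `getCertRequest` declaration and records a decision rather than its consequence: readers need to know that this method still signs with `sigAlg` alone and so presumably does not carry the algorithm parameters the new `getSelfCertificate` path supplies. Move that into the Javadoc, e.g. `* @implNote Signs with {@code sigAlg} without algorithm parameters; not used inside the JDK.`, and drop the line comment so the doc comment stays directly above the declaration.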