< prev index next >

src/java.base/share/classes/sun/security/tools/keytool/CertAndKeyGen.java

Print this page
rev 51972 : 8215694: keytool cannot generate RSASSA-PSS certificates
Reviewed-by: xuelei
rev 51973 : 8215694 resolve
   1 /*
   2  * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package sun.security.tools.keytool;
  27 
  28 import java.io.IOException;
  29 import java.security.cert.X509Certificate;
  30 import java.security.cert.CertificateException;
  31 import java.security.cert.CertificateEncodingException;
  32 import java.security.*;

  33 import java.util.Date;
  34 
  35 import sun.security.pkcs10.PKCS10;
  36 import sun.security.x509.*;
  37 
  38 /**
  39  * Generate a pair of keys, and provide access to them.  This class is
  40  * provided primarily for ease of use.
  41  *
  42  * <P>This provides some simple certificate management functionality.
  43  * Specifically, it allows you to create self-signed X.509 certificates
  44  * as well as PKCS 10 based certificate signing requests.
  45  *
  46  * <P>Keys for some public key signature algorithms have algorithm
  47  * parameters, such as DSS/DSA.  Some sites' Certificate Authorities
  48  * adopt fixed algorithm parameters, which speeds up some operations
  49  * including key generation and signing.  <em>At this time, this interface
  50  * does not provide a way to provide such algorithm parameters, e.g.
  51  * by providing the CA certificate which includes those parameters.</em>
  52  *


 105             }
 106         }
 107         this.sigAlg = sigAlg;
 108     }
 109 
 110     /**
 111      * Sets the source of random numbers used when generating keys.
 112      * If you do not provide one, a system default facility is used.
 113      * You may wish to provide your own source of random numbers
 114      * to get a reproducible sequence of keys and signatures, or
 115      * because you may be able to take advantage of strong sources
 116      * of randomness/entropy in your environment.
 117      */
 118     public void         setRandom (SecureRandom generator)
 119     {
 120         prng = generator;
 121     }
 122 
 123     // want "public void generate (X509Certificate)" ... inherit DSA/D-H param
 124 















 125     /**
 126      * Generates a random public/private key pair, with a given key
 127      * size.  Different algorithms provide different degrees of security
 128      * for the same key size, because of the "work factor" involved in
 129      * brute force attacks.  As computers become faster, it becomes
 130      * easier to perform such attacks.  Small keys are to be avoided.
 131      *
 132      * <P>Note that not all values of "keyBits" are valid for all
 133      * algorithms, and not all public key algorithms are currently
 134      * supported for use in X.509 certificates.  If the algorithm
 135      * you specified does not produce X.509 compatible keys, an
 136      * invalid key exception is thrown.
 137      *
 138      * @param keyBits the number of bits in the keys.
 139      * @exception InvalidKeyException if the environment does not
 140      *  provide X.509 public keys for this signature algorithm.
 141      */
 142     public void generate (int keyBits)
 143     throws InvalidKeyException
 144     {
 145         KeyPair pair;
 146 
 147         try {
 148             if (prng == null) {
 149                 prng = new SecureRandom();
 150             }
 151             keyGen.initialize(keyBits, prng);
 152             pair = keyGen.generateKeyPair();
 153 
 154         } catch (Exception e) {
 155             throw new IllegalArgumentException(e.getMessage());
 156         }
 157 
 158         publicKey = pair.getPublic();
 159         privateKey = pair.getPrivate();
 160 
 161         // publicKey's format must be X.509 otherwise
 162         // the whole CertGen part of this class is broken.
 163         if (!"X.509".equalsIgnoreCase(publicKey.getFormat())) {
 164             throw new IllegalArgumentException("Public key format is "
 165                 + publicKey.getFormat() + ", must be X.509");
 166         }
 167 
 168         if (sigAlg == null) {
 169             sigAlg = AlgorithmId.getDefaultSigAlgForKey(privateKey);
 170             if (sigAlg == null) {
 171                 throw new IllegalArgumentException(
 172                         "Cannot derive signature algorithm from "
 173                                 + privateKey.getAlgorithm());
 174             }
 175         }
 176     }


   1 /*
   2  * Copyright (c) 1996, 2019, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package sun.security.tools.keytool;
  27 
  28 import java.io.IOException;
  29 import java.security.cert.X509Certificate;
  30 import java.security.cert.CertificateException;
  31 import java.security.cert.CertificateEncodingException;
  32 import java.security.*;
  33 import java.security.spec.AlgorithmParameterSpec;
  34 import java.util.Date;
  35 
  36 import sun.security.pkcs10.PKCS10;
  37 import sun.security.x509.*;
  38 
  39 /**
  40  * Generate a pair of keys, and provide access to them.  This class is
  41  * provided primarily for ease of use.
  42  *
  43  * <P>This provides some simple certificate management functionality.
  44  * Specifically, it allows you to create self-signed X.509 certificates
  45  * as well as PKCS 10 based certificate signing requests.
  46  *
  47  * <P>Keys for some public key signature algorithms have algorithm
  48  * parameters, such as DSS/DSA.  Some sites' Certificate Authorities
  49  * adopt fixed algorithm parameters, which speeds up some operations
  50  * including key generation and signing.  <em>At this time, this interface
  51  * does not provide a way to provide such algorithm parameters, e.g.
  52  * by providing the CA certificate which includes those parameters.</em>
  53  *


 106             }
 107         }
 108         this.sigAlg = sigAlg;
 109     }
 110 
 111     /**
 112      * Sets the source of random numbers used when generating keys.
 113      * If you do not provide one, a system default facility is used.
 114      * You may wish to provide your own source of random numbers
 115      * to get a reproducible sequence of keys and signatures, or
 116      * because you may be able to take advantage of strong sources
 117      * of randomness/entropy in your environment.
 118      */
 119     public void         setRandom (SecureRandom generator)
 120     {
 121         prng = generator;
 122     }
 123 
 124     // want "public void generate (X509Certificate)" ... inherit DSA/D-H param
 125 
 126     public void generate(int keyBits) {
 127         if (keyBits != -1) {
 128             try {
 129                 if (prng == null) {
 130                     prng = new SecureRandom();
 131                 }
 132                 keyGen.initialize(keyBits, prng);
 133 
 134             } catch (Exception e) {
 135                 throw new IllegalArgumentException(e.getMessage());
 136             }
 137         }
 138         generateInternal();
 139     }
 140 
 141     /**
 142      * Generates a random public/private key pair, with a given key
 143      * size.  Different algorithms provide different degrees of security
 144      * for the same key size, because of the "work factor" involved in
 145      * brute force attacks.  As computers become faster, it becomes
 146      * easier to perform such attacks.  Small keys are to be avoided.
 147      *
 148      * <P>Note that not all values of "keyBits" are valid for all
 149      * algorithms, and not all public key algorithms are currently
 150      * supported for use in X.509 certificates.  If the algorithm
 151      * you specified does not produce X.509 compatible keys, an
 152      * invalid key exception is thrown.
 153      *
 154      * @param keyBits the number of bits in the keys.
 155      * @exception InvalidKeyException if the environment does not
 156      *  provide X.509 public keys for this signature algorithm.
 157      */
 158     public void generateInternal() {
 159         KeyPair pair = keyGen.generateKeyPair();













 160 
 161         publicKey = pair.getPublic();
 162         privateKey = pair.getPrivate();
 163 
 164         // publicKey's format must be X.509 otherwise
 165         // the whole CertGen part of this class is broken.
 166         if (!"X.509".equalsIgnoreCase(publicKey.getFormat())) {
 167             throw new IllegalArgumentException("Public key format is "
 168                 + publicKey.getFormat() + ", must be X.509");
 169         }
 170 
 171         if (sigAlg == null) {
 172             sigAlg = AlgorithmId.getDefaultSigAlgForKey(privateKey);
 173             if (sigAlg == null) {
 174                 throw new IllegalArgumentException(
 175                         "Cannot derive signature algorithm from "
 176                                 + privateKey.getAlgorithm());
 177             }
 178         }
 179     }


< prev index next >