archive/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2025-08-26 14:24:46 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

8257497: Update keytool to create AKID from the SKID of the issuing certificate as specified by RFC 5280

Browse source 
Reviewed-by: coffeys, mullan, weijun
This commit is contained in:
Hai-May Chao 2021-02-17 16:38:56 +00:00
parent cb84539d56
commit 05301f5fd2
3 changed files with 146 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

51
src/java.base/share/classes/sun/security/tools/keytool/Main.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -1476,12 +1476,39 @@ public final class Main {
reqex = (CertificateExtensions)attr.getAttributeValue();
}
}
PublicKey subjectPubKey = req.getSubjectPublicKeyInfo();
PublicKey issuerPubKey = signerCert.getPublicKey();
KeyIdentifier signerSubjectKeyId;
if (Arrays.equals(subjectPubKey.getEncoded(), issuerPubKey.getEncoded())) {
// No AKID for self-signed cert
signerSubjectKeyId = null;
} else {
X509CertImpl certImpl;
if (signerCert instanceof X509CertImpl) {
certImpl = (X509CertImpl) signerCert;
} else {
certImpl = new X509CertImpl(signerCert.getEncoded());
}
// To enforce compliance with RFC 5280 section 4.2.1.1: "Where a key
// identifier has been previously established, the CA SHOULD use the
// previously established identifier."
// Use issuer's SKID to establish the AKID in createV3Extensions() method.
signerSubjectKeyId = certImpl.getSubjectKeyId();
if (signerSubjectKeyId == null) {
signerSubjectKeyId = new KeyIdentifier(issuerPubKey);
}
}
CertificateExtensions ext = createV3Extensions(
reqex,
null,
v3ext,
req.getSubjectPublicKeyInfo(),
signerCert.getPublicKey());
subjectPubKey,
signerSubjectKeyId);
info.set(X509CertInfo.EXTENSIONS, ext);
X509CertImpl cert = new X509CertImpl(info);
cert.sign(privateKey, sigAlgName);
@ -4224,6 +4251,7 @@ public final class Main {
* @param extstrs -ext values, Read keytool doc
* @param pkey the public key for the certificate
* @param akey the public key for the authority (issuer)
* @param aSubjectKeyId the subject key identifier for the authority (issuer)
* @return the created CertificateExtensions
*/
private CertificateExtensions createV3Extensions(
@ -4231,7 +4259,7 @@ public final class Main {
CertificateExtensions existingEx,
List <String> extstrs,
PublicKey pkey,
PublicKey akey) throws Exception {
KeyIdentifier aSubjectKeyId) throws Exception {
// By design, inside a CertificateExtensions object, all known
// extensions uses name (say, "BasicConstraints") as key and
@ -4256,6 +4284,14 @@ public final class Main {
}
}
try {
// always non-critical
setExt(result, new SubjectKeyIdentifierExtension(
new KeyIdentifier(pkey).getIdentifier()));
if (aSubjectKeyId != null) {
setExt(result, new AuthorityKeyIdentifierExtension(aSubjectKeyId,
null, null));
}
// name{:critical}{=value}
// Honoring requested extensions
if (requestedEx != null) {
@ -4578,13 +4614,6 @@ public final class Main {
"Unknown.extension.type.") + extstr);
}
}
// always non-critical
setExt(result, new SubjectKeyIdentifierExtension(
new KeyIdentifier(pkey).getIdentifier()));
if (akey != null && !pkey.equals(akey)) {
setExt(result, new AuthorityKeyIdentifierExtension(
new KeyIdentifier(akey), null, null));
}
} catch(IOException e) {
throw new RuntimeException(e);
}