JDK-8165481 : Provide an API for generating certificates
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 9
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • OS: generic
  • CPU: generic
  • Submitted: 2016-08-26
  • Updated: 2016-09-06
  • Resolved: 2016-09-06
Related Reports
Duplicate :  
Description
A DESCRIPTION OF THE REQUEST :
With the already released JDKs, it is currently possible to generate X.509 v3 certificates using private JDK classes (CertAndKeyGen and X500Name).
This approach is not sustainable with the upcoming release of the modular JDK 9.

Note: We personally only need self-signed certificates, but I can see why other people would want to generate certificates from java code.


JUSTIFICATION :
There are too many problems with the approach using private JDK classes:

- the internal package(s) keep changing:
 - "sun.security.x509.CertAndKeyGen", // Oracle/Sun/OpenJDK 6, 7 < u111
 - "sun.security.tools.keytool.CertAndKeyGen", // Oracle/Sun/OpenJDK 8, 7 >= u111
 - "com.ibm.security.x509.CertAndKeyGen", // IBM SDK 7
 - "com.ibm.security.tools.CertAndKeyGen" // IBM SDK 8
- Java 9 will hide these classes

I would like to convert code using CertAndKeyGen to use standard, supported JDK classes.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
We would like a new JDK supported API which offers the keytool capabilities for generating X.509 certificates.
For example, java.security.cert.CertificateFactory could be augmented with APIs for generating certificates.

Since the code already exists in the JDK for keytool, the new API may use the existing code for implementing this feature.
ACTUAL -
Currently, generating certificates needs to rely on the JDK private CertAndKeyGen class.

---------- BEGIN SOURCE ----------
java.security.KeyPairGenerator generator = java.security.KeyPairGenerator.getInstance("RSA");
// "SHA1WithRSA" is a signature algorithm, not a SecureRandom algorithm, so the original
// SecureRandom.getInstance("SHA1WithRSA") would throw NoSuchAlgorithmException; use the platform default PRNG.
generator.initialize(2048, new java.security.SecureRandom());
java.security.KeyPair keyPair = generator.generateKeyPair();
java.security.PrivateKey privatekey = keyPair.getPrivate();

String dn = "CN=example, O=Example Corp"; // sample subject DN (placeholder value)
javax.security.auth.x500.X500Principal principal = new javax.security.auth.x500.X500Principal(dn);

java.security.cert.CertificateFactory certFactory = java.security.cert.CertificateFactory.getInstance("X.509");
// Proposed new API (does not exist in any JDK release; shown here as the requested shape):
java.security.cert.X509Certificate selfSignedCert =
    certFactory.getSelfSignedCertificate(principal, 365, java.util.concurrent.TimeUnit.DAYS);
// This would generate a self-signed X.509 v3 certificate that is valid for 365 days.
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
Use the JDK private CertAndKeyGen class.
For Java 9, use of the -XaddExports command-line flag seems to be the only workaround.
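The report asks for a supported way to produce a self-signed certificate without reaching into sun.security.* classes. The following is an added example by the editor, not code from the submitter or from the JDK: it builds the X.509 TBSCertificate structure by hand in DER, signs it with java.security.Signature, and hands the result to CertificateFactory, so it uses only public, exported APIs and runs unchanged on JDK 8 and on the modular JDK without any export flag. The class name SelfSignedCert, the helper names der and utcTime, and the sample DN are the editor's choices; the certificate carries no extensions (no basicConstraints or key identifiers) and, because it encodes validity as UTCTime, the notAfter date must fall before 2050.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.time.temporal.ChronoUnit;
import javax.security.auth.x500.X500Principal;

/** Self-signed X.509 v3 certificate using only public JDK APIs (editor's example, not JDK code). */
public final class SelfSignedCert {

    // AlgorithmIdentifier for sha256WithRSAEncryption: SEQUENCE { OID 1.2.840.113549.1.1.11, NULL }
    private static final byte[] SHA256_WITH_RSA = {
        0x30, 0x0d, 0x06, 0x09, 0x2a, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xf7, 0x0d,
        0x01, 0x01, 0x0b, 0x05, 0x00
    };

    // UTCTime (tag 0x17) is "YYMMDDHHMMSSZ"; RFC 5280 requires it for dates before 2050
    private static final DateTimeFormatter UTC_TIME =
        DateTimeFormatter.ofPattern("yyMMddHHmmss'Z'").withZone(ZoneOffset.UTC);

    /** Encodes one DER TLV: tag, definite-form length, then the concatenated contents. */
    static byte[] der(int tag, byte[]... parts) {
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        for (byte[] p : parts) body.write(p, 0, p.length);
        int len = body.size();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(tag);
        if (len < 0x80) {
            out.write(len);                       // short form
        } else {
            byte[] lenBytes = BigInteger.valueOf(len).toByteArray();
            int start = (lenBytes[0] == 0) ? 1 : 0; // drop BigInteger's sign byte; DER lengths are unsigned
            out.write(0x80 | (lenBytes.length - start));
            out.write(lenBytes, start, lenBytes.length - start);
        }
        byte[] b = body.toByteArray();
        out.write(b, 0, b.length);
        return out.toByteArray();
    }

    static byte[] utcTime(Instant t) {
        return der(0x17, UTC_TIME.format(t).getBytes(StandardCharsets.US_ASCII));
    }

    /** Issues a certificate for kp whose issuer and subject are both name, valid for the given number of days. */
    public static X509Certificate generate(KeyPair kp, X500Principal name, long days) throws Exception {
        SecureRandom rnd = new SecureRandom();
        Instant notBefore = Instant.now().truncatedTo(ChronoUnit.SECONDS);
        Instant notAfter = notBefore.plus(days, ChronoUnit.DAYS);
        // RFC 5280 4.1.2.2: serial numbers are positive and at most 20 octets; 159 random bits with the
        // low bit set stays positive and fits without a sign byte
        byte[] serial = new BigInteger(159, rnd).setBit(0).toByteArray();
        byte[] issuerAndSubject = name.getEncoded();      // X500Principal already yields a DER Name

        byte[] tbs = der(0x30,
            der(0xa0, der(0x02, new byte[] {0x02})),        // [0] EXPLICIT version: v3 is INTEGER 2
            der(0x02, serial),                               // serialNumber
            SHA256_WITH_RSA,                                 // signature AlgorithmIdentifier
            issuerAndSubject,                                // issuer
            der(0x30, utcTime(notBefore), utcTime(notAfter)),// validity
            issuerAndSubject,                                // subject (same as issuer: self-signed)
            kp.getPublic().getEncoded());                    // SubjectPublicKeyInfo ("X.509" encoding)

        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(kp.getPrivate(), rnd);
        sig.update(tbs);
        byte[] signature = sig.sign();

        // Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue BIT STRING }
        byte[] cert = der(0x30, tbs, SHA256_WITH_RSA, der(0x03, new byte[] {0x00}, signature));

        X509Certificate x509 = (X509Certificate) CertificateFactory.getInstance("X.509")
            .generateCertificate(new ByteArrayInputStream(cert));
        x509.verify(kp.getPublic());   // round-trip check: throws if the encoding or signature is wrong
        return x509;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048, new SecureRandom());
        KeyPair kp = gen.generateKeyPair();
        // sample subject DN, constructed for this example
        X509Certificate cert = generate(kp, new X500Principal("CN=example, O=Example Corp"), 365);
        System.out.println(cert.getSubjectX500Principal() + " valid until " + cert.getNotAfter());
    }
}
```

The DER encoder is the only non-trivial piece; the three fields that would otherwise need a full ASN.1 library (the Name, the SubjectPublicKeyInfo and the signature AlgorithmIdentifier) come from X500Principal.getEncoded(), PublicKey.getEncoded() and a fixed byte constant respectively, which is why the block stays small. A certificate meant for TLS should additionally carry a subjectAltName extension, which would be appended as an [3] EXPLICIT Extensions SEQUENCE after the SubjectPublicKeyInfo.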