8296901: Do not create unsigned certificate and CRL
Reviewed-by: mullan
wangweij committed Nov 18, 2022
1 parent 7b3984c commit ab6b7ef
Showing 11 changed files with 395 additions and 414 deletions.
Expand Up @@ -335,12 +335,11 @@ public X509Certificate getSelfCertificate (X500Name myname, Date firstDate,
if (ext != null) info.setExtensions(ext);

cert = new X509CertImpl(info);
if (signerFlag) {
// use signer's private key to sign
cert.sign(signerPrivateKey, sigAlg);
cert = X509CertImpl.newSigned(info, signerPrivateKey, sigAlg);
} else {
cert.sign(privateKey, sigAlg);
cert = X509CertImpl.newSigned(info, privateKey, sigAlg);

return cert;
13 changes: 7 additions & 6 deletions src/java.base/share/classes/sun/security/tools/keytool/
Expand Up @@ -1536,8 +1536,8 @@ private void doGenCert(String alias, String sigAlgName, InputStream in, PrintStr
X509CertImpl cert = new X509CertImpl(info);
cert.sign(privateKey, sigAlgName);
X509CertImpl cert = X509CertImpl
.newSigned(info, privateKey, sigAlgName);
dumpCert(cert, out);
for (Certificate ca: keyStore.getCertificateChain(alias)) {
if (ca instanceof X509Certificate xca) {
Expand Down Expand Up @@ -1589,8 +1589,9 @@ private void doGenCRL(PrintStream out)
badCerts[i] = new X509CRLEntryImpl(new BigInteger(ids.get(i)), firstDate);
X509CRLImpl crl = new X509CRLImpl(owner, firstDate, lastDate, badCerts);
crl.sign(privateKey, sigAlgName);
X509CRLImpl crl = X509CRLImpl.newSigned(
new X509CRLImpl.TBSCertList(owner, firstDate, lastDate, badCerts),
privateKey, sigAlgName);
if (rfc) {
out.println("-----BEGIN X509 CRL-----");
out.println(Base64.getMimeEncoder(64, CRLF).encodeToString(crl.getEncodedInternal()));
Expand Down Expand Up @@ -3228,8 +3229,8 @@ private void doSelfCert(String alias, String dname, String sigAlgName)
// Sign the new certificate
X509CertImpl newCert = new X509CertImpl(certInfo);
newCert.sign(privKey, sigAlgName);
X509CertImpl newCert = X509CertImpl.newSigned(
certInfo, privKey, sigAlgName);

// Store the new certificate as a single-element certificate chain
keyStore.setKeyEntry(alias, privKey,
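Review bot: The continuation in doGenCert (`X509CertImpl cert = X509CertImpl` followed by `.newSigned(info, privateKey, sigAlgName);`) splits the class name from its factory call, while the doGenCRL and doSelfCert hunks in the same file break after the opening parenthesis; for consistency I would write it as `X509CertImpl cert = X509CertImpl.newSigned(` / `info, privateKey, sigAlgName);`. With the factory in place in all three methods, the object handed to `dumpCert`, `getEncodedInternal()` and `keyStore.setKeyEntry` is signed at construction, so the remaining difference between the hunks is layout only. Whether `X509CRLImpl.TBSCertList` copies the `badCerts` array it receives is not visible here, so the loop that fills `badCerts` should keep running to completion before the `newSigned` call, as it does now. The bodies of doGenCert, doGenCRL and doSelfCert all begin and end outside the visible hunks.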
