8325766: Extend CertificateBuilder to create trust and end entity certificates programmatically #23700
Conversation
|
👋 Welcome back mdonovan! A progress list of the required criteria for merging this PR into |
|
@mpdonova This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be: You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 10 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. ➡️ To integrate this PR with the above commit message to the |
| throws CertificateException, IOException { | ||
| SecureRandom random = new SecureRandom(); | ||
|
|
||
| boolean [] keyUsage = new boolean[]{false, false, false, |
There was a problem hiding this comment.
Wouldn't it be easier to just use var keyUsage = new boolean[KeyUsage.values().length]?
There was a problem hiding this comment.
I updated the array initialization.
test/jdk/sun/net/www/protocol/https/HttpsURLConnection/IPIdentities.java
Show resolved
Hide resolved
|
The similarity between the certificate pairs is impressive! Just curious - why the change in issuer and owner names? |
Looks like it's something between |
After looking into this some more, I found that OpenSSL prints them backwards and I was using OpenSSL to print the hard-coded certificates and then just copying and pasting the strings. I changed the hard-coded DN strings to follow the RFC order. |
| KeyUsage.DIGITAL_SIGNATURE, KeyUsage.NONREPUDIATION, KeyUsage.KEY_ENCIPHERMENT) | ||
| .addBasicConstraintsExt(false, false, -1) | ||
| .addExtension(CertificateBuilder.createIPSubjectAltNameExt(true, "127.0.0.1")) | ||
| .build(trustedCert, caKeys.getPrivate(), "MD5WithRSA"); |
There was a problem hiding this comment.
MD5 algorithm is not allowed in TLSv1.3
There was a problem hiding this comment.
I'll address this in JDK-8353738
test/jdk/sun/net/www/protocol/https/HttpsURLConnection/IPIdentities.java
Show resolved
Hide resolved
|
@mpdonova This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply issue a |
| public static CertificateBuilder newCertificateBuilder(String subjectName, | ||
| PublicKey publicKey, PublicKey caKey, KeyUsage... keyUsages) |
There was a problem hiding this comment.
My suggestion is to make this a regular constructor and have an additional method that sets the certificate lifetime as a Duration parameter, ex:
new CertificateBuilder(subject, pubKey, caPubKey, keyUsage).withValidity(Duration.ofHours(1));
There was a problem hiding this comment.
I think the way it currently is follows the builder pattern better. All of the 'set' methods return this which means if I change this method to a constructor, I'd have to duplicate the "set" code from all those methods.
I like the idea of using Duration but the API for it doesn't really lend itself to this use case. When the certificate is finally created, we write Date objects to the DerOutputStream so I'd have to choose a start time and then calculate the end time based on the duration. It's not hard, but it doesn't seem worth it when the common use case of this class is to generate short-lived certificates for a test. The default one-hour validity will cover the vast majority of tests.
There was a problem hiding this comment.
I think the way it currently is follows the builder pattern better. All of the 'set' methods return
thiswhich means if I change this method to a constructor, I'd have to duplicate the "set" code from all those methods.
I'm not sure what you mean - can you give an example? I don't see any advantages of using a static method here, but I agree it works either way.
I like the idea of using
Durationbut the API for it doesn't really lend itself to this use case. When the certificate is finally created, we writeDateobjects to the DerOutputStream so I'd have to choose a start time and then calculate the end time based on the duration. It's not hard, but it doesn't seem worth it when the common use case of this class is to generate short-lived certificates for a test. The default one-hour validity will cover the vast majority of tests.
I view this test utility class as being flexible enough for different cases. This is a useful method in that the other parameters are common fields that all certs usually have but it also means I can't use this method to to create a certificate with a longer, or shorter validity period. Alternatively, how about adding another method that hard-codes it as one hour:
CertificateBuilder oneHourValidity()
There was a problem hiding this comment.
As a constructor, the code would look like this
public CertificateBuilder(String subjectName,
PublicKey publicKey, PublicKey caKey, KeyUsage... keyUsages)
throws CertificateException, IOException {
factory = CertificateFactory.getInstance("X.509");
SecureRandom random = new SecureRandom();
boolean [] keyUsage = new boolean[KeyUsage.values().length];
for (KeyUsage ku : keyUsages) {
keyUsage[ku.ordinal()] = true;
}
this.subjectName = new X500Principal(subjectName);
this.publicKey = Objects.requireNonNull(publicKey, "Caught null public key");
notBefore = (Date)Date.from(Instant.now().minus(1, ChronoUnit.HOURS));
notAfter = Date.from(Instant.now().plus(1, ChronoUnit.HOURS));
serialNumber = BigInteger.valueOf(random.nextLong(1000000)+1);
byte[] keyIdBytes = new KeyIdentifier(publicKey).getIdentifier();
Extension e = new SubjectKeyIdentifierExtension(keyIdBytes);
extensions.put(e.getId(), e);
KeyIdentifier kid = new KeyIdentifier(caKey);
e = new AuthorityKeyIdentifierExtension(kid, null, null);
extensions.put(e.getId(), e);
if (keyUsages.length != 0) {
e = new KeyUsageExtension(keyUsage);
extensions.put(e.getId(), e);
}
}
it also means I can't use this method to to create a certificate with a longer, or shorter validity period
There are methods to set the not-before and not-after fields. Any field set in this static method can be changed:
newCertificateBuilder(...).notAfter(Date.from(Instant.now().plus(10, TimeUnit.YEARS)));
I don't like using Date here and would be happy to overload it to take Instant as well.
There was a problem hiding this comment.
As a constructor, the code would look like this
Ah, I see. Well technically you could call the set methods from the ctor but you would get this-escape compiler warnings, which you probably want to avoid.
it also means I can't use this method to to create a certificate with a longer, or shorter validity period
There are methods to set the not-before and not-after fields. Any field set in this static method can be changed:
newCertificateBuilder(...).notAfter(Date.from(Instant.now().plus(10, TimeUnit.YEARS)));I don't like using
Datehere and would be happy to overload it to takeInstantas well.
Yes, but I don't think the static method which is generically named newCertificateBuilder should be hard-coding a one hour validity period, that detail should be either in a different method (my preference) or this method should be named more clearly like oneHourCertificateBuilder. I realize this is just a test method, but this is a nicely designed API that has been very useful so I would prefer if we keep the flexibility.
There was a problem hiding this comment.
I removed the default one-hour validity from the builder method and created a setOneHourValidity() method.
test/jdk/sun/net/www/protocol/https/HttpsURLConnection/IPIdentities.java
Outdated
Show resolved
Hide resolved
test/jdk/sun/net/www/protocol/https/HttpsURLConnection/IPIdentities.java
Outdated
Show resolved
Hide resolved
|
@mpdonova This pull request has been inactive for more than 8 weeks and will now be automatically closed. If you would like to continue working on this pull request in the future, feel free to reopen it! This can be done using the |
|
/open |
|
@mpdonova This pull request is now open |
|
@mpdonova This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply issue a |
|
@mpdonova this pull request can not be integrated into git checkout certbuilder
git fetch https://git.openjdk.org/jdk.git master
git merge FETCH_HEAD
# resolve conflicts and follow the instructions given by git merge
git commit -m "Merge master"
git push |
openjdk
bot
added
the
merge-conflict
mpdonova
changed the title
openjdk
bot
removed
the
merge-conflict
|
/integrate |
|
Going to push as commit 3184714.
Your commit was automatically rebased without conflicts. |
openjdk
bot
removed
ready
This PR updates the CertificateBuilder with a new method that creates a new instance with common fields (subject name, public key, serial number, validity, and key uses) filled-in. One test, IPIdentities.java, is updated to show how the method can be used to create various certificates. I attached screenshots that compare the old hard-coded certificates (left) with the new generated certificates.
Progress
Issue
Reviewers
Reviewing
Using
gitCheckout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/23700/head:pull/23700$ git checkout pull/23700Update a local copy of the PR:
$ git checkout pull/23700$ git pull https://git.openjdk.org/jdk.git pull/23700/headUsing Skara CLI tools
Checkout this PR locally:
$ git pr checkout 23700View PR using the GUI difftool:
$ git pr show -t 23700Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/23700.diff
Using Webrev
Link to Webrev Comment