keytool is not in jdk-base-image

keytool is not in jdk-base-image

Sean Mullan
It will be difficult to sign modules without keytool. (It's possible, but you
would have to have a keystore already set up with your keys and certificates and
know the alias name, etc).

--Sean

Re: keytool is not in jdk-base-image

Mandy Chung
On 8/31/11 2:34 PM, Sean Mullan wrote:
> It will be difficult to sign modules without keytool. (It's possible, but you
> would have to have a keystore already set up with your keys and certificates and
> know the alias name, etc).

But keytool depends on jsse and jndi.  Can these dependencies be
eliminated or made optional?

sun.security.tools.JarSigner             ->  sun.security.util.PathList (sun.jsse)
sun.security.tools.KeyTool               ->  javax.net.ssl.HttpsURLConnection (sun.jsse)
sun.security.tools.KeyTool               ->  javax.net.ssl.SSLContext (sun.jsse)
sun.security.tools.KeyTool               ->  javax.net.ssl.TrustManager (sun.jsse)
sun.security.tools.KeyTool               ->  sun.security.pkcs.PKCS10 (sun.jsse)
sun.security.tools.KeyTool               ->  sun.security.pkcs.PKCS10Attribute (sun.jsse)
sun.security.tools.KeyTool               ->  sun.security.pkcs.PKCS10Attributes (sun.jsse)
sun.security.tools.KeyTool               ->  sun.security.provider.certpath.ldap.LDAPCertStoreHelper (sun.jndi)
sun.security.tools.KeyTool               ->  sun.security.util.PathList (sun.jsse)
sun.security.tools.KeyTool               ->  sun.security.x509.CertAndKeyGen (sun.jsse)
sun.security.tools.KeyTool$2             ->  javax.net.ssl.X509TrustManager (sun.jsse)
sun.security.tools.KeyTool$3             ->  javax.net.ssl.HostnameVerifier (sun.jsse)
sun.security.tools.KeyTool$3             ->  javax.net.ssl.SSLSession (sun.jsse)


Mandy

Re: keytool is not in jdk-base-image

Weijun Wang


On 09/01/2011 05:53 AM, Mandy Chung wrote:
> On 8/31/11 2:34 PM, Sean Mullan wrote:
>> It will be difficult to sign modules without keytool. (It's possible,
>> but you
>> would have to have a keystore already set up with your keys and
>> certificates and
>> know the alias name, etc).
>
> But keytool depends on jsse and jndi. Can these dependencies be
> eliminated or made optional?

The jndi dependence can be optional, but keytool needs the jsse module
to generate certs. See below:

>
> sun.security.tools.JarSigner -> sun.security.util.PathList (sun.jsse)

JarSigner?

> sun.security.tools.KeyTool -> javax.net.ssl.HttpsURLConnection (sun.jsse)
> sun.security.tools.KeyTool -> javax.net.ssl.SSLContext (sun.jsse)
> sun.security.tools.KeyTool -> javax.net.ssl.TrustManager (sun.jsse)
> sun.security.tools.KeyTool$2 -> javax.net.ssl.X509TrustManager (sun.jsse)
> sun.security.tools.KeyTool$3 -> javax.net.ssl.HostnameVerifier (sun.jsse)
> sun.security.tools.KeyTool$3 -> javax.net.ssl.SSLSession (sun.jsse)

for keytool -printcert -sslserver <ssl_server>

> sun.security.tools.KeyTool -> sun.security.pkcs.PKCS10 (sun.jsse)
> sun.security.tools.KeyTool -> sun.security.pkcs.PKCS10Attribute (sun.jsse)
> sun.security.tools.KeyTool -> sun.security.pkcs.PKCS10Attributes (sun.jsse)

for keytool -certreq

> sun.security.tools.KeyTool ->
> sun.security.provider.certpath.ldap.LDAPCertStoreHelper (sun.jndi)

for keytool -printcrl -file ldap://....

> sun.security.tools.KeyTool -> sun.security.util.PathList (sun.jsse)

PathList is a utility class to create "a:b:c" on Unix and "a;b;c" on
Windows. Is there a similar tool inside base?

> sun.security.tools.KeyTool -> sun.security.x509.CertAndKeyGen (sun.jsse)

for keytool -genkeypair and keytool -gencert

-Max

>
>
> Mandy

Re: keytool is not in jdk-base-image

Sean Mullan
On 8/31/11 8:46 PM, Weijun Wang wrote:

>
>
> On 09/01/2011 05:53 AM, Mandy Chung wrote:
>> On 8/31/11 2:34 PM, Sean Mullan wrote:
>>> It will be difficult to sign modules without keytool. (It's possible,
>>> but you
>>> would have to have a keystore already set up with your keys and
>>> certificates and
>>> know the alias name, etc).
>>
>> But keytool depends on jsse and jndi. Can these dependencies be
>> eliminated or made optional?
>
> The jndi dependence can be optional, but keytool needs the jsse module
> to generate certs. See below:
>
>>
>> sun.security.tools.JarSigner -> sun.security.util.PathList (sun.jsse)
>
> JarSigner?
>
>> sun.security.tools.KeyTool -> javax.net.ssl.HttpsURLConnection (sun.jsse)
>> sun.security.tools.KeyTool -> javax.net.ssl.SSLContext (sun.jsse)
>> sun.security.tools.KeyTool -> javax.net.ssl.TrustManager (sun.jsse)
>> sun.security.tools.KeyTool$2 -> javax.net.ssl.X509TrustManager (sun.jsse)
>> sun.security.tools.KeyTool$3 -> javax.net.ssl.HostnameVerifier (sun.jsse)
>> sun.security.tools.KeyTool$3 -> javax.net.ssl.SSLSession (sun.jsse)
>
> for keytool -printcert -sslserver <ssl_server>

This option is very specific to SSL. Can we make this optional? The option would
fail if sun.jsse is not installed.

>> sun.security.tools.KeyTool -> sun.security.pkcs.PKCS10 (sun.jsse)
>> sun.security.tools.KeyTool -> sun.security.pkcs.PKCS10Attribute (sun.jsse)
>> sun.security.tools.KeyTool -> sun.security.pkcs.PKCS10Attributes (sun.jsse)

Move these into jdk.tools.base. I don't think anything else uses PKCS10.

>
> for keytool -certreq
>
>> sun.security.tools.KeyTool ->
>> sun.security.provider.certpath.ldap.LDAPCertStoreHelper (sun.jndi)
>
> for keytool -printcrl -file ldap://....

Ok, we should make that optional so jndi is not required.

>
>> sun.security.tools.KeyTool -> sun.security.util.PathList (sun.jsse)
>
> PathList is a utility class to create "a:b:c" on Unix and "a;b;c" on
> Windows. Is there a similar tool inside base?

This class is simple enough that we can just copy the functionality into keytool.

>> sun.security.tools.KeyTool -> sun.security.x509.CertAndKeyGen (sun.jsse)
>
> for keytool -genkeypair and keytool -gencert

Move CertAndKeyGen into jdk.tools.base. I don't think anything else uses it.

--Sean

Re: keytool is not in jdk-base-image

Dr Andrew John Hughes
On 11:28 Thu 01 Sep     , Sean Mullan wrote:
> On 8/31/11 8:46 PM, Weijun Wang wrote:

snip...

>
> >
> >> sun.security.tools.KeyTool -> sun.security.util.PathList (sun.jsse)
> >
> > PathList is a utility class to create "a:b:c" on Unix and "a;b;c" on
> > Windows. Is there a similar tool inside base?
>
> This class is simple enough that we can just copy the functionality into keytool.
>

Might java.nio.file.Path be useful here?  Or does that make the situation worse?

--
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and IcedTea
http://www.gnu.org/software/classpath
http://icedtea.classpath.org
PGP Key: F5862A37 (https://keys.indymedia.org/)
Fingerprint = EA30 D855 D50F 90CD F54D  0698 0713 C3ED F586 2A37

Re: keytool is not in jdk-base-image

Sean Mullan
On 9/1/11 10:39 PM, Dr Andrew John Hughes wrote:

> On 11:28 Thu 01 Sep     , Sean Mullan wrote:
>> On 8/31/11 8:46 PM, Weijun Wang wrote:
>
> snip...
>
>>
>>>
>>>> sun.security.tools.KeyTool -> sun.security.util.PathList (sun.jsse)
>>>
>>> PathList is a utility class to create "a:b:c" on Unix and "a;b;c" on
>>> Windows. Is there a similar tool inside base?
>>
>> This class is simple enough that we can just copy the functionality into keytool.
>>
>
> Might java.nio.file.Path be useful here?  

I don't think so, at least not directly - PathList contains utility methods that
operate on a list of paths (ex: classpath).

--Sean

Re: keytool is not in jdk-base-image

Weijun Wang
In reply to this post by Sean Mullan
I see three kinds of solutions in your reply:

1. Move something to a module
2. Make a function optional
3. Re-write PathList inside keytool

I understand #3 is something I need to do and #1 is configured somewhere
in class classification. What about #2? To make a function optional,
what will the user experience be?

Does it mean when a module is not installed, the function just fails
with a ClassNotFoundException? Or can I write something like
Class.forName() inside to show the user a warning message?

Thanks
Max


On 09/01/2011 11:28 PM, Sean Mullan wrote:

> On 8/31/11 8:46 PM, Weijun Wang wrote:
>>
>>
>> On 09/01/2011 05:53 AM, Mandy Chung wrote:
>>> On 8/31/11 2:34 PM, Sean Mullan wrote:
>>>> It will be difficult to sign modules without keytool. (It's possible,
>>>> but you
>>>> would have to have a keystore already set up with your keys and
>>>> certificates and
>>>> know the alias name, etc).
>>>
>>> But keytool depends on jsse and jndi. Can these dependencies be
>>> eliminated or made optional?
>>
>> The jndi dependence can be optional, but keytool needs the jsse module
>> to generate certs. See below:
>>
>>>
>>> sun.security.tools.JarSigner ->  sun.security.util.PathList (sun.jsse)
>>
>> JarSigner?
>>
>>> sun.security.tools.KeyTool ->  javax.net.ssl.HttpsURLConnection (sun.jsse)
>>> sun.security.tools.KeyTool ->  javax.net.ssl.SSLContext (sun.jsse)
>>> sun.security.tools.KeyTool ->  javax.net.ssl.TrustManager (sun.jsse)
>>> sun.security.tools.KeyTool$2 ->  javax.net.ssl.X509TrustManager (sun.jsse)
>>> sun.security.tools.KeyTool$3 ->  javax.net.ssl.HostnameVerifier (sun.jsse)
>>> sun.security.tools.KeyTool$3 ->  javax.net.ssl.SSLSession (sun.jsse)
>>
>> for keytool -printcert -sslserver <ssl_server>
>
> This option is very specific to SSL. Can we make this optional? The option would
> fail if sun.jsse is not installed.
>
>>> sun.security.tools.KeyTool ->  sun.security.pkcs.PKCS10 (sun.jsse)
>>> sun.security.tools.KeyTool ->  sun.security.pkcs.PKCS10Attribute (sun.jsse)
>>> sun.security.tools.KeyTool ->  sun.security.pkcs.PKCS10Attributes (sun.jsse)
>
> Move these into jdk.tools.base. I don't think anything else uses PKCS10.
>
>>
>> for keytool -certreq
>>
>>> sun.security.tools.KeyTool ->
>>> sun.security.provider.certpath.ldap.LDAPCertStoreHelper (sun.jndi)
>>
>> for keytool -printcrl -file ldap://....
>
> Ok, we should make that optional so jndi is not required.
>
>>
>>> sun.security.tools.KeyTool ->  sun.security.util.PathList (sun.jsse)
>>
>> PathList is a utility class to create "a:b:c" on Unix and "a;b;c" on
>> Windows. Is there a similar tool inside base?
>
> This class is simple enough that we can just copy the functionality into keytool.
>
>>> sun.security.tools.KeyTool ->  sun.security.x509.CertAndKeyGen (sun.jsse)
>>
>> for keytool -genkeypair and keytool -gencert
>
> Move CertAndKeyGen into jdk.tools.base. I don't think anything else uses it.
>
> --Sean

Re: keytool is not in jdk-base-image

Sean Mullan
On 9/4/11 8:46 PM, Weijun Wang wrote:

> I see three kinds of solutions in your reply:
>
> 1. Move something to a module
> 2. Make a function optional
> 3. Re-write PathList inside keytool
>
> I understand #3 is something I need to do and #1 is configured somewhere
> in class classification. What about #2? To make a function optional,
> what will the user experience be?
>
> Does it mean when a module is not installed, the function just fails
> with a ClassNotFoundException? Or can I write something like
> Class.forName() inside to show the user a warning message?

Yes, I think so.

Please hold off on making any changes for now. I'm doing a bit of
experimentation on my own. I want to try moving things around and it will also
give me some more experience with how the modules are built.

--Sean
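
The approach asked about above (probe with Class.forName() and warn when an optional module is absent), as an added example that is not part of the thread or the JDK sources. The class OptionalFeatures and its method names are hypothetical; the option-to-class pairs are taken from the dependency list quoted in the thread.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration (hypothetical class): guard optional tool options behind
// a reflective probe so that a missing module produces a clear message
// instead of an uncaught NoClassDefFoundError.
public class OptionalFeatures {

    // Option -> one class it needs from an optional module (pairs from the thread).
    private static final Map<String, String> REQUIRED = new LinkedHashMap<>();
    static {
        REQUIRED.put("-printcert -sslserver", "javax.net.ssl.SSLContext");
        REQUIRED.put("-printcrl -file ldap://",
                "sun.security.provider.certpath.ldap.LDAPCertStoreHelper");
    }

    // True if the class can be located. initialize=false avoids running its
    // static initializers just to answer the question.
    static boolean isAvailable(String className) {
        try {
            Class.forName(className, false, OptionalFeatures.class.getClassLoader());
            return true;
        } catch (ClassNotFoundException | LinkageError e) {
            return false;
        }
    }

    // Returns null when the option can run, otherwise a user-facing message.
    static String check(String option) {
        String needed = REQUIRED.get(option);
        if (needed == null || isAvailable(needed)) {
            return null;
        }
        return "keytool: option " + option + " is unavailable: required class "
                + needed + " is not installed";
    }

    public static void main(String[] args) {
        for (String option : REQUIRED.keySet()) {
            String problem = check(option);
            System.out.println(option + " : " + (problem == null ? "available" : problem));
        }
    }
}
```

For the probe to help, the code that actually uses the optional class should sit in a separate class that is first touched only after check() returns null; otherwise linking the caller can still fail before the message is shown.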