[jboss-jira] [JBoss JIRA] (ELY-567) Add a builder API for X.509 certificates
David Lloyd (JIRA)
issues at jboss.org
Wed Jun 8 07:47:00 EDT 2016
[ https://issues.jboss.org/browse/ELY-567?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13249544#comment-13249544 ]
David Lloyd commented on ELY-567:
---------------------------------
Recently pointed out on the OpenJDK Security Development list:
{blockquote}
Hi -
To be very specific here - if a certificate has extensions, it MUST be version 3, otherwise it SHOULD be version 1, but may be version 2 or 3. (If a certificate has either of the issuer or subject unique ID fields, it must be at least version 2 - but those fields are deprecated as a MUST NOT for conforming CAs, so you should never issue a certificate with those fields).
A CA certificate (i.e. an intermediate certificate) is required to have a basicConstraints extension - and must be a version three certificate.
If you do this (support V1 cert gen), I'd make it a side effect of whether or not you add extensions instead of a discrete option.
{blockquote}
> Add a builder API for X.509 certificates
> ----------------------------------------
>
> Key: ELY-567
> URL: https://issues.jboss.org/browse/ELY-567
> Project: WildFly Elytron
> Issue Type: Feature Request
> Components: X.500
> Reporter: David Lloyd
>
> It is going to be somewhat common for us to generate certificates for various purposes, including (but not limited to) self-signing and CSRs. While it is possible to assemble a certificate by hand using the DER encoding API, it would be nicer to have a certificate builder API which wraps the DER encoder and makes this process easier. It should adhere to all certificate generation rules and recommendations found in RFCs and elsewhere.
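As an added illustration (not Elytron code and not from this thread) of the rule quoted in the comment, a builder can derive the version as a side effect of which TBSCertificate parts are populated and then emit the matching DER version field; `CertSpec`, the extension names and the function names are assumptions for this sketch.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed stand-in for builder state: which optional TBSCertificate parts
# the caller has populated. Extension names are plain strings for illustration.
@dataclass
class CertSpec:
    extensions: List[str] = field(default_factory=list)  # e.g. ["basicConstraints"]
    issuer_unique_id: Optional[bytes] = None
    subject_unique_id: Optional[bytes] = None
    is_ca: bool = False  # caller intends an intermediate / CA certificate

def choose_version(spec: CertSpec) -> int:
    """Version as a side effect of the fields present, not a discrete option."""
    if spec.issuer_unique_id is not None or spec.subject_unique_id is not None:
        # These fields would force >= v2, but conforming CAs MUST NOT emit them.
        raise ValueError("issuerUniqueID/subjectUniqueID are deprecated; refusing to emit")
    if spec.is_ca and "basicConstraints" not in spec.extensions:
        raise ValueError("a CA certificate must carry the basicConstraints extension")
    # Extensions present -> MUST be v3; otherwise SHOULD be v1.
    return 3 if spec.extensions else 1

def encode_version_field(version: int) -> bytes:
    """DER for 'version [0] EXPLICIT Version DEFAULT v1' in TBSCertificate.

    Version is INTEGER { v1(0), v2(1), v3(2) }. DER forbids encoding a value
    equal to the DEFAULT, so a v1 certificate omits the field entirely.
    """
    if version not in (1, 2, 3):
        raise ValueError(f"unsupported X.509 version {version}")
    if version == 1:
        return b""
    integer = bytes([0x02, 0x01, version - 1])     # INTEGER, length 1, value
    return bytes([0xA0, len(integer)]) + integer   # [0] EXPLICIT constructed wrapper

def version_field_for(spec: CertSpec) -> bytes:
    """Convenience: validate the spec and return the DER version field bytes."""
    return encode_version_field(choose_version(spec))
```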