git.net

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[GitHub] ant pull request #64: Add support for SAN extension in GenerateKey task


Github user jnsnkrllive commented on a diff in the pull request:

    https://github.com/apache/ant/pull/64#discussion_r202096699
  
    --- Diff: src/main/org/apache/tools/ant/taskdefs/GenerateKey.java ---
    @@ -413,6 +429,16 @@ public void execute() throws BuildException {
                 sb.append("\" ");
             }
     
    +        if (useExtension) {
    +            sb.append("-ext ");
    --- End diff --
    
    Good question. I did some testing and here's what I found:
    
    keytool would fail if we pass "-ext" without a name.
    `keytool -genkey -alias "keystorename" -keystore "keystorename" -storepass "secret" -keypass "secret" -ext`
    > Command option -ext needs an argument.
    
    However, we won't ever append "-ext" without also appending a name too. Currently the only way to append "-ext" is when useExtension is true, which only happens if the sname attribute is included in the definition AND the java version is 1.7 or higher.
    
    keytool works fine if the saname attribute is not included in the definition. "useExtension" would be false (because "setSaname" would never get called) and it'd skip over the code block beginning on line 432.
    
    However, keytool throws an exception if saname="" is used in the definition
    `[genkey] keytool error: java.lang.Exception: Illegal item in san=`
    This definition of the task doesn't meet the requirements specified by keytool. Should ant handle this differently or defer to keytool for handing the invalid use? It doesn't look like we are doing any special validation on the other arguments (e.g. "sigalg" which is just a string in this Task but keytool only accepts certain values for that string). 


---

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@xxxxxxxxxxxxxx
For additional commands, e-mail: dev-help@xxxxxxxxxxxxxx