ant-dev mailing list archives

From jnsnkrllive <...@git.apache.org>
Subject [GitHub] ant pull request #64: Add support for SAN extension in GenerateKey task
Date Thu, 12 Jul 2018 16:20:25 GMT
Github user jnsnkrllive commented on a diff in the pull request:

    https://github.com/apache/ant/pull/64#discussion_r202096699
  
    --- Diff: src/main/org/apache/tools/ant/taskdefs/GenerateKey.java ---
    @@ -413,6 +429,16 @@ public void execute() throws BuildException {
                 sb.append("\" ");
             }
     
    +        if (useExtension) {
    +            sb.append("-ext ");
    --- End diff --
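
Review bot: At `if (useExtension)`, the only condition for emitting `-ext ` is the flag, and nothing in the visible lines checks that the value appended after it is non-empty. Consider failing in execute() with a BuildException that names the attribute when the value is empty, rather than passing it through to keytool. Also quote the appended value the way the preceding argument is closed with `sb.append("\" ");`, so a value containing spaces stays a single argument.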
    
    Good question. I did some testing and here's what I found:
    
    keytool would fail if we pass "-ext" without a name.
    `keytool -genkey -alias "keystorename" -keystore "keystorename" -storepass "secret" -keypass "secret" -ext`
    > Command option -ext needs an argument.
    
    However, we won't ever append "-ext" without also appending a name too. Currently the
only way to append "-ext" is when useExtension is true, which only happens if the saname attribute
is included in the definition AND the Java version is 1.7 or higher.
    
    keytool works fine if the saname attribute is not included in the definition. "useExtension"
would be false (because "setSaname" would never get called) and it'd skip over the code block
beginning on line 432.
    
    However, keytool throws an exception if saname="" is used in the definition
    `[genkey] keytool error: java.lang.Exception: Illegal item in san=`
    This definition of the task doesn't meet the requirements specified by keytool. Should
Ant handle this differently or defer to keytool for handling the invalid use? It doesn't look
like we are doing any special validation on the other arguments (e.g. "sigalg" which is just
a string in this Task but keytool only accepts certain values for that string). 
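
Added example, not part of the original message, of Ant, or of pull request #64: one way a task could check a `saname` value before keytool is started, so that an empty or malformed value fails with a message that names the attribute. The class `SanameCheck` and its `check` method are hypothetical; the example assumes the value is passed to keytool as `san=<value>` and uses the `type:value` item syntax and the item types (EMAIL, URI, DNS, IP, OID) from the keytool documentation.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Added illustration; not part of Ant or of pull request #64. */
public class SanameCheck {
    // Item types the keytool documentation lists for the SubjectAlternativeName extension.
    private static final Set<String> TYPES =
        new HashSet<>(Arrays.asList("EMAIL", "URI", "DNS", "IP", "OID"));

    /** Returns null if the value looks acceptable, otherwise a message naming the problem. */
    static String check(String saname) {
        if (saname == null || saname.trim().isEmpty()) {
            return "saname must not be empty";
        }
        // A limit of -1 keeps trailing empty items, so "dns:a," is reported too.
        for (String item : saname.split(",", -1)) {
            int colon = item.indexOf(':');
            if (colon <= 0 || colon == item.length() - 1) {
                return "saname item '" + item + "' is not of the form type:value";
            }
            String type = item.substring(0, colon).toUpperCase(Locale.ROOT);
            if (!TYPES.contains(type)) {
                return "saname item '" + item + "' has unknown type '" + type + "'";
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample values; "" is the case reported in the message above.
        String[] samples = {
            "", "dns:example.org,ip:192.0.2.10", "dns:", "host:example.org", "dns:a,"
        };
        for (String s : samples) {
            String problem = check(s);
            System.out.println("saname=\"" + s + "\" -> " + (problem == null ? "ok" : problem));
        }
    }
}
```

In a task, a non-null result would be turned into a BuildException before the command line is assembled; the check is deliberately shallow and leaves validation of each value (for example, whether an IP item is a well-formed address) to keytool.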

