RFR 8058778: New APIs for creating certificates and certificate requests

Wang Weijun weijun.wang at oracle.com
Thu Jan 7 12:33:20 UTC 2016


An updated webrev

  http://cr.openjdk.java.net/~weijun/8058778/webrev.07/
  http://cr.openjdk.java.net/~weijun/8058778/webrev.07/specdiff/java/security/cert/package-summary.html

with more changes:

1. Certificate.Builder and X509Certificate.Builder are now interfaces

2. Implementation is in a provider through CertificateFactory.getCertificateBuilder

3. New class CertificateRequest and PKCS10CertificateRequest, and CertificateFactory#generateCertificateRequest

4. New class X509Certificate.GeneralName

5. X509Certificate.Builder#setSigAlg(Name|OID|Params)

6. X509Certificate.Builder#serialNumber

Thanks
Max


> On Dec 16, 2015, at 10:26 AM, Wang Weijun <weijun.wang at oracle.com> wrote:
> 
> Hi All
> 
> Here is an updated webrev
> 
>  http://cr.openjdk.java.net/~weijun/8058778/webrev.05/
> 
> Spec change is at
> 
>  http://cr.openjdk.java.net/~weijun/8058778/webrev.05/specdiff/java/security/cert/package-summary.html
> 
> These changes are made:
> 
> 1. The Builder is moved into java.security.cert.X509Certificate as an inner class
> 
> 2. There is no more addExtension(String,String,boolean) that tries to parse input value strings (leave them to keytool). Each supported extension has its own addXXXExtension() method in java.security.cert.X509Extension. The input format is the same as the output format of X509Certificate.getXXX() for each extension type. This relieves the requirement to define interfaces for GeneralNames etc at the moment.
> 
> 3. keytool directly calls X509Certificate.Builder now.
> 
> No CertificateRequest at the moment. Builder is still using a byte[] which is PKCS #10 encoded.
> 
> Many thanks to Mandy, Larry, and Sean for your comments. Mike, we will add more methods later when they are needed.
> 
> --Max
> 
>> On Dec 15, 2015, at 11:53 PM, Sean Mullan <sean.mullan at oracle.com> wrote:
>> 
>> On 12/03/2015 09:07 PM, Wang Weijun wrote:
>>> Or if this is too much, we can at least do the X509Extension part. If
>>> CertificateRequest is needed one day, we can create a new method
>>> Builder.certificateRequest() that returns it and deprecate the
>>> current request() method.
>>> 
>>> Or use certificateRequest() to return byte[] and save request() for
>>> the future. :-)
>> 
>> I agree with this approach. I like the idea of moving the creation of Extensions to X509Extension so that they could be used independently of the X509Certificate.Builder API. Let's defer a CertificateRequest API for later.
>> 
>> --Sean
> 
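For readers following the thread, here is an added worked example (not code from the webrev, the JDK, or any of the posters) of the two objects the proposal describes: a certificate assembled from typed fields and extension values, and a PKCS #10 certificate request for the same subject and key. The proposed Java API (X509Certificate.Builder, CertificateFactory#generateCertificateRequest) was not part of the JDK at the time of this thread, so the example uses Go's standard crypto/x509 package as a stand-in that offers the same shape: a serial number and signature algorithm set explicitly, subjectAltName given as typed GeneralName values rather than strings to be parsed, and extension values read back in the same form the parser exposes them. All names and values (example.test, 192.0.2.10, the generated key) are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Summary is what a relying party reads back from the DER objects: the
// "output format" side of the round trip the thread talks about.
type Summary struct {
	SigAlg      string   // signature algorithm name parsed from the cert
	SerialBits  int      // bit length of the parsed serial number
	DNSNames    []string // dNSName GeneralNames from subjectAltName
	IPAddresses []string // iPAddress GeneralNames from subjectAltName
	IsCA        bool     // basicConstraints cA flag
	ServerAuth  bool     // id-kp-serverAuth present in extendedKeyUsage
	CSRSubject  string   // CN carried in the PKCS #10 request
	CSRDNSNames []string // SAN names carried in the request's attributes
	CSRSigValid bool     // proof-of-possession signature on the request verifies
}

// BuildCertAndRequest assembles a self-signed end-entity certificate and a
// PKCS #10 request for the same subject and key from typed fields, the way the
// proposed Builder/CertificateRequest API would. Returns DER for both.
func BuildCertAndRequest() (certDER, csrDER []byte, err error) {
	// Constructed key pair for the example; nothing here is a real identity.
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Random positive serial number, as RFC 5280 expects (fits in 20 octets).
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 159))
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: "example.test"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		SignatureAlgorithm:    x509.ECDSAWithSHA256, // explicit, like setSigAlgName
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, // emit basicConstraints with cA=false
		// subjectAltName as typed GeneralName values, not strings to parse.
		DNSNames:    []string{"example.test", "www.example.test"},
		IPAddresses: []net.IP{net.ParseIP("192.0.2.10")},
	}
	certDER, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	csrTmpl := &x509.CertificateRequest{
		Subject:            tmpl.Subject,
		DNSNames:           tmpl.DNSNames,
		SignatureAlgorithm: x509.ECDSAWithSHA256,
	}
	csrDER, err = x509.CreateCertificateRequest(rand.Reader, csrTmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return certDER, csrDER, nil
}

// ParseBack decodes both objects and reports the extension values as the
// parser exposes them, plus whether the request's own signature verifies.
func ParseBack(certDER, csrDER []byte) (Summary, error) {
	var s Summary
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return s, err
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return s, err
	}
	s.SigAlg = cert.SignatureAlgorithm.String()
	s.SerialBits = cert.SerialNumber.BitLen()
	s.DNSNames = cert.DNSNames
	for _, ip := range cert.IPAddresses {
		s.IPAddresses = append(s.IPAddresses, ip.String())
	}
	s.IsCA = cert.IsCA
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth {
			s.ServerAuth = true
		}
	}
	s.CSRSubject = csr.Subject.CommonName
	s.CSRDNSNames = csr.DNSNames
	// A CA must check proof of possession before issuing from a request.
	s.CSRSigValid = csr.CheckSignature() == nil
	return s, nil
}

func main() {
	certDER, csrDER, err := BuildCertAndRequest()
	if err != nil {
		panic(err)
	}
	s, err := ParseBack(certDER, csrDER)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", s)
}
```

The point of reading the objects back is the one item 2 of the quoted message makes: the values a builder accepts should be the same types the parser returns, so a tool like keytool can copy a SAN or EKU from an existing certificate into a new one without re-parsing strings. The CheckSignature call on the request is the step an issuing CA performs before it turns a PKCS #10 request into a certificate.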