RFR 8058778: New APIs for creating certificates and certificate requests

Sean Mullan sean.mullan at oracle.com
Fri Jan 8 20:40:46 UTC 2016


On 01/07/2016 10:38 PM, Wang Weijun wrote:
>
>> On Jan 8, 2016, at 6:06 AM, Sean Mullan <sean.mullan at oracle.com>
>> wrote:

>> * CertificateFactorySpi
>>
>> Need more details on how inStream is parsed.
>
> I thought a "@see CertificateFactory#generateCertificateRequest" is
> enough. I do noticed that
> CertificateFactorySpi#engineGenerateCertificate copies all spec from
> CertificateFactory#generateCertificate.

I think if you specifically linked to that from the method description 
it would be sufficient, ex: "For details on how inStream is parsed, see 
...", but an @see on its own is more like an FYI and does not imply that 
it is part of the specification.

>> * X509Certificate
>>
>> 657      * A builder that builds X.509 v3 certificates and
>> certificate requests.
>>
>> Why only v3? I think we need to allow this to support other
>> versions, if there ever are any.
>
> IMO no one wants v1 or v2 now. Or are you thinking of a future
> version?

Yes.

> That said, I can add a version(Enum) method. If it's v1 or v2
> extensions will be ignored, if >3, UOE.

Actually maybe just keep it simple for now and assume v3 is the default. 
We can always add this method later if necessary.

>>
>> 772         String getDefaultSigAlgName(PrivateKey key);
>>
>> This seems like it should just be a static utility method, and not
>> something every subclass has to implement.
>
> But only the provider (X509Factory here) knows about the return
> values, and another provider can return different values.

Can you remind me why this needs to be a public method? Why can't this 
be an implementation detail when the caller doesn't specify a signature 
algorithm?

>> 1064     public static class GeneralName {
>>
>> This should be a standalone class, since we may leverage it in
>> other APIs that are not X509Certificate specific.
>
> Honestly the current GeneralName is not quite useful. It is only used
> as a *parameter* in building certificates. A real GeneralName needs
> getEncoded().

If we are going to add this class, I think it should be generally useful.

> Or, we can do it like
>
> interface GeneralName { byte[] getEncoded(); }

and an enum for the type and a getType method?

>
> class X509Certificate.Builder { GeneralName newGeneralName(int/Enum
> type, String svalue); GeneralName newGeneralName(int/Enum type,
> byte[] value); }

Ok.

--Sean



More information about the security-dev mailing list