RFR 8058778: New APIs for creating certificates and certificate requests
Sean Mullan
sean.mullan at oracle.com
Fri Jan 8 20:40:46 UTC 2016
On 01/07/2016 10:38 PM, Wang Weijun wrote:
>
>> On Jan 8, 2016, at 6:06 AM, Sean Mullan <sean.mullan at oracle.com>
>> wrote:
>> * CertificateFactorySpi
>>
>> Need more details on how inStream is parsed.
>
> I thought a "@see CertificateFactory#generateCertificateRequest" is
> enough. I do noticed that
> CertificateFactorySpi#engineGenerateCertificate copies all spec from
> CertificateFactory#generateCertificate.
I think if you specifically linked to that from the method description
it would be sufficient, ex: "For details on how inStream is parsed, see
...", but an @see on its own is more like an FYI and does not imply that
it is part of the specification.
>> * X509Certificate
>>
>> 657 * A builder that builds X.509 v3 certificates and
>> certificate requests.
>>
>> Why only v3? I think we need to allow this to support other
>> versions, if there ever are any.
>
> IMO no one wants v1 or v2 now. Or are you thinking of a future
> version?
Yes.
> That said, I can add a version(Enum) method. If it's v1 or v2
> extensions will be ignored, if >3, UOE.
Actually maybe just keep it simple for now and assume v3 is the default.
We can always add this method later if necessary.
>>
>> 772 String getDefaultSigAlgName(PrivateKey key);
>>
>> This seems like it should just be a static utility method, and not
>> something every subclass has to implement.
>
> But only the provider (X509Factory here) knows about the return
> values, and another provider can return different values.
Can you remind me why this needs to be a public method? Why can't this
be an implementation detail when the caller doesn't specify a signature
algorithm?
>> 1064 public static class GeneralName {
>>
>> This should be a standalone class, since we may leverage it in
>> other APIs that are not X509Certificate specific.
>
> Honestly the current GeneralName is not quite useful. It is only used
> as a *parameter* in building certificates. A real GeneralName needs
> getEncoded().
If we are going to add this class, I think it should be generally useful.
> Or, we can do it like
>
> interface GeneralName { byte[] getEncoded(); }
and an enum for the type and a getType method?
>
> class X509Certificate.Builder { GeneralName newGeneralName(int/Enum
> type, String svalue); GeneralName newGeneralName(int/Enum type,
> byte[] value); }
Ok.
--Sean
More information about the security-dev
mailing list