RFR 8058778: New APIs for creating certificates and certificate requests

Wang Weijun weijun.wang at oracle.com
Mon Jan 11 07:59:41 UTC 2016


Once again

http://cr.openjdk.java.net/~weijun/8058778/webrev.08/
http://cr.openjdk.java.net/~weijun/8058778/webrev.08/specdiff/java/security/cert/package-summary.html

Changes:

- GeneralName is now a standalone interface. Still no getType(), useless

- Two newGeneralName, the binary one is simply newGeneralName(byte[]) which accepts every encoding including those having a string value

There is still one TODO:

We used to have subject(String) and subject(X500Principal), but on the issuer side there is only one

   buildCertificate(CertificateRequest, KeyPair, X500Principal)

seems not the same level. I'd prefer to remove subject(String). It's just a short form and no more efficient than subject(X500Principal).

Thanks
Max

> On Jan 9, 2016, at 8:57 AM, Wang Weijun <weijun.wang at oracle.com> wrote:
> 
>> 
>> On Jan 9, 2016, at 4:40 AM, Sean Mullan <sean.mullan at oracle.com> wrote:
>> 
>> On 01/07/2016 10:38 PM, Wang Weijun wrote:
>>> 
>>>> On Jan 8, 2016, at 6:06 AM, Sean Mullan <sean.mullan at oracle.com>
>>>> wrote:
>> 
>>>> * CertificateFactorySpi
>>>> 
>>>> Need more details on how inStream is parsed.
>>> 
>>> I thought a "@see CertificateFactory#generateCertificateRequest" is
>>> enough. I did notice that
>>> CertificateFactorySpi#engineGenerateCertificate copies all spec from
>>> CertificateFactory#generateCertificate.
>> 
>> I think if you specifically linked to that from the method description it would be sufficient, ex: "For details on how inStream is parsed, see ...", but an @see on its own is more like an FYI and does not imply that it is part of the specification.
> 
> I'll copy the text then, same with generateCertificate().
> 
>> 
>>>> 
>>>> 772         String getDefaultSigAlgName(PrivateKey key);
>>>> 
>>>> This seems like it should just be a static utility method, and not
>>>> something every subclass has to implement.
>>> 
>>> But only the provider (X509Factory here) knows about the return
>>> values, and another provider can return different values.
>> 
>> Can you remind me why this needs to be a public method? Why can't this be an implementation detail when the caller doesn't specify a signature algorithm?
> 
> It allows a caller (maybe a GUI tool) to know what default values are.
> 
>> ful.
>> 
>>> Or, we can do it like
>>> 
>>> interface GeneralName { byte[] getEncoded(); }
>> 
>> and an enum for the type and a getType method?
> 
> enum will be here. getType() is useful but not necessary.
> 
> Thanks
> Max
> 
>> 
>>> 
>>> class X509Certificate.Builder { GeneralName newGeneralName(int/Enum
>>> type, String svalue); GeneralName newGeneralName(int/Enum type,
>>> byte[] value); }
>> 
>> Ok.
>> 
>> --Sean



