RFR 8058778: New APIs for creating certificates and certificate requests

Sean Mullan sean.mullan at oracle.com
Tue Jan 12 21:58:49 UTC 2016

A few more comments for now, but I'll need another day or so to finish 
my review:

* General

Use @throws instead of @exception

* X509Certificate

lines 572-585 were removed, but where was it copied? It is not in 
GeneralName and probably should not be unless we add a toString method.

  847          * @exception IllegalArgumentException if {@code name}
  848          *      is not a valid signature algorithm name. TODO: really?

Agree, you can't detect this until the certificate is built/signed, so I 
think you should remove it, and add a note that the signature algorithm 
will not be checked for availability until it is built or signed.

867          * If Both this method and {@link #setSigAlgName} are 
called, the


* CertificateRequest

  125      * @return the encoded form of this certificate request
  126      */
  127     public abstract byte[] getEncoded();

Should say that it returns a new byte array each time it is called.


On 01/11/2016 02:59 AM, Wang Weijun wrote:
> Once again
> http://cr.openjdk.java.net/~weijun/8058778/webrev.08/
> http://cr.openjdk.java.net/~weijun/8058778/webrev.08/specdiff/java/security/cert/package-summary.html
> Changes:
> - GeneralName is now a standalone interface. Still no getType(), useless
> - Two newGeneralName, the binary one is simply newGeneralName(byte[]) which accepts every encoding including those having a string value
> There is still one TODO:
> We used to have subject(String) and subject(X500Principal), but on the issuer side there is only one
>     buildCertificate(CertificateRequest, KeyPair, X500Principal)
> seems not the same level. I'd prefer to  remove subject(String). It's just a short form and no more efficient than subject(X500Principal).
> Thanks
> Max

More information about the security-dev mailing list