RFR 8058778: New APIs for creating certificates and certificate requests

Sean Mullan sean.mullan at oracle.com
Wed Jan 13 20:26:14 UTC 2016


On 01/12/2016 08:02 PM, Wang Weijun wrote:
> A new webrev at
>
> http://cr.openjdk.java.net/~weijun/8058778/webrev.09/
> http://cr.openjdk.java.net/~weijun/8058778/webrev.09/specdiff/java/security/cert/package-summary.html
>
> Changes from webrev.08:
>
> 1. X509Certificate.Builder addAuthorityKeyIdentifierExtension();
>     X509Certificate.Builder addSubjectKeyIdentifierExtension();
>
> 2. X509Extension getRawExtensionValue(String oid)
>
> 3. Spec changes we discussed.
>
> Still one TODO in X509Certificate.Builder subject(String name).
>
> Some comments below in line.
>
>> On Jan 13, 2016, at 5:58 AM, Sean Mullan <sean.mullan at oracle.com> wrote:
>>
>> A few more comments for now, but I'll need another day or so to finish my review:
>>
>> * General
>>
>> Use @throws instead of @exception
>
> I'll fix all new lines. Do I need to touch existing ones?

It's up to you.

>> * X509Certificate
>>
>> lines 572-585 were removed, but where was it copied? It is not in GeneralName and probably should not be unless we add a toString method.
>
> I moved them to Buidler#newGeneralName(Type,String). "See {@link GeneralName}" should be "See {@link Builder#newGeneralName(GeneralName.Type, String)} for the formats".
>
> Or is it always better to keep them in the existing API and add a link the new one?

For this case, I think it may be better to duplicate the information, 
since these are not GeneralName objects.

Here are some comments on PKCS10CertificateRequest:

- can all of the attributes be represented as extensions or is this just 
for a PKCS#9 ExtensionRequest attribute? If the latter, you should state 
that in the class description. It looks like you could also use the 
PKCS12Attribute class to represent these attributes( same ASN.1 
structure) but that name would probably be confusing (in retrospect we 
should have named it PKCSAttribute or X500Attribute).

- the getCertificationRequestInfo, getSignature, and getSigAlgParams 
methods should say that they return a new array each time they are called.

- I think you should rename getSubjectX500Principal to getSubject. (The 
X500Principal-named methods were needed for X509Certificate to 
distinguish them from the existing getSubjectDN methods).

   82      * As for RFC 1986, the version is always 0.

s/1986/2986/

--Sean



More information about the security-dev mailing list