RFR (16): 8241003: Deprecate "denigrated" java.security.cert APIs that represent DNs as Principal or String objects

Sean Mullan sean.mullan at oracle.com
Fri Aug 7 14:01:30 UTC 2020


Please review this change to deprecate the following APIs:

java.security.cert.X509Certificate.getIssuerDN()
java.security.cert.X509Certificate.getSubjectDN()
java.security.cert.X509CRL.getIssuerDN()
java.security.cert.X509CertSelector.setIssuer(String)
java.security.cert.X509CertSelector.setSubject(String)
java.security.cert.X509CertSelector.getIssuerAsString()
java.security.cert.X509CertSelector.getSubjectAsString()
java.security.cert.X509CRLSelector.addIssuerName(String)

These APIs either take or return Distinguished Names as Principal or 
String objects which can cause issues due to loss of encoding 
information or differences when comparing names across different 
Principal implementations. All of them have alternative APIs which use 
X500Principal objects instead. They have long had warnings in the 
javadoc and have been discouraged from being used. There are no plans to 
remove the APIs at this time, as they have been in the platform for a 
long time and removing them would be a much higher compatibility risk.

webrev: https://cr.openjdk.java.net/~mullan/webrevs/8241003/webrev.00/
CSR: https://bugs.openjdk.java.net/browse/JDK-8250970
bug: https://bugs.openjdk.java.net/browse/JDK-8241003

--Sean


More information about the security-dev mailing list