RFR (16): 8241003: Deprecate "denigrated" java.security.cert APIs that represent DNs as Principal or String objects

Sean Mullan sean.mullan at oracle.com
Fri Aug 21 16:24:38 UTC 2020

Ping ...

On 8/7/20 10:01 AM, Sean Mullan wrote:
> Please review this change to deprecate the following APIs:
> java.security.cert.X509Certificate.getIssuerDN()
> java.security.cert.X509Certificate.getSubjectDN()
> java.security.cert.X509CRL.getIssuerDN()
> java.security.cert.X509CertSelector.setIssuer(String)
> java.security.cert.X509CertSelector.setSubject(String)
> java.security.cert.X509CertSelector.getIssuerAsString()
> java.security.cert.X509CertSelector.getSubjectAsString()
> java.security.cert.X509CRLSelector.addIssuerName(String)
> These APIs either take or return Distinguished Names as Principal or 
> String objects which can cause issues due to loss of encoding 
> information or differences when comparing names across different 
> Principal implementations. All of them have alternative APIs which use 
> X500Principal objects instead. They have long had warnings in the 
> javadoc and have been discouraged from being used. There are no plans to 
> remove the APIs at this time, as they have been in the platform for a 
> long time and removing them would be a much higher compatibility risk.
> webrev: https://cr.openjdk.java.net/~mullan/webrevs/8241003/webrev.00/
> CSR: https://bugs.openjdk.java.net/browse/JDK-8250970
> bug: https://bugs.openjdk.java.net/browse/JDK-8241003
> --Sean

More information about the security-dev mailing list