RFR (16): 8241003: Deprecate "denigrated" java.security.cert APIs that represent DNs as Principal or String objects

Valerie Peng valerie.peng at oracle.com
Fri Aug 21 18:14:01 UTC 2020


Is it intentional to use toString() in 
src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java? 
Normally, toString() is kind of loose, not as strict as getName().

Valerie

On 8/21/2020 11:01 AM, Xuelei Fan wrote:
> Looks fine to me.
>
> Just a trivial format comment.  Some use link for "RFC 2253", some do 
> not. It's OK.  And it's good as well if you want to use a uniform style.
>
> Xuelei
>
> On 8/21/2020 9:24 AM, Sean Mullan wrote:
>> Ping ...
>>
>> On 8/7/20 10:01 AM, Sean Mullan wrote:
>>> Please review this change to deprecate the following APIs:
>>>
>>> java.security.cert.X509Certificate.getIssuerDN()
>>> java.security.cert.X509Certificate.getSubjectDN()
>>> java.security.cert.X509CRL.getIssuerDN()
>>> java.security.cert.X509CertSelector.setIssuer(String)
>>> java.security.cert.X509CertSelector.setSubject(String)
>>> java.security.cert.X509CertSelector.getIssuerAsString()
>>> java.security.cert.X509CertSelector.getSubjectAsString()
>>> java.security.cert.X509CRLSelector.addIssuerName(String)
>>>
>>> These APIs either take or return Distinguished Names as Principal or 
>>> String objects which can cause issues due to loss of encoding 
>>> information or differences when comparing names across different 
>>> Principal implementations. All of them have alternative APIs which 
>>> use X500Principal objects instead. They have long had warnings in 
>>> the javadoc and have been discouraged from being used. There are no 
>>> plans to remove the APIs at this time, as they have been in the 
>>> platform for a long time and removing them would be a much higher 
>>> compatibility risk.
>>>
>>> webrev: https://cr.openjdk.java.net/~mullan/webrevs/8241003/webrev.00/
>>> CSR: https://bugs.openjdk.java.net/browse/JDK-8250970
>>> bug: https://bugs.openjdk.java.net/browse/JDK-8241003
>>>
>>> --Sean


More information about the security-dev mailing list