RFR: 8296901: Do not create unsigned certificate and CRL
Weijun Wang
weijun at openjdk.org
Tue Nov 15 00:53:49 UTC 2022
On Tue, 15 Nov 2022 00:35:31 GMT, Weijun Wang <weijun at openjdk.org> wrote:
> Instead of creating an "unsigned" `X509CertImpl` with only an `X509CertInfo` inside, a new static method `signNew` is introduced to create a newly signed certificate from an `X509CertInfo` object and a `PrivateKey`. Thus make sure an `X509CertImpl` is always signed and there is no need to keep its `readOnly` flag.
>
> The same for `X509CRLImpl`. A new inner class `TBSCertList` is added which is equivalent to `X509CertInfo` inside `X509CertImpl`.
src/java.base/share/classes/sun/security/x509/X509CRLImpl.java line 365:
> 363: */
> 364: public X509CRLImpl(TBSCertList info, AlgorithmId sigAlgId, byte[] signature,
> 365: byte[] tbsCertList, byte[] signedCRL) {
In fact, all arguments must be non-null. Only the last one is checked to emphasize that the encoding must be provided. This constructor is also used in tests to create fake CRLs where not all fields are available.
src/java.base/share/classes/sun/security/x509/X509CertImpl.java line 122:
> 120: */
> 121: public X509CertImpl(X509CertInfo info, AlgorithmId algId, byte[] signature,
> 122: byte[] signedCert) {
In fact, all arguments must be non-null. Only the last one is checked to emphasize that the encoding must be provided. This constructor is also used in tests to create fake certificates where not all fields are available.
-------------
PR: https://git.openjdk.org/jdk/pull/11151