Re: RFR 8058778: New APIs for creating certificates and certificate requests

Wed, 13 Jan 2016 12:25:12 -0800 

On 01/12/2016 08:02 PM, Wang Weijun wrote:

A new webrev at

http://cr.openjdk.java.net/~weijun/8058778/webrev.09/
http://cr.openjdk.java.net/~weijun/8058778/webrev.09/specdiff/java/security/cert/package-summary.html

Changes from webrev.08:

1. X509Certificate.Builder addAuthorityKeyIdentifierExtension();
    X509Certificate.Builder addSubjectKeyIdentifierExtension();

2. X509Extension getRawExtensionValue(String oid)

3. Spec changes we discussed.

Still one TODO in X509Certificate.Builder subject(String name).

Some comments below in line.


On Jan 13, 2016, at 5:58 AM, Sean Mullan <sean.mul...@oracle.com> wrote:

A few more comments for now, but I'll need another day or so to finish my 
review:

* General

Use @throws instead of @exception


I'll fix all new lines. Do I need to touch existing ones?


It's up to you.


* X509Certificate

lines 572-585 were removed, but where was it copied? It is not in GeneralName 
and probably should not be unless we add a toString method.


I moved them to Buidler#newGeneralName(Type,String). "See {@link GeneralName}" should be 
"See {@link Builder#newGeneralName(GeneralName.Type, String)} for the formats".

Or is it always better to keep them in the existing API and add a link the new 
one?
For this case, I think it may be better to duplicate the information, since these are not GeneralName objects. 

Here are some comments on PKCS10CertificateRequest:
- can all of the attributes be represented as extensions or is this just for a PKCS#9 ExtensionRequest attribute? If the latter, you should state that in the class description. It looks like you could also use the PKCS12Attribute class to represent these attributes( same ASN.1 structure) but that name would probably be confusing (in retrospect we should have named it PKCSAttribute or X500Attribute).
- the getCertificationRequestInfo, getSignature, and getSigAlgParams methods should say that they return a new array each time they are called.
- I think you should rename getSubjectX500Principal to getSubject. (The X500Principal-named methods were needed for X509Certificate to distinguish them from the existing getSubjectDN methods). 

  82      * As for RFC 1986, the version is always 0.

s/1986/2986/

--Sean

Reply via email to