8241003: Deprecate "denigrated" java.security.cert APIs that represent DNs as Principal or String objects

Reviewed-by: xuelei, valeriep, weijun
seanjmullan committed Aug 26, 2020
1 parent cad4272 commit 6a50cb6b9cd0db83f2035bc7048a144497c3c95a
Showing 16 changed files with 115 additions and 105 deletions.
@@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -187,8 +187,8 @@ public UnresolvedPermission(String type,
while (i < certs.length) {
count++;
while (((i+1) < certs.length) &&
((X509Certificate)certs[i]).getIssuerDN().equals(
((X509Certificate)certs[i+1]).getSubjectDN())) {
((X509Certificate)certs[i]).getIssuerX500Principal().equals(
((X509Certificate)certs[i+1]).getSubjectX500Principal())) {
i++;
}
i++;
@@ -207,8 +207,8 @@ public UnresolvedPermission(String type,
while (i < certs.length) {
signerCerts.add(certs[i]);
while (((i+1) < certs.length) &&
((X509Certificate)certs[i]).getIssuerDN().equals(
((X509Certificate)certs[i+1]).getSubjectDN())) {
((X509Certificate)certs[i]).getIssuerX500Principal().equals(
((X509Certificate)certs[i+1]).getSubjectX500Principal())) {
i++;
}
i++;
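Review bot: The chain-linking condition is now written out twice in this file, once per hunk, each repeating the two X509Certificate casts and the issuer/subject comparison; a private static helper would keep the casts and the comparison in one place, e.g. `while (((i+1) < certs.length) && issuedBy(certs[i], certs[i+1])) {` with `issuedBy` doing the `getIssuerX500Principal().equals(getSubjectX500Principal())` test. The move from `getIssuerDN()`/`getSubjectDN()` to the X500Principal accessors is the right direction, since X500Principal.equals compares the canonical form of the name instead of relying on whatever the provider's Principal implementation defines. The enclosing constructor `UnresolvedPermission(String type, ...)` starts before the first hunk and continues after the last one.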
@@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -279,12 +279,6 @@ public void verify(PublicKey key, Provider sigProvider)
public abstract int getVersion();

/**
* <strong>Denigrated</strong>, replaced by {@linkplain
* #getIssuerX500Principal()}. This method returns the {@code issuer}
* as an implementation specific Principal object, which should not be
* relied upon by portable code.
*
* <p>
* Gets the {@code issuer} (issuer distinguished name) value from
* the CRL. The issuer name identifies the entity that signed (and
* issued) the CRL.
@@ -316,7 +310,13 @@ public void verify(PublicKey key, Provider sigProvider)
* {@code TeletexString} or {@code UniversalString}.
*
* @return a Principal whose name is the issuer distinguished name.
*
* @deprecated Use {@link #getIssuerX500Principal} instead. This method
* returns the {@code issuer} as an implementation specific
* {@code Principal} object, which should not be relied upon by portable
* code.
*/
@Deprecated(since="16")
public abstract Principal getIssuerDN();

/**
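Review bot: `@Deprecated(since="16")` on the abstract `getIssuerDN()` means every provider class that overrides it (which any concrete X509CRL still must, as the method stays abstract) now gets a deprecation warning at the override site unless it annotates its own override; the same applies to `getIssuerDN()` and `getSubjectDN()` in the X509Certificate hunks further down this commit. The new `@deprecated` text only tells callers what to use instead; a sentence for implementors, such as `Implementations are still required to provide this method; the deprecation applies to callers.`, would prevent the obvious confusion. Whether the JDK's own implementation classes were annotated accordingly is not visible on this page.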
@@ -225,13 +225,6 @@ public void addIssuer(X500Principal issuer) {
}

/**
* <strong>Denigrated</strong>, use
* {@linkplain #addIssuer(X500Principal)} or
* {@linkplain #addIssuerName(byte[])} instead. This method should not be
* relied on as it can fail to match some CRLs because of a loss of
* encoding information in the RFC 2253 String form of some distinguished
* names.
* <p>
* Adds a name to the issuerNames criterion. The issuer distinguished
* name in the {@code X509CRL} must match at least one of the specified
* distinguished names.
@@ -241,9 +234,17 @@ public void addIssuer(X500Principal issuer) {
* any previous value for the issuerNames criterion.
* If the specified name is a duplicate, it may be ignored.
*
* @param name the name in RFC 2253 form
* @param name the name in
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> form
* @throws IOException if a parsing error occurs
*
* @deprecated Use {@link #addIssuer(X500Principal)} or
* {@link #addIssuerName(byte[])} instead. This method should not be
* relied on as it can fail to match some CRLs because of a loss of
* encoding information in the RFC 2253 String form of some distinguished
* names.
*/
@Deprecated(since="16")
public void addIssuerName(String name) throws IOException {
addIssuerNameInternal(name, new X500Name(name).asX500Principal());
}
@@ -481,7 +482,8 @@ public Collection<X500Principal> getIssuers() {
* <p>
* If the value returned is not {@code null}, it is a
* {@code Collection} of names. Each name is a {@code String}
* or a byte array representing a distinguished name (in RFC 2253 or
* or a byte array representing a distinguished name (in
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> or
* ASN.1 DER encoded form, respectively). Note that the
* {@code Collection} returned may contain duplicate names.
* <p>
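Review bot: The RFC 2253 link added to the `@param name` text, and repeated in the `getIssuerNames` paragraph here and in the X509CertSelector hunks below, points at `http://www.ietf.org/rfc/rfc2253.txt` over plain HTTP; since the same document is served over https, the link in published API docs should use `https://www.ietf.org/rfc/rfc2253.txt` so readers are not sent to an unencrypted resource. The `@deprecated` paragraph otherwise duplicates the rationale the old "Denigrated" text gave, which is fine, but the `@param` and `@deprecated` texts now both describe the RFC 2253 form and could share one wording.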
@@ -46,13 +46,14 @@
* getBasicConstraints} method). Therefore, the {@link #match match}
* method would return {@code true} for any {@code X509Certificate}.
* Typically, several criteria are enabled (by calling
* {@link #setIssuer setIssuer} or
* {@link #setIssuer(X500Principal)} or
* {@link #setKeyUsage setKeyUsage}, for instance) and then the
* {@code X509CertSelector} is passed to
* {@link CertStore#getCertificates CertStore.getCertificates} or some similar
* method.
* <p>
* Several criteria can be enabled (by calling {@link #setIssuer setIssuer}
* Several criteria can be enabled (by calling
* {@link #setIssuer(X500Principal)}
* and {@link #setSerialNumber setSerialNumber},
* for example) such that the {@code match} method
* usually uniquely matches a single {@code X509Certificate}. We say
@@ -184,25 +185,25 @@ public void setIssuer(X500Principal issuer) {
}

/**
* <strong>Denigrated</strong>, use {@linkplain #setIssuer(X500Principal)}
* or {@linkplain #setIssuer(byte[])} instead. This method should not be
* relied on as it can fail to match some certificates because of a loss of
* encoding information in the
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> String form
* of some distinguished names.
* <p>
* Sets the issuer criterion. The specified distinguished name
* must match the issuer distinguished name in the
* {@code X509Certificate}. If {@code null}, any issuer
* distinguished name will do.
* <p>
* If {@code issuerDN} is not {@code null}, it should contain a
* distinguished name, in RFC 2253 format.
* distinguished name, in
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> format.
*
* @param issuerDN a distinguished name in RFC 2253 format
* (or {@code null})
* @throws IOException if a parsing error occurs (incorrect form for DN)
*
* @deprecated Use {@link #setIssuer(X500Principal)} or
* {@link #setIssuer(byte[])} instead. This method should not be relied on
* as it can fail to match some certificates because of a loss of encoding
* information in the RFC 2253 String form of some distinguished names.
*/
@Deprecated(since="16")
public void setIssuer(String issuerDN) throws IOException {
if (issuerDN == null) {
issuer = null;
@@ -276,24 +277,26 @@ public void setSubject(X500Principal subject) {
}

/**
* <strong>Denigrated</strong>, use {@linkplain #setSubject(X500Principal)}
* or {@linkplain #setSubject(byte[])} instead. This method should not be
* relied on as it can fail to match some certificates because of a loss of
* encoding information in the RFC 2253 String form of some distinguished
* names.
* <p>
* Sets the subject criterion. The specified distinguished name
* must match the subject distinguished name in the
* {@code X509Certificate}. If {@code null}, any subject
* distinguished name will do.
* <p>
* If {@code subjectDN} is not {@code null}, it should contain a
* distinguished name, in RFC 2253 format.
* distinguished name, in
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> format.
*
* @param subjectDN a distinguished name in RFC 2253 format
* (or {@code null})
* @throws IOException if a parsing error occurs (incorrect form for DN)
*
* @deprecated Use {@link #setSubject(X500Principal)} or
* {@link #setSubject(byte[])} instead. This method should not be relied
* on as it can fail to match some certificates because of a loss of
* encoding information in the RFC 2253 String form of some distinguished
* names.
*/
@Deprecated(since="16")
public void setSubject(String subjectDN) throws IOException {
if (subjectDN == null) {
subject = null;
@@ -310,8 +313,7 @@ public void setSubject(String subjectDN) throws IOException {
* <p>
* If {@code subjectDN} is not {@code null}, it should contain a
* single DER encoded distinguished name, as defined in X.501. For the ASN.1
* notation for this structure, see
* {@link #setIssuer(byte [] issuerDN) setIssuer(byte [] issuerDN)}.
* notation for this structure, see {@link #setIssuer(byte[])}.
*
* @param subjectDN a byte array containing the distinguished name in
* ASN.1 DER format (or {@code null})
@@ -711,7 +713,8 @@ public void setSubjectAlternativeNames(Collection<List<?>> names)
* the restrictions included in RFC 5280). IPv4 address names are
* supplied using dotted quad notation. OID address names are represented
* as a series of nonnegative integers separated by periods. And
* directory names (distinguished names) are supplied in RFC 2253 format.
* directory names (distinguished names) are supplied in
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> format.
* No standard string format is defined for otherNames, X.400 names,
* EDI party names, IPv6 address names, or any other type of names. They
* should be specified using the
@@ -1299,23 +1302,24 @@ public X500Principal getIssuer() {
}

/**
* <strong>Denigrated</strong>, use {@linkplain #getIssuer()} or
* {@linkplain #getIssuerAsBytes()} instead. This method should not be
* relied on as it can fail to match some certificates because of a loss of
* encoding information in the RFC 2253 String form of some distinguished
* names.
* <p>
* Returns the issuer criterion as a {@code String}. This
* distinguished name must match the issuer distinguished name in the
* {@code X509Certificate}. If {@code null}, the issuer criterion
* is disabled and any issuer distinguished name will do.
* <p>
* If the value returned is not {@code null}, it is a
* distinguished name, in RFC 2253 format.
* distinguished name, in
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> format.
*
* @return the required issuer distinguished name in RFC 2253 format
* (or {@code null})
*
* @deprecated Use {@link #getIssuer()} or {@link #getIssuerAsBytes()}
* instead. This method should not be relied on as it can fail to match
* some certificates because of a loss of encoding information in the
* RFC 2253 String form of some distinguished names.
*/
@Deprecated(since="16")
public String getIssuerAsString() {
return (issuer == null ? null : issuer.getName());
}
@@ -1329,8 +1333,7 @@ public String getIssuerAsString() {
* If the value returned is not {@code null}, it is a byte
* array containing a single DER encoded distinguished name, as defined in
* X.501. The ASN.1 notation for this structure is supplied in the
* documentation for
* {@link #setIssuer(byte [] issuerDN) setIssuer(byte [] issuerDN)}.
* documentation for {@link #setIssuer(byte[])}.
* <p>
* Note that the byte array returned is cloned to protect against
* subsequent modifications.
@@ -1358,23 +1361,24 @@ public X500Principal getSubject() {
}

/**
* <strong>Denigrated</strong>, use {@linkplain #getSubject()} or
* {@linkplain #getSubjectAsBytes()} instead. This method should not be
* relied on as it can fail to match some certificates because of a loss of
* encoding information in the RFC 2253 String form of some distinguished
* names.
* <p>
* Returns the subject criterion as a {@code String}. This
* distinguished name must match the subject distinguished name in the
* {@code X509Certificate}. If {@code null}, the subject criterion
* is disabled and any subject distinguished name will do.
* <p>
* If the value returned is not {@code null}, it is a
* distinguished name, in RFC 2253 format.
* distinguished name, in
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> format.
*
* @return the required subject distinguished name in RFC 2253 format
* (or {@code null})
*
* @deprecated Use {@link #getSubject()} or {@link #getSubjectAsBytes()}
* instead. This method should not be relied on as it can fail to match
* some certificates because of a loss of encoding information in the
* RFC 2253 String form of some distinguished names.
*/
@Deprecated(since="16")
public String getSubjectAsString() {
return (subject == null ? null : subject.getName());
}
@@ -1388,8 +1392,7 @@ public String getSubjectAsString() {
* If the value returned is not {@code null}, it is a byte
* array containing a single DER encoded distinguished name, as defined in
* X.501. The ASN.1 notation for this structure is supplied in the
* documentation for
* {@link #setSubject(byte [] subjectDN) setSubject(byte [] subjectDN)}.
* documentation for {@link #setSubject(byte[])}.
* <p>
* Note that the byte array returned is cloned to protect against
* subsequent modifications.
@@ -1985,7 +1988,7 @@ public boolean match(Certificate cert) {
if (debug != null) {
debug.println("X509CertSelector.match(SN: "
+ (xcert.getSerialNumber()).toString(16) + "\n Issuer: "
+ xcert.getIssuerDN() + "\n Subject: " + xcert.getSubjectDN()
+ xcert.getIssuerX500Principal() + "\n Subject: " + xcert.getSubjectX500Principal()
+ ")");
}
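Review bot: The rewritten `debug.println` line in `match(Certificate)` now runs well past the 80-column limit the surrounding code keeps; splitting it as `+ xcert.getIssuerX500Principal() + "\n Subject: "` followed by `+ xcert.getSubjectX500Principal() + ")");` keeps one DN per line. Note also that the printed text changes from the provider Principal's `toString()` to `X500Principal.toString()`, which may format the DN differently — harmless for debug output, but anyone matching on the old form in logs should be aware. `match` starts and ends outside the hunk.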

@@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -197,12 +197,6 @@ public abstract void checkValidity(Date date)
public abstract BigInteger getSerialNumber();

/**
* <strong>Denigrated</strong>, replaced by {@linkplain
* #getIssuerX500Principal()}. This method returns the {@code issuer}
* as an implementation specific Principal object, which should not be
* relied upon by portable code.
*
* <p>
* Gets the {@code issuer} (issuer distinguished name) value from
* the certificate. The issuer name identifies the entity that signed (and
* issued) the certificate.
@@ -234,7 +228,13 @@ public abstract void checkValidity(Date date)
* {@code TeletexString} or {@code UniversalString}.
*
* @return a Principal whose name is the issuer distinguished name.
*
* @deprecated Use {@link #getIssuerX500Principal} instead. This method
* returns the {@code issuer} as an implementation specific
* {@code Principal} object, which should not be relied upon by portable
* code.
*/
@Deprecated(since="16")
public abstract Principal getIssuerDN();

/**
@@ -255,12 +255,6 @@ public X500Principal getIssuerX500Principal() {
}

/**
* <strong>Denigrated</strong>, replaced by {@linkplain
* #getSubjectX500Principal()}. This method returns the {@code subject}
* as an implementation specific Principal object, which should not be
* relied upon by portable code.
*
* <p>
* Gets the {@code subject} (subject distinguished name) value
* from the certificate. If the {@code subject} value is empty,
* then the {@code getName()} method of the returned
@@ -275,7 +269,13 @@ public X500Principal getIssuerX500Principal() {
* and other relevant definitions.
*
* @return a Principal whose name is the subject name.
*
* @deprecated Use {@link #getSubjectX500Principal} instead. This method
* returns the {@code subject} as an implementation specific
* {@code Principal} object, which should not be relied upon by portable
* code.
*/
@Deprecated(since="16")
public abstract Principal getSubjectDN();

/**
@@ -704,6 +704,7 @@ public X509Certificate getCertificate(BigInteger serial, X500Name issuerName) {
* Populate array of Issuer DNs from certificates and convert
* each Principal to type X500Name if necessary.
*/
@SuppressWarnings("deprecation")
private void populateCertIssuerNames() {
if (certificates == null)
return;
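Review bot: The method-level `@SuppressWarnings("deprecation")` added above `populateCertIssuerNames()` silences the warning rather than migrating the call, which is the opposite of what the UnresolvedPermission and X509CertSelector hunks in this same commit do; the header comment ("convert each Principal to type X500Name if necessary") suggests the body, which continues outside the hunk, still calls `getIssuerDN()`. If so, `X500Name.asX500Name(cert.getIssuerX500Principal())` would yield the X500Name directly and let the annotation go. If the suppression is deliberate, a one-line comment above the annotation stating why would help the next reader, since a blanket suppression on a method also hides any future deprecated use inside it.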
