Hi All Here is an updated webrev
http://cr.openjdk.java.net/~weijun/8058778/webrev.05/ Spec change is at http://cr.openjdk.java.net/~weijun/8058778/webrev.05/specdiff/java/security/cert/package-summary.html These changes are made: 1. The Builder is moved into java.security.cert.X509Certificate as an inner class 2. There is no more addExtension(String,String,boolean) that tries to parse input value strings (leave them to keytool). Each supported extension has its own addXXXExtension() method in java.security.cert.X509Extension. The input format is the same as the output format of X509Certificate.getXXX() for each extension type. This relieves the requirement to define interfaces for GeneralNames etc at the moment. 3. keytool directly calls X509Certificate.Builder now. No CertificateRequest at the moment. Builder still using byte[] which is PKCS #10 encoded. Many thanks to Mandy, Larry, and Sean for your comments. Mike, we will add more methods later when they are needed. --Max > On Dec 15, 2015, at 11:53 PM, Sean Mullan <sean.mul...@oracle.com> wrote: > > On 12/03/2015 09:07 PM, Wang Weijun wrote: >> Or if this is too much, we can at least do the X509Extension part. If >> CertificateRequest is needed one day, we can create a new method >> Builder.certificateRequest() that returns it and deprecate the >> current request() method. >> >> Or use certificateRequest() to return byte[] and save request() for >> the future. :-) > > I agree with this approach. I like the idea of moving the creation of > Extensions to X509Extension so that they could be used independently of the > X509Certificate.Builder API. Let's defer a CertificateRequest API for later. > > --Sean
