Hi Max,

Very high level comments:

- Builder::selfSign and Builder::sign are the two methods building the X509Certificate. Both @throws java.lang.IllegalStateException - if the builder is initialized with one of the asCA methods. It reads to me that there is no other method to generate a certificate from a builder created from the Builder::fromKeyPair factory method.

- Is clearExtensions needed only for reusing the Builder? Would it be reasonable to require creating a new Builder instead, which I suppose is not too expensive? In that case, clearExtensions is not needed.

- Extension::newSubjectAlternativeNameExtension(boolean isCritical, List<?>... names)
  Extension::newIssuerAlternativeNameExtension(boolean isCritical, List<?>... names)
  Extension::newSubjectInformationAccessExtension(List<?>... accessDescriptions)
  Extension::newAuthorityInformationAccessExtension(List<?>... accessDescriptions)

  These take List<?> with 3 entries, each of which is of a specified type. There may be other better alternatives to define this API. A builder may fit well that can take 3 parameters for each name/accessDescription such that it can be statically checked. Have you considered other options?

Mandy

> On Dec 15, 2015, at 6:26 PM, Wang Weijun <weijun.w...@oracle.com> wrote:
>
> Hi All
>
> Here is an updated webrev
>
> http://cr.openjdk.java.net/~weijun/8058778/webrev.05/
>
> Spec change is at
>
> http://cr.openjdk.java.net/~weijun/8058778/webrev.05/specdiff/java/security/cert/package-summary.html
>
> These changes are made:
>
> 1. The Builder is moved into java.security.cert.X509Certificate as an inner class
>
> 2. There is no more addExtension(String,String,boolean) that tries to parse input value strings (leave them to keytool). Each supported extension has its own addXXXExtension() method in java.security.cert.X509Extension. The input format is the same as the output format of X509Certificate.getXXX() for each extension type. This relieves the requirement to define interfaces for GeneralNames etc. at the moment.
>
> 3. keytool directly calls X509Certificate.Builder now.
>
> No CertificateRequest at the moment. Builder is still using byte[] which is PKCS #10 encoded.
>
> Many thanks to Mandy, Larry, and Sean for your comments. Mike, we will add more methods later when they are needed.
>
> --Max
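The following Java snippet is an added illustration of the static-checking point raised in the review above; it is not code from the webrev, from the JDK, or from either poster. The class names (AccessDescriptionTypingDemo, AccessDescription and its nested Builder) are hypothetical, and the assumed entry layout for the untyped form, [String accessMethodOid, Integer nameType, String location], is an assumption made here for illustration, not something the thread specifies. It contrasts a List<?>-based entry, which compiles for any three objects and can only be rejected at run time, with a small per-entry builder whose three parts are fixed by the type system.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Objects;

/**
 * Added illustration, not the JDK-8058778 API. Assumed (not from the thread):
 * an accessDescription entry is laid out as
 * [String accessMethodOid, Integer nameType, String location].
 */
public final class AccessDescriptionTypingDemo {

    /** Untyped form: a List<?> whose entry shape is only documented, not enforced. */
    static List<List<?>> addUntypedAccessDescription(List<List<?>> target, List<?> entry) {
        // Every caller pays for this check at run time, and a mis-ordered entry
        // such as [6, "1.3.6.1.5.5.7.48.1", "http://..."] compiles cleanly.
        if (entry.size() != 3
                || !(entry.get(0) instanceof String)
                || !(entry.get(1) instanceof Integer)
                || !(entry.get(2) instanceof String)) {
            throw new IllegalArgumentException("malformed accessDescription: " + entry);
        }
        target.add(entry);
        return target;
    }

    /** Typed form: one value class per accessDescription, assembled through a small builder. */
    public static final class AccessDescription {
        private final String accessMethodOid;
        private final int nameType;
        private final String location;

        private AccessDescription(String accessMethodOid, int nameType, String location) {
            this.accessMethodOid = Objects.requireNonNull(accessMethodOid, "accessMethodOid");
            this.nameType = nameType;
            this.location = Objects.requireNonNull(location, "location");
        }

        public static Builder builder() { return new Builder(); }

        public static final class Builder {
            private String accessMethodOid;
            private Integer nameType;
            private String location;

            public Builder accessMethod(String oid) { this.accessMethodOid = oid; return this; }
            public Builder nameType(int tag)        { this.nameType = tag; return this; }
            public Builder location(String uri)     { this.location = uri; return this; }

            /** The only run-time check left is "all three parts were supplied". */
            public AccessDescription build() {
                if (accessMethodOid == null || nameType == null || location == null) {
                    throw new IllegalStateException("accessMethod, nameType and location are all required");
                }
                return new AccessDescription(accessMethodOid, nameType, location);
            }
        }

        @Override public String toString() {
            return accessMethodOid + " / " + nameType + " / " + location;
        }
    }

    static List<AccessDescription> addTypedAccessDescription(List<AccessDescription> target,
                                                             AccessDescription entry) {
        target.add(entry);            // nothing to validate: the type fixes the shape
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample values: id-ad-ocsp OID, the GeneralName URI tag (6), a made-up URL.
        String ocspOid = "1.3.6.1.5.5.7.48.1";
        int uriTag = 6;
        String url = "http://ocsp.example.test/";

        List<List<?>> untyped = new ArrayList<>();
        addUntypedAccessDescription(untyped, Arrays.asList(ocspOid, uriTag, url));      // accepted
        try {
            addUntypedAccessDescription(untyped, Arrays.asList(uriTag, ocspOid, url));  // compiles, rejected at run time
        } catch (IllegalArgumentException e) {
            System.out.println("untyped: " + e.getMessage());
        }

        List<AccessDescription> typed = new ArrayList<>();
        addTypedAccessDescription(typed, AccessDescription.builder()
                .accessMethod(ocspOid).nameType(uriTag).location(url).build());
        // AccessDescription.builder().accessMethod(uriTag) would not compile: int is not a String.
        System.out.println("typed: " + typed.get(0));
    }
}
```

Compile and run with `javac AccessDescriptionTypingDemo.java && java AccessDescriptionTypingDemo`. The design trade-off is the one the review names: the varargs `List<?>` form keeps the API surface tiny and mirrors the `getXXX()` output shape, while the typed builder moves the ordering and type errors from a run-time `IllegalArgumentException` inside the extension factory to a compile-time error at the call site.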