Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8219472

Mark deprecated javax.security.cert APIs with forRemoval=true

    XMLWordPrintable

Details

    • CSR
    • Resolution: Approved
    • P3
    • 13
    • security-libs
    • None
    • minimal
    •  Low risk as this is a documentation only update.
    • Java API
    • SE

    Description

      Summary

      Propose to mark the javax.security.cert APIs with forRemoval=true.

      Problem

      JSSE 1.0.x was an un-bundled release that provided JDK 1.2/1.3 with SSL/TLS, and was eventually bundled in JDK 1.4.

      The javax.security.cert APIs were deprecated in JDK 9 but have had the following warning (since 1.4.2) in the description of each class:

      Note: The classes in the package javax.security.cert exist for compatibility with earlier versions of the Java Secure Sockets Extension (JSSE). New applications should instead use the standard Java SE certificate classes located in java.security.cert.

      Since these earlier versions of JSSE are no longer maintained or supported, there is no reason to retain these packages for compatibility and they should be removed in a future release.

      This update will add forRemoval=true to the deprecated javax.security.cert APIs.

      Note that in JDK 9, these APIs were originally marked for removal in JDK 9 but the change was backed out before 9 was released because some external projects needed more time to remove the dependencies. See also JDK-8157712 and CCC-8157712.

      Solution

      Add forRemoval=true to the Deprecated annotation of the javax.security.cert classes.

      Specification

      Add forRemoval=true to the Deprecated annotation of classes in the javax.security.cert package. The spec update is almost the same as:

        * @since 1.4
        * @see X509Certificate
        * @deprecated Use the classes in {@code java.security.cert} instead.
      + *      This class is subject to removal in a future version of Java SE.
        *
        * @author Hemma Prafullchandra
        */
      - @Deprecated(since="9")
      + @Deprecated(since="9", forRemoval=true)
        public abstract class Certificate {

      All public classes in the package get updated:

      • Certificate.java
      • CertificateEncodingException.java
      • CertificateException.java
      • CertificateExpiredException.java
      • CertificateNotYetValidException.java
      • CertificateParsingException.java
      • X509Certificate.java

      And the following methods:

      • javax.net.ssl.HandshakeCompletedEvent.getPeerCertificateChain()
      • javax.net.ssl.SSLSession.getPeerCertificateChain()

      Suggested release note

      The javax.security.cert API has been deprecated. The classes in this package should no longer be used. The java.security.cert package contains suitable replacements.

      Attachments

        Issue Links

          Activity

            People

              xuelei Xuelei Fan
              xuelei Xuelei Fan
              Sean Mullan
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: