Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8219472

Mark deprecated javax.security.cert APIs with forRemoval=true

    XMLWordPrintable

    Details

    • Type: CSR
    • Status: Closed
    • Priority: P3
    • Resolution: Approved
    • Fix Version/s: 13
    • Component/s: security-libs
    • Labels:
      None
    • Subcomponent:
    • Compatibility Risk:
      minimal
    • Compatibility Risk Description:
       Low risk as this is a documentation only update.
    • Interface Kind:
      Java API
    • Scope:
      SE

      Description

      Summary

      Propose to mark the javax.security.cert APIs with forRemoval=true.

      Problem

      JSSE 1.0.x was an un-bundled release that provided JDK 1.2/1.3 with SSL/TLS, and was eventually bundled in JDK 1.4.

      The javax.security.cert APIs were deprecated in JDK 9 but have had the following warning (since 1.4.2) in the description of each class:

      Note: The classes in the package javax.security.cert exist for compatibility with earlier versions of the Java Secure Sockets Extension (JSSE). New applications should instead use the standard Java SE certificate classes located in java.security.cert.

      Since these earlier versions of JSSE are no longer maintained or supported, there is no reason to retain these packages for compatibility and they should be removed in a future release.

      This update will add forRemoval=true to the deprecated javax.security.cert APIs.

      Note that in JDK 9, these APIs were originally marked for removal in JDK 9 but the change was backed out before 9 was released because some external projects needed more time to remove the dependencies. See also JDK-8157712 and CCC-8157712.

      Solution

      Add forRemoval=true to the Deprecated annotation of the javax.security.cert classes.

      Specification

      Add forRemoval=true to the Deprecated annotation of classes in the javax.security.cert package. The spec update is almost the same as:

        * @since 1.4
        * @see X509Certificate
        * @deprecated Use the classes in {@code java.security.cert} instead.
      + *      This class is subject to removal in a future version of Java SE.
        *
        * @author Hemma Prafullchandra
        */
      - @Deprecated(since="9")
      + @Deprecated(since="9", forRemoval=true)
        public abstract class Certificate {

      All public classes in the package get updated:

      • Certificate.java
      • CertificateEncodingException.java
      • CertificateException.java
      • CertificateExpiredException.java
      • CertificateNotYetValidException.java
      • CertificateParsingException.java
      • X509Certificate.java

      And the following methods:

      • javax.net.ssl.HandshakeCompletedEvent.getPeerCertificateChain()
      • javax.net.ssl.SSLSession.getPeerCertificateChain()

      Suggested release note

      The javax.security.cert API has been deprecated. The classes in this package should no longer be used. The java.security.cert package contains suitable replacements.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              xuelei Xue-Lei Fan
              Reporter:
              xuelei Xue-Lei Fan
              Reviewed By:
              Sean Mullan
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: