JDK-8219472 : Mark deprecated javax.security.cert APIs with forRemoval=true
  • Type: CSR
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P3
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 13
  • Submitted: 2019-02-20
  • Updated: 2019-03-02
  • Resolved: 2019-03-02
Related Reports
CSR :  
JDK-8160247 - Mark deprecated javax.security.cert APIs with forRemoval=true
Description
Summary
-------
Propose to mark the javax.security.cert APIs with forRemoval=true.

Problem
-------
JSSE 1.0.x was an un-bundled release that provided JDK 1.2/1.3 with SSL/TLS, and was eventually bundled in JDK 1.4.

The javax.security.cert APIs were deprecated in JDK 9 but have had the following warning (since 1.4.2) in the description of each class:

> Note: The classes in the package javax.security.cert exist for 
> compatibility with earlier versions of the Java Secure Sockets
> Extension (JSSE).  New applications should instead use the standard
> Java SE certificate classes located in java.security.cert.

Since these earlier versions of JSSE are no longer maintained or supported, there is no reason to retain these packages for compatibility and they should be removed in a future release.

This update will add forRemoval=true to the deprecated javax.security.cert  APIs.

Note that in JDK 9, these APIs were originally marked for removal in JDK 9 but the change was backed out before 9 was released because some external projects needed more time to remove the dependencies.  See also JDK-8157712 and CCC-8157712.

Solution
--------
Add forRemoval=true to the Deprecated annotation of the javax.security.cert classes.

Specification
-------------
Add forRemoval=true to the Deprecated annotation of classes in the javax.security.cert package. The spec update is almost the same as:

      * @since 1.4
      * @see X509Certificate
      * @deprecated Use the classes in {@code java.security.cert} instead.
    + *      This class is subject to removal in a future version of Java SE.
      *
      * @author Hemma Prafullchandra
      */
    - @Deprecated(since="9")
    + @Deprecated(since="9", forRemoval=true)
      public abstract class Certificate {

All public classes in the package get updated:

 - Certificate.java
 - CertificateEncodingException.java
 - CertificateException.java
 - CertificateExpiredException.java
 - CertificateNotYetValidException.java
 - CertificateParsingException.java
 - X509Certificate.java

And the following methods:

 - javax.net.ssl.HandshakeCompletedEvent.getPeerCertificateChain()
 - javax.net.ssl.SSLSession.getPeerCertificateChain()

Suggested release note
-------------
The javax.security.cert API has been deprecated. The classes in this package should no longer be used. The java.security.cert package contains suitable replacements.
Comments
Moving to Approved.
02-03-2019