JDK-8227024 : Remove the deprecated javax.security.cert APIs
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P3
  • Status: Open
  • Resolution: Unresolved
  • Submitted: 2019-07-01
  • Updated: 2023-11-09
Sub Tasks
JDK-8240968 :  
Description
The javax.security.cert APIs and their dependents were initially deprecated in Java SE 9 and marked for removal in Java SE 19. This also includes several methods in the javax.net.ssl package.
Comments
For what it's worth, I reached out to the Netty project and contributed this PR, which suggests removing any use of classes in javax.security.cert: https://github.com/netty/netty/pull/13326 EDIT: This PR was accepted for Netty 5. The SSLSession.getPeerCertificateChain implementations are still in place to support building on Java 11, but their implementations all throw UnsupportedOperationException. Should be straightforward to remove once this method is removed from the JDK.
17-04-2023

Jetty has no dependencies on javax.security.cert: https://github.com/eclipse/jetty.project
15-04-2023

Grizzly seems to have removed all their dependencies on javax.security.cert in the following PR: https://github.com/eclipse-ee4j/glassfish/issues/23734 This was merged in December 2021.
15-04-2023

I reached out to the Bouncycastle community with an email suggesting that they retire the use of javax.security.cert. I got the following response: https://marc.info/?l=bouncycastle-crypto-dev&m=168154811006840&w=2 in which they sketch a few possible solutions and also suggest that the OpenJDK project go ahead with the removal and reach back to Bouncycastle when we have a JDK they can test their changes on.
15-04-2023

I reached out to the Conscrypt community and provided a PR to reduce and contain dependencies on javax.security.cert: https://github.com/google/conscrypt/pull/1128
15-04-2023

I reached out to the Undertow community with a PR which removes uses of javax.security.cert: https://github.com/undertow-io/undertow/pull/1468
14-04-2023

I reached out to the Vert.x project and contributed this PR, which suggests removing any use of javax.security.cert and the getPeerCertificateChain methods: https://github.com/eclipse-vertx/vert.x/pull/4665
14-04-2023

Observing that Tomcat cannot backport this to versions using Java 11, I'm curious if it would be possible to backport JDK-8241039 (Retire the deprecated SSLSession.getPeerCertificateChain() method) to Java 11?
11-04-2023

For what it's worth, I reached out to the Tomcat project and contributed this PR, which suggests removing any use of classes in javax.security.cert: https://github.com/apache/tomcat/pull/608 EDIT: This PR is merged in Tomcat 11 mainline, but will not be backported because of the lack of the default method in Java 11, see https://github.com/apache/tomcat/pull/608#issuecomment-1503257308
11-04-2023

There has been a lot of internal discussion about the demonstrated impact to existing provider and JSSE implementations, so we have decided to defer for now. More discussion details to be added later.
02-08-2022

Restarting this effort. Reaching out to a few known users of the API. See CSR for more info. Some of the internal changes have already been made.
28-01-2022

See comments in CSR (JDK-8227395); we may come back in a few years for the removal. For reference, here is the webrev: http://cr.openjdk.java.net/~xuelei/8227024/webrev.00/
14-03-2020

com.sun.net.ssl has been removed.
08-07-2019