Gurmeen Bindra | 19 Nov 14:45 2012

PKCS10CertificateRequest porting from 1.46 to 1.47

Hi,

While porting from 1.46 to latest release of bouncy-castle provider, I 
noticed that org.bouncycastle.jce.PKCS10CertificationRequest class is 
deprecated.
The possible alternatives are JcaPKCS10CertificationRequestBuilder or 
org.bouncycastle.pkcs.PKCS10CertificationRequest.

However, I feel that the deprecated class was a lot easier as the caller 
did not have to worry about creating a signer or a subjectPublicKey. The 
API for getPublicKey() was also helpful. But with the new set of 
classes, the caller needs to do much more work.

Which API do you recommend for creating a PKCS10 with inputs=private key 
and subject ?

Thanks,
Gurmeen

David Hook | 20 Nov 01:15 2012

Re: PKCS10CertificateRequest porting from 1.46 to 1.47


Use the new classes. If you use JcaPKCS10CertificationRequestBuilder you 
don't need to create a SubjectPublicKeyInfo object, you can also use 
JcaPKCS10CertificationRequest to extract the public key directly. The 
main change, workload wise, is really the signer, but then that allows 
you to do things which would be impossible to have done before 
otherwise, so it is worth getting used to.

Regards,

David

On 20/11/12 00:45, Gurmeen Bindra wrote:
> Hi,
>
> While porting from 1.46 to latest release of bouncy-castle provider, I 
> noticed that org.bouncycastle.jce.PKCS10CertificationRequest class is 
> deprecated.
> The possible alternatives are JcaPKCS10CertificationRequestBuilder or 
> org.bouncycastle.pkcs.PKCS10CertificationRequest.
>
> However, I feel that the deprecated class was a lot easier as the 
> caller did not have to worry about creating a signer or a 
> subjectPublicKey. The API for getPublicKey() was also helpful. But 
> with the new set of classes, the caller needs to do much more work.
>
> Which API do you recommend for creating a PKCS10 with inputs=private 
> key and subject ?
>
> Thanks,

Gurmeen Bindra | 20 Nov 15:18 2012

Re: PKCS10CertificateRequest porting from 1.46 to 1.47

On 11/20/2012 12:15 AM, David Hook wrote:
>
> Use the new classes. If you use JcaPKCS10CertificationRequestBuilder you
> don't need to create a SubjectPublicKeyInfo object, you can also use
> JcaPKCS10CertificationRequest to extract the public key directly. The
> main change, workload wise, is really the signer, but then that allows
> you to do things which would be impossible to have done before
> otherwise, so it is worth getting used to.

Thanks David. I have got used to using the signer !

I also notice that PKCS10CertificationRequestParser class of the 
PEMReader class is still returning deprecated 
org.bouncycastle.jce.PKCS10CertificationRequest when parsing PEM CSR.
Will that also change once the 
org.bouncycastle.jce.PKCS10CertificationRequest class is removed ?

>
> Regards,
>
> David
>
> On 20/11/12 00:45, Gurmeen Bindra wrote:
>> Hi,
>>
>> While porting from 1.46 to latest release of bouncy-castle provider, I
>> noticed that org.bouncycastle.jce.PKCS10CertificationRequest class is
>> deprecated.
>> The possible alternatives are JcaPKCS10CertificationRequestBuilder or
>> org.bouncycastle.pkcs.PKCS10CertificationRequest.

Gurmeen Bindra | 20 Nov 15:31 2012

Re: PKCS10CertificateRequest porting from 1.46 to 1.47

On 11/20/2012 02:18 PM, Gurmeen Bindra wrote:
> On 11/20/2012 12:15 AM, David Hook wrote:
>>
>> Use the new classes. If you use JcaPKCS10CertificationRequestBuilder you
>> don't need to create a SubjectPublicKeyInfo object, you can also use
>> JcaPKCS10CertificationRequest to extract the public key directly. The
>> main change, workload wise, is really the signer, but then that allows
>> you to do things which would be impossible to have done before
>> otherwise, so it is worth getting used to.
>
> Thanks David. I have got used to using the signer !
>
> I also notice that PKCS10CertificationRequestParser class of the
> PEMReader class is still returning deprecated
> org.bouncycastle.jce.PKCS10CertificationRequest when parsing PEM CSR.
> Will that also change once the
> org.bouncycastle.jce.PKCS10CertificationRequest class is removed ?

And also the PEMWriter still expects the deprecated PKCS10 object.

>
>
>>
>> Regards,
>>
>> David
>>
>> On 20/11/12 00:45, Gurmeen Bindra wrote:
>>> Hi,
>>>

David Hook | 21 Nov 01:31 2012

Re: PKCS10CertificateRequest porting from 1.46 to 1.47


This one is fixed in CVS already.

Before anyone comments, yes, we haven't been managing this project 
terribly well lately. Sorry. It's been one of those 
work/life/open-source-project balance sort of things.

We are working towards getting back to a 3 - 4 releases a year cycle 
once 1.48 goes out. 1.48 is going to be delayed a bit longer as we need 
to get a new signing certificate (or put another way, there is progress 
being made, it's just not visible...)

Regards,

David

On 21/11/12 01:31, Gurmeen Bindra wrote:
> On 11/20/2012 02:18 PM, Gurmeen Bindra wrote:
>> On 11/20/2012 12:15 AM, David Hook wrote:
>>>
>>> Use the new classes. If you use JcaPKCS10CertificationRequestBuilder 
>>> you
>>> don't need to create a SubjectPublicKeyInfo object, you can also use
>>> JcaPKCS10CertificationRequest to extract the public key directly. The
>>> main change, workload wise, is really the signer, but then that allows
>>> you to do things which would be impossible to have done before
>>> otherwise, so it is worth getting used to.
>>
>> Thanks David. I have got used to using the signer !
>>

Gurmeen Bindra | 21 Nov 12:26 2012

Re: PKCS10CertificateRequest porting from 1.46 to 1.47

On 11/21/2012 12:31 AM, David Hook wrote:
>
> This one is fixed in CVS already.

Thanks David. Sorry, I should have checked the CVS first - looks promising.

>
> Before anyone comments, yes, we haven't been managing this project
> terribly well lately. Sorry. It's been one of those
> work/life/open-source-project balance sort of things.
>
> We are working towards getting back to a 3 - 4 releases a year cycle
> once 1.48 goes out. 1.48 is going to be delayed a bit longer as we need
> to get a new signing certificate (or put another way, there is progress
> being made, it's just not visible...)
>
> Regards,
>
> David
>
> On 21/11/12 01:31, Gurmeen Bindra wrote:
>> On 11/20/2012 02:18 PM, Gurmeen Bindra wrote:
>>> On 11/20/2012 12:15 AM, David Hook wrote:
>>>>
>>>> Use the new classes. If you use JcaPKCS10CertificationRequestBuilder
>>>> you
>>>> don't need to create a SubjectPublicKeyInfo object, you can also use
>>>> JcaPKCS10CertificationRequest to extract the public key directly. The
>>>> main change, workload wise, is really the signer, but then that allows
>>>> you to do things which would be impossible to have done before

Martin Paljak | 21 Nov 15:02 2012

Re: PKCS10CertificateRequest porting from 1.46 to 1.47

Hello,

On Tue, Nov 20, 2012 at 4:18 PM, Gurmeen Bindra
<gurmeen.bindra@...> wrote:
>> Use the new classes. If you use JcaPKCS10CertificationRequestBuilder you
>> don't need to create a SubjectPublicKeyInfo object, you can also use
>> JcaPKCS10CertificationRequest to extract the public key directly. The
>> main change, workload wise, is really the signer, but then that allows
>> you to do things which would be impossible to have done before
>> otherwise, so it is worth getting used to.

I have not checked the new code, but I once patched the PKCS10
generator to be able to actually sign it with an external device, with
a signature along the lines of "byte[] signRequest(byte[]
requestBytes)" ?

That would be a convincing reason to upgrade old code...

Martin
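
Added example, not part of any post in this thread and not Bouncy Castle project code: a CSR built with JcaPKCS10CertificationRequestBuilder, signed once with an in-memory key and once through a ContentSigner that hands the bytes to an external signing function, then checked by extracting the public key with JcaPKCS10CertificationRequest and verifying the request signature. The names `Pkcs10Example`, `ExternalSigner` and `wrap` are hypothetical, the subject and key pair are constructed, and the "device" is simulated with a JCA `Signature`.

```java
import java.io.ByteArrayOutputStream;
import java.io.OutputStream;
import java.security.*;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
public class Pkcs10Example {
    // Hypothetical interface standing in for an external device (HSM, smart card).
    interface ExternalSigner { byte[] signRequest(byte[] requestBytes) throws Exception; }
    // Adapts the device to ContentSigner; the builder writes the DER-encoded
    // CertificationRequestInfo to the stream, then asks for the signature over it.
    static ContentSigner wrap(final String sigAlg, final ExternalSigner device) {
        final ByteArrayOutputStream buf = new ByteArrayOutputStream();
        return new ContentSigner() {
            public AlgorithmIdentifier getAlgorithmIdentifier() { return new DefaultSignatureAlgorithmIdentifierFinder().find(sigAlg); }
            public OutputStream getOutputStream() { return buf; }
            public byte[] getSignature() {
                try { return device.signRequest(buf.toByteArray()); }
                catch (Exception e) { throw new IllegalStateException("external signing failed", e); }
            }
        };
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        final KeyPair kp = kpg.generateKeyPair(); // constructed key pair for the example
        X500Principal subject = new X500Principal("CN=csr.example.test,O=Constructed");
        JcaPKCS10CertificationRequestBuilder b = new JcaPKCS10CertificationRequestBuilder(subject, kp.getPublic());
        // Common case: the private key is available to the JVM.
        PKCS10CertificationRequest local = b.build(new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate()));
        // External case: the key never reaches the builder; only the bytes to sign leave it.
        PKCS10CertificationRequest ext = b.build(wrap("SHA256withRSA", data -> {
            Signature s = Signature.getInstance("SHA256withRSA"); // simulated device
            s.initSign(kp.getPrivate()); s.update(data); return s.sign();
        }));
        for (PKCS10CertificationRequest csr : new PKCS10CertificationRequest[] { local, ext }) {
            // Extract the requester's key and check the signature made with it.
            PublicKey pub = new JcaPKCS10CertificationRequest(csr).getPublicKey();
            boolean valid = csr.isSignatureValid(new JcaContentVerifierProviderBuilder().build(pub));
            System.out.println(pub.getAlgorithm() + " key, request signature valid: " + valid);
        }
    }
}
```

The signature check at the end is what a receiving CA would run before trusting the key in a request; a CSR whose signature does not verify under its own embedded public key should be rejected.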

