8305406: Add @spec tags in java.base/java.* (part 2)

src/java.base/share/classes/com/sun/crypto/provider/AESKeyWrap.java

@@ -37,6 +37,9 @@
  * <a href=https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf>
  * "Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping"</a>
  * and represents AES cipher in KW mode.
+ *
+ * @spec https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf
+ *      Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping
  */
 class AESKeyWrap extends FeedbackCipher {
 

src/java.base/share/classes/com/sun/crypto/provider/AESKeyWrapPadded.java

@@ -39,6 +39,9 @@
  * <a href=https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf>
  * "Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping"</a>
  * and represents AES cipher in KWP mode.
+ *
+ * @spec https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf
+ *      Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping
  */
 class AESKeyWrapPadded extends FeedbackCipher {
 

src/java.base/share/classes/com/sun/crypto/provider/KWUtil.java

@@ -35,6 +35,9 @@
  * This class acts as the base class for AES KeyWrap algorithms as defined
  * in <a href=https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf>
  * "Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping"
+ *
+ * @spec https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf
+ *      Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping
  */
 class KWUtil {
 

src/java.base/share/classes/com/sun/crypto/provider/KeyWrapCipher.java

@@ -36,6 +36,9 @@
  * This class is the impl class for AES KeyWrap algorithms as defined in
  * <a href=https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf>
  * "Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping"
+ *
+ * @spec https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf
+ *      Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping
  */
 abstract class KeyWrapCipher extends CipherSpi {
 

src/java.base/share/classes/java/security/DrbgParameters.java

@@ -227,6 +227,9 @@
  * Calling {@link SecureRandom#generateSeed(int)} will directly read
  * from this system default entropy source.
  *
+ * @spec https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf
+ *      Recommendation for Random Number Generation Using Deterministic Random Bit Generators
+ *
  * @since 9
  */
 public class DrbgParameters {

src/java.base/share/classes/java/security/Key.java

@@ -86,6 +86,10 @@
  * Security Appendix</a>
  * of the <cite>Java Object Serialization Specification</cite> for more information.
  *
+ * @spec serialization/index.html Java Object Serialization Specification
+ * @spec https://www.rfc-editor.org/info/rfc5280
+ *      RFC 5280: Internet X.509 Public Key Infrastructure Certificate
+ *              and Certificate Revocation List (CRL) Profile
  * @see PublicKey
  * @see PrivateKey
  * @see KeyPair

src/java.base/share/classes/java/security/KeyRep.java

@@ -44,6 +44,7 @@
  * Security Appendix</a>
  * of the <cite>Java Object Serialization Specification</cite> for more information.
  *
+ * @spec serialization/index.html Java Object Serialization Specification
  * @see Key
  * @see KeyFactory
  * @see javax.crypto.spec.SecretKeySpec

src/java.base/share/classes/java/security/SecureRandom.java

@@ -141,6 +141,11 @@
  * <li>{@link SecureRandomSpi#engineReseed(SecureRandomParameters)}
  * </ul>
  *
+ * @spec https://www.rfc-editor.org/info/rfc4086
+ *      RFC 4086: Randomness Requirements for Security
+ * @spec https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
+ *      Security Requirements for Cryptographic Modules
+ *
  * @see java.security.SecureRandomSpi
  * @see java.util.Random
  *

src/java.base/share/classes/java/security/Security.java

@@ -273,6 +273,7 @@ private static String getProviderProperty(String key, Provider provider) {
      *
      * @return the value of the specified property.
      *
+     * @spec security/standard-names.html Java Security Standard Algorithm Names
      * @deprecated This method used to return the value of a proprietary
      * property in the master file of the "SUN" Cryptographic Service
      * Provider in order to determine how to parse algorithm-specific
@@ -504,6 +505,7 @@ public static Provider getProvider(String name) {
      *         if the filter is not in the required format
      * @throws NullPointerException if filter is {@code null}
      *
+     * @spec security/standard-names.html Java Security Standard Algorithm Names
      * @see #getProviders(java.util.Map)
      * @since 1.3
      */
@@ -581,6 +583,7 @@ public static Provider[] getProviders(String filter) {
      *         if the filter is not in the required format
      * @throws NullPointerException if filter is {@code null}
      *
+     * @spec security/standard-names.html Java Security Standard Algorithm Names
      * @see #getProviders(java.lang.String)
      * @since 1.3
      */

src/java.base/share/classes/java/security/cert/CRL.java

@@ -56,6 +56,8 @@ public abstract class CRL {
      * "{@docRoot}/../specs/security/standard-names.html">
      * Java Security Standard Algorithm Names</a> document
      * for information about standard CRL types.
+     *
+     * @spec security/standard-names.html Java Security Standard Algorithm Names
      */
     protected CRL(String type) {
         this.type = type;

src/java.base/share/classes/java/security/cert/CRLReason.java

@@ -31,6 +31,9 @@
  * RFC 5280: Internet X.509 Public Key Infrastructure Certificate and CRL
  * Profile</a>.
  *
+ * @spec https://www.rfc-editor.org/info/rfc5280
+ *      RFC 5280: Internet X.509 Public Key Infrastructure Certificate
+ *              and Certificate Revocation List (CRL) Profile
  * @author Sean Mullan
  * @since 1.7
  * @see X509CRLEntry#getRevocationReason

src/java.base/share/classes/java/security/cert/PKIXRevocationChecker.java

@@ -81,14 +81,13 @@
  * necessary locking. Multiple threads each manipulating separate objects
  * need not synchronize.
  *
+ * @spec https://www.rfc-editor.org/info/rfc2560
+ *      RFC 2560: X.509 Internet Public Key Infrastructure Online Certificate
+ *              Status Protocol - OCSP
+ * @spec https://www.rfc-editor.org/info/rfc5280
+ *      RFC 5280: Internet X.509 Public Key Infrastructure Certificate
+ *              and Certificate Revocation List (CRL) Profile
  * @since 1.8
- *
- * @see <a href="http://www.ietf.org/rfc/rfc2560.txt"><i>RFC&nbsp;2560: X.509
- * Internet Public Key Infrastructure Online Certificate Status Protocol -
- * OCSP</i></a>
- * @see <a href="http://www.ietf.org/rfc/rfc5280.txt"><i>RFC&nbsp;5280:
- * Internet X.509 Public Key Infrastructure Certificate and Certificate
- * Revocation List (CRL) Profile</i></a>
  */
 public abstract class PKIXRevocationChecker extends PKIXCertPathChecker {
     private URI ocspResponder;

src/java.base/share/classes/java/security/cert/TrustAnchor.java

@@ -125,6 +125,10 @@ public class TrustAnchor {
      * decoded
      * @throws NullPointerException if the specified
      * {@code X509Certificate} is {@code null}
+     *
+     * @spec https://www.rfc-editor.org/info/rfc5280
+     *      RFC 5280: Internet X.509 Public Key Infrastructure Certificate
+     *              and Certificate Revocation List (CRL) Profile
      */
     public TrustAnchor(X509Certificate trustedCert, byte[] nameConstraints)
     {
@@ -207,6 +211,10 @@ public TrustAnchor(X500Principal caPrincipal, PublicKey pubKey,
      * or incorrectly formatted or the name constraints cannot be decoded
      * @throws NullPointerException if the specified {@code caName} or
      * {@code pubKey} parameter is {@code null}
+     *
+     * @spec https://www.rfc-editor.org/info/rfc2253
+     *      RFC 2253: Lightweight Directory Access Protocol (v3):
+     *              UTF-8 String Representation of Distinguished Names
      */
     public TrustAnchor(String caName, PublicKey pubKey, byte[] nameConstraints)
     {

src/java.base/share/classes/java/security/cert/X509CRL.java

@@ -95,6 +95,9 @@
  * }
  * }</pre>
  *
+ * @spec https://www.rfc-editor.org/info/rfc5280
+ *      RFC 5280: Internet X.509 Public Key Infrastructure Certificate
+ *              and Certificate Revocation List (CRL) Profile
  * @author Hemma Prafullchandra
  * @since 1.2
  *
@@ -460,6 +463,11 @@ public X509CRLEntry getRevokedCertificate(X509Certificate certificate) {
      * relevant ASN.1 definitions.
      *
      * @return the signature algorithm OID string.
+     *
+     * @spec https://www.rfc-editor.org/info/rfc3279
+     *      RFC 3279: Algorithms and Identifiers for the Internet X.509
+     *              Public Key Infrastructure Certificate and Certificate
+     *              Revocation List (CRL) Profile
      */
     public abstract String getSigAlgOID();
 

src/java.base/share/classes/java/security/cert/X509CRLSelector.java

@@ -65,6 +65,9 @@
  * provide the necessary locking. Multiple threads each manipulating
  * separate objects need not synchronize.
  *
+ * @spec https://www.rfc-editor.org/info/rfc5280
+ *      RFC 5280: Internet X.509 Public Key Infrastructure Certificate
+ *              and Certificate Revocation List (CRL) Profile
  * @see CRLSelector
  * @see X509CRL
  *
@@ -193,6 +196,10 @@ public void setIssuers(Collection<X500Principal> issuers) {
      *
      * @param names a {@code Collection} of names (or {@code null})
      * @throws IOException if a parsing error occurs
+     *
+     * @spec https://www.rfc-editor.org/info/rfc2253
+     *      RFC 2253: Lightweight Directory Access Protocol (v3):
+     *              UTF-8 String Representation of Distinguished Names
      * @see #getIssuerNames
      */
     public void setIssuerNames(Collection<?> names) throws IOException {
@@ -238,6 +245,9 @@ public void addIssuer(X500Principal issuer) {
      *     <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> form
      * @throws IOException if a parsing error occurs
      *
+     * @spec https://www.rfc-editor.org/info/rfc2253
+     *      RFC 2253: Lightweight Directory Access Protocol (v3):
+     *              UTF-8 String Representation of Distinguished Names
      * @deprecated Use {@link #addIssuer(X500Principal)} or
      * {@link #addIssuerName(byte[])} instead. This method should not be
      * relied on as it can fail to match some CRLs because of a loss of
@@ -493,6 +503,10 @@ public Collection<X500Principal> getIssuers() {
      * protect against subsequent modifications.
      *
      * @return a {@code Collection} of names (or {@code null})
+     *
+     * @spec https://www.rfc-editor.org/info/rfc2253
+     *      RFC 2253: Lightweight Directory Access Protocol (v3):
+     *              UTF-8 String Representation of Distinguished Names
      * @see #setIssuerNames
      */
     public Collection<Object> getIssuerNames() {

src/java.base/share/classes/java/security/cert/X509CertSelector.java

@@ -74,6 +74,9 @@
  * provide the necessary locking. Multiple threads each manipulating
  * separate objects need not synchronize.
  *
+ * @spec https://www.rfc-editor.org/info/rfc5280
+ *      RFC 5280: Internet X.509 Public Key Infrastructure Certificate
+ *              and Certificate Revocation List (CRL) Profile
  * @see CertSelector
  * @see X509Certificate
  *
@@ -198,6 +201,9 @@ public void setIssuer(X500Principal issuer) {
      *                 (or {@code null})
      * @throws IOException if a parsing error occurs (incorrect form for DN)
      *
+     * @spec https://www.rfc-editor.org/info/rfc2253
+     *      RFC 2253: Lightweight Directory Access Protocol (v3):
+     *              UTF-8 String Representation of Distinguished Names
      * @deprecated Use {@link #setIssuer(X500Principal)} or
      * {@link #setIssuer(byte[])} instead. This method should not be relied on
      * as it can fail to match some certificates because of a loss of encoding
@@ -290,6 +296,9 @@ public void setSubject(X500Principal subject) {
      *                  (or {@code null})
      * @throws IOException if a parsing error occurs (incorrect form for DN)
      *
+     * @spec https://www.rfc-editor.org/info/rfc2253
+     *      RFC 2253: Lightweight Directory Access Protocol (v3):
+     *              UTF-8 String Representation of Distinguished Names
      * @deprecated Use {@link #setSubject(X500Principal)} or
      * {@link #setSubject(byte[])} instead. This method should not be relied
      * on as it can fail to match some certificates because of a loss of
@@ -732,6 +741,12 @@ public void setSubjectAlternativeNames(Collection<List<?>> names)
      *             RFC 5280, section 4.2.1.6)
      * @param name the name in string form (not {@code null})
      * @throws IOException if a parsing error occurs
+     *
+     * @spec https://www.rfc-editor.org/info/rfc2253
+     *      RFC 2253: Lightweight Directory Access Protocol (v3):
+     *              UTF-8 String Representation of Distinguished Names
+     * @spec https://www.rfc-editor.org/info/rfc822
+     *      RFC 822: STANDARD FOR THE FORMAT OF ARPA INTERNET TEXT MESSAGES
      */
     public void addSubjectAlternativeName(int type, String name)
             throws IOException {
@@ -1281,6 +1296,9 @@ public X500Principal getIssuer() {
      * @return the required issuer distinguished name in RFC 2253 format
      *         (or {@code null})
      *
+     * @spec https://www.rfc-editor.org/info/rfc2253
+     *      RFC 2253: Lightweight Directory Access Protocol (v3):
+     *              UTF-8 String Representation of Distinguished Names
      * @deprecated Use {@link #getIssuer()} or {@link #getIssuerAsBytes()}
      * instead. This method should not be relied on as it can fail to match
      * some certificates because of a loss of encoding information in the
@@ -1340,6 +1358,9 @@ public X500Principal getSubject() {
      * @return the required subject distinguished name in RFC 2253 format
      *         (or {@code null})
      *
+     * @spec https://www.rfc-editor.org/info/rfc2253
+     *      RFC 2253: Lightweight Directory Access Protocol (v3):
+     *              UTF-8 String Representation of Distinguished Names
      * @deprecated Use {@link #getSubject()} or {@link #getSubjectAsBytes()}
      * instead. This method should not be relied on as it can fail to match
      * some certificates because of a loss of encoding information in the

src/java.base/share/classes/java/security/cert/X509Certificate.java

@@ -95,6 +95,9 @@
  * }
  * </pre>
  *
+ * @spec https://www.rfc-editor.org/info/rfc5280
+ *      RFC 5280: Internet X.509 Public Key Infrastructure Certificate
+ *              and Certificate Revocation List (CRL) Profile
  * @author Hemma Prafullchandra
  * @since 1.2
  *
@@ -386,6 +389,11 @@ public abstract byte[] getTBSCertificate()
      * relevant ASN.1 definitions.
      *
      * @return the signature algorithm OID string.
+     *
+     * @spec https://www.rfc-editor.org/info/rfc3279
+     *      RFC 3279: Algorithms and Identifiers for the Internet X.509
+     *              Public Key Infrastructure Certificate and Certificate
+     *              Revocation List (CRL) Profile
      */
     public abstract String getSigAlgOID();
 
@@ -614,6 +622,12 @@ public List<String> getExtendedKeyUsage() throws CertificateParsingException {
      * @return an immutable {@code Collection} of subject alternative
      * names (or {@code null})
      * @throws CertificateParsingException if the extension cannot be decoded
+     *
+     * @spec https://www.rfc-editor.org/info/rfc2253
+     *      RFC 2253: Lightweight Directory Access Protocol (v3):
+     *              UTF-8 String Representation of Distinguished Names
+     * @spec https://www.rfc-editor.org/info/rfc822
+     *      RFC 822: STANDARD FOR THE FORMAT OF ARPA INTERNET TEXT MESSAGES
      * @since 1.4
      */
     public Collection<List<?>> getSubjectAlternativeNames()

src/java.base/share/classes/java/security/cert/package-info.java

@@ -52,6 +52,10 @@
  *   <li> {@extLink security_guide_pki Java PKI Programmer's Guide}
  * </ul>
  *
+ * @spec security/standard-names.html Java Security Standard Algorithm Names
+ * @spec https://www.rfc-editor.org/info/rfc5280
+ *      RFC 5280: Internet X.509 Public Key Infrastructure Certificate
+ *              and Certificate Revocation List (CRL) Profile
  * @since 1.2
  */
 package java.security.cert;

src/java.base/share/classes/java/security/interfaces/EdECKey.java

@@ -35,6 +35,8 @@
  * This interface allows access to the algorithm parameters associated with
  * the key.
  *
+ * @spec https://www.rfc-editor.org/info/rfc8032
+ *      RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)
  * @since 15
  */
 public interface EdECKey {

src/java.base/share/classes/java/security/interfaces/EdECPrivateKey.java

@@ -39,6 +39,8 @@
  * string lengths that are a multiple of 8, and the key is represented using
  * a byte array.
  *
+ * @spec https://www.rfc-editor.org/info/rfc8032
+ *      RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)
  * @since 15
  */
 public interface EdECPrivateKey extends EdECKey, PrivateKey {

src/java.base/share/classes/java/security/interfaces/EdECPublicKey.java

@@ -37,6 +37,8 @@
  * An Edwards-Curve public key is a point on the curve, which is represented using an
  * EdECPoint.
  *
+ * @spec https://www.rfc-editor.org/info/rfc8032
+ *      RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)
  * @since 15
  */
 public interface EdECPublicKey extends EdECKey, PublicKey {

src/java.base/share/classes/java/security/interfaces/RSAKey.java

@@ -33,6 +33,8 @@
  * <a href="https://tools.ietf.org/rfc/rfc8017.txt">PKCS#1 v2.2</a> standard,
  * such as those for RSA, or RSASSA-PSS algorithms.
  *
+ * @spec https://www.rfc-editor.org/info/rfc8017
+ *      RFC 8017: PKCS #1: RSA Cryptography Specifications Version 2.2
  * @author Jan Luehe
  *
  * @see RSAPublicKey

src/java.base/share/classes/java/security/interfaces/RSAMultiPrimePrivateCrtKey.java

@@ -33,6 +33,8 @@
  * <a href="https://tools.ietf.org/rfc/rfc8017.txt">PKCS#1 v2.2</a> standard,
  * using the <i>Chinese Remainder Theorem</i> (CRT) information values.
  *
+ * @spec https://www.rfc-editor.org/info/rfc8017
+ *      RFC 8017: PKCS #1: RSA Cryptography Specifications Version 2.2
  * @author Valerie Peng
  *
  *

src/java.base/share/classes/java/security/interfaces/RSAPrivateCrtKey.java

@@ -32,6 +32,8 @@
  * <a href="https://tools.ietf.org/rfc/rfc8017.txt">PKCS#1 v2.2</a> standard,
  * using the <i>Chinese Remainder Theorem</i> (CRT) information values.
  *
+ * @spec https://www.rfc-editor.org/info/rfc8017
+ *      RFC 8017: PKCS #1: RSA Cryptography Specifications Version 2.2
  * @author Jan Luehe
  * @since 1.2
  *