RFR: 8329251: Print custom truststore/ keystore name [v11]

Sean Mullan mullan at openjdk.org
Fri Nov 15 21:29:07 UTC 2024


On Thu, 14 Nov 2024 06:28:25 GMT, Prasadrao Koppula <pkoppula at openjdk.org> wrote:

>> src/java.base/share/classes/javax/net/ssl/TrustManagerFactory.java line 283:
>> 
>>> 281:         if (ks != null && SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
>>> 282:             String keystorePath = SharedSecrets
>>> 283:                     .getJavaSecurityKeyStoreAccess()
>> 
>> This code only works if `java.security.debug=keystore` is also enabled, otherwise it will always return `null`. I think that dependency is not intuitive, and will be hard for users to remember. I think you should change `KeyStore.java` to always cache the filename, whether debug is on or not.
>
> The primary concern is the repeated calls to SharedSecrets to access the inputStream, even though the keystore name is needed in minimal cases ( only when debug enabled) . To optimize, we can cache the filename and access it only when debugging is enabled, reducing unnecessary overhead in the common case.
> 
> I agree that dependency is not intuitive and hard for users to remember.

Perhaps you could cache the `InputStream` instead in `KeyStore`, and only use shared secrets to get the pathname as needed when logging is enabled in the TLS code.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/20414#discussion_r1844521411


More information about the core-libs-dev mailing list