RFR: 5561: Support for Crypto Events in JMC [v4]

Marcus Hirt hirt at openjdk.org
Mon Feb 2 13:40:36 UTC 2026


On Tue, 23 Dec 2025 22:45:13 GMT, Suchita Chaturvedi <schaturvedi at openjdk.org> wrote:

>> This PR enhances the JMC UI for adding new information related to crypto events: specifically X509CertificateEvent.
>> 
>> This PR adds a new rule with respect to X509CertificateEvent which provides alerts related to expired/expiring certificates and weak signature algorithms or weak key length or key type. The rule gives a basic overview of all the certificate ids which need action or attention; however, complete details are provided as part of a new screen - Security.
>> 
>> Attaching the screenshots here for better reference:
>> 
>> Rule Page:
>> 
>> <img width="362" height="373" alt="image" src="https://github.com/user-attachments/assets/4707e6b2-76be-4b1e-9f32-c6139851d86c" />
>> 
>> Security Screen Page:
>> 
>> <img width="959" height="385" alt="image" src="https://github.com/user-attachments/assets/5026e2b7-2754-47bc-a42d-5672f9f087d7" />
>
> Suchita Chaturvedi has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Fixing spotless failure

Changes requested by hirt (Lead).

application/org.openjdk.jmc.docs/html/SecurityPage.htm line 4:

> 2:   PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
> 3: <!--
> 4:    Copyright (c) 2018, 2025, Oracle and/or its affiliates. All rights reserved.

All the copyrights should now be 2026.

core/org.openjdk.jmc.common/src/main/java/org/openjdk/jmc/common/security/CryptoUtil.java line 45:

> 43: import java.util.Map;
> 44: import java.util.concurrent.TimeUnit;
> 45: 

Perhaps a class comment explaining the class.

core/org.openjdk.jmc.common/src/main/java/org/openjdk/jmc/common/security/CryptoUtil.java line 70:

> 68: 			} else if (keyLength == 1024) {
> 69: 				remark = ACTION.concat(Messages.getString(Messages.Crypto_RSA_KEY_SIZE_1024)).concat(remark);
> 70: 			} else if (keyLength < 2048) {

Should all these constants be defined somewhere, e.g.:
  private static final int RSA_MINIMUM_KEY_SIZE = 1024;
  private static final int RSA_RECOMMENDED_KEY_SIZE = 2048;

core/org.openjdk.jmc.common/src/main/java/org/openjdk/jmc/common/security/CryptoUtil.java line 111:

> 109: 	}
> 110: 
> 111: 	public static String getCryptoIcon(

Splitting up the determination of the severity level and then deciding on the icon at the end might be cleaner. Perhaps using an enum for the severity level.

core/org.openjdk.jmc.common/src/main/java/org/openjdk/jmc/common/security/CryptoUtil.java line 168:

> 166: 	}
> 167: 
> 168: 	public static String getCryptoRuleResult(

There is a lot of code duplication. How about separating out some of the key functionality, e.g.:

  private static boolean isWeakSignatureAlgorithm(String signatureAlgorithm) {
      return signatureAlgorithm.contains("MD2") || signatureAlgorithm.contains("MD5");
  }

core/org.openjdk.jmc.common/src/main/java/org/openjdk/jmc/common/security/CryptoUtil.java line 231:

> 229: 
> 230: 		if (remarks.isEmpty()) {
> 231: 			remarks.add(Map.entry(OK, "Everything is fine"));

Should be externalised.

core/org.openjdk.jmc.common/src/main/resources/org/openjdk/jmc/common/messages/internal/messages.properties line 218:

> 216: Crypto_MD2= MD2 signature. 
> 217: Crypto_MD5= MD5 signature. 
> 218: Crypto_RSA_INSUFFICIENT_KEY_SIZE= RSA signature with insufficient key size. 

These could be improved by being a bit more concrete and specifying the expectations. E.g. "RSA key size {0} bits is below minimum {1} bits."

-------------

PR Review: https://git.openjdk.org/jmc/pull/686#pullrequestreview-3739355844
PR Review Comment: https://git.openjdk.org/jmc/pull/686#discussion_r2754348826
PR Review Comment: https://git.openjdk.org/jmc/pull/686#discussion_r2754300269
PR Review Comment: https://git.openjdk.org/jmc/pull/686#discussion_r2754339581
PR Review Comment: https://git.openjdk.org/jmc/pull/686#discussion_r2754323542
PR Review Comment: https://git.openjdk.org/jmc/pull/686#discussion_r2754308640
PR Review Comment: https://git.openjdk.org/jmc/pull/686#discussion_r2754327081
PR Review Comment: https://git.openjdk.org/jmc/pull/686#discussion_r2754371011
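
The refactoring suggested in the review comments above (named key-size constants, a weak-signature helper, severity decided before the icon, a parameterised message), sketched as an added example; it is not code from the PR or from JMC. The Severity enum, the icon file names, the mapping of key sizes to severities and the sample certificates are assumptions made for illustration.

```java
import java.text.MessageFormat;
import java.util.Locale;

public class CertificateSeverityExample {
	// Names and values as suggested in the review comment.
	private static final int RSA_MINIMUM_KEY_SIZE = 1024;
	private static final int RSA_RECOMMENDED_KEY_SIZE = 2048;
	// Pattern from the review; which threshold fills {1} is an assumption here.
	private static final String RSA_KEY_SIZE_PATTERN = "RSA key size {0} bits is below minimum {1} bits.";

	// Hypothetical severity levels, declared from least to most severe.
	enum Severity {
		OK("ok.png"), ATTENTION("attention.png"), ACTION("action.png");
		final String icon; // hypothetical icon names
		Severity(String icon) { this.icon = icon; }
		Severity worst(Severity other) { return compareTo(other) >= 0 ? this : other; }
	}

	static boolean isWeakSignatureAlgorithm(String signatureAlgorithm) {
		// Null-safe, case-insensitive variant of the helper in the review.
		String upper = signatureAlgorithm == null ? "" : signatureAlgorithm.toUpperCase(Locale.ROOT);
		return upper.contains("MD2") || upper.contains("MD5");
	}

	// Assumed mapping: at or below the minimum needs action, below recommended needs attention.
	static Severity rsaKeySeverity(int keyLength) {
		if (keyLength <= RSA_MINIMUM_KEY_SIZE) return Severity.ACTION;
		return keyLength < RSA_RECOMMENDED_KEY_SIZE ? Severity.ATTENTION : Severity.OK;
	}

	// Severity is determined first; the icon is read from it only at the end.
	static Severity certificateSeverity(String signatureAlgorithm, String keyType, int keyLength) {
		Severity s = isWeakSignatureAlgorithm(signatureAlgorithm) ? Severity.ACTION : Severity.OK;
		return "RSA".equalsIgnoreCase(keyType) ? s.worst(rsaKeySeverity(keyLength)) : s;
	}

	public static void main(String[] args) {
		// Constructed samples: signature algorithm and RSA key length.
		Object[][] samples = {{"SHA256withRSA", 4096}, {"SHA256withRSA", 1536}, {"MD5withRSA", 2048}};
		for (Object[] c : samples) {
			int bits = (Integer) c[1];
			Severity s = certificateSeverity((String) c[0], "RSA", bits);
			String remark = bits < RSA_RECOMMENDED_KEY_SIZE ? MessageFormat.format(RSA_KEY_SIZE_PATTERN, String.valueOf(bits), String.valueOf(RSA_RECOMMENDED_KEY_SIZE)) : "";
			System.out.println(c[0] + " / " + bits + " bits -> " + s + " (" + s.icon + ") " + remark);
		}
	}
}
```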

