RFR: 8272875: Change the default key manager to PKIX
Anthony Scarpino
ascarpino at openjdk.org
Wed Apr 23 23:30:42 UTC 2025
On Fri, 18 Apr 2025 17:04:56 GMT, Artur Barashev <abarashev at openjdk.org> wrote:
> The current key manager is SunX509, which is configured in the java.security. The SunX509 algorithm does not check of the local certificate. The PKIX algorithm should be preferred now so that the default key manager could be more robust.
Do we understand why this is so much slower? I wouldn't have thought extra checking would cause this big of a performance hit.
test/jdk/sun/net/www/protocol/https/HttpsClient/ServerIdentityTest.java line 147:
> 145:
> 146: KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
> 147: kpg.initialize(2048);
I would not specify the key size and let the provider default set it. That could expose any problems between constraints and provider defaults, also it future proofs the test when key sizes are increased some day in the future.
-------------
PR Review: https://git.openjdk.org/jdk/pull/24756#pullrequestreview-2788272968
PR Review Comment: https://git.openjdk.org/jdk/pull/24756#discussion_r2056617930
More information about the net-dev
mailing list