RFR: 8272875: Change the default key manager to PKIX
Artur Barashev
abarashev at openjdk.org
Thu Apr 24 14:24:49 UTC 2025
On Wed, 23 Apr 2025 17:54:38 GMT, Anthony Scarpino <ascarpino at openjdk.org> wrote:
>> The current key manager is SunX509, which is configured in the java.security. The SunX509 algorithm does not check the local certificate. The PKIX algorithm should be preferred now so that the default key manager could be more robust.
>
> test/jdk/sun/net/www/protocol/https/HttpsClient/ServerIdentityTest.java line 147:
>
>> 145:
>> 146: KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
>> 147: kpg.initialize(2048);
>
> I would not specify the key size and let the provider default set it. That could expose any problems between constraints and provider defaults, also it future proofs the test when key sizes are increased some day in the future.
I see! I'll update the test, thanks!
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24756#discussion_r2058574827
More information about the net-dev
mailing list