RFR: 8359956: Support algorithm constraints and certificate checks in SunX509 key manager [v9]

Sean Mullan mullan at openjdk.org
Fri Jun 20 14:06:30 UTC 2025 

On Wed, 18 Jun 2025 21:35:47 GMT, Artur Barashev <abarashev at openjdk.org> wrote:

>> SunX509 key manager should support the same certificate checks that are supported by PKIX key manager.
>> 
>> Effectively there should be only 2 differences between 2 key managers:
>> - PKIX supports multiple key stores through KeyStore.Builder interface while SunX509 supports only a single keystore.
>> - SunX509 caches its whole key store on initialization thus improving performance. This means that subsequent modifications of the KeyStore have no effect on SunX509 KM, unlike PKIX .
>> 
>> **SUNX509 KeyManager performance before the change**
>> Benchmark                                    (resume)  (tlsVersion)   Mode  Cnt      Score     Error  Units
>> SSLHandshake.doHandshake      true       TLSv1.2  thrpt   15  19758.012 ± 758.237  ops/s
>> SSLHandshake.doHandshake      true           TLS  thrpt   15   1861.695 ±  14.681  ops/s
>> SSLHandshake.doHandshake     false       TLSv1.2  thrpt   15   **1186.962** ±  12.085  ops/s
>> SSLHandshake.doHandshake     false           TLS  thrpt   15   **1056.288** ±   7.197  ops/s
>> 
>> **SUNX509 KeyManager performance after the change**
>> Benchmark                 (resume)  (tlsVersion)   Mode  Cnt      Score     Error  Units
>> SSLHandshake.doHandshake      true       TLSv1.2  thrpt   15  20954.399 ± 260.817  ops/s
>> SSLHandshake.doHandshake      true           TLS  thrpt   15   1813.401 ±  13.917  ops/s
>> SSLHandshake.doHandshake     false       TLSv1.2  thrpt   15   **1158.190** ±   6.023  ops/s
>> SSLHandshake.doHandshake     false           TLS  thrpt   15   **1012.988** ±  10.943  ops/s
>
> Artur Barashev has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Update system property name in one more test

test/jdk/sun/security/mscapi/ShortRSAKeyWithinTLS.java line 238:

> 236:         // Disable KeyManager's algorithm constraints checking.
> 237:         System.setProperty(
> 238:                 "jdk.tls.SunX509keymanager.certSelectionChecking", "false");

What if you instead just removed "RSA keySize < 1024" from the `jdk.certpath.disabledAlgorithms` security property - would this test still pass? This way you could still test the other parts of the cert selection code.

This same comment applies to other tests where you have set the `jdk.tls.SunX509keymanager.certSelectionChecking` property to false.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/25016#discussion_r2159064375

More information about the net-dev mailing list