RFR: 8359956: Support algorithm constraints and certificate checks in SunX509 key manager [v9]
Sean Mullan
mullan at openjdk.org
Fri Jun 20 14:06:30 UTC 2025
On Wed, 18 Jun 2025 21:35:47 GMT, Artur Barashev <abarashev at openjdk.org> wrote:
>> SunX509 key manager should support the same certificate checks that are supported by PKIX key manager.
>>
>> Effectively there should be only 2 differences between 2 key managers:
>> - PKIX supports multiple key stores through KeyStore.Builder interface while SunX509 supports only a single keystore.
>> - SunX509 caches its whole key store on initialization thus improving performance. This means that subsequent modifications of the KeyStore have no effect on SunX509 KM, unlike PKIX .
>>
>> **SUNX509 KeyManager performance before the change**
>> Benchmark (resume) (tlsVersion) Mode Cnt Score Error Units
>> SSLHandshake.doHandshake true TLSv1.2 thrpt 15 19758.012 ± 758.237 ops/s
>> SSLHandshake.doHandshake true TLS thrpt 15 1861.695 ± 14.681 ops/s
>> SSLHandshake.doHandshake false TLSv1.2 thrpt 15 **1186.962** ± 12.085 ops/s
>> SSLHandshake.doHandshake false TLS thrpt 15 **1056.288** ± 7.197 ops/s
>>
>> **SUNX509 KeyManager performance after the change**
>> Benchmark (resume) (tlsVersion) Mode Cnt Score Error Units
>> SSLHandshake.doHandshake true TLSv1.2 thrpt 15 20954.399 ± 260.817 ops/s
>> SSLHandshake.doHandshake true TLS thrpt 15 1813.401 ± 13.917 ops/s
>> SSLHandshake.doHandshake false TLSv1.2 thrpt 15 **1158.190** ± 6.023 ops/s
>> SSLHandshake.doHandshake false TLS thrpt 15 **1012.988** ± 10.943 ops/s
>
> Artur Barashev has updated the pull request incrementally with one additional commit since the last revision:
>
> Update system property name in one more test
test/jdk/sun/security/mscapi/ShortRSAKeyWithinTLS.java line 238:
> 236: // Disable KeyManager's algorithm constraints checking.
> 237: System.setProperty(
> 238: "jdk.tls.SunX509keymanager.certSelectionChecking", "false");
What if you instead just removed "RSA keySize < 1024" from the `jdk.certpath.disabledAlgorithms` security property - would this test still pass? This way you could still test the other parts of the cert selection code.
This same comment applies to other tests where you have set the `jdk.tls.SunX509keymanager.certSelectionChecking` property to false.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/25016#discussion_r2159064375
More information about the net-dev
mailing list