Code Review Request, JDK-8207029 Unable to use custom SSLEngine with default TrustManagerFactory after updating to JDK 11 b21

Bradford Wetmore bradford.wetmore at oracle.com
Fri Jul 13 00:06:00 UTC 2018


The code itself looks good, but I didn't see a regression tests.  Is 
this what JDK-8207174 will be for?

On 7/11/2018 11:53 PM, Alan Bateman wrote:
> On 12/07/2018 05:47, Xuelei Fan wrote:

>> It's an interesting user case of the TrustManagerFactory and 
>> KeyManagerFactory.  The KeyManager or TrustManager implementation may 
>> be not implemented in the same provider as SSLSocket/SSLEngine.
>>
>> See also 
>> http://mail.openjdk.java.net/pipermail/security-dev/2018-July/017536.html. 
>>
> Xuelei - is there follow-up work to develop some tests that use custom 
> KeyManager or TrustManager implementations that are in different 
> providers to the SSLEngine. I realize not many will do that but it seems 
> easy to break these type of scenarios if we don't have tests.

If I understand your question correctly, custom KM/TM are quite common. 
I routinely write custom impls to wrap functionality around the behavior 
of the stock TM/KM.  e.g. outputting debug information.

class MyTM extends X509TrustManager {
     private final X509TrustManager tm;
     MyTM(X509TrustManager tm) {
         theTM = tm;
     }
     checkTrusted(args)
         System.out.println(args);
         tm.checkTrusts(args)
     }
}

Brad




More information about the security-dev mailing list