Code Review Request, JDK-8207029 Unable to use custom SSLEngine with default TrustManagerFactory after updating to JDK 11 b21

Xuelei Fan xuelei.fan at oracle.com
Fri Jul 13 00:49:44 UTC 2018


On 7/12/2018 5:06 PM, Bradford Wetmore wrote:
> The code itself looks good, but I didn't see a regression tests.  Is 
> this what JDK-8207174 will be for?
> 
No, I did not have a regression test in this update.  I asked the bug 
reporter helped for the testing, and passed.  However, we definitely 
need a regression test as it is likely to happen again in the future. 
JDK-8207174 is used for the following up test development.

Thanks,
Xuelei

> On 7/11/2018 11:53 PM, Alan Bateman wrote:
>> On 12/07/2018 05:47, Xuelei Fan wrote:
> 
>>> It's an interesting user case of the TrustManagerFactory and 
>>> KeyManagerFactory.  The KeyManager or TrustManager implementation may 
>>> be not implemented in the same provider as SSLSocket/SSLEngine.
>>>
>>> See also 
>>> http://mail.openjdk.java.net/pipermail/security-dev/2018-July/017536.html. 
>>>
>> Xuelei - is there follow-up work to develop some tests that use custom 
>> KeyManager or TrustManager implementations that are in different 
>> providers to the SSLEngine. I realize not many will do that but it 
>> seems easy to break these type of scenarios if we don't have tests.
> 
> If I understand your question correctly, custom KM/TM are quite common. 
> I routinely write custom impls to wrap functionality around the behavior 
> of the stock TM/KM.  e.g. outputting debug information.
> 
> class MyTM extends X509TrustManager {
>      private final X509TrustManager tm;
>      MyTM(X509TrustManager tm) {
>          theTM = tm;
>      }
>      checkTrusted(args)
>          System.out.println(args);
>          tm.checkTrusts(args)
>      }
> }
> 
> Brad
> 


More information about the security-dev mailing list