RFR: 8148188: Enhance the security libraries to record events of interest
Sean Mullan
sean.mullan at oracle.com
Wed Nov 14 13:15:41 UTC 2018
On 11/13/18 1:53 PM, Sean Mullan wrote:
> * src/java.base/share/classes/sun/security/x509/X509CertImpl.java
>
> 158 // Event recording cache list
> 159 private List<Integer> recordedCerts;
>
> Shouldn't this be static? Otherwise each certificate would have it's own
> instance and duplicates would not be detected.
Thinking more about this, this List has the potential to contain a lot
of entries if there are many certificates and there is no way to control
the size. It might be better to leverage the existing in-memory
certificate cache in sun/security/provider/X509Factory.java:
private static final Cache<Object, X509CertImpl> certCache
= Cache.newSoftMemoryCache(750);
Could you look into moving the code from X509CertImpl to X509Factory
instead? In engineGenerateCertificate, you could do the commit only if
it is added to the cache:
try {
byte[] encoding = readOneBlock(is);
if (encoding != null) {
X509CertImpl cert = getFromCache(certCache, encoding);
if (cert != null) {
return cert;
}
cert = new X509CertImpl(encoding);
addToCache(certCache, cert.getEncodedInternal(), cert);
commitEvent();
return cert;
This way you could leverage the same cache. Duplicates could get
recorded but only if the constraints on the cache are exceeded. This
seems like a fair tradeoff.
--Sean
More information about the security-dev
mailing list