RFR: 8292033: Move jdk.X509Certificate event logic to JCA layer [v3]
Sean Mullan
mullan at openjdk.org
Tue Nov 1 18:22:33 UTC 2022
On Thu, 27 Oct 2022 10:04:07 GMT, Sean Coffey <coffeys at openjdk.org> wrote:
> Thanks for the feedback Sean. Yes - this event should also cater for the internal `new X509CertImpl` type calls that are sprinkled through some of the security libraries.
>
> Some look a bit suspicious perhaps? I see OCSP/CertPath type calls to `new X509CertImpl` --- given that CertPath and CertificateFactory are viewed as two different services at the JCA level, I wonder if they should be routing calls back to `java.security.cert.CertificateFactory#generateCertificate` when generating certs?
Yes, that code should ideally go through `CertificateFactory` and not call `new X509CertImpl` directly.
There's some old code in `sun.security.pkcs.PKCS7` that also calls `new X509CertImpl` if it cannot instantiate an X.509 `CertificateFactory`, but I think that code can be removed since an "X.509" `CertificateFactory` is a requirement.
-------------
PR: https://git.openjdk.org/jdk/pull/10422