RFR: 8292033: Move jdk.X509Certificate event logic to JCA layer [v4]
Sean Coffey
coffeys at openjdk.org
Thu Nov 3 23:27:31 UTC 2022
On Thu, 3 Nov 2022 17:54:35 GMT, Sean Mullan <mullan at openjdk.org> wrote:
> Do you think it is that useful to have keytool record events? Ok, I guess some apps could be execing keytool, but that would be in a separate process, and probably wouldn't have JFR enabled. Also, these certs, if used for authentication usages will eventually come back into the runtime through CertificateFactory.
I figured it would be useful. keytool is an important generator of X509 certs. Why not give the opportunity to record them if JFR is enabled, etc.? -J-XX:StartFlightRecording passed to keytool is sufficient to capture a recording.
The certs could be deployed out to any software stack I guess. Java being one possibility.
I see your point about recording of constructor with X509CertInfo now. The keytool eventually re-loads the newly generated cert. I'll look at editing. (duplicate record)
jdk.X509Certificate {
startTime = 23:16:53.687 (2022-11-03)
algorithm = N/A
serialNumber = "44ffbec5b6f38b64"
subject = "CN=test.oracle.com, OU=JPG, C=US"
issuer = "CN=test.oracle.com, OU=JPG, C=US"
keyType = "RSA"
keyLength = 2048
certificateId = 0
validFrom = 23:16:53.686 (2022-11-03)
validUntil = 23:16:53.686 (2023-11-03)
eventThread = "main" (javaThreadId = 1)
stackTrace = [
sun.security.jca.JCAUtil.tryCommitCertEvent(Certificate) line: 129
sun.security.x509.X509CertImpl.<init>(X509CertInfo) line: 290
sun.security.tools.keytool.CertAndKeyGen.getSelfCertificate(X500Name, Date, long, CertificateExtensions) line: 340
sun.security.tools.keytool.Main.doGenKeyPair(String, String, String, int, String, String, String) line: 2013
sun.security.tools.keytool.Main.doCommands(PrintStream) line: 1180
...
]
}
jdk.X509Certificate {
startTime = 23:16:53.901 (2022-11-03)
algorithm = "SHA384withRSA"
serialNumber = "44ffbec5b6f38b64"
subject = "CN=test.oracle.com, OU=JPG, C=US"
issuer = "CN=test.oracle.com, OU=JPG, C=US"
keyType = "RSA"
keyLength = 2048
certificateId = 1683785197
validFrom = 23:16:53.000 (2022-11-03)
validUntil = 23:16:53.000 (2023-11-03)
eventThread = "main" (javaThreadId = 1)
stackTrace = [
sun.security.jca.JCAUtil.tryCommitCertEvent(Certificate) line: 129
java.security.cert.CertificateFactory.generateCertificate(InputStream) line: 356
sun.security.pkcs12.PKCS12KeyStore.loadSafeContents(DerInputStream) line: 2428
sun.security.pkcs12.PKCS12KeyStore.lambda$engineLoad$1(AlgorithmParameters, byte[], char[]) line: 2127
sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12KeyStore$RetryWithZero, char[]) line: 257
]
-------------
PR: https://git.openjdk.org/jdk/pull/10422
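The duplicate-record problem discussed above (one jdk.X509Certificate event committed from the X509CertImpl constructor, a second from CertificateFactory.generateCertificate for the same certificate) is easy to spot mechanically in a `jfr print` dump. The following is an added example, not code from the message or from the JDK pull request: it parses the textual layout shown in the two records above and groups events by issuer and serial number, which is the stable key when one of the records carries `algorithm = N/A` and `certificateId = 0` (the constructor path, where the signature algorithm and hash id are not yet known). The sample dump is constructed from the two records in the message, with the stack traces trimmed, and the layout rules assumed are exactly those visible in those records.

```python
import re
from collections import defaultdict

# Constructed sample: the two records quoted in the message, in the layout `jfr print` emits.
SAMPLE_DUMP = """\
jdk.X509Certificate {
  startTime = 23:16:53.687 (2022-11-03)
  algorithm = N/A
  serialNumber = "44ffbec5b6f38b64"
  subject = "CN=test.oracle.com, OU=JPG, C=US"
  issuer = "CN=test.oracle.com, OU=JPG, C=US"
  keyType = "RSA"
  keyLength = 2048
  certificateId = 0
  eventThread = "main" (javaThreadId = 1)
  stackTrace = [
    sun.security.jca.JCAUtil.tryCommitCertEvent(Certificate) line: 129
    sun.security.x509.X509CertImpl.<init>(X509CertInfo) line: 290
    sun.security.tools.keytool.CertAndKeyGen.getSelfCertificate(X500Name, Date, long, CertificateExtensions) line: 340
    ...
  ]
}
jdk.X509Certificate {
  startTime = 23:16:53.901 (2022-11-03)
  algorithm = "SHA384withRSA"
  serialNumber = "44ffbec5b6f38b64"
  subject = "CN=test.oracle.com, OU=JPG, C=US"
  issuer = "CN=test.oracle.com, OU=JPG, C=US"
  keyType = "RSA"
  keyLength = 2048
  certificateId = 1683785197
  eventThread = "main" (javaThreadId = 1)
  stackTrace = [
    sun.security.jca.JCAUtil.tryCommitCertEvent(Certificate) line: 129
    java.security.cert.CertificateFactory.generateCertificate(InputStream) line: 356
    sun.security.pkcs12.PKCS12KeyStore.loadSafeContents(DerInputStream) line: 2428
  ]
}
"""

EVENT_RE = re.compile(r"^(?P<name>[\w.]+) \{$")      # e.g. 'jdk.X509Certificate {'
FIELD_RE = re.compile(r"^(?P<key>\w+) = (?P<value>.*)$")


def _unquote(value):
    """Strip the surrounding double quotes that `jfr print` puts around string fields."""
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def parse_jfr_print(text):
    """Parse `jfr print` text output into a list of dicts (one per event).
    Scalar fields become string values; the stackTrace block becomes a list of frame lines."""
    events, current, in_stack = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if current is None:                      # waiting for the next event header
            m = EVENT_RE.match(line)
            if m:
                current = {"_name": m.group("name"), "stackTrace": []}
            continue
        if in_stack:                             # inside 'stackTrace = [ ... ]'
            if line == "]":
                in_stack = False
            elif line != "...":                  # '...' marks a truncated trace
                current["stackTrace"].append(line)
            continue
        if line == "}":                          # end of event
            events.append(current)
            current = None
        elif line == "stackTrace = [":
            in_stack = True
        else:
            m = FIELD_RE.match(line)
            if m:
                current[m.group("key")] = _unquote(m.group("value"))
    return events


def is_constructor_path_record(event):
    """True for the record committed before the cert is signed/encoded (no algorithm, id 0)."""
    return event.get("algorithm") == "N/A" or event.get("certificateId") == "0"


def committing_entry_point(event):
    """Return the first frame below JCAUtil.tryCommitCertEvent, without its argument list."""
    for frame in event["stackTrace"]:
        if not frame.startswith("sun.security.jca.JCAUtil."):
            return frame.split("(")[0]
    return "unknown"


def find_duplicate_cert_events(events):
    """Group jdk.X509Certificate events by (issuer, serialNumber); certificateId cannot be
    used because the constructor-path record reports 0. Returns only groups seen >1 times."""
    groups = defaultdict(list)
    for ev in events:
        if ev["_name"] == "jdk.X509Certificate":
            groups[(ev["issuer"], ev["serialNumber"])].append(ev)
    return {key: evs for key, evs in groups.items() if len(evs) > 1}


if __name__ == "__main__":
    parsed = parse_jfr_print(SAMPLE_DUMP)
    for (issuer, serial), evs in find_duplicate_cert_events(parsed).items():
        print(f"duplicate: issuer={issuer} serial={serial}")
        for ev in evs:
            print(f"  {ev['startTime']}  via {committing_entry_point(ev)}"
                  f"{'  (constructor path)' if is_constructor_path_record(ev) else ''}")
```

Run against a real recording with `jfr print --events jdk.X509Certificate recording.jfr | python3 this_script.py`-style piping by replacing SAMPLE_DUMP with stdin; for the sample above it reports one duplicate group, whose first record came via X509CertImpl.<init> and whose second came via CertificateFactory.generateCertificate.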