RFR: 8292033: Move jdk.X509Certificate event logic to JCA layer [v4]
Sean Mullan
mullan at openjdk.org
Fri Nov 4 20:02:27 UTC 2022
On Thu, 3 Nov 2022 23:25:29 GMT, Sean Coffey <coffeys at openjdk.org> wrote:
> > Do you think it is that useful to have keytool record events? Ok, I guess some apps could be exec-ing keytool, but that would be in a separate process, and probably wouldn't have JFR enabled. Also, these certs, if used for authentication usages, will eventually come back into the runtime through CertificateFactory.
>
> I figured it would be useful. keytool is an important generator of X509 certs. Why not give the opportunity to record them if JFR is enabled, etc.? -J-XX:StartFlightRecording passed to keytool is sufficient to capture a recording.
>
> The certs could be deployed out to any software stack I guess. Java being one possibility.
I think the threat level is a bit different than certificates that are actually parsed and potentially being used by applications to authenticate servers, etc., so I would be wary of treating these events with equivalence. These certificates may never be used by applications, and if they are, then there will be an event for that.
Also, with keytool, you have direct control over what algorithms, key sizes, validity, etc. are being used, whereas in an app case, you don't really know until you parse the certificate and see what it contains.
-------------
PR: https://git.openjdk.org/jdk/pull/10422