RFR: 8292033: Move jdk.X509Certificate event logic to JCA layer [v3]
Sean Mullan
mullan at openjdk.org
Tue Oct 25 20:13:40 UTC 2022
On Tue, 25 Oct 2022 14:56:15 GMT, Sean Coffey <coffeys at openjdk.org> wrote:
>> By moving the JFR event up to the java.security.cert.CertificateFactory class, we can record all generate cert events, including those from 3rd party providers. I've also altered the logic so that an event is generated for every generate cert call (not just ones missing from the JDK provider implementation cache)
>>
>> Test case also updated to capture new logic
>
> Sean Coffey has updated the pull request incrementally with one additional commit since the last revision:
>
> Use X500Principal#toString()
I think this will miss cases where the certificates are part of a chain, and the application (or JDK code) is calling `CertificateFactory.generateCertPath` or `generateCertificates`, whereas the previous code would not have missed it (if not using a 3rd-party provider) as it was firing the event at a lower layer in the provider code.
I think this is fixable though. In these methods, you can iterate over the certificates that are in the `Collection` or `CertPath` and log an event for each.
-------------
PR: https://git.openjdk.org/jdk/pull/10422
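The suggestion in the reply above (iterate over the certificates in the `Collection` or `CertPath` and fire one event per certificate) written out against public API only, as an added example that is not code from the PR or the JDK. It wraps `CertificateFactory` so that every `generate*` entry point, including the chain-producing `generateCertificates` and `generateCertPath`, records a JFR event per certificate. The event type `demo.X509CertificateParsed`, the `RecordingCertFactory` wrapper and the use of the running JDK's own `cacerts` as demo input are assumptions of this example; the JDK's internal `jdk.X509Certificate` event is not used.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collection;
import java.util.Enumeration;
import java.util.List;
import jdk.jfr.Category;
import jdk.jfr.Event;
import jdk.jfr.Label;
import jdk.jfr.Name;

// Hypothetical event type for this example; NOT the JDK's internal jdk.X509Certificate event.
@Name("demo.X509CertificateParsed")
@Label("X.509 Certificate Parsed")
@Category({"Demo", "Security"})
final class CertParsedEvent extends Event {
    @Label("Signature Algorithm") String algorithm;
    @Label("Serial Number")       String serialNumber;
    @Label("Subject")             String subject;
    @Label("Issuer")              String issuer;
    @Label("Key Type")            String keyType;
    @Label("Key Length")          int keyLength;
    @Label("Valid From")          long validFrom;
    @Label("Valid Until")         long validUntil;
}

// Wrapper around CertificateFactory: every generate* entry point records one event per
// certificate it produced, so chains parsed via generateCertificates/generateCertPath
// are not under-reported relative to single generateCertificate calls.
public final class RecordingCertFactory {
    private final CertificateFactory cf;
    RecordingCertFactory(CertificateFactory cf) { this.cf = cf; }

    Certificate generateCertificate(InputStream in) throws CertificateException {
        Certificate c = cf.generateCertificate(in);
        record(c);
        return c;
    }

    Collection<? extends Certificate> generateCertificates(InputStream in) throws CertificateException {
        Collection<? extends Certificate> certs = cf.generateCertificates(in);
        for (Certificate c : certs) record(c);            // one event per member, not one per call
        return certs;
    }

    CertPath generateCertPath(InputStream in) throws CertificateException {
        CertPath path = cf.generateCertPath(in);
        for (Certificate c : path.getCertificates()) record(c);
        return path;
    }

    CertPath generateCertPath(List<? extends Certificate> certs) throws CertificateException {
        CertPath path = cf.generateCertPath(certs);
        for (Certificate c : path.getCertificates()) record(c);
        return path;
    }

    private static void record(Certificate c) {
        if (!(c instanceof X509Certificate x)) return;    // only X.509 carries these fields
        CertParsedEvent e = new CertParsedEvent();
        if (!e.isEnabled()) return;                      // avoid field extraction when JFR is off
        e.algorithm    = x.getSigAlgName();
        e.serialNumber = x.getSerialNumber().toString(16);
        e.subject      = x.getSubjectX500Principal().toString();   // X500Principal#toString, as in the PR
        e.issuer       = x.getIssuerX500Principal().toString();
        e.keyType      = x.getPublicKey().getAlgorithm();
        e.keyLength    = keyLength(x.getPublicKey());
        e.validFrom    = x.getNotBefore().getTime();
        e.validUntil   = x.getNotAfter().getTime();
        e.commit();
    }

    private static int keyLength(PublicKey k) {
        if (k instanceof RSAPublicKey rsa) return rsa.getModulus().bitLength();
        if (k instanceof ECPublicKey ec)   return ec.getParams().getCurve().getField().getFieldSize();
        return -1;                                        // other key types: length not reported
    }

    // Demo input (constructed at run time): trust anchors from the running JDK's cacerts,
    // re-encoded as a PEM bundle, so the example runs offline with no fabricated cert bytes.
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(
                Path.of(System.getProperty("java.home"), "lib", "security", "cacerts"))) {
            ks.load(in, "changeit".toCharArray());        // default cacerts password
        }
        List<X509Certificate> anchors = new ArrayList<>();
        Base64.Encoder pem = Base64.getMimeEncoder(64, new byte[]{'\n'});
        StringBuilder bundle = new StringBuilder();
        for (Enumeration<String> al = ks.aliases(); al.hasMoreElements() && anchors.size() < 3; ) {
            X509Certificate x = (X509Certificate) ks.getCertificate(al.nextElement());
            anchors.add(x);
            bundle.append("-----BEGIN CERTIFICATE-----\n")
                  .append(pem.encodeToString(x.getEncoded()))
                  .append("\n-----END CERTIFICATE-----\n");
        }
        RecordingCertFactory f = new RecordingCertFactory(CertificateFactory.getInstance("X.509"));
        Collection<? extends Certificate> parsed = f.generateCertificates(
                new ByteArrayInputStream(bundle.toString().getBytes(StandardCharsets.US_ASCII)));
        CertPath path = f.generateCertPath(anchors);      // ordering is not validated here; parsing demo only
        System.out.println(parsed.size() + " certs from PEM, "
                + path.getCertificates().size() + " certs in CertPath, one event each");
    }
}
```

Run it with `java -XX:StartFlightRecording=filename=certs.jfr RecordingCertFactory` and inspect the recording with `jfr print --events demo.X509CertificateParsed certs.jfr`: with three anchors, the PEM bundle and the list-based `CertPath` each yield three events, where a per-call event would have yielded one. The `isEnabled()` check before filling fields keeps the cost negligible when no recording is active, which matters on a hot path such as TLS handshake chain parsing.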