RFR: 8292033: Move jdk.X509Certificate event logic to JCA layer [v3]

Sean Coffey coffeys at openjdk.org
Thu Oct 27 10:06:24 UTC 2022


On Tue, 25 Oct 2022 14:56:15 GMT, Sean Coffey <coffeys at openjdk.org> wrote:

>> By moving the JFR event up to the java.security.cert.CertificateFactory class, we can record all generate cert events, including those from 3rd party providers. I've also altered the logic so that an event is generated for every generate cert call (not just ones missing from the JDK provider implementation cache).
>> 
>> test case also updated to capture new logic
>
> Sean Coffey has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Use X500Principal#toString()

Thanks for the feedback Sean. Yes - this event should also cater for the internal `new X509CertImpl` type calls that are sprinkled through some of the security libraries.

Some look a bit suspicious perhaps? I see OCSP/CertPath type calls to `new X509CertImpl` --- given that CertPath and CertificateFactory are viewed as two different services at the JCA level, I wonder if they should be routing calls back to `java.security.cert.CertificateFactory#generateCertificate` when generating certs?

I'll study further and see if we can maximize the number of X509Certificate JFR events that are captured.

-------------

PR: https://git.openjdk.org/jdk/pull/10422


