RFR: 8359956: Support algorithm constraints and certificate checks in SunX509 key manager [v14]

Sean Mullan mullan at openjdk.org
Tue Jul 29 19:53:00 UTC 2025 

On Tue, 29 Jul 2025 15:11:45 GMT, Artur Barashev <abarashev at openjdk.org> wrote:

>> SunX509 key manager should support the same certificate checks that are supported by PKIX key manager.
>> 
>> Effectively there should be only 2 differences between 2 key managers:
>> - PKIX supports multiple key stores through KeyStore.Builder interface while SunX509 supports only a single keystore.
>> - SunX509 caches its whole key store on initialization thus improving performance. This means that subsequent modifications of the KeyStore have no effect on SunX509 KM, unlike PKIX .
>> 
>> **SUNX509 KeyManager performance before the change**
>> Benchmark                                    (resume)  (tlsVersion)   Mode  Cnt      Score     Error  Units
>> SSLHandshake.doHandshake      true       TLSv1.2  thrpt   15  19758.012 ± 758.237  ops/s
>> SSLHandshake.doHandshake      true           TLS  thrpt   15   1861.695 ±  14.681  ops/s
>> SSLHandshake.doHandshake     false       TLSv1.2  thrpt   15   **1186.962** ±  12.085  ops/s
>> SSLHandshake.doHandshake     false           TLS  thrpt   15   **1056.288** ±   7.197  ops/s
>> 
>> **SUNX509 KeyManager performance after the change**
>> Benchmark                 (resume)  (tlsVersion)   Mode  Cnt      Score     Error  Units
>> SSLHandshake.doHandshake      true       TLSv1.2  thrpt   15  20954.399 ± 260.817  ops/s
>> SSLHandshake.doHandshake      true           TLS  thrpt   15   1813.401 ±  13.917  ops/s
>> SSLHandshake.doHandshake     false       TLSv1.2  thrpt   15   **1158.190** ±   6.023  ops/s
>> SSLHandshake.doHandshake     false           TLS  thrpt   15   **1012.988** ±  10.943  ops/s
>
> Artur Barashev has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Address review comments

src/java.base/share/classes/sun/security/ssl/X509KeyManagerCertChecking.java line 58:

> 56:  * Layer that adds algorithm constraints and certificate checking to a key
> 57:  * manager.
> 58:  */

Can you add some more comments about the algorithm it uses for selecting certificates (when certChecking is enabled)? In other words, what the preference order is for selecting certs, and which certificates are not chosen due to disabled algs, or other reasons. You can probably copy some/most of this from the comments in `X509KeyManagerImpl`.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/25016#discussion_r2240798471

More information about the security-dev mailing list