RFR: 8358594: Misleading keyLength value captured in JFR event for ML-KEM key [v3]
Sean Mullan
mullan at openjdk.org
Thu Jun 5 13:06:54 UTC 2025
On Thu, 5 Jun 2025 01:26:04 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> Add more comment on why `KeyUtil::getKeySize` could return -1. Add a new method `getNistCategory` to get the NIST security category.
>
> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
>
> enhance test to be exhaustive
I think that the JFR event should not print -1 for the key size for ML-KEM keys, and should be able to identify a key type that doesn't have a key size and emit something else. Otherwise I think the issue reported in this bug is still an issue because users won't understand what -1 means.
I actually think logging the ML-KEM variant (ex: ML-KEM-768) would be most useful. Nobody other than crypto experts are going to understand the NIST security levels, it's not much more user friendly than -1 in my opinion.
Perhaps the JFR code could see if the key implements `NamedX509Key` and then print out the `NamedParameterSpec` constant.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/25642#issuecomment-2944214724
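The approach sketched in the reply above, as an added example that is not part of the thread, the PR, or the JDK's own `KeyUtil`: instead of testing for the internal `sun.security.x509.NamedX509Key`, this hypothetical `KeyDescriber` uses the public `java.security.AsymmetricKey.getParams()` (JDK 22+) to detect keys whose strength is fixed by a named parameter set (ML-KEM-768, Ed25519, X448, ...) and reports that name; keys whose strength is a bit length (RSA, EC, DSA, DH) report the bit length; everything else reports "key size not applicable" rather than the -1 sentinel. The `main` method assumes a JDK 24 or later runtime so that `ML-KEM-768` is available from `KeyPairGenerator`; on an older JDK that line throws `NoSuchAlgorithmException`.

```java
import java.security.AsymmetricKey;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.DSAKey;
import java.security.interfaces.ECKey;
import java.security.interfaces.RSAKey;
import java.security.spec.NamedParameterSpec;
import java.util.OptionalInt;
import javax.crypto.interfaces.DHKey;

// Hypothetical helper for an event/log field (example code, not the JDK's
// KeyUtil and not the PR under review). Keys with a named parameter set report
// that name; keys with a bit-length strength report the bit length; anything
// else reports that the size is not applicable instead of a -1 sentinel.
public final class KeyDescriber {

    private KeyDescriber() {}

    /** Bit length for key types whose strength is a modulus, curve order or group size. */
    public static OptionalInt keySizeBits(Key key) {
        if (key instanceof RSAKey rsa) {
            return OptionalInt.of(rsa.getModulus().bitLength());
        }
        if (key instanceof ECKey ec) {
            return OptionalInt.of(ec.getParams().getOrder().bitLength());
        }
        if (key instanceof DSAKey dsa && dsa.getParams() != null) {
            return OptionalInt.of(dsa.getParams().getP().bitLength());
        }
        if (key instanceof DHKey dh) {
            return OptionalInt.of(dh.getParams().getP().bitLength());
        }
        return OptionalInt.empty();
    }

    /**
     * Name of the key's parameter set, or null if the key does not carry a
     * NamedParameterSpec. Uses the public AsymmetricKey.getParams() added in
     * JDK 22; ML-KEM, EdDSA and XDH keys all answer with a NamedParameterSpec.
     */
    public static String namedParameterSet(Key key) {
        if (key instanceof AsymmetricKey ak
                && ak.getParams() instanceof NamedParameterSpec nps) {
            return nps.getName();
        }
        return null;
    }

    /** One human-readable string suitable for an event field. */
    public static String describe(Key key) {
        String named = namedParameterSet(key);
        if (named != null) {
            return key.getAlgorithm() + " (parameter set " + named + ")";
        }
        OptionalInt bits = keySizeBits(key);
        if (bits.isPresent()) {
            return key.getAlgorithm() + " (" + bits.getAsInt() + " bits)";
        }
        return key.getAlgorithm() + " (key size not applicable)";
    }

    public static void main(String[] args) throws Exception {
        // Assumes JDK 24+ so that "ML-KEM-768" is a registered algorithm name.
        for (String alg : new String[] {"ML-KEM-768", "Ed25519", "EC", "RSA"}) {
            KeyPair kp = KeyPairGenerator.getInstance(alg).generateKeyPair();
            System.out.println(describe(kp.getPublic()));
        }
    }
}
```

Checking for a `NamedParameterSpec` before falling back to a bit length is what keeps the event meaningful for EdDSA and XDH keys as well as ML-KEM: all three expose no modulus or curve order, so a size-only path would also have produced -1 for them.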