RFR: 8358594: Misleading keyLength value captured in JFR event for ML-KEM key [v3]

Sean Mullan mullan at openjdk.org
Thu Jun 5 13:51:55 UTC 2025


On Thu, 5 Jun 2025 13:31:19 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> > Perhaps the JFR event logging code could see if the key implements `NamedX509Key` and then print out the `NamedParameterSpec` constant.
> 
> Or, just use public APIs as
> 
> ```
> if (key instanceof AsymmetricKey ak
>         && ak.getParams() instanceof NamedParameterSpec nps) {
>     print(nps.getName());
> }
> ```
> 
> This will print out `Ed25519` and `X448` as well.

Need @coffeys to weigh in on this. My suggestion is to add that code above in `JCAUtil.tryCommitCertEvent()` so that the key type is set to, for example, "ML-KEM-768" instead of "ML-KEM". Then, I would probably change `EventHelper.logX509CertificateEvent` and when the keysize passed in is -1, instead log "N/A" or some suitable text instead of "-1".

-------------

PR Comment: https://git.openjdk.org/jdk/pull/25642#issuecomment-2944467452
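
The suggestion in the message above, as an added example that is not part of the original mail or of the JDK sources: take the key type from the `NamedParameterSpec` when there is one, and render a key size of -1 as "N/A". The class and the helper names `keyType` and `keyLength` are hypothetical, the size calculation is a simplified stand-in for the JDK's internal logic, and the ML-KEM case assumes a JDK that ships ML-KEM (JDK 24 or later).

```java
import java.security.AsymmetricKey;
import java.security.Key;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAKey;
import java.security.spec.NamedParameterSpec;

public class KeyTypeLabel {

    // Hypothetical helper: prefer the parameter-set name (e.g. the name held
    // in the key's NamedParameterSpec) over the family name from getAlgorithm().
    static String keyType(Key key) {
        if (key instanceof AsymmetricKey ak
                && ak.getParams() instanceof NamedParameterSpec nps) {
            return nps.getName();
        }
        return key.getAlgorithm();
    }

    // Hypothetical helper: a negative size means "not known"; show text, not "-1".
    static String keyLength(int bits) {
        return bits < 0 ? "N/A" : Integer.toString(bits);
    }

    // Simplified stand-in for a key-size lookup (assumption, not the JDK's code):
    // only RSA keys report a size here, everything else yields -1.
    static int sizeOf(Key key) {
        return (key instanceof RSAKey rsa) ? rsa.getModulus().bitLength() : -1;
    }

    public static void main(String[] args) {
        String[] algorithms = {"ML-KEM-768", "Ed25519", "X448", "RSA"};
        for (String alg : algorithms) {
            Key pub;
            try {
                pub = KeyPairGenerator.getInstance(alg).generateKeyPair().getPublic();
            } catch (NoSuchAlgorithmException e) {
                System.out.println(alg + ": not available on this JDK");
                continue;
            }
            // Compare the family name with the label derived from the parameters.
            System.out.printf("requested=%s getAlgorithm=%s keyType=%s keyLength=%s%n",
                    alg, pub.getAlgorithm(), keyType(pub), keyLength(sizeOf(pub)));
        }
    }
}
```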

