RFR: 8358594: Misleading keyLength value captured in JFR event for ML-KEM key [v3]

Sean Coffey coffeys at openjdk.org
Fri Jun 13 14:58:40 UTC 2025


On Thu, 5 Jun 2025 13:49:38 GMT, Sean Mullan <mullan at openjdk.org> wrote:

> > > Perhaps the JFR event logging code could see if the key implements `NamedX509Key` and then print out the `NamedParameterSpec` constant.
> > 
> > 
> > Or, just use public APIs as
> > ```
> > if (key instanceof AsymmetricKey ak
> >         && ak.getParams() instanceof NamedParameterSpec nps) {
> >     print(nps.getName());
> > }
> > ```
> > 
> > This will print out `Ed25519` and `X448` as well.
> 
> Need @coffeys to weigh in on this. My suggestion is to add that code above in `JCAUtil.tryCommitCertEvent()` so that the key type is set to, for example, "ML-KEM-768" instead of "ML-KEM". Then, I would probably change `EventHelper.logX509CertificateEvent` and when the keysize passed in is -1, instead log "N/A" or some suitable text instead of "-1".

The suggested changes to the Logger part look fine to me. For the JFR event itself, `keyLength` is of type int. We'd have to think through the implications of changing this. Perhaps we can have follow-on sub-tasks or bugs for the logger and JFR changes.

The current patch looks good for enabling change.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/25642#issuecomment-2970662187
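
The labelling approach discussed in this thread, as an added example that is not part of the original message or of the JDK patch: it prefers the `NamedParameterSpec` name over the algorithm family name and renders an unknown key length of -1 as "N/A". The class and method names (`KeyTypeLabel`, `keyType`, `keyLength`, `keyLengthText`) are hypothetical, `keyLength` is a simplified stand-in for the JDK's internal key-size lookup, and the code assumes JDK 22 or later for `AsymmetricKey` (ML-KEM needs a JDK that ships it).

```java
import java.security.AsymmetricKey;
import java.security.Key;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAKey;
import java.security.spec.NamedParameterSpec;

public class KeyTypeLabel {
    // Hypothetical helper: prefer the parameter-set name (e.g. "ML-KEM-768")
    // over the family name returned by getAlgorithm() (e.g. "ML-KEM").
    static String keyType(Key key) {
        if (key instanceof AsymmetricKey ak
                && ak.getParams() instanceof NamedParameterSpec nps) {
            return nps.getName();
        }
        return key.getAlgorithm();
    }

    // Assumption: simplified stand-in for the JDK's internal key-size lookup.
    // Only RSA is sized here; every other key reports -1 ("unknown").
    static int keyLength(Key key) {
        return key instanceof RSAKey rsa ? rsa.getModulus().bitLength() : -1;
    }

    // Text for log output when the length is unknown; a JFR field declared
    // as int cannot carry this string, which is the open question above.
    static String keyLengthText(int keyLength) {
        return keyLength < 0 ? "N/A" : Integer.toString(keyLength);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: freshly generated public keys, no certificates.
        for (String alg : new String[] {"RSA", "Ed25519", "X448", "ML-KEM-768"}) {
            Key key;
            try {
                key = KeyPairGenerator.getInstance(alg).generateKeyPair().getPublic();
            } catch (NoSuchAlgorithmException e) {
                System.out.println(alg + ": not available on this JDK");
                continue;
            }
            System.out.printf("requested=%s getAlgorithm()=%s type=%s length=%s%n",
                    alg, key.getAlgorithm(), keyType(key),
                    keyLengthText(keyLength(key)));
        }
    }
}
```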

