RFR: 8292033: Move jdk.X509Certificate event logic to JCA layer [v4]

Sean Coffey coffeys at openjdk.org
Wed Nov 2 15:49:34 UTC 2022 

On Wed, 2 Nov 2022 15:42:08 GMT, Sean Coffey <coffeys at openjdk.org> wrote:

>> By moving the JFR event up to the java.security.cert.CertificateFactory class, we can record all generate cert events, including those from 3rd party providers. I've also altered the logic so that an event is genertate for every generate cert call (not just ones missing from the JDK provider implementation cache)
>> 
>> test case also updated to capture new logic
>
> Sean Coffey has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains 21 commits:
> 
>  - code clean up
>  - funnel cert events via generateCertificate only
>  - Revert use of x509 constructor helper in some areas. Clean up tests
>  - modules fix up in test
>  - Capture CertAndKeyGen certs
>  - import clean up
>  - Copyright year update
>  - Merge branch 'master' into 8292033-x509Event
>  - record events for internal constructor calls. Expand testing
>  - Use X500Principal#toString()
>  - ... and 11 more: https://git.openjdk.org/jdk/compare/cf5546b3...f430a3ee

on further reading, it turns out that code like `CertificateFactory.generateCertPath` or `generateCertificates` need not have an explicit X509Cert event recording. In theory, that implementation should call into  `CertificateFactory.generateCertificate` to generate the underlying certificates. Some of the JDK implementation doesn't go down that route and I've added an X509CertImpl getter method to help in those scenarios.  (to construct and record an X509CertImpl instance)

Recording cert events from  `CertificateFactory.generateCertPath` or `generateCertificates` would most likely lead to duplicate certificates being recorded. It depends on how the 3rd party providers are coded of course and we have no control over that.

I've beefed up the test logic to cover the various CertificateFactory methods that raised concern. I also included a CertAndGen example to cover what keytool might do in such scenarios.

@seanjmullan  - I'll log a new bug to cover the `sun.security.pkcs.PKCS7` code issues you highlight

-------------

PR: https://git.openjdk.org/jdk/pull/10422

More information about the security-dev mailing list