RFR: 8292033: Move jdk.X509Certificate event logic to JCA layer [v4]
Sean Mullan
mullan at openjdk.org
Thu Nov 3 17:58:27 UTC 2022
On Wed, 2 Nov 2022 15:42:08 GMT, Sean Coffey <coffeys at openjdk.org> wrote:
>> By moving the JFR event up to the java.security.cert.CertificateFactory class, we can record all generate cert events, including those from 3rd party providers. I've also altered the logic so that an event is genertate for every generate cert call (not just ones missing from the JDK provider implementation cache)
>>
>> test case also updated to capture new logic
>
> Sean Coffey has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains 21 commits:
>
> - code clean up
> - funnel cert events via generateCertificate only
> - Revert use of x509 constructor helper in some areas. Clean up tests
> - modules fix up in test
> - Capture CertAndKeyGen certs
> - import clean up
> - Copyright year update
> - Merge branch 'master' into 8292033-x509Event
> - record events for internal constructor calls. Expand testing
> - Use X500Principal#toString()
> - ... and 11 more: https://git.openjdk.org/jdk/compare/cf5546b3...f430a3ee
Do you think it is that useful to have keytool record events? Ok, I guess some apps could be execing keytool, but that would be in a separate process, and probably wouldn't have JFR enabled. Also, these certs, if used for authentication usages will eventually come back into the runtime through CertificateFactory.
-------------
PR: https://git.openjdk.org/jdk/pull/10422
More information about the security-dev
mailing list