RFR: 8292033: Move jdk.X509Certificate event logic to JCA layer [v5]

Sean Coffey coffeys at openjdk.org
Fri Nov 4 20:32:31 UTC 2022


On Fri, 4 Nov 2022 15:58:01 GMT, Sean Coffey <coffeys at openjdk.org> wrote:

>> By moving the JFR event up to the java.security.cert.CertificateFactory class, we can record all generate cert events, including those from 3rd party providers. I've also altered the logic so that an event is generated for every generate cert call (not just ones missing from the JDK provider implementation cache)
>> 
>> Test case also updated to capture the new logic
>
> Sean Coffey has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Further code review comments and new keytool test coverage with JFR

I'd agree with your thoughts. While it may not be a threat level, it's still a useful information point, especially in environments where hard-coded values might get embedded in some type of key generation tool. Not many might be interested, but there's an option there now with JFR to view this data at least. I don't think many will configure keytool to run with JFR.

Happy to revert the keytool change but I don't see it being too invasive in code changes.

-------------

PR: https://git.openjdk.org/jdk/pull/10422