On Fri, 18 Apr 2025 17:04:56 GMT, Artur Barashev <abaras...@openjdk.org> wrote:
> The current key manager is SunX509, which is configured in the java.security.
> The SunX509 algorithm does not check of the local certificate. The PKIX
> algorithm should be preferred now so that the default key manager could be
> more robust.
Do we understand why this is so much slower? I wouldn't have thought extra
checking would cause this big of a performance hit.
test/jdk/sun/net/www/protocol/https/HttpsClient/ServerIdentityTest.java line
147:
> 145:
> 146: KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
> 147: kpg.initialize(2048);
I would not specify the key size and let the provider default set it. That
could expose any problems between constraints and provider defaults, also it
future proofs the test when key sizes are increased some day in the future.
-------------
PR Review: https://git.openjdk.org/jdk/pull/24756#pullrequestreview-2788272968
PR Review Comment: https://git.openjdk.org/jdk/pull/24756#discussion_r2056617930
