On Thu, 27 Oct 2022 10:04:07 GMT, Sean Coffey <coff...@openjdk.org> wrote:
> Thanks for the feedback Sean. Yes - this event should also cater for the
> internal `new X509CertImpl` type calls that are sprinkled through some of the
> security libraries.
>
> Some look a bit suspicious perhaps? I see OCSP/CertPath type calls to
> `new X509CertImpl` --- given that CertPath and CertificateFactory are viewed as
> two different services at the JCA level, I wonder if they should be routing
> calls back to `java.security.cert.CertificateFactory#generateCertificate`
> when generating certs?

Yes, that code should ideally go through `CertificateFactory` and not call `new X509CertImpl` directly. There's some old code in `sun.security.pkcs.PKCS7` that also calls `new X509CertImpl` if it cannot instantiate an X.509 `CertificateFactory`, but I think that code can be removed since an "X.509" `CertificateFactory` is a requirement.

-------------

PR: https://git.openjdk.org/jdk/pull/10422