On Wed, 18 Jun 2025 21:35:47 GMT, Artur Barashev <abaras...@openjdk.org> wrote:

>> SunX509 key manager should support the same certificate checks that are 
>> supported by PKIX key manager.
>> 
>> Effectively there should be only 2 differences between the 2 key managers:
>> - PKIX supports multiple key stores through KeyStore.Builder interface while 
>> SunX509 supports only a single keystore.
>> - SunX509 caches its whole key store on initialization thus improving 
>> performance. This means that subsequent modifications of the KeyStore have 
>> no effect on SunX509 KM, unlike PKIX.
>> 
>> **SUNX509 KeyManager performance before the change**
>> Benchmark                 (resume)  (tlsVersion)   Mode  Cnt      Score     Error  Units
>> SSLHandshake.doHandshake      true       TLSv1.2  thrpt   15  19758.012 ± 758.237  ops/s
>> SSLHandshake.doHandshake      true           TLS  thrpt   15   1861.695 ±  14.681  ops/s
>> SSLHandshake.doHandshake     false       TLSv1.2  thrpt   15   **1186.962** ±  12.085  ops/s
>> SSLHandshake.doHandshake     false           TLS  thrpt   15   **1056.288** ±   7.197  ops/s
>> 
>> **SUNX509 KeyManager performance after the change**
>> Benchmark                 (resume)  (tlsVersion)   Mode  Cnt      Score     Error  Units
>> SSLHandshake.doHandshake      true       TLSv1.2  thrpt   15  20954.399 ± 260.817  ops/s
>> SSLHandshake.doHandshake      true           TLS  thrpt   15   1813.401 ±  13.917  ops/s
>> SSLHandshake.doHandshake     false       TLSv1.2  thrpt   15   **1158.190** ±   6.023  ops/s
>> SSLHandshake.doHandshake     false           TLS  thrpt   15   **1012.988** ±  10.943  ops/s
>
> Artur Barashev has updated the pull request incrementally with one additional 
> commit since the last revision:
> 
>   Update system property name in one more test

test/jdk/sun/security/mscapi/ShortRSAKeyWithinTLS.java line 238:

> 236:         // Disable KeyManager's algorithm constraints checking.
> 237:         System.setProperty(
> 238:                 "jdk.tls.SunX509keymanager.certSelectionChecking", "false");

What if you instead just removed "RSA keySize < 1024" from the 
`jdk.certpath.disabledAlgorithms` security property - would this test still 
pass? This way you could still test the other parts of the cert selection code.

This same comment applies to other tests where you have set the 
`jdk.tls.SunX509keymanager.certSelectionChecking` property to false.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/25016#discussion_r2159064375
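
The alternative raised in the review comment above, sketched as an added example (not code from the pull request or from the reviewer): drop only the `RSA keySize < 1024` entry from `jdk.certpath.disabledAlgorithms` and leave every other constraint in force. The class name `RelaxShortRsaConstraint` and the helper `removeConstraint` are hypothetical.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.stream.Collectors;

public class RelaxShortRsaConstraint {

    static final String PROP = "jdk.certpath.disabledAlgorithms";

    // Collapse runs of whitespace so "RSA  keySize<1024"-style spacing
    // differences inside an entry do not defeat the comparison.
    static String normalize(String entry) {
        return entry.trim().replaceAll("\\s+", " ");
    }

    // Return the comma-separated property value with exactly one
    // constraint entry removed; all other entries are preserved in order.
    static String removeConstraint(String value, String constraint) {
        if (value == null) {
            return "";
        }
        String wanted = normalize(constraint);
        return Arrays.stream(value.split(","))
                .map(RelaxShortRsaConstraint::normalize)
                .filter(e -> !e.isEmpty())
                .filter(e -> !e.equalsIgnoreCase(wanted))
                .collect(Collectors.joining(", "));
    }

    public static void main(String[] args) {
        // Must run before any TLS or CertPath code reads the property:
        // the JDK parses and caches these constraints on first use.
        String before = Security.getProperty(PROP);
        String after = removeConstraint(before, "RSA keySize < 1024");
        Security.setProperty(PROP, after);

        System.out.println("before: " + before);
        System.out.println("after:  " + after);
        // From here the test would build its SSLContext as usual, with the
        // key manager's certificate selection checks left enabled.
    }
}
```

Unlike setting `jdk.tls.SunX509keymanager.certSelectionChecking` to `false`, this keeps the remaining algorithm constraints active for the rest of the test.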
