Re: RFR: 8359956: Support algorithm constraints and certificate checks in SunX509 key manager [v13]

Sean Mullan Tue, 29 Jul 2025 07:43:32 -0700

On Wed, 23 Jul 2025 21:20:49 GMT, Artur Barashev <abaras...@openjdk.org> wrote:


>> SunX509 key manager should support the same certificate checks that are 
>> supported by PKIX key manager.
>> 
>> Effectively there should be only 2 differences between 2 key managers:
>> - PKIX supports multiple key stores through KeyStore.Builder interface while 
>> SunX509 supports only a single keystore.
>> - SunX509 caches its whole key store on initialization thus improving 
>> performance. This means that subsequent modifications of the KeyStore have 
>> no effect on SunX509 KM, unlike PKIX .
>> 
>> **SUNX509 KeyManager performance before the change**
>> Benchmark                                    (resume)  (tlsVersion)   Mode  
>> Cnt      Score     Error  Units
>> SSLHandshake.doHandshake      true       TLSv1.2  thrpt   15  19758.012 ± 
>> 758.237  ops/s
>> SSLHandshake.doHandshake      true           TLS  thrpt   15   1861.695 ±  
>> 14.681  ops/s
>> SSLHandshake.doHandshake     false       TLSv1.2  thrpt   15   **1186.962** 
>> ±  12.085  ops/s
>> SSLHandshake.doHandshake     false           TLS  thrpt   15   **1056.288** 
>> ±   7.197  ops/s
>> 
>> **SUNX509 KeyManager performance after the change**
>> Benchmark                 (resume)  (tlsVersion)   Mode  Cnt      Score     
>> Error  Units
>> SSLHandshake.doHandshake      true       TLSv1.2  thrpt   15  20954.399 ± 
>> 260.817  ops/s
>> SSLHandshake.doHandshake      true           TLS  thrpt   15   1813.401 ±  
>> 13.917  ops/s
>> SSLHandshake.doHandshake     false       TLSv1.2  thrpt   15   **1158.190** 
>> ±   6.023  ops/s
>> SSLHandshake.doHandshake     false           TLS  thrpt   15   **1012.988** 
>> ±  10.943  ops/s
>
> Artur Barashev has updated the pull request incrementally with one additional 
> commit since the last revision:
> 
>   Update system property name

src/java.base/share/conf/security/java.security line 29:

> 27: # an unspecified error when initializing the java.security.Security class.
> 28: # Properties in this file are typically parsed only once. If any of the
> 29: # Properties in this file are typically parsed only once. If any of the

Duplicate line added, is this an accidental change?

test/jdk/sun/security/ssl/SignatureScheme/MD5NotAllowedInTLS13CertificateSignature.java
 line 1:

> 1: /*

Needs copyright update.

test/jdk/sun/security/ssl/X509TrustManagerImpl/PKIXExtendedTM.java line 36:

> 34:  * @run main/othervm PKIXExtendedTM 1
> 35:  * @run main/othervm PKIXExtendedTM 2
> 36:  * @run main/othervm PKIXExtendedTM 3

Why did you remove these lines/test cases?

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/25016#discussion_r2240064384
PR Review Comment: https://git.openjdk.org/jdk/pull/25016#discussion_r2240068846
PR Review Comment: https://git.openjdk.org/jdk/pull/25016#discussion_r2240090370

Re: RFR: 8359956: Support algorithm constraints and certificate checks in SunX509 key manager [v13]

Reply via email to