On Tue, 29 Jul 2025 15:11:45 GMT, Artur Barashev <abaras...@openjdk.org> wrote:
>> SunX509 key manager should support the same certificate checks that are >> supported by PKIX key manager. >> >> Effectively there should be only 2 differences between 2 key managers: >> - PKIX supports multiple key stores through KeyStore.Builder interface while >> SunX509 supports only a single keystore. >> - SunX509 caches its whole key store on initialization thus improving >> performance. This means that subsequent modifications of the KeyStore have >> no effect on SunX509 KM, unlike PKIX . >> >> **SUNX509 KeyManager performance before the change** >> Benchmark (resume) (tlsVersion) Mode >> Cnt Score Error Units >> SSLHandshake.doHandshake true TLSv1.2 thrpt 15 19758.012 ± >> 758.237 ops/s >> SSLHandshake.doHandshake true TLS thrpt 15 1861.695 ± >> 14.681 ops/s >> SSLHandshake.doHandshake false TLSv1.2 thrpt 15 **1186.962** >> ± 12.085 ops/s >> SSLHandshake.doHandshake false TLS thrpt 15 **1056.288** >> ± 7.197 ops/s >> >> **SUNX509 KeyManager performance after the change** >> Benchmark (resume) (tlsVersion) Mode Cnt Score >> Error Units >> SSLHandshake.doHandshake true TLSv1.2 thrpt 15 20954.399 ± >> 260.817 ops/s >> SSLHandshake.doHandshake true TLS thrpt 15 1813.401 ± >> 13.917 ops/s >> SSLHandshake.doHandshake false TLSv1.2 thrpt 15 **1158.190** >> ± 6.023 ops/s >> SSLHandshake.doHandshake false TLS thrpt 15 **1012.988** >> ± 10.943 ops/s > > Artur Barashev has updated the pull request incrementally with one additional > commit since the last revision: > > Address review comments test/jdk/sun/security/ssl/X509KeyManager/PeerConstraintsCheck.java line 74: > 72: * This class tests against the peer supported certificate signatures > sent in > 73: * "signature_algorithms_cert" extension. > 74: */ Can you add a sentence or two about why the test should fail when the SunX509 KM is used and the certCheck property is enabled or the PKIX KM is used? I think it is because the server's cert is signed with SHA256withECDSA and the "signature_algorithms_cert" extension is set to SHA384withECDSA, so it must be signed with SHA384withECDSA, is that right? ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/25016#discussion_r2240586473