On Thu, 3 Nov 2022 23:25:29 GMT, Sean Coffey <coff...@openjdk.org> wrote:

> > Do you think it is that useful to have keytool record events? Ok, I guess 
> > some apps could be execing keytool, but that would be in a separate 
> > process, and probably wouldn't have JFR enabled. Also, these certs, if used 
> > for authentication usages will eventually come back into the runtime 
> > through CertificateFactory.
> 
> I figured it would be useful. keytool is an important generator of X509 
> certs. Why not give the opportunity to record them if JFR is enabled, etc.? 
> -J-XX:StartFlightRecording passed to keytool is sufficient to capture a 
> recording.
> 
> The certs could be deployed out to any software stack I guess. Java being one 
> possibility.

I think the threat level is a bit different than certificates that are actually 
parsed and potentially being used by applications to authenticate servers, etc, 
so I would be wary of treating these events with equivalence. These 
certificates may never be used by applications, and if they are, then there 
will be an event for that. 

Also with keytool, you have direct control over what algorithms, key sizes, 
validity, etc. are being used, whereas in an app case, you don't really know 
until you parse the certificate and see what it contains.

-------------

PR: https://git.openjdk.org/jdk/pull/10422
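Added example (not from the PR or the JDK sources): a small reader that pulls the built-in `jdk.X509Certificate` events out of a JFR recording, such as one captured with `keytool -J-XX:StartFlightRecording=filename=keytool.jfr ...` or from an application started with the same flag, and flags key sizes below a threshold. The class name, the default file name and the size thresholds are assumptions for illustration; the event name and field names are those of the JDK's existing event.

```java
import java.nio.file.Path;
import jdk.jfr.consumer.RecordedEvent;
import jdk.jfr.consumer.RecordingFile;

/** Hypothetical helper: summarise jdk.X509Certificate events in a recording. */
public class CertEventReport {

    // Policy thresholds chosen for this example, not mandated by the JDK.
    static boolean isWeak(String keyType, int keyLength) {
        if ("RSA".equals(keyType) || "DSA".equals(keyType)) return keyLength < 2048;
        if ("EC".equals(keyType)) return keyLength < 256;
        return false; // unknown key types are reported but not judged
    }

    public static void main(String[] args) throws Exception {
        // Assumed default: a recording written by keytool started with
        //   -J-XX:StartFlightRecording=filename=keytool.jfr
        Path recording = Path.of(args.length > 0 ? args[0] : "keytool.jfr");
        int seen = 0, weak = 0;
        try (RecordingFile rf = new RecordingFile(recording)) {
            while (rf.hasMoreEvents()) {
                RecordedEvent e = rf.readEvent();
                if (!"jdk.X509Certificate".equals(e.getEventType().getName())) continue;
                seen++;
                String keyType = e.getString("keyType");
                int keyLength = e.getInt("keyLength");
                boolean flagged = isWeak(keyType, keyLength);
                if (flagged) weak++;
                // Fields carried by the JDK event: subject, issuer, keyType,
                // keyLength, serialNumber, validFrom, validUntil, certificateId.
                System.out.printf("%s %s subject=%s issuer=%s key=%s/%d validUntil=%s%n",
                        flagged ? "WEAK" : "ok  ", e.getStartTime(),
                        e.getString("subject"), e.getString("issuer"),
                        keyType, keyLength, e.getInstant("validUntil"));
            }
        }
        System.out.printf("%d certificate events, %d flagged%n", seen, weak);
    }
}
```

Whether a bare keytool run produces these events at all depends on the change discussed in this thread; on a JDK without it, point the reader at a recording from an application that parsed the certificates through CertificateFactory.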
