Re: RFR: 8359956: Support algorithm constraints and certificate checks in SunX509 key manager [v14]

Tue, 29 Jul 2025 12:53:31 -0700 

On Tue, 29 Jul 2025 15:11:45 GMT, Artur Barashev <abaras...@openjdk.org> wrote:

>> SunX509 key manager should support the same certificate checks that are 
>> supported by PKIX key manager.
>> 
>> Effectively there should be only 2 differences between 2 key managers:
>> - PKIX supports multiple key stores through KeyStore.Builder interface while 
>> SunX509 supports only a single keystore.
>> - SunX509 caches its whole key store on initialization thus improving 
>> performance. This means that subsequent modifications of the KeyStore have 
>> no effect on SunX509 KM, unlike PKIX .
>> 
>> **SUNX509 KeyManager performance before the change**
>> Benchmark                                    (resume)  (tlsVersion)   Mode  
>> Cnt      Score     Error  Units
>> SSLHandshake.doHandshake      true       TLSv1.2  thrpt   15  19758.012 ± 
>> 758.237  ops/s
>> SSLHandshake.doHandshake      true           TLS  thrpt   15   1861.695 ±  
>> 14.681  ops/s
>> SSLHandshake.doHandshake     false       TLSv1.2  thrpt   15   **1186.962** 
>> ±  12.085  ops/s
>> SSLHandshake.doHandshake     false           TLS  thrpt   15   **1056.288** 
>> ±   7.197  ops/s
>> 
>> **SUNX509 KeyManager performance after the change**
>> Benchmark                 (resume)  (tlsVersion)   Mode  Cnt      Score     
>> Error  Units
>> SSLHandshake.doHandshake      true       TLSv1.2  thrpt   15  20954.399 ± 
>> 260.817  ops/s
>> SSLHandshake.doHandshake      true           TLS  thrpt   15   1813.401 ±  
>> 13.917  ops/s
>> SSLHandshake.doHandshake     false       TLSv1.2  thrpt   15   **1158.190** 
>> ±   6.023  ops/s
>> SSLHandshake.doHandshake     false           TLS  thrpt   15   **1012.988** 
>> ±  10.943  ops/s
>
> Artur Barashev has updated the pull request incrementally with one additional 
> commit since the last revision:
> 
>   Address review comments

src/java.base/share/classes/sun/security/ssl/X509KeyManagerCertChecking.java 
line 58:

> 56:  * Layer that adds algorithm constraints and certificate checking to a key
> 57:  * manager.
> 58:  */

Can you add some more comments about the algorithm it uses for selecting 
certificates (when certChecking is enabled)? In other words, what the 
preference order is for selecting certs, and which certificates are not chosen 
due to disabled algs, or other reasons. You can probably copy some/most of this 
from the comments in `X509KeyManagerImpl`.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/25016#discussion_r2240798471

Reply via email to