Sub-task
Resolution: Unresolved
P4
NOTE: the work on this issue should be started after CSR JDK-8360289 is approved.
Update the description of the SunX509 KeyManagerFactory algorithm in the JDK Providers Guide: https://docs.oracle.com/en/java/javase/24/security/oracle-providers.html#GUID-7093246A-31A3-4304-AC5F-5FB6400405E2
The following text:
---
SunX509: A factory for X509ExtendedKeyManager instances that manage X.509 certificate-based key pairs for local side authentication, but with less strict checking of certificate usage/validity and chain verification. This KeyManagerFactory supports initialization using a Keystore object, but does not currently support initialization using the class javax.net.ssl.ManagerFactoryParameters.
Note: The SunX509 factory is for backwards compatibility with older releases, and should no longer be used.
---
Should be replaced with something like this:
---
SunX509: same as PKIX but with better performance at the expense of not supporting initialization using the class javax.net.ssl.ManagerFactoryParameters. This KeyManagerFactory supports initialization using a Keystore object only. SunX509 caches its whole key store on initialization, thus improving performance. This means that subsequent modifications of the KeyStore have no effect on SunX509 KM, unlike PKIX.
The legacy behavior (do not check certificates) of SunX509 KeyManagerFactory can be restored by setting the `jdk.tls.SunX509KeyManager.certChecking` system property to `false`.
---
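The initialization difference described in both versions of the text can be checked on a given JDK with the following added example, which is not part of this issue or of the JDK documentation. The class name `KmfInitCheck` and the sample password are assumptions; the example also reports the default algorithm and whether the `certChecking` property is set.

```java
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.KeyStoreBuilderParameters;
import javax.net.ssl.ManagerFactoryParameters;

// Hypothetical class name; not part of the JDK or of this issue.
public class KmfInitCheck {
    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray(); // constructed sample value

        // Empty in-memory key store, enough to exercise both init paths.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);

        // What an application gets when it does not name an algorithm.
        System.out.println("default algorithm: "
                + KeyManagerFactory.getDefaultAlgorithm());
        // Property named in the proposed text; null means it was not set.
        System.out.println("jdk.tls.SunX509KeyManager.certChecking = "
                + System.getProperty("jdk.tls.SunX509KeyManager.certChecking"));

        ManagerFactoryParameters params = new KeyStoreBuilderParameters(
                KeyStore.Builder.newInstance(ks,
                        new KeyStore.PasswordProtection(password)));

        for (String alg : new String[] {"SunX509", "PKIX"}) {
            // Path 1: KeyStore object, supported by both algorithms.
            KeyManagerFactory.getInstance(alg).init(ks, password);
            System.out.println(alg + ": init(KeyStore, char[]) ok");

            // Path 2: ManagerFactoryParameters, which SunX509 does not support.
            try {
                KeyManagerFactory.getInstance(alg).init(params);
                System.out.println(alg + ": init(ManagerFactoryParameters) ok");
            } catch (InvalidAlgorithmParameterException e) {
                System.out.println(alg
                        + ": init(ManagerFactoryParameters) rejected: "
                        + e.getMessage());
            }
        }
    }
}
```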