• Sub-task
    • Resolution: Unresolved
    • P4
    • 26
    • None
    • docs

      NOTE: the work on this issue should be started after CSR JDK-8360289 is approved.

      Update the description of the SunX509 KeyManagerFactory algorithm in the JDK Providers Guide: https://docs.oracle.com/en/java/javase/24/security/oracle-providers.html#GUID-7093246A-31A3-4304-AC5F-5FB6400405E2

      The following text:
      ---
      SunX509: A factory for X509ExtendedKeyManager instances that manage X.509 certificate-based key pairs for local side authentication, but with less strict checking of certificate usage/validity and chain verification. This KeyManagerFactory supports initialization using a Keystore object, but does not currently support initialization using the class javax.net.ssl.ManagerFactoryParameters.

      Note: The SunX509 factory is for backwards compatibility with older releases, and should no longer be used.
      ---

      Should be replaced with something like this:
      ---
      SunX509: same as PKIX but with better performance at the expense of not supporting initialization using the class javax.net.ssl.ManagerFactoryParameters. This KeyManagerFactory supports initialization using a Keystore object only. SunX509 caches its whole key store on initialization, thus improving performance. This means that subsequent modifications of the KeyStore have no effect on SunX509 KM, unlike PKIX.
      The legacy behavior (do not check certificates) of SunX509 KeyManagerFactory can be restored by setting the `jdk.tls.SunX509KeyManager.certChecking` system property to `false`.
      ---
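
The caching behavior in the proposed text, as an added example (not part of this issue or of the JDK documentation): a SunX509 key manager built before a KeyStore entry is deleted is compared with one built afterwards. The class name, the `sunX509` helper and the command-line arguments are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

// Added example. Assumed inputs: args[0] = path to a PKCS12 keystore holding at
// least one private key entry, args[1] = its password (also the key password).
// A throwaway store can be made with:
//   keytool -genkeypair -alias demo -keyalg EC -dname CN=demo \
//           -keystore demo.p12 -storetype PKCS12 -storepass changeit
public class SunX509SnapshotDemo {

    // Build a SunX509 key manager from the KeyStore as it is right now.
    static X509KeyManager sunX509(KeyStore ks, char[] pw) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, pw);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                return (X509KeyManager) km;
            }
        }
        throw new IllegalStateException("no X509KeyManager returned");
    }

    public static void main(String[] args) throws Exception {
        char[] pw = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, pw);
        }
        // Use the alias exactly as the KeyStore reports it.
        String alias = null;
        for (String a : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(a)) { alias = a; break; }
        }
        if (alias == null) throw new IllegalArgumentException("no key entry in " + args[0]);

        X509KeyManager before = sunX509(ks, pw);   // snapshot taken here
        ks.deleteEntry(alias);                     // in-memory only; the file is untouched
        X509KeyManager after = sunX509(ks, pw);    // factory re-initialized after the change

        System.out.println("KeyStore still has alias:       " + ks.containsAlias(alias));
        System.out.println("old SunX509 KM still has key:   " + (before.getPrivateKey(alias) != null));
        System.out.println("re-initialized SunX509 has key: " + (after.getPrivateKey(alias) != null));
    }
}
```

Because the key manager built before the deletion keeps serving the cached key, removing or rotating a key in the KeyStore takes effect for SunX509 only after the KeyManagerFactory (and any SSLContext built from it) is re-initialized.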

            rgallard Raymond Gallardo
            abarashev Artur Barashev