JDK-6586284 : X509KeyManager and X509TrustManager need pre-keystore access callbacks
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 6u2
  • Priority: P3
  • Status: Closed
  • Resolution: Won't Fix
  • OS: generic
  • CPU: generic
  • Submitted: 2007-07-27
  • Updated: 2010-09-29
  • Resolved: 2009-03-17
Related Reports
Relates :  
Relates :  
Relates :  
Description
The classes KeyManager and TrustManager and their extended versions are used in conjunction with instances of KeyStore. If the KeyStore is updated dynamically, it is necessary to inspect the keystore before accessing it via KeyManager and TrustManager. The only way of doing this at present is to subclass KeyManager and TrustManager (in fact, to subclass X509ExtendedKeyManager and X509ExtendedTrustManager) to add the required functionality, and this is not an altogether straightforward process.

The RFE is to add callback hooks to KeyManager and TrustManager (or the X509 subclasses).  These callbacks would be made whenever a new connection was being made, and would enable key and trust store updates to be detected, and the keystores to be updated before the connection was made.
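The subclassing workaround the description refers to, as an added example that is not part of this report or of the JDK: a wrapper X509ExtendedTrustManager that performs the "pre-keystore access" check itself, by comparing the truststore file's modification time on every trust decision and rebuilding the delegate trust manager from the file when it has changed. The truststore path, password and file format are assumptions supplied by the caller; X509ExtendedTrustManager is assumed to be available (it exists from Java 7 on, so this is newer than the 6u2 release the report is filed against).

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.Socket;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;

/** Trust manager that re-reads its truststore file whenever the file changes on disk. */
public final class ReloadingTrustManager extends X509ExtendedTrustManager {

    private final Path storePath;      // hypothetical path, chosen by the caller
    private final char[] storePassword;
    private volatile long loadedAt;    // lastModified of the file when the delegate was built
    private volatile X509ExtendedTrustManager delegate;

    public ReloadingTrustManager(Path storePath, char[] storePassword)
            throws GeneralSecurityException, IOException {
        this.storePath = storePath;
        this.storePassword = storePassword.clone();
        reload();
    }

    /** The pre-access hook: runs before every delegated trust decision. */
    private X509ExtendedTrustManager current() throws CertificateException {
        try {
            long mtime = Files.getLastModifiedTime(storePath).toMillis();
            if (mtime != loadedAt) {
                synchronized (this) {
                    if (mtime != loadedAt) {
                        reload();
                    }
                }
            }
        } catch (IOException | GeneralSecurityException e) {
            // Fail closed: a truststore we cannot read must not silently pass handshakes.
            throw new CertificateException("truststore reload failed", e);
        }
        return delegate;
    }

    /** Loads the keystore from disk and builds a fresh delegate from its entries. */
    private synchronized void reload() throws GeneralSecurityException, IOException {
        // Record the timestamp before loading so a write during the load triggers another reload.
        long mtime = Files.getLastModifiedTime(storePath).toMillis();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(storePath)) {
            ks.load(in, storePassword);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509ExtendedTrustManager) {
                delegate = (X509ExtendedTrustManager) tm;
                loadedAt = mtime;
                return;
            }
        }
        throw new GeneralSecurityException("no X509ExtendedTrustManager from " + tmf.getAlgorithm());
    }

    @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { current().checkClientTrusted(chain, authType); }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { current().checkServerTrusted(chain, authType); }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType, Socket s)
            throws CertificateException { current().checkClientTrusted(chain, authType, s); }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType, Socket s)
            throws CertificateException { current().checkServerTrusted(chain, authType, s); }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine e)
            throws CertificateException { current().checkClientTrusted(chain, authType, e); }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine e)
            throws CertificateException { current().checkServerTrusted(chain, authType, e); }

    @Override public X509Certificate[] getAcceptedIssuers() {
        try {
            return current().getAcceptedIssuers();
        } catch (CertificateException e) {
            return delegate.getAcceptedIssuers(); // cannot throw here; advertise the last good set
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical truststore file and password; replace with your own.
        Path store = Paths.get(args.length > 0 ? args[0] : "truststore.p12");
        ReloadingTrustManager tm = new ReloadingTrustManager(store, "changeit".toCharArray());
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        System.out.println("accepted issuers: " + tm.getAcceptedIssuers().length);
    }
}
```

An SSLContext initialised with this wrapper keeps a stable TrustManager reference, so replacing the truststore file (e.g. rotating a CA) takes effect on the next handshake without rebuilding the context. The same pattern applies to X509ExtendedKeyManager, with the delegate rebuilt through KeyManagerFactory.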

Comments
EVALUATION Without public APIs supported, it is impossible to synchronize the key store between the trust/key manager and applications. For a special requirement, a customized trust/key manager can manage the entries synchronized; it is the better approach. Will close it.
06-03-2009

EVALUATION I would prefer adding a pair of new implementations of X509 trust manager and key manager, which would get the keystore entries from KeyStore directly instead of using the cached entries as the present implementations do. There is a little performance loss because we need to access KeyStore for every entry access, but it is only a small loss and will not hurt the overall performance a lot. So for better performance, normal users could use the current cache-based implementations; and a few cases like the CR described could use the new implementations.
03-02-2009