Bug ID: JDK-8272875 Change the default key manager to PKIX

JDK-8272875 : Change the default key manager to PKIX

Type: Enhancement
Component: security-libs
Sub-Component: javax.net.ssl

Priority: P3
Status: Open
Resolution: Unresolved

Submitted: 2021-08-24
Updated: 2024-04-01

Related Reports

Blocks :	JDK-8136720 - The PKIX KeyManagerFactory algorithm is underspecified
Relates :	JDK-8322767 - TLS full handshake is slow with PKCS12KeyStore and X509KeyManagerImpl
Relates :	JDK-8199440 - JDK selects wrong certificate during two-way SSL handshake

Description

The current key manager is SunX509, which is configured in the java.security.  The SunX509 algorithm does not check of the local certificate, and there are known problems if there are multiple certificates in the local key store (see JDK-8199440).  The PKIX algorithm should be preferred now so that the default key manager could be more robust.

java.security:
- ssl.KeyManagerFactory.algorithm=SunX509
+ ssl.KeyManagerFactory.algorithm=PKIX

Comments

If we move to this KeyManager, then JDK-8170706 no longer needs to be fixed and can be closed as Will Not Fix.

26-01-2022