JDK-8136720 : The PKIX KeyManagerFactory algorithm is underspecified
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P3
  • Status: Open
  • Resolution: Unresolved
  • Submitted: 2015-09-17
  • Updated: 2022-02-07
Related Reports
Blocks :  
JDK-8272875 - Change the default key manager to PKIX
Description
The PKIX KeyManagerFactory algorithm is underspecified. It does not provide sufficient information for an independent implementation to be compatible. The standard algorithm document [1] says:

"A factory for X509ExtendedKeyManagers that manage X.509 certificate-based key pairs for local side authentication according to the rules defined by the IETF PKIX working group in RFC 3280 or its successor. The KeyManagerFactory must support initialization using the class javax.net.ssl.KeyStoreBuilderParameters."

The OpenJDK implementation never calls a PKIX CertPathValidator or CertPathBuilder. It needs to be more specific that it is a filtering mechanism, and avoids selecting certificates that would not be PKIX compliant. It also needs to be more specific about how it uses the KeyStoreBuilderParameters.

[1] http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#KeyManagerFactory
Comments
Once we get this tightened up, unless there is a good reason, we should change the default value of ssl.KeyManagerFactory.algorithm from SunX509 to PKIX.
17-09-2015