JDK-8355219 : Change the default key manager to PKIX
  • Type: CSR
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P3
  • Status: Closed
  • Resolution: Withdrawn
  • Submitted: 2025-04-21
  • Updated: 2025-06-20
  • Resolved: 2025-06-20
Related Reports
CSR :  
JDK-8272875 - Change the default key manager to PKIX
Description
Summary
-------
Change the default key manager from "SunX509" to "PKIX"

Problem
-------
Current default SunX509 Key Manager doesn't check local certificate signature against local algorithm constraints and also against peer-supported algorithms supplied by TLS peer with ClientHello or with CertificateRequest commands (per TLSv1.3 RFC).

Solution
--------
- Change the default key manager from "SunX509" to "PKIX" in `java.security` config file.
- Update "Security Developer's Guide" documentation.

Specification
-------------
1) The `javax.net.ssl.KeyManagerFactory.getDefaultAlgorithm()` method will return "PKIX" since by default it is specified to read the value of the `ssl.KeyManagerFactory.algorithm` security property. If the property does not exist, the implementation will also return "PKIX" instead of "SunX509". 

2) java.security:

     - ssl.KeyManagerFactory.algorithm=SunX509
     + ssl.KeyManagerFactory.algorithm=PKIX

3) Security Developer’s Guide:

    "SunX509" is currently listed as the default value for KeyManager, change it to
    "PKIX"