Bug ID: JDK-8359956 Support algorithm constraints and certificate checks in SunX509 key manager

JDK-8359956 : Support algorithm constraints and certificate checks in SunX509 key manager

Type: Enhancement
Component: security-libs
Sub-Component: javax.net.ssl

Priority: P4
Status: Resolved
Resolution: Fixed

Submitted: 2025-06-18
Updated: 2025-08-07
Resolved: 2025-07-31

Versions (Unresolved/Resolved/Fixed)

The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.

JDK 26
26 b10Fixed

Related Reports

CSR :	JDK-8360289 - Support algorithm constraints and certificate checks in SunX509 key manager
Causes :	JDK-8364495 - [TESTBUG] test/jdk/javax/management/security/SecurityTest.java after JDK-8359956
Causes :	JDK-8364484 - misc tests fail with Received fatal alert: handshake_failure
Duplicate :	JDK-8170706 - Support algorithm constraints in SunX509 key manager
Duplicate :	JDK-8359069 - Support certificate checks in SunX509 key manager
Duplicate :	JDK-8272875 - Change the default key manager to PKIX
Duplicate :	JDK-8362455 - Test test/jdk/sun/security/ssl/SignatureScheme/MD5NotAllowedInTLS13CertificateSignature.java correction
Duplicate :	JDK-8353113 - Peer supported certificate signature algorithms are not being checked with default SunX509 key manager

Sub Tasks

JDK-8363967 :	Update JDK Providers Documentation - Open
JDK-8364529 :	Release Note: Support Algorithm Constraints and Certificate Checks in SunX509 Key Manager - Resolved
JDK-8364530 :	Release Note: Support algorithm constraints and certificate checks in SunX509 key manager - Closed

Description

SunX509 key manager should support the same certificate checks that are supported by PKIX key manager.

Effectively there should be only 2 differences between 2 key managers:
- PKIX supports multiple key stores through KeyStore.Builder interface while SunX509  supports only a single keystore.
- SunX509 caches its whole key store on initialization thus improving performance. This means that subsequent modifications of the KeyStore have no effect on SunX509  KM, unlike PKIX .

Comments

Changeset: e544cd99 Branch: master Author: Artur Barashev <abarashev@openjdk.org> Date: 2025-07-31 13:57:19 +0000 URL: https://git.openjdk.org/jdk/commit/e544cd992099ef905266610c2c1456705cdc4587

31-07-2025

A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk/pull/25016 Date: 2025-05-02 22:48:56 +0000

18-06-2025