Seán Coffey

Seems like there's a difference of opinion on when such a configuration issue should be reported. Reporting at start up will cost cycles (esp since there's an IO stat call)...

Thanks for the feedback Sean. Yes - this event should also cater for the internal `new X509CertImpl` type calls that are sprinkled through some of the security libraries. Some look...

on further reading, it turns out that code like `CertificateFactory.generateCertPath` or `generateCertificates` need not have an explicit X509Cert event recording. In theory, that implementation should call into `CertificateFactory.generateCertificate` to generate...

> Do you think it is that useful to have keytool record events? Ok, I guess some apps could be execing keytool, but that would be in a separate process,...

I'd agree with your thoughts. While it may not be a threat level, it's still a useful information point, especially in environments where hard coded values might get embedded in...

> Hello Sean, > > > Debug output is also now added for these properties via -Djava.security.debug=properties > > Looking at the existing code upstream, it appears that the value...

/integrate

> > > > My vote would be to leave it out. `keytool` already emits warnings when weak algorithms are used. It seems we both agree that few users, will...

/integrate

@wangweij Updated the PR to incorporate extra changes as a result JDK-8327818 Would appreciate if you can take a look