Explore TencentKona 8.0.4: SM2/SM3/SM4 JCE Provider & Parallel G1 Full GC
TencentKona 8.0.4 introduces an SM2/SM3/SM4 JCE provider for Chinese national cryptographic algorithms, parallel G1 Full GC, parallel heap inspection, and various performance enhancements, all demonstrated with a micro‑service encryption example and detailed curl commands for practical use.
Release Overview
Baseline updated to OpenJDK 8u272
TencentSMProvider adds SM2, SM3 and SM4 algorithms to the standard JCE API
Parallel Full GC implementation for G1
Parallel heap‑inspection support for G1 and ParallelScavenge
Various performance improvements and bug fixes
SM2/SM3/SM4 JCE Provider
TencentKona 8.0.4 bundles a JCE provider (TencentSMProvider) that implements the Chinese national cryptographic standards SM2 (asymmetric encryption), SM3 (hash) and SM4 (symmetric encryption). Applications can use the standard java.security and javax.crypto APIs without any third‑party libraries.
Micro‑service scenario
Two REST services are used to demonstrate the provider:
Consumer – obtains public/secret keys from the Provider, encrypts data and sends the ciphertext.
Provider – generates SM2 key pairs and SM4 secret keys, returns the public key/secret key, decrypts incoming ciphertext and can compute SM3 digests.
Typical workflow
Both services start with java -jar … using the KonaJDK 8 runtime.
Consumer loads the provider: Security.addProvider(new TencentSMProvider());
Consumer requests keys from Provider:
GET http://{provider-host}:18083/echo-rest/getkeysm2 // SM2 public key
GET http://{provider-host}:18083/echo-rest/getkeysm4 // SM4 secret key (Base64)
Consumer encrypts the payload:
SM2 encryption – use Cipher.getInstance("SM2") with the received public key.
SM4 GCM encryption – use Cipher.getInstance("SM4/GCM/NoPadding") with the secret key; the HTTP request must carry the IV and authentication tag in headers.
Consumer sends the ciphertext:
POST http://{provider-host}:18083/echo-rest/encrypt/SM2/IamSecretData
or
POST http://{provider-host}:18083/echo-rest/encrypt/SM4/IamSecretData
Headers: IV, Tag, Ciphertext.
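The SM4/GCM path of this workflow, as an added example (not code from the TencentKona release or its demo services): the Consumer encrypts, splits the result into the IV, Tag and Ciphertext header values, and the Provider side rejoins and verifies them. It assumes TencentSMProvider is already registered and that it follows the usual JCE convention of appending the 16-byte tag to the ciphertext; the class name, the demo key and the 12-byte IV length are choices made for this example.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class Sm4GcmHeaderDemo {
    static final int IV_BYTES = 12, TAG_BYTES = 16;
    // Provider side: rebuild ciphertext||tag from the headers; doFinal verifies the tag.
    static String decrypt(SecretKeySpec key, byte[] iv, byte[] ct, byte[] tag) throws Exception {
        if (iv.length != IV_BYTES || tag.length != TAG_BYTES)   // never accept a shortened tag
            throw new IllegalArgumentException("unexpected IV or tag length");
        byte[] joined = Arrays.copyOf(ct, ct.length + TAG_BYTES);
        System.arraycopy(tag, 0, joined, ct.length, TAG_BYTES);
        Cipher dec = Cipher.getInstance("SM4/GCM/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BYTES * 8, iv));
        return new String(dec.doFinal(joined), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Assumption: TencentSMProvider is already registered (Security.addProvider, as above).
        SecureRandom rng = new SecureRandom();
        byte[] keyBytes = new byte[16];              // constructed demo key; SM4 keys are 128 bits
        rng.nextBytes(keyBytes);
        SecretKeySpec key = new SecretKeySpec(keyBytes, "SM4");
        // Consumer side: a fresh random IV for every message encrypted under the same key.
        byte[] iv = new byte[IV_BYTES];
        rng.nextBytes(iv);
        Cipher enc = Cipher.getInstance("SM4/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BYTES * 8, iv));
        byte[] out = enc.doFinal("IamSecretData".getBytes(StandardCharsets.UTF_8));
        // Assumed JCE convention: output is ciphertext||tag, so split it for the three headers.
        byte[] ct = Arrays.copyOfRange(out, 0, out.length - TAG_BYTES);
        byte[] tag = Arrays.copyOfRange(out, out.length - TAG_BYTES, out.length);
        Base64.Encoder b64 = Base64.getEncoder();
        System.out.printf("IV: %s%nTag: %s%nCiphertext: %s%n",
                b64.encodeToString(iv), b64.encodeToString(tag), b64.encodeToString(ct));
        System.out.println("decrypted: " + decrypt(key, iv, ct, tag));
        ct[0] ^= 1;                                  // simulate modification in transit
        try {
            decrypt(key, iv, ct, tag);
        } catch (AEADBadTagException e) {
            System.out.println("tampered ciphertext rejected");
        }
    }
}
```

The receiving side must treat a failed tag check as a hard error and return no plaintext; reusing an IV under the same SM4 key breaks GCM's confidentiality and integrity guarantees.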
Provider decrypts the data, returns the plaintext, and optionally computes an SM3 digest via
POST http://{provider-host}:18083/echo-rest/encrypt/SM3/IamSecretData
Running the example
Start the two services with KonaJDK 8, then use the following curl commands to verify each operation:
# Retrieve SM2 public key
curl http://localhost:18083/echo-rest/getkeysm2
# Retrieve SM4 secret key
curl http://localhost:18083/echo-rest/getkeysm4
# Encrypt with SM2 and get decrypted result
curl -X POST http://localhost:18083/echo-rest/encrypt/SM2/IamSecretData
# Encrypt with SM4 (GCM) and get decrypted result
curl -X POST http://localhost:18083/echo-rest/encrypt/SM4/IamSecretData
# Compute SM3 hash of a string
curl -X POST http://localhost:18083/echo-rest/encrypt/SM3/IamSecretData
Parallel G1 Full GC
In OpenJDK 8 the G1 Full GC was single‑threaded, leading to pause times of tens to hundreds of seconds on large heaps. TencentKona 8.0.4 introduces a parallel implementation that distributes the Full GC work across all available CPU cores. Internal benchmarks on a multi‑terabyte heap show an average pause‑time reduction of about 80 % compared with the legacy implementation.
Parallel Heap Inspection
The release back‑ports the OpenJDK contribution “parallel heap inspection”. Users can now invoke: jmap -histo:parallel=<n> <pid> where <n> is the number of parallel threads (e.g., jmap -histo:parallel=30 12345). On a 280 GB heap the histogram generation time drops from ~15 s to <1 s.
Reference
Official release page: https://github.com/Tencent/TencentKona-8/releases
Tencent Cloud Middleware
Official account of Tencent Cloud Middleware. Focuses on microservices, messaging middleware and other cloud‑native technology trends, publishing product updates, case studies, and technical insights. Regularly hosts tech salons to share effective solutions.
