Why cannot overwrite a KeyEntry with a TrustCertEntry?
Sean Mullan
sean.mullan at oracle.com
Thu Apr 11 14:47:45 UTC 2013
On 04/11/2013 04:36 AM, Weijun Wang wrote:
> Hi All
>
> The KeyStore::setCertificateEntry has
>
> * @exception KeyStoreException if the keystore has not been initialized,
> * or the given alias already exists and does not identify an
> * entry containing a trusted certificate,
> * or this operation fails for some other reason.
>
> which means you cannot overwrite a KeyEntry with a TrustCertEntry, while
> setKeyEntry allows a TrustCertEntry to be overwritten by a KeyEntry.
>
> This has been true from the beginning, but why?
I'm not sure, but the exact reason is probably now lost in the sands of
time ;)
> On the other hand, setEntry mentions no restriction, although the
> current implementations (jks, pkcs12) fail when overwriting a KeyEntry
> with a TrustCertEntry.
The only thing I can think of is that it protects against accidental
overwriting of your private key, which might be a good thing, if you
haven't backed it up.
--Sean
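The asymmetry discussed in this thread can be observed directly against an in-memory PKCS12 keystore. The program below is an added example, not code from either poster or from the JDK; it stores a secret key under one alias and checks that `setCertificateEntry` and `setEntry` both refuse to replace that key entry with a trusted certificate, while `setKeyEntry` silently replaces a trusted-certificate entry with a key entry. It assumes the running JDK ships its `cacerts` truststore at `java.home/lib/security/cacerts` (used only as a convenient source of a real X.509 certificate), and the `replaceKeyWithTrustedCert` helper is a hypothetical wrapper that turns the "protect the private key" behaviour Sean describes into an explicit opt-in: the key entry is only discarded when the caller confirms it.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.util.Enumeration;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class KeyStoreOverwriteDemo {

    // Returns the first trusted certificate from the JDK's own cacerts file, so the
    // demo needs no embedded PEM. Assumption: cacerts lives at the usual path under
    // java.home; a null password skips the integrity check, which is fine for reading.
    static Certificate anyTrustedCert() throws Exception {
        KeyStore cacerts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(
                Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts"))) {
            cacerts.load(in, null);
        }
        Enumeration<String> aliases = cacerts.aliases();
        while (aliases.hasMoreElements()) {
            String a = aliases.nextElement();
            if (cacerts.isCertificateEntry(a)) {
                return cacerts.getCertificate(a);
            }
        }
        throw new IllegalStateException("no trusted certificate found in cacerts");
    }

    // Hypothetical helper: replace a key entry with a trusted-cert entry only when the
    // caller explicitly accepts losing the key. The KeyStore API refuses the overwrite
    // on its own, so the deleteEntry step makes the key loss a deliberate act.
    static void replaceKeyWithTrustedCert(KeyStore ks, String alias, Certificate cert,
                                          boolean confirmKeyLoss) throws KeyStoreException {
        if (ks.isKeyEntry(alias)) {
            if (!confirmKeyLoss) {
                throw new KeyStoreException("alias '" + alias + "' holds a key; refusing to discard it");
            }
            ks.deleteEntry(alias);
        }
        ks.setCertificateEntry(alias, cert);
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // fresh, in-memory keystore

        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        Certificate trusted = anyTrustedCert();

        // 1. KeyEntry -> TrustCertEntry: refused by setCertificateEntry and by setEntry
        ks.setKeyEntry("k", key, pw, null);
        try {
            ks.setCertificateEntry("k", trusted);
            System.out.println("unexpected: key entry was overwritten");
        } catch (KeyStoreException e) {
            System.out.println("setCertificateEntry refused: " + e.getMessage());
        }
        try {
            ks.setEntry("k", new KeyStore.TrustedCertificateEntry(trusted), null);
            System.out.println("unexpected: key entry was overwritten via setEntry");
        } catch (KeyStoreException e) {
            System.out.println("setEntry refused: " + e.getMessage());
        }
        System.out.println("'k' still a key entry: " + ks.isKeyEntry("k"));

        // 2. TrustCertEntry -> KeyEntry: allowed without any complaint
        ks.setCertificateEntry("t", trusted);
        ks.setKeyEntry("t", key, pw, null);
        System.out.println("'t' is now a key entry: " + ks.isKeyEntry("t")
                + ", cert entry: " + ks.isCertificateEntry("t"));

        // 3. Explicit, opted-in replacement of the key entry
        replaceKeyWithTrustedCert(ks, "k", trusted, true);
        System.out.println("'k' after explicit replacement, cert entry: " + ks.isCertificateEntry("k"));
    }
}
```

Running it with a JDK whose `cacerts` is present prints the two refusals, then shows the trusted-certificate entry under `t` being replaced by a key entry with no error, which is exactly the one-directional restriction the thread asks about. The helper is only a pattern: it uses the public `isKeyEntry`/`deleteEntry` calls, so it works unchanged for the JKS type as well.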