Why cannot overwrite a KeyEntry with a TrustCertEntry?
Brad Wetmore
bradford.wetmore at oracle.com
Fri Apr 12 01:49:31 UTC 2013
On 4/11/2013 7:47 AM, Sean Mullan wrote:
> On 04/11/2013 04:36 AM, Weijun Wang wrote:
>> Hi All
>>
>> The KeyStore::setCertificateEntry has
>>
>> * @exception KeyStoreException if the keystore has not been initialized,
>> * or the given alias already exists and does not identify an
>> * entry containing a trusted certificate,
>> * or this operation fails for some other reason.
>>
>> which means you cannot overwrite a KeyEntry with a TrustCertEntry. While
>> setKeyEntry allows a TrustCertEntry been overwritten by a KeyEntry.
>>
>> This has been true from the beginning, but why?
>
> I'm not sure, but the exact reason is probably now lost in the sands of
> time ;)
>
>> On the other hand, setEntry mentions no restriction, although the
>> current implementations (jks, pkcs12) fail when overwriting a KeyEntry
>> with a TrustCertEntry.
>
> The only thing I can think of is that it protects against accidental
> overwriting of your private key, which might be a good thing, if you
> haven't backed it up.
That was added in April 1998.
4129553: KeyStore should store any type of "Key", not just "PrivateKey"
I *THINK* what Sean states was the reason, but before my time.
Brad
More information about the security-dev
mailing list