RFR 8238264: Exception thrown when setting javax.net.ssl.keyStoreType = PKCS11
Martin Balao
mbalao at redhat.com
Wed Feb 5 18:46:59 UTC 2020
Hi Xuelei,
Thanks for having a look at this.
On 2/5/20 3:00 PM, Xuelei Fan wrote:
> I may think it differently. If keyStoreType is PKCS11, then keyStore
> must be "NONE". It might be not necessary to allow default keyStore
> value for PKCS11 keyStoreType.
Why do you think that a non-set or empty keyStore system property won't
work and we must enforce the "NONE" string value when keyStoreType is
"PKCS11"? It's confusing as a user-interface that you set the
keystore.type security property to "PKCS11" and then you must explicitly
set "javax.net.ssl.keyStore=NONE" as a JVM parameter in each run because
empty/non-set is not considered the same as none. Looks to me that the
original intention was to consider empty / non-set as equal to "NONE"
because of the condition check here:
http://hg.openjdk.java.net/jdk/jdk/file/085463e75652/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java#l1010
Thanks,
Martin.-