RFR 8238264: Exception thrown when setting javax.net.ssl.keyStoreType = PKCS11

Martin Balao mbalao at redhat.com
Wed Feb 5 18:46:59 UTC 2020


Hi Xuelei,

Thanks for having a look at this.

On 2/5/20 3:00 PM, Xuelei Fan wrote:
> I may think it differently.  If keyStoreType is PKCS11, then keyStore
> must be "NONE".  It might be not necessary to allow default keyStore
> value for PKCS11 keyStoreType.

Why do you think that a non-set or empty keyStore system property won't
work and we must enforce the "NONE" string value when keyStoreType is
"PKCS11"? It's confusing as a user-interface that you set the
keystore.type security property to "PKCS11" and then you must explicitly
set "javax.net.ssl.keyStore=NONE" as JVM parameter in each run because
empty/non-set is not considered the same than none. Looks to me that the
original intention was to consider empty / non-set as equal to "NONE"
because of the condition check here:
http://hg.openjdk.java.net/jdk/jdk/file/085463e75652/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java#l1010

Thanks,
Martin.-



More information about the security-dev mailing list