RFR 8238264: Exception thrown when setting javax.net.ssl.keyStoreType = PKCS11

Xuelei Fan xuelei.fan at oracle.com
Wed Feb 5 19:10:22 UTC 2020

For the property, the default key store is none.  We may not want to 
introduce new compatibility risks by adding a new default value.  If 
application want to use key store other than the default one, it is 
required to set it.


On 2/5/2020 10:46 AM, Martin Balao wrote:
> Hi Xuelei,
> Thanks for having a look at this.
> On 2/5/20 3:00 PM, Xuelei Fan wrote:
>> I may think it differently.  If keyStoreType is PKCS11, then keyStore
>> must be "NONE".  It might be not necessary to allow default keyStore
>> value for PKCS11 keyStoreType.
> Why do you think that a non-set or empty keyStore system property won't
> work and we must enforce the "NONE" string value when keyStoreType is
> "PKCS11"? It's confusing as a user-interface that you set the
> keystore.type security property to "PKCS11" and then you must explicitly
> set "javax.net.ssl.keyStore=NONE" as JVM parameter in each run because
> empty/non-set is not considered the same than none. Looks to me that the
> original intention was to consider empty / non-set as equal to "NONE"
> because of the condition check here:
> http://hg.openjdk.java.net/jdk/jdk/file/085463e75652/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java#l1010
> Thanks,
> Martin.-

More information about the security-dev mailing list