RFR 8238264: Exception thrown when setting javax.net.ssl.keyStoreType = PKCS11

Martin Balao mbalao at redhat.com
Wed Feb 5 21:46:59 UTC 2020


On 2/5/20 6:20 PM, Xuelei Fan wrote:
> But with the patch, the value is indeed changed from none (empty) to
> "NONE" in logic.  You would also need to change other code if yo really
> want it (have the property value return "NONE", check other code to make
> sure "NONE" is used when it is "empty", documentation the special value,
> etc).  I don't think we want to the unnecessary conflicts and complex,
> for limited benefits.
Sorry but I'm unable to understand your point and why my change would
imply such further changes.

There is the following check condition:

if (P11KEYSTORE.equals(defaultKeyStoreType) &&
!NONE.equals(defaultKeyStore)) {
	throw new IllegalArgumentException("if keyStoreType is "
	+ P11KEYSTORE + ", then keyStore must be " + NONE);
}

That check is preventing keyStoreType to be PKCS11 and keyStore to be
set to something other than "NONE". The concern is letting the user
specify contradictory input: if your keystore is of PKCS11 type, you are
not supposed to use keyStore to point to any file (because the file will
obviously use other keystore formats such as PKCS12 or JKS). However,
that check is also preventing all those cases in which keyStore is not
even set (default case). That's odd to me, but I understand this change
won't make it.

Thanks for having a look anyways.

Martin.-



More information about the security-dev mailing list