RFR 8238264: Exception thrown when setting javax.net.ssl.keyStoreType = PKCS11

Xuelei Fan xuelei.fan at oracle.com
Wed Feb 5 21:58:26 UTC 2020

Normally, we need to be consistent for the system property use.  We 
don't use one spec in a place, and another spec in another place.


On 2/5/2020 1:46 PM, Martin Balao wrote:
> On 2/5/20 6:20 PM, Xuelei Fan wrote:
>> But with the patch, the value is indeed changed from none (empty) to
>> "NONE" in logic.  You would also need to change other code if you really
>> want it (have the property value return "NONE", check other code to make
>> sure "NONE" is used when it is "empty", document the special value,
>> etc).  I don't think we want the unnecessary conflicts and complexity,
>> for limited benefits.
> Sorry but I'm unable to understand your point and why my change would
> imply such further changes.
> There is the following check condition:
> if (P11KEYSTORE.equals(defaultKeyStoreType) &&
> !NONE.equals(defaultKeyStore)) {
> 	throw new IllegalArgumentException("if keyStoreType is "
> 	+ P11KEYSTORE + ", then keyStore must be " + NONE);
> }
> That check is preventing keyStoreType to be PKCS11 and keyStore to be
> set to something other than "NONE". The concern is letting the user
> specify contradictory input: if your keystore is of PKCS11 type, you are
> not supposed to use keyStore to point to any file (because the file will
> obviously use other keystore formats such as PKCS12 or JKS). However,
> that check is also preventing all those cases in which keyStore is not
> even set (default case). That's odd to me, but I understand this change
> won't make it.
> Thanks for having a look anyways.
> Martin.-
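
The behaviour discussed in this thread, as an added example that is not JDK code and not the patch under review: the quoted condition is applied to three constructed keyStore values (unset, "NONE", a file path), next to a hypothetical variant that treats an unset value like "NONE". The class name, the method names and the assumption that an unset property reads as the empty string are illustrative.

```java
public class Pkcs11KeyStoreCheck {
    static final String P11KEYSTORE = "PKCS11";
    static final String NONE = "NONE";

    // The condition quoted in the thread, applied to explicit arguments.
    static void strictCheck(String keyStoreType, String keyStore) {
        if (P11KEYSTORE.equals(keyStoreType) && !NONE.equals(keyStore)) {
            throw new IllegalArgumentException("if keyStoreType is "
                    + P11KEYSTORE + ", then keyStore must be " + NONE);
        }
    }

    // Hypothetical variant: an unset keyStore is treated like NONE, so only
    // a contradictory file path is rejected.
    static void lenientCheck(String keyStoreType, String keyStore) {
        strictCheck(keyStoreType, keyStore.isEmpty() ? NONE : keyStore);
    }

    // Runs one check and reports whether it threw.
    static String outcome(Runnable check) {
        try {
            check.run();
            return "accepted";
        } catch (IllegalArgumentException e) {
            return "rejected";
        }
    }

    public static void main(String[] args) {
        // Constructed inputs; null stands for "property not set".
        String[] keyStoreValues = { null, "NONE", "/path/to/keystore.p12" };
        for (String raw : keyStoreValues) {
            // Assumption: an unset property is read as the empty string.
            String keyStore = (raw == null) ? "" : raw;
            String strict = outcome(() -> strictCheck(P11KEYSTORE, keyStore));
            String lenient = outcome(() -> lenientCheck(P11KEYSTORE, keyStore));
            System.out.printf("keyStore=%-24s strict=%s lenient=%s%n",
                    raw == null ? "(unset)" : raw, strict, lenient);
        }
    }
}
```

With the condition as quoted, a PKCS11 configuration passes only when javax.net.ssl.keyStore is set explicitly to NONE alongside javax.net.ssl.keyStoreType=PKCS11.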
