RFR: 8309214: sun/security/pkcs11/KeyStore/CertChainRemoval.java fails after 8301154
Matthias Baesken
mbaesken at openjdk.org
Fri Aug 11 12:11:30 UTC 2023
On Thu, 3 Aug 2023 20:51:33 GMT, Valerie Peng <valeriep at openjdk.org> wrote:
> This change addresses the scenario where a certificate is first stored as part of a certificate chain and then stored again as a certificate corresponding to a PrivateKey entry. Newer version of NSS errors out with CKR_GENERAL_ERROR with the 2nd store, i.e. C_CreateObject() call.
>
> Proposed fix is to check for match before calling C_CreateObject(), if a match is found, set its alias instead.
Marked as reviewed by mbaesken (Reviewer).
Looks okay to me and seems to fix the issues we faced in our test infrastructure; seems to need backport to jdk21.
Would be great to have a second reviewer who is working more actively in this area of the JDK codebase.
-------------
PR Review: https://git.openjdk.org/jdk/pull/15146#pullrequestreview-1573515639
PR Comment: https://git.openjdk.org/jdk/pull/15146#issuecomment-1674622671
More information about the security-dev
mailing list