RFR: 8301154: SunPKCS11 KeyStore deleteEntry results in dangling PrivateKey entries
Hai-May Chao
hchao at openjdk.org
Thu May 4 16:48:14 UTC 2023
On Mon, 1 May 2023 19:49:05 GMT, Valerie Peng <valeriep at openjdk.org> wrote:
> Could someone help review this PKCS11KeyStore fix regarding the cert chain removal?
>
> The proposed fix will not remove the cert if it has a corresponding private key or is an issuer of other entities in the same keystore.
>
> Thanks,
> Valerie
test/jdk/sun/security/pkcs11/KeyStore/CertChainRemoval.java line 176:
> 174:
> 175: // should only have "pk1" now
> 176: checkEntry(ks, "pk1", pk1Chain);
When the kesytore should only have "pk1” now, how would checkEntry(ks, "pk1", pk1Chain) succeed as it expects to have the “ca.cert” in the pk1Chain? The “ca.cert” shall not be deleted because “pk1.cert” depends on it. I may have missed something here.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/13743#discussion_r1183111954
More information about the security-dev
mailing list