RFR: 8301154: SunPKCS11 KeyStore deleteEntry results in dangling PrivateKey entries

Hai-May Chao hchao at openjdk.org
Thu May 4 16:48:14 UTC 2023

On Mon, 1 May 2023 19:49:05 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

> Could someone help review this PKCS11KeyStore fix regarding the cert chain removal?
> The proposed fix will not remove the cert if it has a corresponding private key or is an issuer of other entities in the same keystore.
> Thanks,
> Valerie

test/jdk/sun/security/pkcs11/KeyStore/CertChainRemoval.java line 176:

> 174: 
> 175:         // should only have "pk1" now
> 176:         checkEntry(ks, "pk1", pk1Chain);

When the kesytore should only have "pk1” now, how would checkEntry(ks, "pk1", pk1Chain) succeed as it expects to have the “ca.cert” in the pk1Chain? The “ca.cert” shall not be deleted because “pk1.cert” depends on it. I may have missed something here.


PR Review Comment: https://git.openjdk.org/jdk/pull/13743#discussion_r1183111954

More information about the security-dev mailing list