RFR: 8301154: SunPKCS11 KeyStore deleteEntry results in dangling PrivateKey entries
Weijun Wang
weijun at openjdk.org
Fri May 5 17:00:17 UTC 2023
On Mon, 1 May 2023 19:49:05 GMT, Valerie Peng <valeriep at openjdk.org> wrote:
> Could someone help review this PKCS11KeyStore fix regarding the cert chain removal?
>
> The proposed fix will not remove the cert if it has a corresponding private key or is an issuer of other entities in the same keystore.
>
> Thanks,
> Valerie
Is it possible to generate the keys and certs on the fly?
src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyStore.java line 2031:
> 2029: cert.getSubjectX500Principal() + "]");
> 2030: }
> 2031: } else {
If `destroyIt` is false for the 1st cert, are you going to return false? Maybe it does not matter.
src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyStore.java line 2057:
> 2055: currHdl = ch[0];
> 2056: } else {
> 2057: currHdl = 0L;
Maybe just `break`?
-------------
PR Review: https://git.openjdk.org/jdk/pull/13743#pullrequestreview-1415118643
PR Review Comment: https://git.openjdk.org/jdk/pull/13743#discussion_r1186303587
PR Review Comment: https://git.openjdk.org/jdk/pull/13743#discussion_r1186299589
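The removal rule from the PR description above, as an added illustration (Python, not code from the JDK change under review): a toy model of a keystore in which certificate objects are shared between aliases, as they are on a PKCS#11 token, so deleting one alias must not destroy a certificate that another alias still depends on. The certificates (CN=Test CA, CN=server1, CN=server2) are constructed stand-ins carrying only subject, issuer and serial. Rules 1 and 2 are the two conditions the description states (corresponding private key; issuer of another entity); rule 3, keeping a certificate that is still a trusted-cert alias of its own, is an assumption of this model and not something the PR text states.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate: only what the rule needs."""
    subject: str
    issuer: str
    serial: int


@dataclass
class Entry:
    """One alias: its chain (leaf first) and whether a private key goes with it."""
    chain: tuple
    has_private_key: bool


class ModelKeyStore:
    """Toy keystore whose certificate objects are shared between aliases."""

    def __init__(self):
        self.entries = {}          # alias -> Entry
        self.token_certs = set()   # certificate objects currently on the "token"

    def set_key_entry(self, alias, chain):
        self.entries[alias] = Entry(tuple(chain), True)
        self.token_certs.update(chain)

    def set_cert_entry(self, alias, cert):
        self.entries[alias] = Entry((cert,), False)
        self.token_certs.add(cert)

    def _must_keep(self, cert):
        """Return the reason a cert must survive, or None if it may be destroyed."""
        # Rule 1: the cert is the leaf of a remaining key entry, i.e. a private
        # key on the token still corresponds to it.
        for e in self.entries.values():
            if e.has_private_key and e.chain[0] == cert:
                return "has private key"
        # Rule 2: another cert still on the token was issued by this one
        # (self-signed roots do not count as their own subordinate).
        for other in sorted(self.token_certs, key=lambda c: c.subject):
            if other != cert and other.issuer == cert.subject:
                return "issuer of " + other.subject
        # Rule 3 (assumption of this model): the cert is still a trusted-cert alias.
        for e in self.entries.values():
            if not e.has_private_key and e.chain[0] == cert:
                return "still a trusted-cert entry"
        return None

    def delete_entry(self, alias):
        """Drop the alias (and its private key, if any), then walk its chain leaf
        first and destroy only the certs no remaining alias relies on.  Returns
        the per-cert decisions so callers can see what happened."""
        entry = self.entries.pop(alias)
        decisions = []
        for cert in entry.chain:
            if cert not in self.token_certs:
                continue  # already destroyed via another alias
            reason = self._must_keep(cert)
            if reason is None:
                self.token_certs.discard(cert)
                decisions.append((cert.subject, "destroyed"))
            else:
                decisions.append((cert.subject, "kept: " + reason))
        return decisions


def build_sample_store():
    """Constructed sample: a CA with its own key entry and two server key entries
    whose chains share the CA certificate object."""
    ca = Cert("CN=Test CA", "CN=Test CA", 1)
    server1 = Cert("CN=server1", "CN=Test CA", 2)
    server2 = Cert("CN=server2", "CN=Test CA", 3)
    ks = ModelKeyStore()
    ks.set_key_entry("ca", (ca,))
    ks.set_key_entry("server1", (server1, ca))
    ks.set_key_entry("server2", (server2, ca))
    return ks


if __name__ == "__main__":
    ks = build_sample_store()
    for alias in ("server1", "ca", "server2"):
        print(alias, "->", ks.delete_entry(alias))
    print("certs left on token:", len(ks.token_certs))
```

Deleting `server1` destroys its leaf but keeps the CA certificate (a private key still corresponds to it); deleting the `ca` alias afterwards removes the CA key yet keeps the certificate because it still issued `server2`; only when `server2` goes is the CA certificate destroyed as well, leaving the token empty. Because a kept certificate's issuer is always kept by rule 2, stopping the walk at the first kept certificate would give the same result as continuing.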