RFR: 8301154: SunPKCS11 KeyStore deleteEntry results in dangling PrivateKey entries

Valerie Peng valeriep at openjdk.org
Fri May 5 19:46:18 UTC 2023


On Tue, 2 May 2023 22:42:13 GMT, Hai-May Chao <hchao at openjdk.org> wrote:

>> Could someone help review this PKCS11KeyStore fix regarding the cert chain removal?
>> 
>> The proposed fix will not remove the cert if it has a corresponding private key or is an issuer of other entities in the same keystore.
>> 
>> Thanks,
>> Valerie
>
> test/jdk/sun/security/pkcs11/KeyStore/CertChainRemoval.java line 176:
> 
>> 174: 
>> 175:         // should only have "pk1" now
>> 176:         checkEntry(ks, "pk1", pk1Chain);
> 
> When the keystore should only have "pk1" now, how would checkEntry(ks, "pk1", pk1Chain) succeed as it expects to have the "ca.cert" in the pk1Chain? The "ca.cert" shall not be deleted because "pk1.cert" depends on it. I may have missed something here.

I mean "pk1" entry, not just "pk1" cert. As you can see, the test checks for the complete cert chain for "pk1" entry.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/13743#discussion_r1186446763
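The deletion rule described at the top of the thread (keep a cert that a private-key entry uses or that has issued another entry's cert), as an added illustration that is not JDK or PR code: the check runs against any java.security.KeyStore, and the main method loads a PKCS12 file (assumed path and password from the command line) only so it can be run on real input.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added illustration of the deletion rule discussed in the thread (not JDK or PR code):
// a certificate entry stays if another entry's chain contains it or it signed a cert in the store.
public final class CertRemovalGuard {
    // True when the certificate stored under 'alias' can be deleted without leaving
    // a key entry with a broken chain or an orphaned end-entity certificate.
    public static boolean isSafeToDelete(KeyStore ks, String alias) throws Exception {
        if (ks.isKeyEntry(alias)) return false;        // has a private key: not a bare cert
        Certificate target = ks.getCertificate(alias);
        if (target == null) return true;               // nothing stored under this alias
        for (String other : Collections.list(ks.aliases())) {
            if (other.equals(alias)) continue;
            Certificate[] chain = ks.isKeyEntry(other)
                    ? ks.getCertificateChain(other)
                    : new Certificate[] { ks.getCertificate(other) };
            if (chain == null) continue;
            for (Certificate c : chain) {
                if (target.equals(c)) return false;    // same cert sits in another entry's chain
                if (c instanceof X509Certificate && target instanceof X509Certificate
                        && issuedBy((X509Certificate) c, (X509Certificate) target)) {
                    return false;                      // target signed a cert still in the store
                }
            }
        }
        return true;
    }

    // Issuer-name match plus a real signature check, so a spoofed issuer DN is not enough.
    private static boolean issuedBy(X509Certificate cert, X509Certificate issuer) {
        if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) return false;
        try {
            cert.verify(issuer.getPublicKey());
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    // Usage: java CertRemovalGuard <keystore-file> <password>   (PKCS12 file assumed)
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) { ks.load(in, args[1].toCharArray()); }
        for (String a : Collections.list(ks.aliases()))
            System.out.println(a + ": " + (isSafeToDelete(ks, a) ? "removable" : "keep"));
    }
}
```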
