RFR: 8301154: SunPKCS11 KeyStore deleteEntry results in dangling PrivateKey entries
Hai-May Chao hchao at openjdk.org
Fri May  5 20:44:20 UTC 2023

On Fri, 5 May 2023 19:43:31 GMT, Valerie Peng <valeriep at openjdk.org> wrote:
>> test/jdk/sun/security/pkcs11/KeyStore/CertChainRemoval.java line 176:
>> 
>>> 174: 
>>> 175:         // should only have "pk1" now
>>> 176:         checkEntry(ks, "pk1", pk1Chain);
>> 
>> When the keystore should only have "pk1" now, how would checkEntry(ks, "pk1", pk1Chain) succeed as it expects to have the "ca.cert" in the pk1Chain? The "ca.cert" shall not be deleted because "pk1.cert" depends on it. I may have missed something here.
>
> I mean "pk1" entry, not just "pk1" cert. As you can see, the test checks for the complete cert chain for "pk1" entry.
I've the same understanding of this test. The test looks good to me. I was puzzled by its "pk1" comment.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/13743#discussion_r1186485506
    
    