RFR: 8301154: SunPKCS11 KeyStore deleteEntry results in dangling PrivateKey entries
Valerie Peng
valeriep at openjdk.org
Fri May 5 21:42:13 UTC 2023
On Fri, 5 May 2023 16:46:16 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> Could someone help review this PKCS11KeyStore fix regarding the cert chain removal?
>>
>> The proposed fix will not remove the cert if it has a corresponding private key or is an issuer of other entities in the same keystore.
>>
>> Thanks,
>> Valerie
>
> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyStore.java line 2031:
>
>> 2029: cert.getSubjectX500Principal() + "]");
>> 2030: }
>> 2031: } else {
>
> If `destroyIt` is false for the 1st cert, are you going to return false? Maybe it does not matter.
Hmm, I think the rest of chain should still be checked and removed if no dependents for them.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/13743#discussion_r1186517535
More information about the security-dev
mailing list