RFR: 8301154: SunPKCS11 KeyStore deleteEntry results in dangling PrivateKey entries

Weijun Wang weijun at openjdk.org
Fri May 5 23:02:23 UTC 2023


On Fri, 5 May 2023 21:39:13 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

>> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyStore.java line 2031:
>> 
>>> 2029:                             cert.getSubjectX500Principal() + "]");
>>> 2030:                     }
>>> 2031:                 } else {
>> 
>> If `destroyIt` is false for the 1st cert, are you going to return false? Maybe it does not matter.
>
> Hmm, I think the rest of chain should still be checked and removed if no dependents for them.

Of course, I was only talking about the final return value.

And, I take back my words. This method should return true no matter what `destroyIt` is. The return value is only used in `deleteEntry` and it should be true even if the.cert is used elsewhere.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/13743#discussion_r1186547307



More information about the security-dev mailing list