RFR: 8301154: SunPKCS11 KeyStore deleteEntry results in dangling PrivateKey entries
Weijun Wang
weijun at openjdk.org
Fri May 5 23:02:23 UTC 2023
On Fri, 5 May 2023 21:39:13 GMT, Valerie Peng <valeriep at openjdk.org> wrote:
>> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyStore.java line 2031:
>>
>>> 2029: cert.getSubjectX500Principal() + "]");
>>> 2030: }
>>> 2031: } else {
>>
>> If `destroyIt` is false for the 1st cert, are you going to return false? Maybe it does not matter.
>
> Hmm, I think the rest of chain should still be checked and removed if no dependents for them.
Of course, I was only talking about the final return value.
And, I take back my words. This method should return true no matter what `destroyIt` is. The return value is only used in `deleteEntry` and it should be true even if the.cert is used elsewhere.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/13743#discussion_r1186547307
More information about the security-dev
mailing list