RFR: 8327182: Move serverAlias into the loop
John Jiang
jjiang at openjdk.org
Mon Mar 4 06:59:52 UTC 2024
On Mon, 4 Mar 2024 05:04:13 GMT, Guoxiong Li <gli at openjdk.org> wrote:
>> In method `X509Authentication::createServerPossession`, it looks unnecessary to define the variable `serverAlias` outside the for-loop.
>> It may be better to move `serverAlias` into that loop to narrow down the scope.
>
> src/java.base/share/classes/sun/security/ssl/X509Authentication.java line 274:
>
>> 272: X509ExtendedKeyManager km = shc.sslContext.getX509KeyManager();
>> 273: for (String keyType : keyTypes) {
>> 274: String serverAlias = null;
>
> It seems this is not a simple cleanup. If you move the `serverAlias` definition into the loop, it means that every time the loop is entered, `serverAlias` will be `null`. But the previous code can keep the `serverAlias` value for the next iteration. So the meaning of the code has been changed. I don't know which meaning is right because I don't have a deep understanding of SSL now.
In my understanding, each iteration first chooses an alias from the key manager with a key type, and then tries to get the keys and certificates associated with this alias.
If an alias or its associated keys and certificates have something wrong, it should try other aliases associated with the key types in the remaining iterations.
If an alias can be used by the subsequent iterations, that looks like a bug.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/18100#discussion_r1510666303