On Thu, 1 Apr 2021 16:26:39 GMT, Hai-May Chao <hc...@openjdk.org> wrote:

>> src/java.base/share/classes/sun/security/tools/keytool/Main.java line 2013:
>> 
>>> 2011:         }
>>> 2012: 
>>> 2013:         X509Certificate[] chain = new X509Certificate[1];
>> 
>> Since the chain might contain one, I'd suggest we just declare a `newCert` 
>> here. When signer flag is not on, we can simply get the chain with `new 
>> Certificate[] {newCert}`.
>
> Not sure the reason why a change is needed for the existing logic.

With a signer, it makes no sense to create a single-cert array at the 
beginning. I am suggesting:

```java
X509Certificate newCert = keypair.getSelfCertificate(...);
Certificate[] finalChain;
if (signerFlag) {
    finalChain = new ...
    finalChain[0] = newCert;
} else {
    finalChain = new Certificate[] { newCert };
}
keyStore.setEntry(..., finalChain);
```

-------------

PR: https://git.openjdk.java.net/jdk/pull/3281
