On Mon, 1 May 2023 19:49:05 GMT, Valerie Peng <valer...@openjdk.org> wrote:
> Could someone help review this PKCS11KeyStore fix regarding the cert chain
> removal?
>
> The proposed fix will not remove the cert if it has a corresponding private
> key or is an issuer of other entities in the same keystore.
>
> Thanks,
> Valerie

Is it possible to generate the keys and certs on the fly?

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyStore.java line 2031:

> 2029: cert.getSubjectX500Principal() + "]");
> 2030: }
> 2031: } else {

If `destroyIt` is false for the 1st cert, are you going to return false? Maybe it does not matter.

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyStore.java line 2057:

> 2055: currHdl = ch[0];
> 2056: } else {
> 2057: currHdl = 0L;

Maybe just `break`?

-------------

PR Review: https://git.openjdk.org/jdk/pull/13743#pullrequestreview-1415118643
PR Review Comment: https://git.openjdk.org/jdk/pull/13743#discussion_r1186303587
PR Review Comment: https://git.openjdk.org/jdk/pull/13743#discussion_r1186299589