On Tue, 2 May 2023 22:42:13 GMT, Hai-May Chao <hc...@openjdk.org> wrote:
>> Could someone help review this PKCS11KeyStore fix regarding the cert chain
>> removal?
>>
>> The proposed fix will not remove the cert if it has a corresponding private
>> key or is an issuer of other entities in the same keystore.
>>
>> Thanks,
>> Valerie
>
> test/jdk/sun/security/pkcs11/KeyStore/CertChainRemoval.java line 176:
>
>> 174:
>> 175: // should only have "pk1" now
>> 176: checkEntry(ks, "pk1", pk1Chain);
>
> When the keystore should only have "pk1" now, how would checkEntry(ks, "pk1",
> pk1Chain) succeed as it expects to have the “ca.cert” in the pk1Chain? The
> “ca.cert” shall not be deleted because “pk1.cert” depends on it. I may have
> missed something here.

I mean "pk1" entry, not just "pk1" cert. As you can see, the test checks for the complete cert chain for "pk1" entry.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/13743#discussion_r1186446763
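
The removal rule quoted above (keep a certificate that has a corresponding private key or that issued another entry in the same keystore), as an added Java model that is not the JDK's PKCS11 keystore code or the CertChainRemoval test. The class, the record, the "pk2" entry and the sample subjects are constructed for illustration.

```java
import java.util.*;

// Simplified model (assumption): the token holds certificate objects keyed by
// subject, plus a set of subjects that own a private key.
public class ChainRemovalModel {
    record Cert(String subject, String issuer) {}

    final Map<String, Cert> certs = new LinkedHashMap<>();  // subject -> cert
    final Set<String> privateKeys = new HashSet<>();        // subjects with a key

    void addKeyEntry(String subject, List<Cert> chain) {
        privateKeys.add(subject);
        chain.forEach(c -> certs.put(c.subject(), c));
    }

    // True if some other certificate still on the token was issued by 'c'.
    boolean issuesOther(Cert c) {
        return certs.values().stream()
                .anyMatch(o -> !o.equals(c) && o.issuer().equals(c.subject()));
    }

    // Delete a key entry: drop its private key, then walk the chain from the
    // end-entity cert upward, removing a cert only when nothing depends on it.
    void deleteKeyEntry(String subject) {
        privateKeys.remove(subject);
        Cert c = certs.get(subject);
        while (c != null) {
            if (privateKeys.contains(c.subject()) || issuesOther(c)) break;
            certs.remove(c.subject());
            if (c.issuer().equals(c.subject())) break;  // self-signed root reached
            c = certs.get(c.issuer());
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: two key entries sharing one CA certificate.
        Cert ca = new Cert("ca", "ca");
        ChainRemovalModel ks = new ChainRemovalModel();
        ks.addKeyEntry("pk1", List.of(new Cert("pk1", "ca"), ca));
        ks.addKeyEntry("pk2", List.of(new Cert("pk2", "ca"), ca));
        ks.deleteKeyEntry("pk2");               // "ca" stays: it issued "pk1"
        System.out.println(ks.certs.keySet());
        ks.deleteKeyEntry("pk1");               // no dependants left, "ca" goes too
        System.out.println(ks.certs.keySet());
    }
}
```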