On Fri, 5 May 2023 16:46:16 GMT, Weijun Wang <[email protected]> wrote:
>> Could someone help review this PKCS11KeyStore fix regarding the cert chain
>> removal?
>>
>> The proposed fix will not remove the cert if it has a corresponding private
>> key or is an issuer of other entities in the same keystore.
>>
>> Thanks,
>> Valerie
>
> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyStore.java
> line 2031:
>
>> 2029: cert.getSubjectX500Principal() + "]");
>> 2030: }
>> 2031: } else {
>
> If `destroyIt` is false for the 1st cert, are you going to return false?
> Maybe it does not matter.
Hmm, I think the rest of chain should still be checked and removed if no
dependents for them.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/13743#discussion_r1186517535
