On Wed, 15 Apr 2026 15:01:50 GMT, Matthias Baesken <[email protected]> wrote:
>> Seems there is a call to SecIdentityCopyPrivateKey where we miss calling
>> CFRelease in early returns/failure cases; same for SecIdentityCopyPrivateKey.
>>
>> See the Apple documentation
>> https://developer.apple.com/documentation/security/secidentitycopyprivatekey(_:_:)
>>
>> Also for
>> https://developer.apple.com/documentation/security/secidentitycopycertificate(_:_:)
>>
>> ---------
>> - [x] I confirm that I make this contribution in accordance with the
>> [OpenJDK Interim AI Policy](https://openjdk.org/legal/ai).
>
> Matthias Baesken has updated the pull request incrementally with one
> additional commit since the last revision:
>
>   Add a CFRetain after CFArrayGetValueAtIndex in addIdentitiesToKeystore

This is too complicated. I almost think we should have an `errIn` label before
the end of the do loop and release all of cert (if not used), private key (if
not used), the chain, and the identity there. After all, each iteration creates
a new keystore entry and they are independent. Only `identitySearch` should be
released at `errOut`.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/29821#issuecomment-4262361312
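
The per-iteration cleanup layout suggested in the reply above, as an added sketch in plain C; it is not code from the pull request or from the JDK. `Ref`, `ref_new`, `ref_release`, `store_entry` and the `fail` array are hypothetical stand-ins for the CoreFoundation objects and calls, so the leak check runs without the Security framework.

```c
#include <stdlib.h>

typedef struct { int rc; } Ref;   /* constructed stand-in for a CFTypeRef */
static int live = 0;              /* objects allocated and not yet freed */

static Ref *ref_new(void) {
    Ref *r = malloc(sizeof *r);
    if (r) { r->rc = 1; live++; }
    return r;
}
static void ref_release(Ref *r) {  /* NULL-safe here; CFRelease(NULL) crashes */
    if (r && --r->rc == 0) { free(r); live--; }
}
/* Hypothetical sink: takes ownership of cert and key for the new entry. */
static void store_entry(Ref *cert, Ref *key) { ref_release(cert); ref_release(key); }

/* fail[i]: 0 = ok, 1 = private key copy fails, 2 = chain build fails.
 * Returns the number of entries stored. */
int add_identities(const int *fail, int n) {
    int added = 0;
    Ref *search = ref_new();                 /* role of identitySearch */
    if (!search) goto errOut;
    for (int i = 0; i < n; i++) {
        Ref *identity = NULL, *cert = NULL, *key = NULL, *chain = NULL;
        if (!(identity = ref_new())) goto errIn;
        if (!(cert = ref_new())) goto errIn;
        if (fail[i] == 1 || !(key = ref_new())) goto errIn;
        if (fail[i] == 2 || !(chain = ref_new())) goto errIn;
        store_entry(cert, key);              /* ownership handed over */
        cert = key = NULL;                   /* "used": errIn must not release again */
        added++;
    errIn:                                   /* per-iteration cleanup, success or failure */
        ref_release(cert);
        ref_release(key);
        ref_release(chain);
        ref_release(identity);
    }
errOut:                                      /* only the search object lives this long */
    ref_release(search);
    return added;
}

int live_objects(void) { return live; }

int main(void) {
    int fail[] = {0, 1, 2, 0};               /* constructed failure pattern */
    int added = add_identities(fail, 4);
    return (added == 2 && live == 0) ? 0 : 1;
}
```

With real CoreFoundation objects each release at `errIn` needs a NULL guard, since `CFRelease` does not accept NULL.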
