On Thu, 16 Apr 2026 17:46:40 GMT, Weijun Wang <[email protected]> wrote:

> This function calls 3 `Copy` functions. We already took care of outputs from
> `SecIdentityCopyCertificate` and `SecIdentityCopyPrivateKey`, what about
> `SecIdentitySearchCopyNext` that returns `theIdentity`? It's like the
> certificate and the private key that each do loop will create one so we
> cannot just clean it after errOut.

SecIdentitySearchCopyNext manpage says about identity
https://developer.apple.com/documentation/security/secidentitysearchcopynext

    identity
    On return, points to the identity object of the next matching identity (if any). In Objective-C, call the [CFRelease] function to release this object when finished with it.

So you might be right that we need to call CFRelease.
But here
https://github.com/openjdk/jdk/blob/17e91514a85c8b39f837eae0e6154daf523d4de1/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m#L134C24-L134C33
we put identity into some array; so I am not sure _when_ to release it.

> This is too complicated. I almost think we should have an `errIn` label
> before the end of the do loop and release all of cert (if not used), private
> key (if not used), the chain, and the identity there. After all each
> iteration creates a new keystore entry and they are independent. Only
> `identitySearch` should be released at `errOut`.

Should we maybe do it in a follow-up change? It gets all a little complicated unfortunately.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/29821#issuecomment-4305185484
PR Comment: https://git.openjdk.org/jdk/pull/29821#issuecomment-4305196366
