Enhancement
Resolution: Unresolved
P4
None
16
generic
generic
A DESCRIPTION OF THE PROBLEM:
sun.security.pkcs11.P11KeyStore method engineSetEntry compares the new public key (in the cert) with the public keys of all stored private keys, and if an entry is found it updates the existing key and cert.
First, according to the JCA and the java.security.KeyStore doc, it is always only the alias that differentiates a key. The same key can even be stored multiple times using different aliases. This is not forbidden. It seems the implementation prohibits this.
Second, since the code loops over all private keys and gets the cert for each, performance will decrease linearly with the number of keys in the keystore. Depending on the PKCS#11 implementation this becomes very slow.
EXPECTED VERSUS ACTUAL BEHAVIOR:
EXPECTED -
Keys in the P11 keystore shall only be distinguished by name, not by guessing from the public key stored in the cert.
FREQUENCY: always
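The following is an added example, not code from the bug report or from the JDK. It exercises the KeyStore contract the report relies on (the alias is the identity of an entry, so the same key and certificate may be stored under a second alias) against a software PKCS12 keystore, and sketches the per-entry certificate scan the report describes for P11KeyStore to make its linear cost visible. It assumes a keystore file test.p12 with an alias "a" and password "changeit", created beforehand with keytool -genkeypair -keystore test.p12 -storetype PKCS12 -alias a -keyalg RSA -dname CN=test -storepass changeit; those names and the helper aliasesWithPublicKey are assumptions of this example. Reproducing the reported merge behaviour itself requires the SunPKCS11 provider and a real token, which is not shown here.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;

public class AliasDemo {

    // Assumed file name and password for this example only (see lead-in for the keytool command).
    static final String KS_FILE = "test.p12";
    static final char[] PW = "changeit".toCharArray();

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(KS_FILE)) {
            ks.load(in, PW);
        }
        KeyStore.PasswordProtection prot = new KeyStore.PasswordProtection(PW);
        KeyStore.PrivateKeyEntry entry = (KeyStore.PrivateKeyEntry) ks.getEntry("a", prot);

        // JCA contract cited by the report: the same key and cert stored under a second alias.
        // A software keystore keeps both aliases; the report says P11KeyStore instead merges
        // them because engineSetEntry matches on the certificate's public key, not the alias.
        ks.setEntry("b", entry, prot);
        System.out.println("aliases: " + Collections.list(ks.aliases()));

        // The alias is the identity of an entry: both names must resolve to the same key.
        System.out.println("same key under both aliases: "
                + ks.getKey("a", PW).equals(ks.getKey("b", PW)));

        // Sketch of the matching the report describes (not the JDK's own code): locating an
        // existing entry by public key means fetching the certificate of every private key
        // entry, so the cost grows linearly with the number of keys in the store.
        System.out.println("aliases holding this public key: "
                + aliasesWithPublicKey(ks, entry.getCertificate().getPublicKey()));

        try (FileOutputStream out = new FileOutputStream(KS_FILE)) {
            ks.store(out, PW);
        }
    }

    // Hypothetical helper: returns every key-entry alias whose certificate carries pk.
    // One getCertificate call per key entry; this is the linear scan the report objects to.
    static List<String> aliasesWithPublicKey(KeyStore ks, PublicKey pk) throws Exception {
        List<String> hits = new ArrayList<>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!ks.isKeyEntry(alias)) {
                continue;
            }
            Certificate c = ks.getCertificate(alias);   // one call per stored private key
            if (c != null && c.getPublicKey().equals(pk)) {
                hits.add(alias);
            }
        }
        return hits;
    }
}
```

Compile and run with javac AliasDemo.java && java AliasDemo after creating test.p12 with the keytool command above; the PKCS12 store prints two aliases holding the same key, which is the behaviour the report expects from the PKCS#11 store as well. Swapping the "PKCS12" type for a SunPKCS11 provider instance is the way to observe the merge described in the report, and the per-entry getCertificate call in aliasesWithPublicKey is where a slow PKCS#11 module would make the linear cost noticeable.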