- Bug
- Resolution: Fixed
- P3
- 11, 17, 18, 19, 20
- b24
- generic
- generic
- Verified
ADDITIONAL SYSTEM INFORMATION :
java version "18.0.1.1" 2022-04-22
Java(TM) SE Runtime Environment (build 18.0.1.1+2-6)
Java HotSpot(TM) 64-Bit Server VM (build 18.0.1.1+2-6, mixed mode, sharing)
A DESCRIPTION OF THE PROBLEM :
I have a simple setup on a PKCS#11 compliant token with 2 entries seen from Java key-store:
"e1":{RCA_PrivateKey <-> RCA_Cert}
"e2":{CA_PrivateKey <-> CA_Cert}
To be clear, "CA_Cert" is signed and issued by "RCA_Cert and PrivateKey".
Calling KeyStore.deleteEntry("e2") on key-store obtained from SunPKCS11Provider (that is, an instance of P11KeyStore) results in "RCA_Cert" also getting deleted while it is on the chain of "RCA_PrivateKey", and this leaves that key dangling.
Looking at the code for PK11KeyStore.destroyChain()
(https://github.com/openjdk/jdk/blob/048705c04967d106dedc09a4cf2325a3b46ef4e7/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyStore.java#L1965)
reveals that the logic for "only delete if not part of any other chain" (from code comments on line 2025) does not take this PrivateKey association into account; it just looks for subject-issuer DN matching (line 2030).
This check must also be in place so that the status of the key-store is not rendered invalid after the delete operation.
FREQUENCY : always
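
The deletion rule described in the report, as an added example that is not part of the original report and is not the JDK's code: a simplified in-memory model that removes a chain using only a subject-issuer DN test, then again with an extra test that a remaining private key is still paired with the certificate. The class `ChainRemovalModel`, its fields, the `checkKeyAssociation` flag and the sample DNs are all hypothetical.

```java
import java.util.*;

public class ChainRemovalModel {
    // Constructed model of token objects; "id" stands in for the key/cert pairing.
    record Cert(String subject, String issuer, String id) {}

    final List<Cert> certs = new ArrayList<>();
    final Set<String> privateKeyIds = new HashSet<>();

    // Constructed sample mirroring the report: e1 = RCA key + RCA_Cert, e2 = CA key + CA_Cert.
    static ChainRemovalModel sample() {
        ChainRemovalModel m = new ChainRemovalModel();
        m.certs.add(new Cert("CN=RCA", "CN=RCA", "e1"));
        m.certs.add(new Cert("CN=CA", "CN=RCA", "e2"));
        m.privateKeyIds.addAll(List.of("e1", "e2"));
        return m;
    }

    // End-entity cert by id, then follow issuer DN -> subject DN up to the root.
    List<Cert> chainFor(String keyId) {
        List<Cert> chain = new ArrayList<>();
        Cert cur = certs.stream().filter(c -> c.id().equals(keyId)).findFirst().orElse(null);
        while (cur != null && !chain.contains(cur)) {
            chain.add(cur);
            String issuer = cur.issuer();
            cur = certs.stream().filter(c -> c.subject().equals(issuer)).findFirst().orElse(null);
        }
        return chain;
    }

    void deleteEntry(String keyId, boolean checkKeyAssociation) {
        List<Cert> chain = chainFor(keyId);
        privateKeyIds.remove(keyId);
        for (Cert c : chain) {
            // DN-only test: does another remaining cert name this one as its issuer?
            boolean issuesOther = certs.stream()
                .anyMatch(o -> o != c && o.issuer().equals(c.subject()));
            // Extra test: is a remaining private key still paired with this cert?
            boolean ownedByKey = checkKeyAssociation && privateKeyIds.contains(c.id());
            if (issuesOther || ownedByKey) break; // keep this cert and everything above it
            certs.remove(c);
        }
    }

    public static void main(String[] args) {
        for (boolean check : new boolean[] {false, true}) {
            ChainRemovalModel m = sample();
            m.deleteEntry("e2", check);
            boolean dangling = m.chainFor("e1").isEmpty();
            System.out.println("key association check=" + check
                + " remaining certs=" + m.certs + " e1 dangling=" + dangling);
        }
    }
}
```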
- relates to: JDK-8309214 sun/security/pkcs11/KeyStore/CertChainRemoval.java fails after 8301154 (Closed)