I'm using Network Security Services (NSS) as my SunPKCS11 provider for my Java application and I'm experiencing some undesired behavior: reinserting the same trusted certificate into the keystore deletes the trust attributes that were successfully set when the certificate was initially inserted.
Here is some incomplete code to demonstrate the essence of the problem:
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import sun.security.pkcs11.SunPKCS11;

// pkcs11ConFile, pwd, alias and cert are set earlier; pkcs11ConFile is the SunPKCS11
// config that names the NSS library and its certificate database directory.
Provider p = new SunPKCS11(pkcs11ConFile);
Security.addProvider(p);
KeyStore keystore = KeyStore.getInstance("PKCS11", p);
keystore.load(null, pwd);
keystore.setCertificateEntry(alias, cert);
// at this point, when I use certutil.exe to list the keystore certificates I can see
// the certificate listed with attributes "CT,C,C" for SSL, S/MIME, JAR/XPI respectively.
keystore.deleteEntry(alias);
keystore.setCertificateEntry(alias, cert);
// now when I run the same certutil.exe command I see empty trust attributes, i.e. ",,".
I'm still able to reload the same keystore (and certificate) and SSL authentication works flawlessly; however, when the app is restarted and the keystore is reloaded again, the certificate is unavailable in the list of trusted aliases.
Why things fail to work only when the app is restarted is also a mystery to me.
I read something that seems to be related at http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6298106; however, it doesn't seem to apply 100%, and I don't understand the internals of NSS well enough to make complete sense of it.
Does anyone understand this behavior?
thanks, Mike
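A startup check for the failure described in the question, added here as an example and not part of Mike's code: it reloads the NSS-backed keystore the way a fresh process would, confirms the alias is still a certificate entry, and then builds a PKIX trust manager from the keystore to confirm the certificate is actually honoured as a trust anchor for SSL (which is what the "CT" attribute is supposed to grant). It assumes the same `SunPKCS11(String)` constructor form as the question (JDK 8 and earlier), and the config path, password and alias are hypothetical command-line arguments.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import sun.security.pkcs11.SunPKCS11;

public class NssTrustCheck {

    // Reloads the NSS-backed keystore from scratch and checks two things: that the alias is
    // still a certificate entry, and that the PKIX trust manager built from the keystore
    // actually lists that certificate among its accepted issuers (i.e. it is a trust anchor).
    static boolean trustAnchorPresent(String pkcs11ConFile, char[] pwd, String alias) throws Exception {
        Provider p = new SunPKCS11(pkcs11ConFile);   // hypothetical config path supplied by caller
        Security.addProvider(p);
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pwd);
        System.out.println("aliases visible through SunPKCS11: " + Collections.list(ks.aliases()));
        if (!ks.isCertificateEntry(alias)) {
            return false;                               // the symptom seen after an app restart
        }
        X509Certificate expected = (X509Certificate) ks.getCertificate(alias);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ks);                                   // trust anchors come from the certificate entries
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                X509Certificate[] anchors = ((X509TrustManager) tm).getAcceptedIssuers();
                if (Arrays.asList(anchors).contains(expected)) {   // Certificate.equals compares DER encoding
                    return true;
                }
            }
        }
        return false;                                   // present as an entry but not honoured for SSL
    }

    public static void main(String[] args) throws Exception {
        // hypothetical arguments: SunPKCS11 config file, NSS database password, alias to verify
        boolean ok = trustAnchorPresent(args[0], args[1].toCharArray(), args[2]);
        System.out.println(ok ? "trusted certificate present" : "trusted certificate missing or not a trust anchor");
        System.exit(ok ? 0 : 1);
    }
}
```

Running this once before the app starts serving, and again after the delete/reinsert sequence, separates the two symptoms in the question: an alias that is absent fails the first check, while one that is listed but has lost its trust attributes fails the second.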