JDK-8265499 : Release Note: Problem looking up Client Certificates in keystore
  • Type: Sub-task
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 8u261,11.0.1
  • Priority: P3
  • Status: Resolved
  • Resolution: Withdrawn
  • Submitted: 2021-04-20
  • Updated: 2022-03-30
  • Resolved: 2022-03-30
Description
Prior to JDK 8u261, the JSSE framework passed an array of Strings containing all key types in one call to the (delegate) javax.net.ssl.X509KeyManager.chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) implementation when client authentication is used by an application. Since JDK 8u261, the internal JDK libraries may call the delegate `javax.net.ssl.X509KeyManager.chooseClientAlias` method in multiple iterations while performing client authentication, passing one key type per call.
https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/X509KeyManager.html#chooseClientAlias-java.lang.String:A-java.security.Principal:A-java.net.Socket-

If application code implements `javax.net.ssl.X509KeyManager`, ensure that the code logic in that implementation does not assume that all key types are passed in the `keyType` String array in the first call to chooseClientAlias: `String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket)`.
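The following is an added example, not code from the JDK or from this issue, of an `X509KeyManager` wrapper whose `chooseClientAlias` decision depends only on the key types passed in the current call. It therefore behaves the same whether the framework passes all key types at once (pre-8u261) or one key type per call (8u261 and later). The class name `PerCallClientKeyManager`, the stub delegate and the alias name `client-rsa` are constructed for this illustration.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509KeyManager;

/**
 * Delegating key manager that picks a client alias per call.
 * It never caches a result across calls and never returns an alias whose key
 * type is not among the types requested in this call; when nothing matches it
 * returns null so the framework can go on to the next key type.
 */
public final class PerCallClientKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;

    public PerCallClientKeyManager(X509KeyManager delegate) {
        this.delegate = delegate;
    }

    @Override
    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        if (keyType == null) {
            return null;
        }
        // Iterate over the types requested in THIS call only; the framework's
        // order expresses its preference, so the first type with an alias wins.
        for (String type : keyType) {
            String[] aliases = delegate.getClientAliases(type, issuers);
            if (aliases != null && aliases.length > 0) {
                return aliases[0];
            }
        }
        // No alias for these key types: let the caller try its next key type.
        return null;
    }

    @Override
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        return delegate.getClientAliases(keyType, issuers);
    }

    @Override
    public String[] getServerAliases(String keyType, Principal[] issuers) {
        return delegate.getServerAliases(keyType, issuers);
    }

    @Override
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return delegate.chooseServerAlias(keyType, issuers, socket);
    }

    @Override
    public X509Certificate[] getCertificateChain(String alias) {
        return delegate.getCertificateChain(alias);
    }

    @Override
    public PrivateKey getPrivateKey(String alias) {
        return delegate.getPrivateKey(alias);
    }

    /** Constructed stub standing in for a keystore that holds a single RSA client key. */
    static X509KeyManager stubWithRsaOnly() {
        return new X509KeyManager() {
            public String[] getClientAliases(String keyType, Principal[] issuers) {
                return "RSA".equals(keyType) ? new String[] {"client-rsa"} : null;
            }
            public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
                return null; // not used: the wrapper drives alias selection
            }
            public String[] getServerAliases(String keyType, Principal[] issuers) { return null; }
            public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return null; }
            public X509Certificate[] getCertificateChain(String alias) { return null; }
            public PrivateKey getPrivateKey(String alias) { return null; }
        };
    }

    public static void main(String[] args) {
        X509KeyManager km = new PerCallClientKeyManager(stubWithRsaOnly());
        // Pre-8u261 calling pattern: every key type in one array.
        System.out.println("all at once: " + km.chooseClientAlias(new String[] {"EC", "RSA"}, null, null));
        // 8u261+ calling pattern: one key type per call. The EC call yields null,
        // and the framework's following RSA call yields the alias.
        System.out.println("EC only:     " + km.chooseClientAlias(new String[] {"EC"}, null, null));
        System.out.println("RSA only:    " + km.chooseClientAlias(new String[] {"RSA"}, null, null));
    }
}
```

The `main` method exercises both calling patterns against the same wrapper: the combined call and the per-type RSA call both resolve to the RSA alias, while the per-type EC call returns null instead of falling back to an alias of the wrong key type. An implementation that picked a default alias when its preferred type was absent, or that remembered the outcome of the first call, would produce the lookup failure this note describes once the framework switched to one key type per call.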