From 4207c8df37228f1d8f4d89df4a6b4eac656a25e6 Mon Sep 17 00:00:00 2001
From: Hiroko Takamiya
Date: Thu, 21 Nov 2024 16:44:46 -0500
Subject: [PATCH] Update the code to iterating through keyTypes. Currently the code checks only the first keyType
---
 .../com/ibm/ws/ssl/core/WSX509KeyManager.java | 22 +++++++++++++------
 1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/dev/com.ibm.ws.ssl/src/com/ibm/ws/ssl/core/WSX509KeyManager.java b/dev/com.ibm.ws.ssl/src/com/ibm/ws/ssl/core/WSX509KeyManager.java
index 82593c3ba7a..e54dd320922 100644
--- a/dev/com.ibm.ws.ssl/src/com/ibm/ws/ssl/core/WSX509KeyManager.java
+++ b/dev/com.ibm.ws.ssl/src/com/ibm/ws/ssl/core/WSX509KeyManager.java
@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2005, 2015 IBM Corporation and others.
+ * Copyright (c) 2005, 2024 IBM Corporation and others.
 * All rights reserved. This program and the accompanying materials
 * are made available under the terms of the Eclipse Public License 2.0
 * which accompanies this distribution, and is available at
@@ -343,18 +343,26 @@ public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSL if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) Tr.entry(tc, "chooseEngineClientAlias", new Object[] { keyType, issuers, engine }); - String rc = null; + String alias = null; if (null != customKM && customKM instanceof X509ExtendedKeyManager) { if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) Tr.debug(tc, "chooseEngineClientAlias, using customKM -> " + customKM.getClass().getName()); - rc = ((X509ExtendedKeyManager) customKM).chooseEngineClientAlias(keyType, issuers, engine); - } else { - rc = chooseClientAlias(keyType[0], issuers); - } + alias = ((X509ExtendedKeyManager) customKM).chooseEngineClientAlias(keyType, issuers, engine); + } + //Despite the Javadoc indicating support for passing an array of keyTypes, + //there is a historical requirement to pass the key individually each time. + //To maintain the zero-migration policy approach, iteration will continue + //unless a performance issue arises. + for (String type : keyType) { + alias = chooseClientAlias(type, issuers); + if (alias != null) { + break; + } + } if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) Tr.exit(tc, "chooseEngineClientAlias"); - return rc; + return alias; } /**
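Review bot: The `for (String type : keyType)` loop now runs unconditionally because the `} else {` was removed, so an alias returned by the custom `X509ExtendedKeyManager` is overwritten by whatever `chooseClientAlias(type, issuers)` returns, including null. For client-certificate authentication this means the identity chosen by the custom key manager can be silently replaced or dropped, unless `chooseClientAlias` itself defers to `customKM`, which this hunk does not show. Keep the loop in the else branch by restoring `} else {` ahead of the new comment, or guard it with `if (alias == null) {` if a fallback to the default selection is intended. A null `keyType` would now also throw in the custom-manager path, where previously the array was only passed through. The method's signature appears only in the hunk header, so its declared contract is not visible here.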