Integrated: 8303465: KeyStore of type KeychainStore, provider Apple does not show all trusted certificates

Christoph Langer clanger at openjdk.org
Mon Jun 5 08:40:21 UTC 2023


On Thu, 11 May 2023 21:38:35 GMT, Christoph Langer <clanger at openjdk.org> wrote:

> With this PR we try to be better at loading certificates from the macOS Keychain into a JDK Trust store.
> 
> The current implementation after JDK-8278449 would only load/trust certificates from an identity (with private key available) and certificates that have explicit trust set in the user domain (as shown by security dump-trust-settings). This, however, is not sufficient and does not match the macOS system behavior, e.g. if you compare with tools like curl or Safari.
> 
> This change does the following:
> 1. The native method that reads trust settings will call the API SecTrustSettingsCopyTrustSettings on a certificate for both the User and Admin domains.
> 2. We now trust self-signed certificates that have an explicit trust entry with no sub-records or no sub-records that would deny the certificate usage for any purpose.
> 3. The check for double aliases has been augmented by comparing whether the certificate to be added is the same as the one that is already present. This can happen if a certificate is contained in both the user and the system keychain, for instance.
> 
> I have added a test that verifies whether certificates that should be trusted from "security dump-trust-settings" are contained in the keystore and those that should be disallowed are absent.

This pull request has now been integrated.

Changeset: ac41c030
Author:    Christoph Langer <clanger at openjdk.org>
URL:       https://git.openjdk.org/jdk/commit/ac41c030030c3d31815474c793ac9c420c47e22c
Stats:     241 lines in 3 files changed: 193 ins; 32 del; 16 mod

8303465: KeyStore of type KeychainStore, provider Apple does not show all trusted certificates

Reviewed-by: mbaesken, weijun

-------------

PR: https://git.openjdk.org/jdk/pull/13945
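The following is an added example, not code from the PR or the JDK: a small Java program that loads the Apple KeychainStore exactly as a JDK application would and reports what it exposes as trusted certificate entries, so the effect of the change can be checked against `security dump-trust-settings` by hand. It assumes a macOS JDK that includes this changeset. The class and method names are my own; the duplicate detection here compares DER encodings via a SHA-256 digest, which is my choice for the check and not necessarily how the provider's own alias comparison is implemented.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Lists the trusted certificate entries exposed by the Apple KeychainStore.
 * Added example (not part of the JDK); assumes macOS and a JDK containing
 * the 8303465 change. Requires Java 16+ for records and pattern matching.
 */
public class KeychainTrustAudit {

    /** Summary of one trusted-certificate entry (hypothetical helper type). */
    record TrustedCert(String alias, String subject, boolean selfSigned, String sha256) {}

    /** A root is self-signed if subject == issuer and the signature verifies under its own key. */
    static boolean isSelfSigned(X509Certificate cert) {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            return false;
        }
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    /** SHA-256 over the DER encoding; used here as the identity of a certificate. */
    static String sha256Hex(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** Walks the keystore and returns its trusted-certificate entries, reporting duplicates. */
    static List<TrustedCert> audit(KeyStore ks) throws Exception {
        List<TrustedCert> out = new ArrayList<>();
        Map<String, String> firstAliasByDigest = new HashMap<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) {
                continue; // identities (entries with a private key) are not trust anchors here
            }
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate x)) {
                continue;
            }
            String digest = sha256Hex(x);
            String earlier = firstAliasByDigest.putIfAbsent(digest, alias);
            if (earlier != null) {
                // Same certificate under two aliases (e.g. present in user and system keychain);
                // the augmented alias check in the changeset is meant to collapse these.
                System.err.println("duplicate certificate under aliases " + earlier + " and " + alias);
            }
            out.add(new TrustedCert(alias, x.getSubjectX500Principal().getName(),
                    isSelfSigned(x), digest));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("KeychainStore", "Apple");
        ks.load(null, null); // no stream or password: the store is backed by the keychain
        List<TrustedCert> certs = audit(ks);
        for (TrustedCert t : certs) {
            System.out.printf("%s%n  alias=%s self-signed=%b sha256=%s%n",
                    t.subject(), t.alias(), t.selfSigned(), t.sha256());
        }
        System.out.println(certs.size() + " trusted certificate entries");
    }
}
```

Run it with `java KeychainTrustAudit.java` on macOS and compare the printed subjects with the output of `security dump-trust-settings` (user domain) and `security dump-trust-settings -d` (admin domain). Certificates that carry an explicit trust entry with no denying sub-records should appear once, as self-signed entries; certificates whose trust settings deny every usage should be absent, which is the same property the PR's test checks.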


