RFR: JDK-8303465: KeyStore of type KeychainStore, provider Apple shows different behavior after 8278449

Weijun Wang weijun at openjdk.org
Thu Mar 2 15:28:23 UTC 2023 

On Thu, 2 Mar 2023 13:33:53 GMT, Matthias Baesken <mbaesken at openjdk.org> wrote:

> After 8278449, we seem to ignore in the call
> 
> `  if (SecTrustSettingsCopyTrustSettings(certRef, kSecTrustSettingsDomainUser, &trustSettings) == errSecItemNotFound) `
> 
> all trusted certs from admin and system domains, so a lot more certs are ignored than necessary.
> Probably we should take at least the certs with trust settings from kSecTrustSettingsDomainUser, kSecTrustSettingsDomainAdmin and kSecTrustSettingsDomainSystem domains .

I'd like to contribute a test.

/*
 * Copyright (c) 2023, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

import jdk.test.lib.process.OutputAnalyzer;
import jdk.test.lib.process.ProcessTools;

import java.security.KeyStore;
import java.util.ArrayList;
import java.util.List;

/*
 * @test
 * @bug 8303465
 * @library /test/lib
 * @requires os.family == "mac"
 * @summary list more trusted certificates
 */
public class ListKeyChain {


    public static void main(String[] args) throws Throwable {
        List<String> trusted = new ArrayList<>();
        populate(true, trusted);
        populate(false, trusted);
        System.out.println(trusted);
        KeyStore ks = KeyStore.getInstance("KEYCHAINSTORE");
        ks.load(null, null);
        for (String alias : trusted) {
            if (!ks.containsAlias(alias)) {
                throw new RuntimeException("Not found: " + alias);
            }
        }
    }

    static void populate(boolean admin, List<String> trusted) throws Throwable {
        OutputAnalyzer output = admin
                ? ProcessTools.executeProcess("security", "dump-trust-setting", "-d")
                : ProcessTools.executeProcess("security", "dump-trust-setting");
        String certName = null;
        for (String line : output.shouldHaveExitValue(0).asLines()) {
            if (line.startsWith("Cert ")) {
                certName = line.split(":", 2)[1].trim().toLowerCase();
            } else if (line.contains("Number of trust settings :")) {
                if (line.endsWith(": 0")) { // we only list trusted-for-all certs
                    trusted.add(certName);
                }
            }
        }
    }
}

-------------

PR: https://git.openjdk.org/jdk/pull/12829

More information about the security-dev mailing list