RFR: 8303465: KeyStore of type KeychainStore, provider Apple does not show all trusted certificates

Christoph Langer clanger at openjdk.org
Thu May 11 21:51:58 UTC 2023


With this PR we try to be better in loading certificates from the MacOS Keychain into a JDK Trust store.

The current implementation after JDK-8278449 would only load/trust certificates from an identity (with private key available) and certificates that have explicit trust set in the user domain (as shown by security dump-trust-settings). This, however is not sufficient and does not match the MacOS system behavior, e.g. if you compare with tools like curl or Safari.

This change does the following:
1. The native method that reads trust settings will call the API SecTrustSettingsCopyTrustSettings on a certificate for both, User and Admin domain.
2. No trust settings will be reported as "inputTrust" being null. If the certificate is trusted with no specific records, "inputTrust" will be an empty list.
3. The Java Method to add a certificate now checks for "self signed" certificate not only by checking whether it was signed with its own key but it must also not be a root certificate that can be used to sign other certificates. This is done by inspecting the key usage extension.
4. We now trust certificates that are either "real" self-signed certificates or certificates that have an explicit trust entry with no sub-records that would deny the certificate for any purpose.
5. The check for double aliases has been augmented by comparing whether the certificate to be added is the same as the one that is already present. This can happen if a certificate is contained in both, the user and the system keychain, for instance.

I have added a test that verifies whether certificates that should be trusted from "security dump-trust-settings" are contained in the keystore and those that should be disallowed are absent.

-------------

Commit messages:
 - JDK-8303465

Changes: https://git.openjdk.org/jdk/pull/13945/files
 Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=13945&range=00
  Issue: https://bugs.openjdk.org/browse/JDK-8303465
  Stats: 272 lines in 3 files changed: 204 ins; 31 del; 37 mod
  Patch: https://git.openjdk.org/jdk/pull/13945.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/13945/head:pull/13945

PR: https://git.openjdk.org/jdk/pull/13945



More information about the security-dev mailing list