RFR: 8303465: KeyStore of type KeychainStore, provider Apple does not show all trusted certificates [v3]

Christoph Langer clanger at openjdk.org
Wed May 17 21:32:50 UTC 2023

On Wed, 17 May 2023 20:49:34 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> No matter what `SecTrustSettingsCopyTrustSettings` returns, you will always call `jm_createTrustedCertEntry`. This means if I add a self-signed certificate but have not added any trusted settings onto it, it will always be trusted. Is this intended?

Yes, I will call `jm_createTrustedCertEntry` for every certificate, at least independent from the results of the `SecTrustSettingsCopyTrustSettings` calls.

As I outlined in my initial PR description, point 3, the actual check whether a certificate is self-signed is done in the `createTrustedCertEntry` Java method. So, yes, when there is a self-signed certificate without explicit trust settings, it is always trusted. I thought that this was the intentional behavior even before my changes. However, the difference from the code before is that I look at the certificate and check whether it is a real plain self-signed certificate that can be used for TLS communication - which would be trusted. But what's not trusted now are CA root certificates, which also means self-signed but additionally key usage 'keyCertSign' and/or 'cRLSign'. See [this code](https://github.com/RealCLanger/jdk/blob/b14e5f2c78ff4aded84410a2b58d83138349d9ab/src/java.base/macosx/classes/apple/security/KeychainStore.java#L857).

Makes sense?


PR Comment: https://git.openjdk.org/jdk/pull/13945#issuecomment-1552107272
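
The distinction drawn in the message above (plain self-signed certificate versus self-signed CA root carrying key usage 'keyCertSign' and/or 'cRLSign'), as an added example that is not part of the original mail and is not the `KeychainStore` code from the PR. The class name `SelfSignedKind` and the `Kind` enum are hypothetical; the program only classifies certificate files (PEM or DER) given on the command line and does not model keychain trust settings.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Added illustration; names are hypothetical, not taken from the JDK sources.
public class SelfSignedKind {
    enum Kind { NOT_SELF_SIGNED, PLAIN_SELF_SIGNED, SELF_SIGNED_CA }

    // Bit positions in the array returned by X509Certificate.getKeyUsage().
    private static final int KEY_CERT_SIGN = 5;
    private static final int CRL_SIGN = 6;

    static Kind classify(X509Certificate cert) {
        // Self-signed: subject equals issuer and the signature verifies
        // under the certificate's own public key.
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            return Kind.NOT_SELF_SIGNED;
        }
        try {
            cert.verify(cert.getPublicKey());
        } catch (GeneralSecurityException e) {
            return Kind.NOT_SELF_SIGNED;
        }
        // getKeyUsage() returns null when the extension is absent.
        boolean[] ku = cert.getKeyUsage();
        boolean signsCertsOrCrls = ku != null
                && ((ku.length > KEY_CERT_SIGN && ku[KEY_CERT_SIGN])
                 || (ku.length > CRL_SIGN && ku[CRL_SIGN]));
        return signsCertsOrCrls ? Kind.SELF_SIGNED_CA : Kind.PLAIN_SELF_SIGNED;
    }

    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (String path : args) {
            try (InputStream in = Files.newInputStream(Paths.get(path))) {
                X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
                System.out.println(path + ": " + classify(cert));
            }
        }
    }
}
```

Running it over certificates exported from a keychain shows which self-signed entries fall into the CA-root category that the message says is no longer trusted without explicit trust settings.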
