RFR: 8303465: KeyStore of type KeychainStore, provider Apple does not show all trusted certificates [v4]
Christoph Langer
clanger at openjdk.org
Fri May 19 12:02:27 UTC 2023
> With this PR we try to be better in loading certificates from the MacOS Keychain into a JDK Trust store.
>
> The current implementation after JDK-8278449 would only load/trust certificates from an identity (with private key available) and certificates that have explicit trust set in the user domain (as shown by security dump-trust-settings). This, however is not sufficient and does not match the MacOS system behavior, e.g. if you compare with tools like curl or Safari.
>
> This change does the following:
> 1. The native method that reads trust settings will call the API SecTrustSettingsCopyTrustSettings on a certificate for both, User and Admin domain.
> 2. No trust settings will be reported as "inputTrust" being null. If the certificate is trusted with no specific records, "inputTrust" will be an empty list.
> 3. The Java Method to add a certificate now checks for "self signed" certificate not only by checking whether it was signed with its own key but it must also not be a root certificate that can be used to sign other certificates. This is done by inspecting the key usage extension.
> 4. We now trust certificates that are either "real" self-signed certificates or certificates that have an explicit trust entry with no sub-records that would deny the certificate for any purpose.
> 5. The check for double aliases has been augmented by comparing whether the certificate to be added is the same as the one that is already present. This can happen if a certificate is contained in both, the user and the system keychain, for instance.
>
> I have added a test that verifies whether certificates that should be trusted from "security dump-trust-settings" are contained in the keystore and those that should be disallowed are absent.
Christoph Langer has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains five additional commits since the last revision:
- Do not trust self signed certificates without trust settings
- Merge branch 'master' into JDK-8303465
- Check return code of SecTrustSettingsCopyTrustSettings and address review comments
- Add some more initializations to avoid crashes
- JDK-8303465
-------------
Changes:
- all: https://git.openjdk.org/jdk/pull/13945/files
- new: https://git.openjdk.org/jdk/pull/13945/files/b14e5f2c..890e12bf
Webrevs:
- full: https://webrevs.openjdk.org/?repo=jdk&pr=13945&range=03
- incr: https://webrevs.openjdk.org/?repo=jdk&pr=13945&range=02-03
Stats: 19714 lines in 628 files changed: 12808 ins; 2901 del; 4005 mod
Patch: https://git.openjdk.org/jdk/pull/13945.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/13945/head:pull/13945
PR: https://git.openjdk.org/jdk/pull/13945
More information about the security-dev
mailing list