Apple KeychainStore: Can it be used to access the MacOS trust store?
Graham Leggett
minfrin at sharp.fm
Wed Feb 14 10:16:55 UTC 2024
Hi all,
I am trying to make life easier for Apple and Windows users by providing functionality to use Windows-MY and Windows-ROOT; however, I got stuck with KeychainStore.
    import java.security.KeyStore;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManagerFactory;

    // keyPassphrase is the char[] protecting the private key entries
    KeyStore keyStore = KeyStore.getInstance("KeychainStore", "Apple");
    keyStore.load(null, null);
    KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("PKIX");
    keyManagerFactory.init(keyStore, keyPassphrase);

    // the same keychain-backed store is used as the trust store
    KeyStore trustStore = KeyStore.getInstance("KeychainStore", "Apple");
    trustStore.load(null, null);
    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("PKIX");
    trustManagerFactory.init(trustStore);

    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
    SSLSocketFactory factory = ctx.getSocketFactory();
The problem is that when connecting to a TLS endpoint with a publicly issued certificate, Java cannot validate the server’s certificate, as follows:
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
It looks like the functionality to access the macOS trust store is missing, which is counterintuitive and makes it seem like I am doing something wrong.
Digging into the JDK code leads us here:
https://github.com/openjdk/jdk/blob/master/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m
Specifically, what I don’t see is a call to SecTrustCopyAnchorCertificates:
https://developer.apple.com/documentation/security/1401507-sectrustcopyanchorcertificates?language=objc
Am I right in understanding that Java can access certificates in a keychain, but not certificates in the trust store?
Does it make sense to amend “KeychainStore” to allow access to the trust store, or does macOS need a dedicated keystore like Windows-ROOT?
Regards,
Graham
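Added example (not code from the mail above or from the JDK): a way to check what the Apple "KeychainStore" actually exposes, and to keep publicly issued server certificates validating while the keychain supplies no usable trust anchors. It counts the keychain's trusted-certificate entries, and only if there are any does it put a keychain-backed PKIX trust manager in front of the JDK's own default trust store (the one `TrustManagerFactory.init((KeyStore) null)` loads); a chain is accepted if either accepts it, and both failures are reported together when neither does. The class name `KeychainTrust` and the `FallbackTrustManager` helper are this example's own; it does not reach the macOS trust store, it only avoids the failure by falling back to the JDK's trust anchors.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Example code, not from the mail or the JDK. Builds an SSLContext whose trust
// decision consults the Apple KeychainStore first (when it has trust anchors at
// all) and the JDK default trust store second.
public class KeychainTrust {

    // Count entries by kind. A keychain with zero trusted-certificate entries
    // cannot serve as a trust store, so the caller skips it entirely.
    static int trustedCertEntries(KeyStore ks) throws Exception {
        int certs = 0, keys = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) certs++;
            if (ks.isKeyEntry(alias)) keys++;
        }
        System.out.printf("keychain: %d key entries, %d trusted-certificate entries%n", keys, certs);
        return certs;
    }

    static X509TrustManager x509(TrustManagerFactory tmf) {
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager for " + tmf.getAlgorithm());
    }

    // Accepts a chain if the primary trust manager accepts it, otherwise if the
    // fallback does. When neither accepts, the first failure is attached to the
    // second as a suppressed exception so both reasons survive.
    static final class FallbackTrustManager implements X509TrustManager {
        interface Check { void run(X509TrustManager tm) throws CertificateException; }

        private final X509TrustManager primary;
        private final X509TrustManager fallback;

        FallbackTrustManager(X509TrustManager primary, X509TrustManager fallback) {
            this.primary = primary;
            this.fallback = fallback;
        }

        private void either(Check check) throws CertificateException {
            try {
                check.run(primary);
            } catch (CertificateException first) {
                try {
                    check.run(fallback);
                } catch (CertificateException second) {
                    second.addSuppressed(first);
                    throw second;
                }
            }
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            either(tm -> tm.checkServerTrusted(chain, authType));
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            either(tm -> tm.checkClientTrusted(chain, authType));
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            List<X509Certificate> all = new ArrayList<>();
            Collections.addAll(all, primary.getAcceptedIssuers());
            Collections.addAll(all, fallback.getAcceptedIssuers());
            return all.toArray(new X509Certificate[0]);
        }
    }

    // keyManagers may be the KeychainStore-backed key managers from the mail, or null.
    static SSLContext build(KeyManager[] keyManagers) throws Exception {
        // null keystore = the JDK default trust store (javax.net.ssl.trustStore, else lib/security/cacerts)
        TrustManagerFactory jdk = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        jdk.init((KeyStore) null);
        X509TrustManager tm = x509(jdk);

        KeyStore keychain = KeyStore.getInstance("KeychainStore", "Apple");
        keychain.load(null, null);
        if (trustedCertEntries(keychain) > 0) {
            TrustManagerFactory apple = TrustManagerFactory.getInstance("PKIX");
            apple.init(keychain);
            tm = new FallbackTrustManager(x509(apple), tm);
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, new TrustManager[] { tm }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        build(null).getSocketFactory(); // hand this factory to the TLS client
    }
}
```

The printed entry counts are the quickest check of the mail's hypothesis: if the keychain-backed store lists identities as key entries but no trusted-certificate entries, the PKIX trust manager was never given any anchors, and the fallback is what keeps the public CA chain validating. The guard on the count matters because a PKIX trust manager initialised from a store with no trusted certificates has no trust anchors to build with, which is the failure mode the mail reports.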