Apple KeychainStore: Can it be used to access the MacOS trust store?

Alexey Bakhtin alexey at azul.com
Wed Feb 14 14:43:44 UTC 2024


Hello Graham,

This functionality is under review now at https://github.com/openjdk/jdk/pull/16722
This patch proposes access to the MacOS trust store using a new Java KeychainStore-Root keystore.
Feel free to review and comment.

Regards
Aleksei

> On 14 Feb 2024, at 02:16, Graham Leggett <minfrin at sharp.fm> wrote:
> 
> 
> 
> Hi all,
> 
> I am trying to make life easier for Apple and Windows users by providing functionality to use Windows-MY and Windows-ROOT, however I got stuck with KeychainStore.
> 
> // Client key material from the user's keychain
> KeyStore keyStore = KeyStore.getInstance("KeychainStore", "Apple");
> keyStore.load(null, null);
> KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("PKIX");
> keyManagerFactory.init(keyStore, keyPassphrase);
> // Trust anchors taken from the same keychain keystore
> KeyStore trustStore = KeyStore.getInstance("KeychainStore", "Apple");
> trustStore.load(null, null);
> TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("PKIX");
> trustManagerFactory.init(trustStore);
> SSLContext ctx = SSLContext.getInstance("TLS");
> ctx.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
> SSLSocketFactory factory = ctx.getSocketFactory();
> 
> The problem is that when connecting to a TLS endpoint with a publicly issued certificate, Java cannot validate the server’s certificate as follows:
> 
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> 
> It looks like the functionality to access the MacOS trust store is missing, which is counterintuitive and makes it seem like I am doing something wrong.
> 
> Digging into the JDK code it leads us here:
> 
> https://github.com/openjdk/jdk/blob/master/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m
> 
> Specifically, what I don’t see is a call to SecTrustCopyAnchorCertificates:
> 
> https://developer.apple.com/documentation/security/1401507-sectrustcopyanchorcertificates?language=objc
> 
> Am I right in understanding that java can access certificates in a keychain, but not certificates in the trust store?
> 
> Does it make sense to amend “KeychainStore” to allow access to the trust store, or does macos need a dedicated keystore like Windows-ROOT?
> 
> Regards,
> Graham

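An added example, not code from either message or from the PR itself: it builds the SSLContext the way Graham's snippet does, but takes trust anchors from the KeychainStore-Root type proposed in PR 16722 (assumption: the running JDK includes that change and the type is registered with the "Apple" provider), falls back to the JDK's own cacerts when the type is absent, and refuses to proceed if the loaded trust keystore contains no trusted-certificate entries, which is the condition behind the SunCertPathBuilderException quoted above.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class KeychainTls {

    // Count the entries PKIX will actually use as trust anchors.
    static int countTrustAnchors(KeyStore ks) throws KeyStoreException {
        int anchors = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            if (ks.isCertificateEntry(e.nextElement())) {
                anchors++;
            }
        }
        return anchors;
    }

    // Assumption: "KeychainStore-Root" exists in the Apple provider once PR 16722 is in.
    static TrustManagerFactory trustFromKeychainRoots() throws GeneralSecurityException, IOException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        KeyStore roots;
        try {
            roots = KeyStore.getInstance("KeychainStore-Root", "Apple");
        } catch (KeyStoreException unsupported) {
            // JDK without the change: a null KeyStore makes PKIX use the JDK cacerts file.
            tmf.init((KeyStore) null);
            return tmf;
        }
        roots.load(null, null);
        if (countTrustAnchors(roots) == 0) {
            throw new KeyStoreException("trust keystore exposes no trusted-certificate entries; "
                    + "PKIX would fail with SunCertPathBuilderException");
        }
        tmf.init(roots);
        return tmf;
    }

    static SSLContext build(char[] keyPassphrase) throws GeneralSecurityException, IOException {
        KeyStore keyStore = KeyStore.getInstance("KeychainStore", "Apple"); // client keys, as in the original snippet
        keyStore.load(null, null);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("PKIX");
        kmf.init(keyStore, keyPassphrase);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), trustFromKeychainRoots().getTrustManagers(), null);
        return ctx;
    }
}
```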

