RFR: 8347067: Load certificates without explicit trust settings in KeyChainStore [v5]

Tim Jacomb duke at openjdk.org
Wed Apr 2 15:02:57 UTC 2025


On Tue, 1 Apr 2025 19:23:27 GMT, Sean Mullan <mullan at openjdk.org> wrote:

> We need to be really careful here. With this fix we are deciding at runtime that these intermediate certificates should be treated as `KeyStore.TrustedCertificateEntry` objects just because they validated ok, and without any interaction with the user or application.

> Also, the JDK does not rely on certificate chain validation from the OS. The JDK has its own PKIX `CertPathValidator` implementation and has its own restrictions on weak algorithms, etc., which is a key part of establishing trust in certificates used in TLS, signed JARs, etc. You are now delegating this to MacOS as a mostly invisible change which brings in a new set of security concerns which may make it less secure or at a minimum requires resources to ensure this code is properly reviewed, audited, etc.

This isn't being delegated to macOS any more than it already was; trust settings are still checked, as the OS does not validate non-trusted certificates, and this is just in `KeychainStore`, which is opt-in only.

`CertPathValidator` is still used in finding the path and I assume could still veto weak algorithms etc.
It would be good if it did check the path and not assume all certificates are Trusted Roots.

Yes, exactly the same on Windows; I implemented it in node.js here: https://github.com/nodejs/node/pull/57164 (node's certificate validation does check the path).

-------------

PR Comment: https://git.openjdk.org/jdk/pull/22911#issuecomment-2772856681
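The exchange above turns on where trust is decided: whether every certificate loaded from the keychain becomes a `TrustedCertificateEntry`, or whether only explicitly trusted roots are anchors and the JDK's own PKIX `CertPathValidator` checks the rest of the chain. The following is an added example (not code from the PR or from OpenJDK) showing how an application can enforce the latter on its side: it takes anchors only from entries the store marks as trusted-certificate entries and runs the JDK validator over a leaf-first PEM chain. The class name `AnchorsOnlyValidator`, the command-line arguments, and the choice to disable revocation checking are assumptions made for this example; it needs Java 16+ for the `instanceof` pattern.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class AnchorsOnlyValidator {

    // Collect trust anchors from a KeyStore, but only from entries the store
    // itself reports as trusted-certificate entries. Intermediates that are
    // merely present as certificates are deliberately not promoted to anchors.
    static Set<TrustAnchor> explicitAnchors(KeyStore ks) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (ks.isCertificateEntry(alias)) {
                Certificate c = ks.getCertificate(alias);
                if (c instanceof X509Certificate x) {
                    anchors.add(new TrustAnchor(x, null));
                }
            }
        }
        return anchors;
    }

    // Validate a leaf-first chain with the JDK's PKIX validator against the
    // given anchors. Path building, name constraints and the JDK's weak-algorithm
    // restrictions are applied here, independent of any OS validation.
    static PKIXCertPathValidatorResult validate(List<X509Certificate> chain,
                                                Set<TrustAnchor> anchors)
            throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // A PKIX CertPath must not contain the trust anchor itself, so strip
        // any certificate from the chain that is already an anchor.
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : chain) {
            boolean isAnchor = anchors.stream()
                    .anyMatch(a -> c.equals(a.getTrustedCert()));
            if (!isAnchor) {
                path.add(c);
            }
        }
        CertPath cp = cf.generateCertPath(path);
        PKIXParameters params = new PKIXParameters(anchors);
        // Assumption for this offline example; production code should leave
        // revocation checking enabled or configure a PKIXRevocationChecker.
        params.setRevocationEnabled(false);
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        return (PKIXCertPathValidatorResult) cpv.validate(cp, params);
    }

    // Usage: java AnchorsOnlyValidator <KeychainStore | path-to-PKCS12> <chain.pem>
    // (argument layout is an assumption of this example).
    public static void main(String[] args) throws Exception {
        KeyStore ks;
        if ("KeychainStore".equals(args[0])) {
            ks = KeyStore.getInstance("KeychainStore"); // macOS only, opt-in
            ks.load(null, null);
        } else {
            ks = KeyStore.getInstance("PKCS12");
            try (InputStream in = new FileInputStream(args[0])) {
                ks.load(in, null);
            }
        }
        Set<TrustAnchor> anchors = explicitAnchors(ks);
        System.out.println("explicit trust anchors: " + anchors.size());

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[1])) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        try {
            PKIXCertPathValidatorResult r = validate(chain, anchors);
            System.out.println("valid; anchored at "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            System.out.println("rejected: " + e.getMessage()
                    + " (reason " + e.getReason() + ")");
        }
    }
}
```

If the keystore had promoted an intermediate to a trusted-certificate entry, `explicitAnchors` would accept it as an anchor too; the safeguard in this example is therefore only as good as the store's own trust classification, which is exactly the property the review comment asks the keystore implementation to preserve.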

