KeychainStore include user and predefined roots within one truststore

Tim Jacomb timjacomb1 at gmail.com
Fri Jan 3 11:29:48 UTC 2025


Hi

Following on from:
https://bugs.openjdk.org/browse/JDK-8320362

It's now possible to get system roots on macOS devices in the
truststore: KeychainStore-ROOT.
That's quite useful.

Unfortunately it doesn't cover everything though.
In practice there are two issues I've found in trying to use it:

1. It is missing custom CA certificates (which would have been included if
the Apple API SecTrustCopyCustomAnchorCertificates were used; see discussion
at https://github.com/openjdk/jdk/pull/16722#issuecomment-1948542783).
2. It is missing intermediate certificates, which are required for custom CA
certificates (these are not included with
SecTrustCopyCustomAnchorCertificates, although the root CAs above are).

The architecture at my company that is using ZScaler MiTM proxy is:
Root CA -> Intermediate 1 -> Intermediate 2 -> Leaf

Where:

   - All certs are in admin domain kSecTrustSettingsDomainAdmin
   - Root CA is marked as always trust
   - Intermediate 1 and 2 are Unspecified

Not all certificates get re-signed by Zscaler, some URLs are bypassed.
So I need to be able to trust both custom CAs and the predefined roots.

I was thinking of creating a new truststore: KeychainStore-ALL.
I think it could just reuse all the existing code and work pretty
seamlessly (I have a separate patch for intermediate certs not working
correctly: https://github.com/openjdk/jdk/pull/22911).

It could be improved at the expense of more code to use the Apple APIs
directly (SecTrustCopyCustomAnchorCertificates) and not read the keychain
file.

What do you think?

Thanks
Tim
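As an added illustration of the workaround the message is asking to avoid (this is example code, not Tim's proposal and not JDK code), the following builds the "trust both custom CAs and the predefined roots" set in application code today: it reads the Apple system roots from the existing KeychainStore-ROOT type (JDK 22+, macOS, from JDK-8320362), reads the custom root and intermediates from a PKCS12 file the operator exported from the keychain, and merges both into one in-memory truststore for an SSLContext. The file path, password, class name and alias prefixes are assumptions for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Example only: merges the macOS system roots with an operator-supplied
// PKCS12 file holding the custom root and its intermediates.
public final class MergedTrustStore {

    // Copy every trusted-certificate entry from src into dst. Aliases are
    // prefixed so entries from the two sources cannot overwrite each other.
    static int copyTrustedCerts(KeyStore src, KeyStore dst, String prefix) throws Exception {
        int copied = 0;
        Enumeration<String> aliases = src.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!src.isCertificateEntry(alias)) {
                continue; // skip private-key entries; only trust anchors are wanted
            }
            Certificate cert = src.getCertificate(alias);
            dst.setCertificateEntry(prefix + alias, cert);
            copied++;
        }
        return copied;
    }

    // customCaPath: assumed path to a PKCS12 file exported from the admin keychain
    // containing Root CA, Intermediate 1 and Intermediate 2 as trusted entries.
    public static KeyStore build(String customCaPath, char[] customCaPassword) throws Exception {
        KeyStore merged = KeyStore.getInstance("PKCS12");
        merged.load(null, null); // empty in-memory store

        // 1. Predefined Apple system roots via the JDK's KeychainStore-ROOT type.
        KeyStore systemRoots = KeyStore.getInstance("KeychainStore-ROOT");
        systemRoots.load(null, null);
        int roots = copyTrustedCerts(systemRoots, merged, "system-");

        // 2. Custom CA chain. Intermediates are added as trusted entries too, so
        //    PKIX validation succeeds even when the proxy omits them from the
        //    served chain (the gap the message describes).
        KeyStore custom = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(customCaPath)) {
            custom.load(in, customCaPassword);
        }
        int extra = copyTrustedCerts(custom, merged, "custom-");

        System.out.printf("merged %d system roots and %d custom certs%n", roots, extra);
        return merged;
    }

    // Build an SSLContext whose trust decisions use the merged store only.
    public static SSLContext sslContext(KeyStore trust) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // usage: java MergedTrustStore /path/to/custom-ca.p12 <password>
        KeyStore trust = build(args[0], args[1].toCharArray());
        SSLContext ctx = sslContext(trust);
        SSLContext.setDefault(ctx); // subsequent HttpsURLConnection calls use the merged set
    }
}
```

Two things to check when using something like this: the exported PKCS12 must be kept in sync with the admin keychain by hand (which is exactly the maintenance burden a KeychainStore-ALL type would remove), and placing intermediates in the truststore makes them trust anchors in their own right, so a certificate signed directly by Intermediate 2 validates even if Root CA is later removed from the keychain.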