KeychainStore include user and predefined roots within one truststore

Sean Mullan sean.mullan at oracle.com
Fri Jan 17 21:58:16 UTC 2025


Alexey,

Given your experience with implementing 
https://bugs.openjdk.org/browse/JDK-8320362, is this something you would 
be interested in working on?

Tim, any progress on the OCA?

Thanks,

Sean

On 1/13/25 2:47 PM, Alexey Bakhtin wrote:
> Hello Sean, Tim
>
> I've attached logs to JDK-8347067, created based on Tim's report.
> As you mentioned already, the issue happens because the TLS server 
> sends a truncated chain without the CA intermediate certificates.
> In my understanding, it should not be a problem if the Root and CA 
> intermediate are stored in the KeychainStore.
> According to the Apple spec, a CA intermediate can be stored without 
> trust settings but is considered trusted if it validates to the root cert.
>
> Regards
> Alexey
>
>> On 13 Jan 2025, at 01:21, Tim Jacomb <timjacomb1 at gmail.com> wrote:
>>
>> Hi Sean
>>
>> I don't have access to add to the bug report, but I've attached to 
>> the GitHub pull request here:
>> https://github.com/openjdk/jdk/pull/22911#issuecomment-2586577905
>>
>> (this can also be reproduced with this repository: 
>> https://github.com/timja/openjdk-intermediate-ca-reproducer)
>>
>> Thanks
>> Tim
>>
>> On Thu, 9 Jan 2025 at 20:56, Sean Mullan <sean.mullan at oracle.com> wrote:
>>
>>
>>     On 1/8/25 4:06 AM, Tim Jacomb wrote:
>>     > The TLS handshake fails with a PKIX path building error.
>>     >
>>     > The chain is Root -> Intermediate -> Leaf in the runnable example,
>>     > although in our real-world use case it's
>>     > Root -> Intermediate 1 -> Intermediate 2 -> Leaf.
>>     > If I run the example only with Root -> Leaf then it works fine...
>>
>>     It would be helpful if you can attach two logfiles (assuming the
>>     info isn't sensitive) to the bug report[1], one running with
>>     -Djavax.net.debug=all and the other with
>>     -Djava.security.debug=certpath.
>>
>>     Thanks,
>>     Sean
>>
>>     [1] https://bugs.openjdk.org/browse/JDK-8347067
>>
>
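The scenario the thread describes, as an added example that is not part of the original thread or of the JDK: a TLS client that receives only the leaf certificate has to locate the missing intermediate itself, and the JDK's PKIX builder can only do that if the intermediate is available as path-building material (here: taken from the same keystore that supplies the trust anchor). This is the mechanism Alexey refers to, reproduced outside of a TLS handshake so it can be run against a single leaf file. It assumes macOS (keystore type "KeychainStore"), a leaf certificate on disk whose issuer chain ends at a root present in the keychain, and revocation checking disabled to keep it offline; the file name `leaf.pem` and the class name are illustrative.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/**
 * Added example: build a PKIX path from a lone leaf certificate, the way a
 * TLS client must when the server omits its intermediates. Not JDK code.
 */
public class TruncatedChainCheck {

    /** Load a single PEM or DER encoded X.509 certificate from disk. */
    static X509Certificate readCert(String path) throws Exception {
        try (FileInputStream in = new FileInputStream(path)) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** Open the keychain-backed trust store (assumption: running on macOS). */
    static KeyStore openKeychain() throws Exception {
        KeyStore ks = KeyStore.getInstance("KeychainStore");
        ks.load(null, null); // KeychainStore ignores the stream and password
        return ks;
    }

    /** Every certificate the store exposes, trusted entry or not. */
    static List<Certificate> allCerts(KeyStore ks) throws Exception {
        List<Certificate> certs = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            Certificate c = ks.getCertificate(e.nextElement());
            if (c != null) {
                certs.add(c);
            }
        }
        return certs;
    }

    /**
     * Trust anchors come from the keystore's trusted entries (that is what the
     * KeyStore constructor of PKIXBuilderParameters uses); candidate
     * intermediates come from a CertStore holding the keystore's certificates
     * plus the leaf. If the intermediate is missing from that pool, the
     * builder fails exactly like the handshake in the bug report.
     */
    static PKIXCertPathBuilderResult buildPath(KeyStore trust, X509Certificate leaf)
            throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        PKIXBuilderParameters params = new PKIXBuilderParameters(trust, target);

        List<Certificate> pool = allCerts(trust);
        pool.add(leaf);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(pool)));
        params.setRevocationEnabled(false); // keep the example offline

        return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
    }

    public static void main(String[] args) throws Exception {
        X509Certificate leaf = readCert(args.length > 0 ? args[0] : "leaf.pem");
        KeyStore trust = openKeychain();
        try {
            PKIXCertPathBuilderResult r = buildPath(trust, leaf);
            System.out.println("Path built; anchor: "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
            for (Certificate c : r.getCertPath().getCertificates()) {
                System.out.println("  " + ((X509Certificate) c).getSubjectX500Principal());
            }
        } catch (CertPathBuilderException e) {
            // Same failure class the TLS handshake surfaces as "PKIX path building failed".
            System.out.println("PKIX path building failed: " + e.getMessage());
        }
    }
}
```

Running it with -Djava.security.debug=certpath, the flag Sean asks for above, prints each issuer the builder looks for and where it searched, which is the quickest way to tell whether the intermediate was simply not visible through the KeychainStore or was seen but rejected.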