KeychainStore include user and predefined roots within one truststore
Alexey Bakhtin
alexey at azul.com
Fri Jan 17 22:20:09 UTC 2025
Hello Sean,
The enhancement looks reasonable.
As far as I know, Tim submitted the PR for this enhancement. I will be happy to review and help with it.
Regards
Alexey
> On 17 Jan 2025, at 13:58, Sean Mullan <sean.mullan at oracle.com> wrote:
>
> Alexey,
>
> Given your experience with implementing https://bugs.openjdk.org/browse/JDK-8320362, is this something you would be interested in working on?
>
> Tim, any progress on the OCA?
>
> Thanks,
>
> Sean
>
> On 1/13/25 2:47 PM, Alexey Bakhtin wrote:
>> Hello Sean, Tim
>>
>> I've attached logs to JDK-8347067, created based on Tim's report.
>> As you mentioned already, the issue happens because the TLS server sends a truncated chain without the CA intermediate certificates.
>> In my understanding, it should not be a problem if the Root and CA intermediate are stored in the KeychainStore.
>> According to the Apple spec, a CA intermediate can be stored without trust settings but is considered trusted if it validates to the root cert.
>>
>> Regards
>> Alexey
>>
>>> On 13 Jan 2025, at 01:21, Tim Jacomb <timjacomb1 at gmail.com> wrote:
>>>
>>> Hi Sean
>>>
>>> I don't have access to add to the bug report, but I've attached to the GitHub pull request here:
>>> https://github.com/openjdk/jdk/pull/22911#issuecomment-2586577905
>>>
>>> (this can also be reproduced with this repository: https://github.com/timja/openjdk-intermediate-ca-reproducer)
>>>
>>> Thanks
>>> Tim
>>>
>>> On Thu, 9 Jan 2025 at 20:56, Sean Mullan <sean.mullan at oracle.com> wrote:
>>>>
>>>> On 1/8/25 4:06 AM, Tim Jacomb wrote:
>>>> > TLS handshake fails with PKIX path building error.
>>>> >
>>>> > Chain is Root -> Intermediate -> Leaf in the runnable example, although
>>>> > in our real-world use-case it's Root -> Intermediate 1 -> Intermediate 2
>>>> > -> Leaf.
>>>> > If I run the example only with Root -> Leaf then it works fine...
>>>>
>>>> It would be helpful if you can attach two logfiles (assuming the info
>>>> isn't sensitive) to the bug report[1], one running with
>>>> -Djavax.net.debug=all and the other with -Djava.security.debug=certpath.
>>>>
>>>> Thanks,
>>>> Sean
>>>>
>>>> [1] https://bugs.openjdk.org/browse/JDK-8347067
>>>>
>>