RFR: 8347067: Load certificates without explicit trust settings in KeyChainStore

Tim Jacomb duke at openjdk.org
Fri Jan 24 21:17:27 UTC 2025


## The change

Without this change, intermediate certificates that don't have explicit trust settings are ignored and not added to the truststore.



## Reproducer

See https://github.com/timja/openjdk-intermediate-ca-reproducer

Without this change the reproducer fails, and with this change it succeeds.

## Example failing architecture

Root CA -> Intermediate 1 -> Intermediate 2 -> Leaf

Where:
* All certs are in admin domain kSecTrustSettingsDomainAdmin
* Root CA is marked as always trust
* Intermediate 1 and 2 are Unspecified

Previously Root CA would be found but intermediate 1 and 2 would be skipped when verifying trust settings.

## Background reading

### Rust
See also the Rust lib that is used throughout the Rust ecosystem for this:
https://github.com/rustls/rustls-native-certs/blob/efe7b1d77bf6080851486535664d1dc7ef0dea68/src/macos.rs#L39-L58

e.g. in Deno `https://github.com/denoland/deno/pull/11491` where I've verified it is correctly implemented and works in my setup

### Python

I also looked at the Python implementation for inspiration as well (which also works on my system): https://github.com/sethmlarson/truststore/blob/main/src/truststore/_macos.py

-------------

Commit messages:
 - Executable files are not allowed...
 - Flag test as manual
 - Minor cleanups
 - Add new line
 - Add jtreg test
 - Release subjCerts
 - Revert unneeded changes
 - Merge branch 'master' into load-anchor-and-user-certificates-keychainstore
 - Verify certificate without trustsettings before adding
 - Tweeks to make the basic case work
 - ... and 1 more: https://git.openjdk.org/jdk/compare/f1d85ab3...2d955702

Changes: https://git.openjdk.org/jdk/pull/22911/files
  Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=22911&range=00
  Issue: https://bugs.openjdk.org/browse/JDK-8347067
  Stats: 299 lines in 8 files changed: 287 ins; 6 del; 6 mod
  Patch: https://git.openjdk.org/jdk/pull/22911.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/22911/head:pull/22911

PR: https://git.openjdk.org/jdk/pull/22911
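
An added example, not code from the pull request or the JDK: a simplified Python model of the "Example failing architecture" above, comparing a loader that skips certificates without explicit trust settings with one that verifies them before adding. The certificate names, the `Orphan CA` control entry, the reading of "verify" as "chains to an always-trust certificate", and the peer presenting only the leaf are assumptions; no real signature checking is done.

```python
# Simplified model of the keychain loading decision (constructed data, no real crypto).
ALWAYS_TRUST, UNSPECIFIED = "always-trust", "unspecified"

# (subject, issuer, trust setting) for the chain described above; names are constructed.
KEYCHAIN = [
    ("Root CA", "Root CA", ALWAYS_TRUST),
    ("Intermediate 1", "Root CA", UNSPECIFIED),
    ("Intermediate 2", "Intermediate 1", UNSPECIFIED),
    ("Orphan CA", "Unknown Root", UNSPECIFIED),  # control: chains to nothing trusted
]
LEAF = ("Leaf", "Intermediate 2")


def chains_to_trusted(subject, keychain):
    """Walk issuer links until an always-trust cert is reached (assumed meaning of 'verify')."""
    by_subject = {s: (i, t) for s, i, t in keychain}
    seen = set()
    while subject in by_subject and subject not in seen:
        seen.add(subject)
        issuer, trust = by_subject[subject]
        if trust == ALWAYS_TRUST:
            return True
        subject = issuer
    return False


def load_truststore(keychain, verify_unspecified):
    """Return the subjects that end up in the truststore."""
    store = set()
    for subject, _issuer, trust in keychain:
        if trust == ALWAYS_TRUST:
            store.add(subject)
        elif verify_unspecified and chains_to_trusted(subject, keychain):
            store.add(subject)
    return store


def leaf_validates(leaf, store, keychain):
    """Assumes the peer presents only the leaf, so each issuer must already be in the store."""
    issuers = {s: i for s, i, _t in keychain}
    issuer, seen = leaf[1], set()
    while issuer in store and issuer not in seen:
        if issuers[issuer] == issuer:  # reached a self-signed cert in the store
            return True
        seen.add(issuer)
        issuer = issuers[issuer]
    return False
```

With `verify_unspecified=False` only `Root CA` is loaded and the leaf has no path; with `True` both intermediates are loaded while `Orphan CA` is still excluded.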

