RFR: 8347067: Load certificates without explicit trust settings in KeyChainStore

Tim Jacomb duke at openjdk.org
Fri Jan 24 21:17:27 UTC 2025


On Fri, 3 Jan 2025 11:28:01 GMT, Tim Jacomb <duke at openjdk.org> wrote:

> ## The change
> 
> Without this change, intermediate certificates that don't have explicit trust settings are ignored and not added to the truststore.
> 
> 
> 
> ## Reproducer
> 
> See https://github.com/timja/openjdk-intermediate-ca-reproducer
> 
> Without this change the reproducer fails, and with this change it succeeds.
> 
> ## Example failing architecture
> 
> Root CA -> Intermediate 1 -> Intermediate 2 -> Leaf
> 
> Where:
> * All certs are in admin domain kSecTrustSettingsDomainAdmin
> * Root CA is marked as always trust
> * Intermediate 1 and 2 are Unspecified
> 
> Previously Root CA would be found but intermediate 1 and 2 would be skipped when verifying trust settings.
> 
> ## Background reading
> 
> ### Rust
> see also Rust Lib that is used throughout Rust ecosystem for this: 
> https://github.com/rustls/rustls-native-certs/blob/efe7b1d77bf6080851486535664d1dc7ef0dea68/src/macos.rs#L39-L58
> 
> e.g. in Deno `https://github.com/denoland/deno/pull/11491` where I've verified it is correctly implemented and works in my setup
> 
> ### Python
> 
> I also looked at the Python implementation for inspiration as well (which also works on my system): https://github.com/sethmlarson/truststore/blob/main/src/truststore/_macos.py

Attaching logs as requested on the mailing list:

[debug-all.txt](https://github.com/user-attachments/files/18394763/debug-all.txt)

[cert-path.txt](https://github.com/user-attachments/files/18394767/cert-path.txt)

(OCA has been signed by my employer, so should be able to move forward soon)

src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m line 414:

> 412:                               jobject *inputTrust) {
> 413:     CFArrayRef trustSettings;
> 414:     if (*inputTrust == NULL) {

Moved so that the empty `ArrayList` is always created.

src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m line 496:

> 494: 
> 495:             // Only add certificates with trust settings
> 496:             if (inputTrust == NULL) {

From what I can tell, non-root certificates that do not have explicit trust settings do not show up in `SecTrustSettingsCopyTrustSettings`; the docs appear to be https://developer.apple.com/documentation/security/sectrustsettingscopytrustsettings(_:_:_:) but are not very clear.

----

I need to test that the certificate is still chained to a root and not trusted as a root.

test/jdk/java/security/KeyStore/CheckMacOSKeyChainIntermediateCATrust.java line 43:

> 41: 
> 42: /*
> 43:  * @test

@alexeybakhtin quick question on how this should be marked as manual.

I see all tests in https://github.com/openjdk/jdk/blob/master/test/jdk/TEST.groups#L256-L259 are manual ones.
Is this test automatically included in that?

Or should it be added here?
https://github.com/openjdk/jdk/blob/master/test/jdk/TEST.groups#L657

-------------

PR Comment: https://git.openjdk.org/jdk/pull/22911#issuecomment-2586577905
PR Comment: https://git.openjdk.org/jdk/pull/22911#issuecomment-2591999366
PR Review Comment: https://git.openjdk.org/jdk/pull/22911#discussion_r1901702739
PR Review Comment: https://git.openjdk.org/jdk/pull/22911#discussion_r1901704441
PR Review Comment: https://git.openjdk.org/jdk/pull/22911#discussion_r1905788654
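The selection logic under discussion (keep certificates with no explicit trust settings as chain material, but never let one of them act as a root), as an added, constructed Python model written for this page. It is not JDK code, not the reproducer and not the Objective-C in KeystoreImpl.m: certificates are plain (subject, issuer) records chained by name only with no signature checking, and the `trust_settings` field stands in for what `SecTrustSettingsCopyTrustSettings` would return for each certificate. The `SecTrustSettingsResult` values are Apple's; the "empty array means always trust" and "missing result key defaults to TrustRoot" rules follow Apple's documentation of that API.

```python
"""Trust-settings selection modelled on the Root CA -> Intermediate 1 ->
Intermediate 2 -> Leaf scenario from JDK-8347067.

Constructed example, not JDK code. Chaining is by subject/issuer name
only; a real implementation must also verify signatures and validity.
"""
from dataclasses import dataclass
from typing import Optional

# Values of SecTrustSettingsResult from <Security/SecTrustSettings.h>.
TRUST_ROOT = 1      # kSecTrustSettingsResultTrustRoot
TRUST_AS_ROOT = 2   # kSecTrustSettingsResultTrustAsRoot
DENY = 3            # kSecTrustSettingsResultDeny
UNSPECIFIED = 4     # kSecTrustSettingsResultUnspecified


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    # None: no entry in the trust DB (SecTrustSettingsCopyTrustSettings
    # reports errSecItemNotFound). A tuple: the usage-constraint dicts it
    # returned; an empty tuple is Apple's "always trust" case.
    trust_settings: Optional[tuple] = None


def effective_trust(cert: Cert) -> Optional[int]:
    """Collapse a cert's trust-settings array to one result, None if absent."""
    if cert.trust_settings is None:
        return None
    if not cert.trust_settings:
        return TRUST_ROOT  # empty array: always trust, per Apple's docs
    # A constraint dict without kSecTrustSettingsResult defaults to TrustRoot.
    results = {d.get("kSecTrustSettingsResult", TRUST_ROOT)
               for d in cert.trust_settings}
    if DENY in results:
        return DENY
    if results & {TRUST_ROOT, TRUST_AS_ROOT}:
        return TRUST_ROOT
    return UNSPECIFIED


def load_keychain(certs, *, keep_unspecified: bool):
    """Return (anchor subjects, loaded certs by subject).

    keep_unspecified=False models the pre-change behaviour, where a cert
    without explicit trust settings was skipped entirely.
    """
    anchors, store = set(), {}
    for cert in certs:
        trust = effective_trust(cert)
        if trust == DENY:
            continue                       # explicitly distrusted: never load
        if trust == TRUST_ROOT:
            anchors.add(cert.subject)      # explicit trust: usable as a root
        elif not keep_unspecified:
            continue                       # old code: no trust entry, dropped
        store[cert.subject] = cert         # new code: loaded, but not an anchor
    return anchors, store


def build_path(leaf: Cert, store, anchors, max_len: int = 10):
    """Walk issuer links from leaf; succeed only if the walk ends at an anchor."""
    path, cur = [leaf.subject], leaf
    while len(path) <= max_len:
        if cur.subject in anchors:
            return path
        if cur.subject == cur.issuer:
            return None                    # self-signed but not trusted: no root
        issuer = store.get(cur.issuer)
        if issuer is None:
            return None                    # issuer not loaded: chain is broken
        path.append(issuer.subject)
        cur = issuer
    return None                            # too long or cyclic


def validate(certs, leaf: Cert, *, keep_unspecified: bool):
    anchors, store = load_keychain(certs, keep_unspecified=keep_unspecified)
    return build_path(leaf, store, anchors)


# Constructed stand-in for the admin-domain keychain in the PR description:
# root marked "always trust", intermediates with no trust-settings entry.
ADMIN_DOMAIN = (
    Cert("Root CA", "Root CA",
         trust_settings=({"kSecTrustSettingsResult": TRUST_ROOT},)),
    Cert("Intermediate 1", "Root CA"),
    Cert("Intermediate 2", "Intermediate 1"),
)
LEAF = Cert("Leaf", "Intermediate 2")

if __name__ == "__main__":
    print("before:", validate(ADMIN_DOMAIN, LEAF, keep_unspecified=False))
    print("after: ", validate(ADMIN_DOMAIN, LEAF, keep_unspecified=True))
```

`validate(..., keep_unspecified=False)` returns `None` for the leaf because the intermediates were never loaded; with `keep_unspecified=True` it returns the full four-element path. The check the reviewer asks for in the thread is the third case: loading only the intermediates, or a self-signed certificate whose settings are `Unspecified`, still yields no path, so nothing without explicit trust is ever treated as a root.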


More information about the security-dev mailing list