RFR: 8347067: Load certificates without explicit trust settings in KeyChainStore

Tim Jacomb duke at openjdk.org
Fri Jan 24 21:17:28 UTC 2025


On Fri, 3 Jan 2025 11:38:29 GMT, Tim Jacomb <duke at openjdk.org> wrote:

>> ## The change
>> 
>> Without this change, intermediate certificates that don't have explicit trust settings are ignored and not added to the truststore.
>> 
>> 
>> 
>> ## Reproducer
>> 
>> See https://github.com/timja/openjdk-intermediate-ca-reproducer
>> 
>> Without this change the reproducer fails, and with this change it succeeds.
>> 
>> ## Example failing architecture
>> 
>> Root CA -> Intermediate 1 -> Intermediate 2 -> Leaf
>> 
>> Where:
>> * All certs are in admin domain kSecTrustSettingsDomainAdmin
>> * Root CA is marked as always trust
>> * Intermediate 1 and 2 are Unspecified
>> 
>> Previously Root CA would be found but intermediate 1 and 2 would be skipped when verifying trust settings.
>> 
>> ## Background reading
>> 
>> ### Rust
>> See also the Rust lib that is used throughout the Rust ecosystem for this:
>> https://github.com/rustls/rustls-native-certs/blob/efe7b1d77bf6080851486535664d1dc7ef0dea68/src/macos.rs#L39-L58
>> 
>> E.g. in Deno (`https://github.com/denoland/deno/pull/11491`), where I've verified it is correctly implemented and works in my setup.
>> 
>> ### Python
>> 
>> I also looked at the Python implementation for inspiration (which also works on my system): https://github.com/sethmlarson/truststore/blob/main/src/truststore/_macos.py
>
> src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m line 496:
> 
>> 494: 
>> 495:             // Only add certificates with trust settings
>> 496:             if (inputTrust == NULL) {
> 
> From what I can tell, non-root certificates that do not have explicit trust settings do not show up in `SecTrustSettingsCopyTrustSettings`; the docs appear to be https://developer.apple.com/documentation/security/sectrustsettingscopytrustsettings(_:_:_:) but are not very clear.
> 
> ----
> 
> I need to test that the certificate is still chained to a root and not trusted as a root.

Ok this isn't working properly 😢 

1. ⛔ Fails: marking the certificate as OS default (which for CA certs is trust: false), with an intermediate
2. ⛔ Fails: marking the certificate as OS default, without an intermediate
3. ⛔ Fails: removing the root but leaving the intermediate

Case 2 succeeds on Java 23
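As an added example (not the PR's or the JDK's code), the check the review comment asks for, that an intermediate taken from the keychain is usable for chaining but never accepted as a root, can be expressed with standard JCA path building: only self-signed entries of the KeyStore become trust anchors, everything else goes to the builder as chain material. The class and method names are assumptions; the KeyStore is passed in so the example does not depend on a particular keychain store type.

```java
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

/** Added example, not JDK code: builds a path from a leaf to a self-signed anchor only. */
public final class AnchorAwarePathBuilder {

    /** True if subject equals issuer and the certificate verifies under its own key. */
    static boolean isSelfSigned(X509Certificate c) {
        if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) {
            return false;
        }
        try {
            c.verify(c.getPublicKey());
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    /**
     * Builds leaf -> ... -> anchor. Non-self-signed store entries (e.g. an intermediate
     * with "Unspecified" trust) are offered to the builder but are not anchors, so a leaf
     * whose root is absent from the store fails here instead of being trusted via the
     * intermediate alone.
     */
    public static PKIXCertPathBuilderResult build(KeyStore store, X509Certificate leaf,
            Collection<X509Certificate> peerIntermediates) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        List<X509Certificate> pool = new ArrayList<>(peerIntermediates);
        pool.add(leaf);
        for (String alias : Collections.list(store.aliases())) {
            Certificate c = store.getCertificate(alias);
            if (c instanceof X509Certificate x) {
                if (isSelfSigned(x)) {
                    anchors.add(new TrustAnchor(x, null));
                } else {
                    pool.add(x); // chain-building material only, never an anchor
                }
            }
        }
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(pool)));
        params.setRevocationEnabled(false); // keep the example offline
        return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
    }
}
```

Calling `build` with the store from case 3 above (root removed, intermediate present) throws `CertPathBuilderException`, whereas a TrustManager created directly from the same KeyStore would treat the intermediate as an anchor.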

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/22911#discussion_r1901904523
