RFR: 8347067: Load certificates without explicit trust settings in KeyChainStore

Tim Jacomb duke at openjdk.org
Fri Jan 24 21:17:28 UTC 2025


On Fri, 3 Jan 2025 15:36:33 GMT, Tim Jacomb <duke at openjdk.org> wrote:

>> src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m line 496:
>> 
>>> 494: 
>>> 495:             // Only add certificates with trust settings
>>> 496:             if (inputTrust == NULL) {
>> 
>> From what I can tell, non-root certificates that do not have explicit trust settings do not show up in `SecTrustSettingsCopyTrustSettings`. The docs appear to be https://developer.apple.com/documentation/security/sectrustsettingscopytrustsettings(_:_:_:) but they are not very clear.
>> 
>> ----
>> 
>> I need to test that the certificate is still chained to a root and not trusted as a root.
>
> Ok this isn't working properly 😢 
> 
> 1. ⛔ Fails: Marking the certificate as OS default (which for CA certs is trust: false) - with an intermediate
> 2. ⛔ Fails: Marking the certificate as OS default without an intermediate
> 3. ⛔ Fails: Removing the root but leaving the intermediate
> 
> Case 2 succeeds on Java 23

Interesting: for a root certificate, `SecTrustSettingsCopyTrustSettings` returns:

* -25300 (not found) when trust policy is `Use System Defaults`
* 0 and a `kSecTrustSettingsResult` value of 3 when set to Never Trust
* 0 and a `kSecTrustSettingsResult` value of 1 when set to Always Trust

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/22911#discussion_r1901958401

