RFR: 8347067: Load certificates without explicit trust settings in KeyChainStore [v3]
Alexey Bakhtin
abakhtin at openjdk.org
Mon Jan 27 20:25:53 UTC 2025
On Sun, 26 Jan 2025 23:04:29 GMT, Tim Jacomb <duke at openjdk.org> wrote:
>> ## The change
>>
>> Without this change intermediate certificates that don't have explicit trust settings are ignored and not added to the truststore.
>>
>>
>>
>> ## Reproducer
>>
>> See https://github.com/timja/openjdk-intermediate-ca-reproducer
>>
>> Without this change the reproducer fails, and with this change it succeeds.
>>
>> ## Example failing architecture
>>
>> Root CA -> Intermediate 1 -> Intermediate 2 -> Leaf
>>
>> Where:
>> * All certs are in admin domain kSecTrustSettingsDomainAdmin
>> * Root CA is marked as always trust
>> * Intermediate 1 and 2 are Unspecified
>>
>> Previously Root CA would be found but intermediate 1 and 2 would be skipped when verifying trust settings.
>>
>> ## Background reading
>>
>> ### Rust
>> see also Rust Lib that is used throughout Rust ecosystem for this:
>> https://github.com/rustls/rustls-native-certs/blob/efe7b1d77bf6080851486535664d1dc7ef0dea68/src/macos.rs#L39-L58
>>
>> e.g. in Deno `https://github.com/denoland/deno/pull/11491` where I've verified it is correctly implemented and works in my setup
>>
>> ### Python
>>
>> I also looked at the Python implementation for inspiration as well (which also works on my system): https://github.com/sethmlarson/truststore/blob/main/src/truststore/_macos.py
>
> Tim Jacomb has updated the pull request incrementally with one additional commit since the last revision:
>
> Revert unneeded change
test/jdk/java/security/KeyStore/CheckMacOSKeyChainIntermediateCATrust.java line 81:
> 79:
> 80: String nonTrustedCASubjectName = "CN=Non Trusted Example CA,O=Example,C=US";
> 81: assertThat(not(containsSubjectName(certificates, nonTrustedCASubjectName)), "Non trusted CA found " + nonTrustedCASubjectName, certificates);
Could you please add one more test, if you don't mind?
NonTrustedIntermediateCA is issued by nonTrustedCA:
openssl genrsa -out non-trusted-intermediate.key 2048
openssl req -new -sha256 -nodes -key non-trusted-intermediate.key \
-subj "/C=US/O=Example/CN=Non Trusted Example Intermediate CA" -out non-trusted-intermediate-ca.csr
openssl x509 -req \
-extensions v3_ca \
-extfile openssl.cnf \
-in non-trusted-intermediate-ca.csr \
-CA non-trusted-test-ca.pem \
-CAkey non-trusted-root.key \
-CAcreateserial \
-out non-trusted-intermediate-ca.pem \
-days 3650 \
-sha256
In this case, we'll cover all basic scenarios.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/22911#discussion_r1931130953
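The chain in the PR description, Root CA -> Intermediate 1 -> Intermediate 2 -> Leaf, can be rebuilt with openssl and checked the way a TLS client would, which shows why an intermediate that is missing from the trust store matters. The script below is an added example, not code from the PR, its test, or this thread; all subject names, file names and the `leaf.example.test` hostname are constructed for it, and it writes its own minimal req config and extension files so it does not depend on the system openssl.cnf (the PR's test uses the `v3_ca` section of openssl.cnf instead).

```shell
#!/bin/sh
# Added example (not part of the PR or this thread). Builds
# Root CA -> Intermediate 1 -> Intermediate 2 -> Leaf with openssl, then
# verifies the leaf twice: with only the root available (the situation the
# PR fixes, where intermediates without explicit trust settings were dropped
# from the truststore) and with the intermediates supplied as well.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the script does not need the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf
# Extensions for CA certificates (constructed; equivalent to a v3_ca section).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
# Extensions for the end-entity certificate (constructed).
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nsubjectAltName=DNS:leaf.example.test\n' > leaf.ext

# issue NAME SUBJECT ISSUER EXTFILE: creates NAME.key, NAME.csr and NAME.pem,
# signed by ISSUER.key/ISSUER.pem, or self-signed when ISSUER is "self".
issue() {
    name=$1; subj=$2; issuer=$3; ext=$4
    openssl genrsa -out "$name.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$name.key" -config req.cnf \
        -subj "$subj" -out "$name.csr" 2>/dev/null
    if [ "$issuer" = "self" ]; then
        openssl x509 -req -sha256 -days 3650 -in "$name.csr" \
            -signkey "$name.key" -extfile "$ext" -out "$name.pem" 2>/dev/null
    else
        openssl x509 -req -sha256 -days 3650 -in "$name.csr" \
            -CA "$issuer.pem" -CAkey "$issuer.key" -CAcreateserial \
            -extfile "$ext" -out "$name.pem" 2>/dev/null
    fi
}

issue root "/C=US/O=Example/CN=Example Root CA"             self ca.ext
issue int1 "/C=US/O=Example/CN=Example Intermediate CA 1"   root ca.ext
issue int2 "/C=US/O=Example/CN=Example Intermediate CA 2"   int1 ca.ext
issue leaf "/C=US/O=Example/CN=leaf.example.test"           int2 leaf.ext
cat int1.pem int2.pem > intermediates.pem

# Trust anchor is the root only and no intermediates are available:
# the chain cannot be built, so this returns non-zero.
verify_root_only() {
    openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
}

# Same trust anchor, but the intermediates are supplied as untrusted
# chain-building material: this returns 0.
verify_with_intermediates() {
    openssl verify -CAfile root.pem -untrusted intermediates.pem leaf.pem >/dev/null 2>&1
}

if verify_root_only; then
    echo "root only: verified (unexpected)"
else
    echo "root only: failed, issuer of the leaf not found (expected)"
fi
if verify_with_intermediates; then
    echo "with intermediates: verified"
else
    echo "with intermediates: failed (unexpected)"
fi
```

The intermediates are passed with `-untrusted` rather than added to `-CAfile` on purpose: they are not trust anchors, they are only needed to build the path from the leaf to the root, which is the role the PR wants the KeyChainStore to preserve for certificates whose trust setting is Unspecified. A KeyChainStore that drops them leaves the client in the `verify_root_only` situation whenever the server does not send the full chain.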