<div dir="ltr">Hi Alexey<div><br></div><div>> It looks like the use case you described can be easily achieved by wrapping all certificates from the KeychainStore-ROOT and KeychainStore stores into one custom Trust Store. As far as I know, all certificates should be in one or another Keychain store.</div><div><br></div><div>Yes, that would work, although I would like to avoid that. We have developers using many different Java versions from different vendors, and it would be great if you could just get them to set "JAVA_TOOL_OPTIONS=-Djavax.net.ssl.trustStoreType=KeychainStore-Something".</div><div><br></div><div>Then validation could just work out of the box without having to do anything. </div><div><br></div><div>> Also, please look at my comments for the patch for intermediate certs</div><div>Thanks, that makes sense. I'll take a look and try to implement it on Monday.</div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Sat, 4 Jan 2025 at 00:36, Alexey Bakhtin <<a href="mailto:alexey@azul.com">alexey@azul.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div>Hello Tim,</div><div><br></div><div>It looks like the use case you described can be easily achieved by wrapping all certificates from the KeychainStore-ROOT and KeychainStore stores into one custom Trust Store. 
As far as I know, all certificates should be in one or another Keychain store.</div><div><br></div><div>Also, please look at my comments for the patch for intermediate certs: <a href="https://github.com/openjdk/jdk/pull/22911#issuecomment-2569957562" target="_blank">https://github.com/openjdk/jdk/pull/22911#issuecomment-2569957562</a></div><div><br></div><div>Thank you</div><div>Alexey</div><div><br></div><div><br><blockquote type="cite"><div>On 3 Jan 2025, at 03:29, Tim Jacomb <<a href="mailto:timjacomb1@gmail.com" target="_blank">timjacomb1@gmail.com</a>> wrote:</div><br><div>
<div>
<div>
<div>
<div dir="ltr">Hi
<div><br>
</div>
<div>Following on from:</div>
<div><a href="https://bugs.openjdk.org/browse/JDK-8320362" target="_blank">https://bugs.openjdk.org/browse/JDK-8320362</a></div>
<div><br>
</div>
<div>It's now possible to get system roots on macOS devices in the truststore: KeychainStore-ROOT.</div>
<div>That's quite useful.</div>
<div><br>
</div>
<div>Unfortunately it doesn't cover everything though.</div>
<div>In practice there are two issues I've found in trying to use it:</div>
<div><br>
</div>
<div>1. It is missing custom CA certificates (which would have been included if the Apple API SecTrustCopyCustomAnchorCertificates were used; see discussion at
<a href="https://github.com/openjdk/jdk/pull/16722#issuecomment-1948542783" target="_blank">https://github.com/openjdk/jdk/pull/16722#issuecomment-1948542783</a>).</div>
<div>2. It is missing intermediate certificates, which are required for custom CA certificates (these are not included with SecTrustCopyCustomAnchorCertificates, although the root CAs above are).</div>
<div><br>
</div>
<div>The architecture at my company, which is using a Zscaler MITM proxy, is:</div>
<div>Root CA -> Intermediate 1 -> Intermediate 2 -> Leaf</div>
<div><br>
</div>
<div>Where:</div>
<div>
<ul>
<li>All certs are in admin domain kSecTrustSettingsDomainAdmin</li><li>Root CA is marked as always trust</li><li>Intermediate 1 and 2 are Unspecified</li></ul>
<div>Not all certificates get re-signed by Zscaler, some URLs are bypassed.</div>
<div>So I need to be able to trust both custom CAs and the predefined roots.</div>
<div><br>
</div>
<div>I was thinking of creating a new truststore: KeychainStore-ALL.</div>
<div>I think it could just reuse all the existing code and work pretty seamlessly (I have a separate patch for intermediate certs not working correctly:
<a href="https://github.com/openjdk/jdk/pull/22911" target="_blank">https://github.com/openjdk/jdk/pull/22911</a>).</div>
<div><br>
</div>
<div>It could be improved at the expense of more code to use the Apple APIs directly (SecTrustCopyCustomAnchorCertificates) and not read the keychain file.</div>
<div><br>
</div>
<div>What do you think?</div>
<div><br>
</div>
<div>Thanks</div>
<div>Tim</div>
<div><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div></blockquote></div><br></div></blockquote></div>
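<p>The workaround Alexey suggests above, merging the certificates exposed by the <code>KeychainStore-ROOT</code> and <code>KeychainStore</code> key stores into a single trust store, looks like the following in Java. This is an added example, not code from the thread or from OpenJDK; it assumes a JDK on macOS that provides both key store types (<code>KeychainStore-ROOT</code> exists since JDK-8320362), and the class and method names (<code>MergedKeychainTrust</code>, <code>copyCertificates</code>, <code>buildMergedTrustStore</code>, <code>sslContextFor</code>) are the example's own.</p>

```java
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds one in-memory trust store from the macOS "KeychainStore-ROOT"
 * (system roots) and "KeychainStore" (login/admin keychains) key stores and
 * installs it as the process-wide default SSLContext.
 * Added example; assumes a JDK on macOS that ships both store types.
 */
public final class MergedKeychainTrust {

    /**
     * Copies every certificate entry from the key store of the given type into
     * {@code target}. Aliases are prefixed with the source type so that entries
     * with the same alias in both keychain stores do not overwrite each other.
     * Returns the number of certificates copied.
     */
    static int copyCertificates(String type, KeyStore target) throws Exception {
        KeyStore source = KeyStore.getInstance(type);
        source.load(null, null);                 // keychain-backed stores take no stream/password
        int copied = 0;
        for (Enumeration<String> e = source.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!source.isCertificateEntry(alias)) {
                continue;                        // skip private-key identities; only anchors belong here
            }
            Certificate cert = source.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                target.setCertificateEntry(type + ":" + alias, cert);
                copied++;
            }
        }
        return copied;
    }

    /** Creates an empty PKCS12 store and fills it from both keychain stores. */
    static KeyStore buildMergedTrustStore() throws Exception {
        KeyStore merged = KeyStore.getInstance("PKCS12");
        merged.load(null, null);                 // empty in-memory store
        int roots = copyCertificates("KeychainStore-ROOT", merged);
        int custom = copyCertificates("KeychainStore", merged);
        System.out.printf("system roots: %d, keychain certificates: %d%n", roots, custom);
        return merged;
    }

    /** Wraps the merged store in a PKIX trust manager and a TLS SSLContext. */
    static SSLContext sslContextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        KeyStore merged = buildMergedTrustStore();
        SSLContext.setDefault(sslContextFor(merged));

        // Optional: persist the merged store so other JVMs can use it through
        // -Djavax.net.ssl.trustStore=merged-truststore.p12 (constructed file name;
        // "changeit" is only a placeholder password).
        try (FileOutputStream out = new FileOutputStream("merged-truststore.p12")) {
            merged.store(out, "changeit".toCharArray());
        }
    }
}
```

<p>Two caveats when reviewing this approach. First, every certificate entry in a Java trust store is a trust anchor: the macOS "Unspecified" trust setting that Tim describes for Intermediate 1 and 2 has no counterpart, so whatever the keychain store exposes becomes directly trusted, which is broader than the keychain's own policy. Second, the merged store only contains what each JDK key store type chooses to expose, so the intermediate-certificate problem tracked in the linked pull request is not solved by merging; it only changes where the gap shows up.</p>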