On Tue, 1 Apr 2025 19:23:27 GMT, Sean Mullan wrote:
> We need to be really careful here. With this fix we are deciding at runtime
> that these intermediate certificates should be treated as
> `KeyStore.TrustedCertificateEntry` objects just because they validated ok,
> and without any interacti
On Tue, 1 Apr 2025 15:25:45 GMT, Sean Mullan wrote:
> I am dubious that this is the right thing to do. There is a distinct
> difference between a certificate that is trusted and one that requires
> additional validation to determine if it is trusted. Blindly trusting
> self-signed certificates
On Mon, 27 Jan 2025 13:06:57 GMT, Sean Mullan wrote:
>> Tim Jacomb has updated the pull request incrementally with one additional
>> commit since the last revision:
>>
>> Revert unneeded change
>
> This change is significant and should be reviewed by at least
On Mon, 27 Jan 2025 22:43:32 GMT, Tim Jacomb wrote:
>> ## The change
>>
>> Without this change intermediate certificates that don't have explicit trust
>> settings are ignored not added to the truststore.
>>
>>
>>
>> ## Reproducer
>>
> I also looked at the Python implementation for inspiration as well (which
> also works on my system):
> https://github.com/sethmlarson/truststore/blob/main/src/truststore/_macos.py
Tim Jacomb has updated the pull request incrementally with one additional
commit since the last re
> I also looked at the Python implementation for inspiration as well (which
> also works on my system):
> https://github.com/sethmlarson/truststore/blob/main/src/truststore/_macos.py
Tim Jacomb has updated the pull request incrementally with one additional
commit since the last revi
> I also looked at the Python implementation for inspiration as well (which
> also works on my system):
> https://github.com/sethmlarson/truststore/blob/main/src/truststore/_macos.py
Tim Jacomb has updated the pull request incrementally with one additional
commit since th
On Sat, 25 Jan 2025 01:10:41 GMT, Alexey Bakhtin wrote:
>> Tim Jacomb has updated the pull request with a new target base due to a
>> merge or a rebase. The incremental webrev excludes the unrelated changes
>> brought in by the merge/rebase. The pull request contains 13 addi
> I also looked at the Python implementation for inspiration as well (which
> also works on my system):
> https://github.com/sethmlarson/truststore/blob/main/src/truststore/_macos.py
Tim Jacomb has updated the pull request with a new target base due to a merge
or a rebase. The incrementa
On Tue, 7 Jan 2025 20:20:46 GMT, Tim Jacomb wrote:
>> The test should be marked as `@run junit/manual ` and added to the
>> `jdk_security_manual_interactive` part of the TEST.groups
>
> Any idea how I can run the test after making those changes?
>
> The tes
On Sat, 4 Jan 2025 00:19:46 GMT, Alexey Bakhtin wrote:
> I think, in this particular case, we need two iterations to add certificates
> into the trust store. The first iteration will add certificates with non-null
> trust settings, and the second iteration should verify and add certificates
>
On Fri, 3 Jan 2025 15:36:33 GMT, Tim Jacomb wrote:
>> src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m line 496:
>>
>>> 494:
>>> 495: // Only add certificates with trust settings
>>> 496: if (inputTrust == NULL)
On Fri, 3 Jan 2025 11:28:01 GMT, Tim Jacomb wrote:
> ## The change
>
> Without this change intermediate certificates that don't have explicit trust
> settings are ignored not added to the truststore.
>
>
>
> ## Reproducer
>
> See https://github.com/timja
On Tue, 7 Jan 2025 17:21:50 GMT, Alexey Bakhtin wrote:
>> test/jdk/java/security/KeyStore/CheckMacOSKeyChainIntermediateCATrust.java
>> line 43:
>>
>>> 41:
>>> 42: /*
>>> 43: * @test
>>
>> @alexeybakhtin quick question on how this should be marked as manual.
>>
>> I see all tests in
>> htt
On Fri, 3 Jan 2025 16:52:51 GMT, Tim Jacomb wrote:
>> Interesting for root certificate `SecTrustSettingsCopyTrustSettings` returns:
>>
>> * -25300 (not found) when trust policy is `Use System Defaults`
>> * 0 and a `kSecTrustSettingsResult` value of 3 when set to
On Fri, 3 Jan 2025 16:29:57 GMT, Tim Jacomb wrote:
>> Ok this isn't working properly 😢
>>
>> 1. ⛔ Fails: Marking the certificate as OS default (which for CA certs is
>> trust: false) - with an intermediate
>> 2. ⛔ Fails: Marking the certificate as OS defau
On Fri, 3 Jan 2025 11:38:29 GMT, Tim Jacomb wrote:
>> ## The change
>>
>> Without this change intermediate certificates that don't have explicit trust
>> settings are ignored not added to the truststore.
>>
>>
>>
>> ## Reproducer
>>
On Mon, 6 Jan 2025 20:43:22 GMT, Tim Jacomb wrote:
> Is it possible to add jtreg test for this scenario?
I've done some research.
I _think_ it would only be possible with manual intervention to run it.
The certificates could be generated with a script, similar to the existin
## The change
Without this change intermediate certificates that don't have explicit trust
settings are ignored not added to the truststore.
## Reproducer
See https://github.com/timja/openjdk-intermediate-ca-reproducer
Without this change the reproducer fails, and with this change it succeed
intermediate are stored in the KeychainStore.
> According to the Apple spec CA intermediate can be stored without trust
> settings but is considered trusted if validated to the root cert.
>
> Regards
> Alexey
>
> On 13 Jan 2025, at 01:21, Tim Jacomb
> wrote:
>
Thanks
Tim
On Thu, 9 Jan 2025 at 20:56, Sean Mullan wrote:
>
> On 1/8/25 4:06 AM, Tim Jacomb wrote:
> > TLS handshake fails with PKIX path building error.
> >
> > Chain is Root -> Intermediate -> Leaf in the runnable example although
> > in our real-world use-cas
Responses below
On Tue, 7 Jan 2025 at 22:15, Sean Mullan wrote:
> Some additional thoughts below.
> On 1/4/25 3:45 AM, Tim Jacomb wrote:
>
> Following on from:
> https://bugs.openjdk.org/browse/JDK-8320362
>
> It's now possible to get system roots on macOS d
n admin could specify a
truststore pointing to the OS rather than relying on the application having
implemented a custom truststore.
Thanks
Tim
On Sat, 4 Jan 2025 at 08:45, Tim Jacomb wrote:
> Hi Alexey
>
> > It looks like the use case you described can be easily achieved by
> wr
diate certs:
> https://github.com/openjdk/jdk/pull/22911#issuecomment-2569957562
>
> Thank you
> Alexey
>
>
> On 3 Jan 2025, at 03:29, Tim Jacomb wrote:
>
Hi
Following on from:
https://bugs.openjdk.org/browse/JDK-8320362
It's now possible to get system roots on macOS devices in the
truststore: KeychainStore-ROOT.
That's quite useful.
Unfortunately it doesn't cover everything though.
In practice there's two issues I've found in trying to use it:
1