On Thu, 11 May 2023 21:38:35 GMT, Christoph Langer <clan...@openjdk.org> wrote:
> With this PR we try to be better in loading certificates from the MacOS > Keychain into a JDK Trust store. > > The current implementation after JDK-8278449 would only load/trust > certificates from an identity (with private key available) and certificates > that have explicit trust set in the user domain (as shown by security > dump-trust-settings). This, however is not sufficient and does not match the > MacOS system behavior, e.g. if you compare with tools like curl or Safari. > > This change does the following: > 1. The native method that reads trust settings will call the API > SecTrustSettingsCopyTrustSettings on a certificate for both, User and Admin > domain. > 2. We now trust self-signed certificates that have an explicit trust entry > with no sub-records or no sub-records that would deny the certificate usage > for any purpose. > 3. The check for double aliases has been augmented by comparing whether the > certificate to be added is the same as the one that is already present. This > can happen if a certificate is contained in both, the user and the system > keychain, for instance. > > I have added a test that verifies whether certificates that should be trusted > from "security dump-trust-settings" are contained in the keystore and those > that should be disallowed are absent. This pull request has now been integrated. Changeset: ac41c030 Author: Christoph Langer <clan...@openjdk.org> URL: https://git.openjdk.org/jdk/commit/ac41c030030c3d31815474c793ac9c420c47e22c Stats: 241 lines in 3 files changed: 193 ins; 32 del; 16 mod 8303465: KeyStore of type KeychainStore, provider Apple does not show all trusted certificates Reviewed-by: mbaesken, weijun ------------- PR: https://git.openjdk.org/jdk/pull/13945
