Hi all,
I am trying to make life easier for Apple and Windows users by providing
functionality to use Windows-MY and Windows-ROOT; however, I got stuck with
KeychainStore.
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Client identity: private keys and certificates from the user's keychain
KeyStore keyStore = KeyStore.getInstance("KeychainStore", "Apple");
keyStore.load(null, null);
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("PKIX");
keyManagerFactory.init(keyStore, keyPassphrase); // keyPassphrase: char[] supplied by the caller
// Trust anchors: the same keychain store is used as the trust store
KeyStore trustStore = KeyStore.getInstance("KeychainStore", "Apple");
trustStore.load(null, null);
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("PKIX");
trustManagerFactory.init(trustStore);
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
SSLSocketFactory factory = ctx.getSocketFactory();
The problem is that when connecting to a TLS endpoint with a publicly issued
certificate, Java cannot validate the server's certificate, as follows:
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target
It looks like the functionality to access the macOS trust store is missing,
which is counterintuitive and makes it seem like I am doing something wrong.
Digging into the JDK code leads here:
https://github.com/openjdk/jdk/blob/master/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m
Specifically, what I don’t see is a call to SecTrustCopyAnchorCertificates:
https://developer.apple.com/documentation/security/1401507-sectrustcopyanchorcertificates?language=objc
Am I right in understanding that Java can access certificates in a keychain,
but not certificates in the trust store?
Does it make sense to amend "KeychainStore" to allow access to the trust store,
or does macOS need a dedicated keystore like Windows-ROOT?
Regards,
Graham
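The following is an added example, not code from the post above or from the JDK. It does two things a practitioner would want while the question is open: it enumerates what "KeychainStore" actually exposes (key entries versus trusted-certificate entries), and it builds an SSLContext whose trust decision is chained, so that anchors the keychain does expose are consulted first and the JDK's default trust store (cacerts, reached by initialising a PKIX TrustManagerFactory with a null KeyStore) covers publicly issued certificates. Client identities still come from the keychain. The class name, the ChainedTrustManager helper, the use of an empty passphrase for keychain keys, and the default host "example.com" are assumptions of this example.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added example (not from the original post or the JDK): keychain identities plus JDK trust fallback. */
public class KeychainWithFallbackTrust {

    /** Report what KeychainStore exposes, so the "no anchors" observation can be checked directly. */
    static int[] describeKeychainStore() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("KeychainStore", "Apple");
        ks.load(null, null);
        int keys = 0, certs = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) keys++;
            else if (ks.isCertificateEntry(alias)) certs++;
        }
        System.out.printf("KeychainStore: %d key entries, %d trusted-certificate entries%n", keys, certs);
        return new int[] { keys, certs };
    }

    /** PKIX trust manager over the given store; a null store means the JDK default (cacerts). */
    static X509TrustManager pkixTrustManager(KeyStore trustStore) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new GeneralSecurityException("PKIX factory returned no X509TrustManager");
    }

    /** Accepts a chain if any delegate accepts it; otherwise rethrows the last delegate's failure. */
    static final class ChainedTrustManager implements X509TrustManager {
        private final List<X509TrustManager> delegates;
        ChainedTrustManager(List<X509TrustManager> delegates) { this.delegates = delegates; }

        private void check(X509Certificate[] chain, String authType, boolean server) throws CertificateException {
            CertificateException last = null;
            for (X509TrustManager tm : delegates) {
                try {
                    if (server) tm.checkServerTrusted(chain, authType);
                    else tm.checkClientTrusted(chain, authType);
                    return;
                } catch (CertificateException e) { last = e; }
            }
            throw last != null ? last : new CertificateException("no trust managers configured");
        }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { check(chain, authType, true); }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { check(chain, authType, false); }
        @Override public X509Certificate[] getAcceptedIssuers() {
            List<X509Certificate> all = new ArrayList<>();
            for (X509TrustManager tm : delegates) Collections.addAll(all, tm.getAcceptedIssuers());
            return all.toArray(new X509Certificate[0]);
        }
    }

    /** Client keys from the keychain; trust from the keychain first, then the JDK default store. */
    static SSLContext buildContext(char[] keyPassphrase) throws GeneralSecurityException, IOException {
        KeyStore keychain = KeyStore.getInstance("KeychainStore", "Apple");
        keychain.load(null, null);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("PKIX");
        kmf.init(keychain, keyPassphrase);

        List<X509TrustManager> tms = new ArrayList<>();
        tms.add(pkixTrustManager(keychain)); // whatever anchors the keychain store does expose
        tms.add(pkixTrustManager(null));     // JDK cacerts: covers publicly issued certificates
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), new TrustManager[] { new ChainedTrustManager(tms) }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        describeKeychainStore();
        // Assumption: keychain-backed keys need no Java-side passphrase, so an empty one is passed.
        SSLContext ctx = buildContext(new char[0]);
        String host = args.length > 0 ? args[0] : "example.com"; // assumed default host
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
            // Trust managers check the chain, not the hostname; enable endpoint identification explicitly.
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
            s.startHandshake();
            System.out.println("Handshake OK with " + s.getSession().getPeerPrincipal());
        }
    }
}
```

Two points worth keeping in mind with this arrangement: a custom X509TrustManager does not perform hostname verification on its own, which is why the example sets the "HTTPS" endpoint identification algorithm on the socket, and the chained order matters only for which failure message you see, since a chain is accepted as soon as either store validates it.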