Hello Graham,

This functionality is under review now at https://github.com/openjdk/jdk/pull/16722
This patch proposes access to the macOS trust store using a new Java KeychainStore-Root keystore. Feel free to review and comment.
Regards
Aleksei

> On 14 Feb 2024, at 02:16, Graham Leggett <minf...@sharp.fm> wrote:
>
> Hi all,
>
> I am trying to make life easier for Apple and Windows users by providing
> functionality to use Windows-MY and Windows-ROOT, however I got stuck with
> KeychainStore.
>
> keyStore = KeyStore.getInstance("KeychainStore", "Apple");
> keyStore.load(null, null);
> keyManagerFactory = KeyManagerFactory.getInstance("PKIX");
> keyManagerFactory.init(keyStore, keyPassphrase);
> trustStore = KeyStore.getInstance("KeychainStore", "Apple");
> trustStore.load(null, null);
> trustManagerFactory = TrustManagerFactory.getInstance("PKIX");
> trustManagerFactory.init(trustStore);
> ctx = SSLContext.getInstance("TLS");
> ctx.init(keyManagerFactory.getKeyManagers(),
>          trustManagerFactory.getTrustManagers(), null);
> factory = ctx.getSocketFactory();
>
> The problem is that when connecting to a TLS endpoint with a publicly issued
> certificate, Java cannot validate the server's certificate as follows:
>
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable
> to find valid certification path to requested target
>
> It looks like the functionality to access the macOS trust store is missing,
> which is counterintuitive and makes it seem like I am doing something wrong.
>
> Digging into the JDK code it leads us here:
>
> https://github.com/openjdk/jdk/blob/master/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m
>
> Specifically, what I don't see is a call to SecTrustCopyAnchorCertificates:
>
> https://developer.apple.com/documentation/security/1401507-sectrustcopyanchorcertificates?language=objc
>
> Am I right in understanding that Java can access certificates in a keychain,
> but not certificates in the trust store?
>
> Does it make sense to amend "KeychainStore" to allow access to the trust
> store, or does macOS need a dedicated keystore like Windows-ROOT?
>
> Regards,
> Graham
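One way to wire the two keystores together, as an added example that is not from this thread or from the OpenJDK PR: it keeps the identity side from Graham's code, takes trust anchors from the KeychainStore-Root type named above, and checks that the trust keystore actually holds trustedCertEntry aliases before the TrustManagerFactory sees it, so the no-anchors case fails with a clear message instead of the SunCertPathBuilderException quoted above. Assumed: the exact keystore type name and whether the running JDK ships it at all; the class name KeychainTls is arbitrary.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class KeychainTls {
    // Identity keystore from the thread: keychain entries that carry private keys.
    static final String IDENTITY_TYPE = "KeychainStore";
    // Trust keystore type as named in the PR description above. Assumption: a given
    // JDK build may spell it differently or not ship it at all, hence the fallback.
    static final String TRUST_TYPE = "KeychainStore-Root";
    static final String PROVIDER = "Apple";

    /** Number of trustedCertEntry aliases; a trust store with none rejects every peer. */
    static int countTrustAnchors(KeyStore ks) throws KeyStoreException {
        int n = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) n++;
        }
        return n;
    }

    static SSLContext build(char[] keyPassphrase) throws Exception {
        KeyStore identity = KeyStore.getInstance(IDENTITY_TYPE, PROVIDER);
        identity.load(null, null);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("PKIX");
        kmf.init(identity, keyPassphrase);
        KeyStore trust;
        try {
            trust = KeyStore.getInstance(TRUST_TYPE, PROVIDER);
            trust.load(null, null);
        } catch (KeyStoreException e) {
            // JDK without the root keystore: null makes PKIX use the JDK's cacerts.
            trust = null;
        }
        if (trust != null && countTrustAnchors(trust) == 0) {
            // Fail loudly here instead of later with the opaque
            // "unable to find valid certification path" error from the thread.
            throw new IllegalStateException(TRUST_TYPE + " holds no trusted certificates");
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

The same countTrustAnchors check run against the plain "KeychainStore" type reproduces Graham's observation: the identity keystore yields no certificate entries usable as anchors, which is why the PKIX trust manager built from it cannot validate a public CA-issued server certificate.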