On Fri, 3 Jan 2025 11:28:01 GMT, Tim Jacomb <d...@openjdk.org> wrote:
> ## The change
>
> Without this change, intermediate certificates that don't have explicit trust settings are ignored, not added to the truststore.
>
> ## Reproducer
>
> See https://github.com/timja/openjdk-intermediate-ca-reproducer
>
> Without this change the reproducer fails, and with this change it succeeds.
>
> ## Example failing architecture
>
> Root CA -> Intermediate 1 -> Intermediate 2 -> Leaf
>
> Where:
> * All certs are in admin domain kSecTrustSettingsDomainAdmin
> * Root CA is marked as always trust
> * Intermediate 1 and 2 are Unspecified
>
> Previously Root CA would be found but Intermediate 1 and 2 would be skipped when verifying trust settings.
>
> ## Background reading
>
> ### Rust
>
> See also the Rust lib that is used throughout the Rust ecosystem for this:
> https://github.com/rustls/rustls-native-certs/blob/efe7b1d77bf6080851486535664d1dc7ef0dea68/src/macos.rs#L39-L58
>
> e.g. in Deno `https://github.com/denoland/deno/pull/11491` where I've verified it is correctly implemented and works in my setup
>
> ### Python
>
> I also looked at the Python implementation for inspiration as well (which also works on my system):
> https://github.com/sethmlarson/truststore/blob/main/src/truststore/_macos.py

Attaching logs as requested on the mailing list:
[debug-all.txt](https://github.com/user-attachments/files/18394763/debug-all.txt)
[cert-path.txt](https://github.com/user-attachments/files/18394767/cert-path.txt)

(OCA has been signed by my employer, so should be able to move forward soon)

src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m line 414:

> 412:     jobject *inputTrust) {
> 413:     CFArrayRef trustSettings;
> 414:     if (*inputTrust == NULL) {

Moved so that the empty `ArrayList` is always created.

src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m line 496:

> 494:
> 495:     // Only add certificates with trust settings
> 496:     if (inputTrust == NULL) {

From what I can tell, non-root certificates that do not have explicit trust settings do not show up in `SecTrustSettingsCopyTrustSettings`; docs appear to be https://developer.apple.com/documentation/security/sectrustsettingscopytrustsettings(_:_:_:) but not very clear.

----

I need to test that the certificate is still chained to a root and not trusted as a root.

test/jdk/java/security/KeyStore/CheckMacOSKeyChainIntermediateCATrust.java line 43:

> 41:
> 42: /*
> 43:  * @test

@alexeybakhtin quick question on how this should be marked as manual. I see all tests in https://github.com/openjdk/jdk/blob/master/test/jdk/TEST.groups#L256-L259 are manual ones. Is this test automatically included in that? Or should it be added here? https://github.com/openjdk/jdk/blob/master/test/jdk/TEST.groups#L657

-------------

PR Comment: https://git.openjdk.org/jdk/pull/22911#issuecomment-2586577905
PR Comment: https://git.openjdk.org/jdk/pull/22911#issuecomment-2591999366
PR Review Comment: https://git.openjdk.org/jdk/pull/22911#discussion_r1901702739
PR Review Comment: https://git.openjdk.org/jdk/pull/22911#discussion_r1901704441
PR Review Comment: https://git.openjdk.org/jdk/pull/22911#discussion_r1905788654
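The selection rule the thread is circling, as an added model in Python that is not part of the PR, the JDK or Apple's Security framework: a self-signed cert with an explicit always-trust setting becomes an anchor, an intermediate with unspecified trust is included only if it chains issuer by issuer to such an anchor, and the two sets are kept apart so an intermediate is never loaded as a root. The trust-setting values, the `Cert` type and the sample keychain are constructed for illustration.

```python
from dataclasses import dataclass
# Constructed model of macOS keychain trust settings (added illustration, not
# JDK or Apple code). The values mirror the states the PR names: an explicit
# "always trust" on the root CA and "unspecified" on the intermediates.
ALWAYS_TRUST, UNSPECIFIED, DENY = "always-trust", "unspecified", "deny"

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str   # equal to subject for a self-signed root
    trust: str    # trust-settings result in the admin domain

def select_trust_store(keychain):
    """Return (anchors, intermediates): anchors are self-signed certs marked
    always-trust; intermediates have unspecified trust but chain, issuer by
    issuer, to an anchor. They stay separate so no intermediate becomes a root."""
    by_subject = {c.subject: c for c in keychain}
    anchors = {c.subject for c in keychain
               if c.trust == ALWAYS_TRUST and c.issuer == c.subject}

    def chains_to_anchor(cert):
        seen, cur = set(), cert
        while cur is not None and cur.subject not in seen:
            seen.add(cur.subject)
            if cur.trust == DENY:            # explicit deny breaks the chain
                return False
            if cur.subject in anchors:
                return True
            if cur.issuer == cur.subject:    # self-signed but not an anchor
                return False
            cur = by_subject.get(cur.issuer) # None if issuer not in keychain
        return False                         # dangling issuer or a cycle

    intermediates = {c.subject for c in keychain
                     if c.subject not in anchors and c.trust == UNSPECIFIED
                     and c.issuer != c.subject and chains_to_anchor(c)}
    return anchors, intermediates

# Constructed sample keychain mirroring the failing architecture in the PR,
# plus three entries that must be excluded.
KEYCHAIN = [
    Cert("Root CA", "Root CA", ALWAYS_TRUST),
    Cert("Intermediate 1", "Root CA", UNSPECIFIED),
    Cert("Intermediate 2", "Intermediate 1", UNSPECIFIED),
    Cert("Untrusted Root", "Untrusted Root", UNSPECIFIED),   # no explicit trust
    Cert("Orphan Intermediate", "Untrusted Root", UNSPECIFIED),
    Cert("Blocked Intermediate", "Root CA", DENY),
    Cert("Under Blocked", "Blocked Intermediate", UNSPECIFIED),
]
```

With the sample above, only `Root CA` is an anchor and only `Intermediate 1` and `Intermediate 2` are added as intermediates; the unspecified self-signed root, the orphan and anything below a denied cert are left out.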