JDK-8303465: KeyStore of type KeychainStore, provider Apple does not show all trusted certificates


    • b26
    • generic
    • os_x
    • Verified

JDK-8278449 (https://github.com/openjdk/jdk/commit/9ce2d75d0b5a98fe0d223a2f070b7b0f0fa89322) changed the behavior of the macOS keystore implementation (KeychainStore, provider "Apple") so that it only shows certificates with proper trust. This was also documented in the release notes, e.g. here: https://www.oracle.com/java/technologies/javase/17-0-3-relnotes.html#JDK-8278449

However, the implementation seems flawed, as not all possible trusted certificates are loaded. With the current code (https://github.com/openjdk/jdk/blob/2adb3b409e8cc87685a4379be3f7beeb53706e2e/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m#L440), a certificate is only loaded if a trust record for it exists in the "user" domain. That is not sufficient, since there may also be trust records in the "admin" or "system" domains.

Further details are in the macOS API documentation:
https://developer.apple.com/documentation/security/1400261-sectrustsettingscopytrustsetting
https://developer.apple.com/documentation/security/sectrustsettingsdomain

The following example program can be used to display the keystore contents from the macOS keychain:

--------------
import java.security.KeyStore;

public class MacKeyChainStoreTrustDemo {

    @SuppressWarnings("nls")
    public static void main(String[] args) throws Exception {
        // Load the macOS keychain-backed keystore; no password or stream is needed
        KeyStore keyStore = KeyStore.getInstance("KeychainStore", "Apple");
        keyStore.load(null, null);
        // Print every alias the provider exposes, then the total count
        keyStore.aliases().asIterator().forEachRemaining(System.out::println);
        System.out.println("size:" + keyStore.size());
    }
}
--------------
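To see which certificates the Java list is missing and why, the per-domain lookup described above can be reproduced directly against the Security framework. The following is an added example, not JDK code: it enumerates the certificates in the keychain search list and reports, for each, which of the three trust-settings domains holds a record (the function name trustDomainsFor and the output format are this example's own choices).

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#include <stdio.h>

// Added example, not JDK code. For every certificate the keychain search
// list returns, list the trust-settings domains that hold a record for it.
// Looking only at the user domain is the gap described in this report.
// A record's presence is not yet "trusted": a loader must also evaluate the
// kSecTrustSettingsResult value inside each record (a record may say Deny).
static NSString *trustDomainsFor(SecCertificateRef cert) {
    const SecTrustSettingsDomain domains[] = {
        kSecTrustSettingsDomainUser, kSecTrustSettingsDomainAdmin, kSecTrustSettingsDomainSystem };
    const char *names[] = { "user", "admin", "system" };
    NSMutableArray *found = [NSMutableArray array];
    for (unsigned i = 0; i < 3; i++) {
        CFArrayRef settings = NULL;
        OSStatus st = SecTrustSettingsCopyTrustSettings(cert, domains[i], &settings);
        // errSecItemNotFound: no record in this domain. errSecSuccess with an
        // empty array means "always trust as root" according to Apple's docs.
        if (st == errSecSuccess) {
            long n = settings ? (long)CFArrayGetCount(settings) : 0L;
            [found addObject:[NSString stringWithFormat:@"%s(%ld)", names[i], n]];
        }
        if (settings) CFRelease(settings);
    }
    return found.count ? [found componentsJoinedByString:@","] : @"none";
}

int main(void) {
    @autoreleasepool {
        NSDictionary *query = @{ (id)kSecClass: (id)kSecClassCertificate,
                                 (id)kSecMatchLimit: (id)kSecMatchLimitAll,
                                 (id)kSecReturnRef: @YES };
        CFTypeRef result = NULL;
        OSStatus st = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
        if (st != errSecSuccess) { fprintf(stderr, "SecItemCopyMatching: %d\n", (int)st); return 1; }
        for (id item in (__bridge NSArray *)result) {
            SecCertificateRef cert = (__bridge SecCertificateRef)item;
            NSString *subject = CFBridgingRelease(SecCertificateCopySubjectSummary(cert));
            printf("%-60s trust records: %s\n",
                   (subject ?: @"(no subject)").UTF8String, trustDomainsFor(cert).UTF8String);
        }
        CFRelease(result);
    }
    return 0;
}
```

Build with `clang -fobjc-arc -framework Foundation -framework Security trustdomains.m -o trustdomains`; any certificate reported with an admin or system record but no user record is one that the check described above would skip, so its subject can be compared against the alias list printed by the Java program.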

clanger Christoph Langer
mbaesken Matthias Baesken