JDK-8321045

Load anchor certificates from Keychain keystore


    • CSR
    • Resolution: Approved
    • P4
    • 23
    • security-libs
    • None
    • behavioral
    • minimal
    • Compatibility risk should be minimal because the proposed solution just extends the list of trusted certificates with the native MacOS Trusted Anchors.
    • Other
    • JDK

      Summary

      Expand the MacOS KeyStore support in the Apple provider to include access to the System Root certificates.

      Problem

      The current implementation of the Apple provider does not load System Root certificates from the native MacOS store into the JDK KeychainStore implementation. As a result, the KeychainStore trust store cannot be used to verify SSL server certificates, even if the root certificate is present in the native MacOS store and permitted.

      Solution

      I suggest introducing a new KeychainStore-ROOT keystore to access predefined System Root certificates from the native Keychain storage.

      Trusted Anchor certificates should be loaded with the Trusted Settings, similar to the regular CA certificates (see JDK-8320362 and JDK-8303465).

      Predefined System Root certificates are located in the /System/Library/Keychains/SystemRootCertificates.keychain keystore [1]. The only way to access pre-trusted Root CA Certificates is to read them from the /System/Library/Keychains/SystemRootCertificates.keychain store.

      The KeychainStore-ROOT keystore should be read-only and throw KeyStoreException on any attempt to modify it.

      Alternative solution:

      Access the list of System Root certificates using the SecTrustCopyAnchorCertificates native call [2]. This API returns both pre-trusted Root and user-defined Root certificates, so it cannot be used for the KeychainStore-ROOT keystore.

      Specification

      The expanded set of strings to be supported are:

        - "KeychainStore-ROOT": keystore type that identifies the native MacOS System Root keystore.

      The following changes should be made to the existing "JDK Providers Documentation" [3]:

      "KeychainStore": The keystore type that identifies the native MacOS login/system keystore. It contains the user's personal certificates and associated private keys that are only accessible to the current user account.

      "KeychainStore-ROOT": The keystore type that identifies the native MacOS System Root keystore. It contains the pre-trusted Root CA Certificates that are accessible to all accounts on the system.

      [1] https://opensource.apple.com/source/libsecurity_keychain/libsecurity_keychain-55050.9/lib/TrustSettingsSchema.h.auto.html

      [2] https://developer.apple.com/documentation/security/1401507-sectrustcopyanchorcertificates?language=objc

      [3] https://docs.oracle.com/en/java/javase/18/security/oracle-providers.html#GUID-3185649A-C316-45F2-A70E-2B3FF6BDC34F
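How an application could use the proposed keystore as a TLS trust store and confirm the read-only behaviour described above. This is an added example, not code from the JDK or from this CSR; it assumes a MacOS JDK whose Apple provider offers the "KeychainStore-ROOT" type, and the class name, method names and probe alias are made up for illustration.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class KeychainRootTrust {
    // Keystore type proposed in this CSR; only available through the Apple provider.
    static final String TYPE = "KeychainStore-ROOT";

    static KeyStore loadSystemRoots() throws Exception {
        KeyStore ks = KeyStore.getInstance(TYPE); // KeyStoreException if no provider offers the type
        ks.load(null, null);                      // Keychain-backed stores take no stream or password
        return ks;
    }

    // Build a TLS context that trusts only the anchors exposed by the given keystore.
    static SSLContext tlsContextFrom(KeyStore roots) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(roots);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // The CSR requires modification attempts to fail with KeyStoreException.
    // Probe with a constructed alias that does not exist, so nothing is removed
    // even if the store under test turns out to be writable.
    static boolean rejectsModification(KeyStore ks) {
        try {
            ks.deleteEntry("constructed-probe-alias-not-present");
            return false; // call accepted: store is not enforcing read-only
        } catch (KeyStoreException expected) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore roots;
        try {
            roots = loadSystemRoots();
        } catch (KeyStoreException e) { // non-MacOS platform or a JDK without this change
            System.out.println(TYPE + " not available: " + e.getMessage());
            return;
        }
        System.out.println("system root anchors: " + roots.size());
        System.out.println("read-only enforced:  " + rejectsModification(roots));
        System.out.println("TLS context ready:   " + tlsContextFrom(roots).getProtocol());
    }
}
```

Because the trust managers are built from this keystore alone, user-added roots in the login or system keychain are not trusted by the resulting context.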

            Alexey Bakhtin (abakhtin)
            Weijun Wang