Bug
Resolution: Unresolved
P4
None
21.0.2
generic
os_x
ADDITIONAL SYSTEM INFORMATION :
openjdk version "21.0.2" 2024-01-16
OpenJDK Runtime Environment (build 21.0.2+13-58)
OpenJDK 64-Bit Server VM (build 21.0.2+13-58, mixed mode, sharing)
A DESCRIPTION OF THE PROBLEM :
When "KeychainStore" is used as follows by Eclipse (for example), and an attempt is made to connect to an SSL-secured server, the KeychainStore pops up a dialog box asking to unlock the keychain once for every certificate in the keychain, including certificates unrelated to the request.
-Djavax.net.ssl.keyStoreType=KeychainStore
-Djavax.net.ssl.keyStore=NONE
In my case, that is one hundred and forty three popups.
REGRESSION : Last worked in version 21.0.2
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
- Have many certificates in a macOS keychain.
- Make an attempt to connect to an SSL endpoint that requires client certificates.
- Use the KeychainStore.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Based on the handshake with the server, select exactly one certificate, and request the password for that certificate only.
ACTUAL -
Password is asked for every single certificate in the keychain, including unrelated certificates that do not match the CA certs requested by the server.
"Eclipse wants to export key "<key>" from your keychain." - over and over again, with different values for "<key>".
It looks like the certificate iteration functions being used below are unlocking every certificate private key, instead of searching for certificates only.
https://github.com/openjdk/jdk/blob/master/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m
---------- BEGIN SOURCE ----------
The Eclipse application shows this.
Add the following to eclipse.ini (for example) and start eclipse:
-Djavax.net.ssl.keyStoreType=KeychainStore
-Djavax.net.ssl.keyStore=NONE
-Djavax.net.ssl.trustStoreType=JKS
-Djavax.net.ssl.trustStore=/Library/Java/JavaVirtualMachines/jdk-21.0.2.jdk/Contents/Home/lib/security/cacerts
It appears that as soon as Eclipse starts making outbound connections, it starts triggering the password popup.
---------- END SOURCE ----------
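A stand-alone reproducer for the behaviour described above, added here as an example; it is not code from the original report or from the JDK. It assumes a macOS machine with a JDK that registers the KeychainStore type and a login keychain holding several identities (certificate plus private key). It splits the client-side setup into the individual KeyStore and key-manager calls and prints a banner before each, so the keychain's "wants to export key" dialogs can be tied to the JDK call that triggers them rather than to "Eclipse starting connections". The optional argument selects the KeyManagerFactory algorithm (the provider default, or "NewSunX509") so the two implementations shipped in SunJSSE can be compared; which of them prompts, and how many times, is what a run shows, not something this example asserts.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

/*
 * Reproducer written for this page, not part of the JDK or of the bug report.
 * Runs only on macOS with a JDK that provides the "KeychainStore" KeyStore type.
 * Each stage prints a banner first, so any "... wants to export key" dialog
 * that appears can be attributed to the stage that was running.
 *
 *   java KeychainStoreProbe              # default KeyManagerFactory algorithm
 *   java KeychainStoreProbe NewSunX509   # alternative SunJSSE key manager
 */
public class KeychainStoreProbe {

    // Assumption: the login keychain is the backing store; no file is involved.
    static final String TYPE = "KeychainStore";

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(TYPE);

        System.out.println("[1] KeyStore.load(null, null)");
        ks.load(null, null);

        // Stage 2 only reads aliases and certificates; it never asks for a key.
        System.out.println("[2] aliases() / isKeyEntry() / getCertificate()");
        List<String> keyAliases = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                continue;
            }
            keyAliases.add(alias);
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            String subject = cert == null ? "(no certificate)" : cert.getSubjectX500Principal().toString();
            System.out.println("    key entry: " + alias + "  subject=" + subject);
        }
        System.out.println("    " + keyAliases.size() + " identities found");

        // Stage 3 is what an SSL client does before any handshake. Dialogs that
        // appear here, once per identity, belong to key-manager initialisation,
        // not to certificate selection.
        String alg = args.length > 0 ? args[0] : KeyManagerFactory.getDefaultAlgorithm();
        System.out.println("[3] KeyManagerFactory.getInstance(\"" + alg + "\").init(ks, null)");
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(alg);
        kmf.init(ks, null);
        X509KeyManager km = (X509KeyManager) kmf.getKeyManagers()[0];

        // Stage 4 is the selection step the report expects to be the only one
        // that touches a private key. issuers == null stands in for a server
        // that sent an empty CA list, so any RSA or EC identity qualifies.
        System.out.println("[4] chooseClientAlias()");
        String chosen = km.chooseClientAlias(new String[] {"RSA", "EC"}, null, null);
        System.out.println("    chosen alias: " + chosen);
    }
}
```

Read the output together with the dialogs: if the prompts start during stage 3 and their count matches the "identities found" line from stage 2, the keychain is being asked to export every private key before the handshake has even told the client which issuers the server accepts, which is the mismatch between EXPECTED and ACTUAL described in the report.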
CUSTOMER SUBMITTED WORKAROUND :
None.
The password popup has no cancel functionality. The only way to stop the endless popups is to exit the java application.
FREQUENCY : always