JDK-8347041

Intermediate certificates not correctly considered in KeychainStore


      ADDITIONAL SYSTEM INFORMATION :
      Mac Sequoia 15.0

      openjdk version "24-ea" 2025-03-18
      OpenJDK Runtime Environment (build 24-ea+29-3578)
      OpenJDK 64-Bit Server VM (build 24-ea+29-3578, mixed mode, sharing)


      A DESCRIPTION OF THE PROBLEM :
      Given an enterprise MitM solution.
      Root CA -> Intermediate CA 1 -> Intermediate CA 2 -> Leaf

      Where Root CA, Intermediate CA 1 and Intermediate CA 2 have all been added to the trusted admin certs section of the keychain (visible in security dump-trust-settings -d)

      Root CA has been marked as Always trust
      Intermediate CA 1 and Intermediate CA 2 are just using the default trust settings but appear as valid in keychain



      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      Configure above environment
      Run java Main.java <URL> KeychainStore
      Provide any trusted URL as <URL>

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      Success
      ACTUAL -
      Exception in thread "main" java.lang.RuntimeException: Test failed:
      at Main.main(Main.java:26)
      Caused by: javax.net.ssl.SSLHandshakeException: (certificate_unknown) PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

      ---------- BEGIN SOURCE ----------
      import java.io.*;
      import java.net.*;
      import java.security.KeyStore;
      import javax.net.ssl.*;

      public class Main {
          // args[0]: HTTPS URL whose chain the keychain is expected to trust
          // args[1]: trust store type to test, e.g. KeychainStore
          public static void main(String[] args) throws Exception {
              // List the entries the Apple provider exposes from the keychain.
              KeyStore keyStore = KeyStore.getInstance(args[1], "Apple");
              keyStore.load(null, null);
              keyStore.aliases().asIterator().forEachRemaining(System.out::println);
              System.out.println("size:" + keyStore.size());

              // Make the default SSLContext take its trust anchors from the same store type.
              // This must be set before the first HTTPS connection initializes the context.
              System.setProperty("javax.net.ssl.trustStoreType", args[1]);

              String url = args[0];

              try {
                  HttpsURLConnection httpsCon = (HttpsURLConnection) new URI(url).toURL().openConnection();
                  if (httpsCon.getResponseCode() != 200) {
                      throw new RuntimeException("Test failed : bad http response code : " + httpsCon.getResponseCode());
                  }
                  System.out.println("Success");
              } catch (IOException ioe) {
                  // PKIX path building failures surface here as an SSLHandshakeException.
                  throw new RuntimeException("Test failed: ", ioe);
              }
          }
      }
      ---------- END SOURCE ----------

      CUSTOMER SUBMITTED WORKAROUND :
      Do not use KeychainStore and use the default truststore type and manually add the certificates to the truststore

      FREQUENCY : always
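An added diagnostic, not part of the submitted test case or of the JDK: it runs the same PKIX X509TrustManager that HttpsURLConnection consults against a server chain read from a PEM file, so the trust-store side of the failure can be reproduced offline for any store type (KeychainStore, or a PKCS12 file built as in the workaround), and it lists which members of the chain the store exposes as trusted certificate entries. The class name ChainCheck, the argument layout, the file names and the choice of authType are assumptions made for this example.

```java
// Added example (not from the bug report or the JDK).
// Usage:
//   java ChainCheck.java KeychainStore chain.pem
//   java ChainCheck.java PKCS12 chain.pem truststore.p12 changeit
// chain.pem is assumed to hold the leaf first, followed by the intermediates
// the server sends (the order a TLS server presents them in).
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class ChainCheck {

    static KeyStore openStore(String type, String path, String password) throws Exception {
        if (type.equals("KeychainStore")) {
            // macOS only: backed by the keychain, no file and no password.
            KeyStore ks = KeyStore.getInstance(type, "Apple");
            ks.load(null, null);
            return ks;
        }
        if (path == null) {
            throw new IllegalArgumentException("store type " + type + " needs a store file");
        }
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password == null ? null : password.toCharArray());
        }
        return ks;
    }

    static List<X509Certificate> readChain(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(pemPath)) {
            // generateCertificates accepts a file of concatenated PEM blocks.
            for (var c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    // Prints which chain members the store hands out as trusted certificate entries.
    // For the reported setup this shows whether the intermediates are visible at all.
    static void reportTrustedEntries(KeyStore ks, List<X509Certificate> chain) throws Exception {
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!ks.isCertificateEntry(alias)) continue;
            var stored = ks.getCertificate(alias);
            for (X509Certificate c : chain) {
                if (c.equals(stored)) {
                    System.out.println("trusted entry matches chain cert: "
                        + c.getSubjectX500Principal() + " (alias " + alias + ")");
                }
            }
        }
    }

    static X509TrustManager pkixTrustManager(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager x) return x;
        }
        throw new IllegalStateException("no X509TrustManager from PKIX factory");
    }

    // authType drives the end-entity key-usage check; the signature-based
    // variants only require digitalSignature, which server certs carry.
    static String authTypeFor(X509Certificate leaf) {
        return leaf.getPublicKey().getAlgorithm().equals("EC") ? "ECDHE_ECDSA" : "ECDHE_RSA";
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java ChainCheck.java <storeType> <chain.pem> [storeFile] [storePassword]");
            System.exit(2);
        }
        KeyStore ks = openStore(args[0], args.length > 2 ? args[2] : null, args.length > 3 ? args[3] : null);
        List<X509Certificate> chain = readChain(args[1]);
        System.out.println("store type " + args[0] + ", " + ks.size() + " entries, chain length " + chain.size());
        reportTrustedEntries(ks, chain);
        try {
            pkixTrustManager(ks).checkServerTrusted(chain.toArray(new X509Certificate[0]), authTypeFor(chain.get(0)));
            System.out.println("chain accepted");
        } catch (CertificateException e) {
            // The same failure the handshake reports as certificate_unknown.
            System.out.println("chain rejected: " + e);
        }
    }
}
```

To exercise the workaround with this tool, export each CA from the System keychain with security find-certificate -a -p -c "<certificate name>" /Library/Keychains/System.keychain, import the resulting PEM files with keytool -importcert -noprompt -alias <alias> -file <file>.pem -keystore truststore.p12 -storetype PKCS12 -storepass changeit, and run the check with PKCS12 truststore.p12 changeit; the same file is what -Djavax.net.ssl.trustStore=truststore.p12 -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStorePassword=changeit points the original Main at. Running the check with KeychainStore against the chain that the MitM proxy presents isolates whether the PKIX builder can reach the root from what the Apple provider exposes, independent of the HTTP exchange.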

