Type: Bug
Resolution: Duplicate
Priority: P4
Fix Version/s: None
Affects Version/s: 11, 17, 23, 24
CPU: generic
OS: os_x
ADDITIONAL SYSTEM INFORMATION :
Mac Sequoia 15.0
openjdk version "24-ea" 2025-03-18
OpenJDK Runtime Environment (build 24-ea+29-3578)
OpenJDK 64-Bit Server VM (build 24-ea+29-3578, mixed mode, sharing)
A DESCRIPTION OF THE PROBLEM :
Given an enterprise MitM solution.
Root CA -> Intermediate CA 1 -> Intermediate CA 2 -> Leaf
Where Root CA, Intermediate CA 1 and Intermediate CA 2 have all been added to the trusted admin certs section of the keychain (visible in security dump-trust-settings -d).
Root CA has been marked as Always Trust.
Intermediate CA 1 and Intermediate CA 2 are just using the default trust settings but appear as valid in the keychain.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Configure above environment
Run java Main.java <URL>* KeychainStore
Provide any trusted URL in <URL>*
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Success
ACTUAL -
Exception in thread "main" java.lang.RuntimeException: Test failed:
at Main.main(Main.java:26)
Caused by: javax.net.ssl.SSLHandshakeException: (certificate_unknown) PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
---------- BEGIN SOURCE ----------
import java.security.KeyStore;
import java.io.*;
import java.net.*;
import javax.net.ssl.*;

public class Main {
    public static void main(String[] args) throws Exception {
        // args[0] = HTTPS URL to test, args[1] = truststore type (here "KeychainStore").
        // Open the Apple keystore directly first, to list the aliases it exposes.
        KeyStore keyStore = KeyStore.getInstance(args[1], "Apple");
        keyStore.load(null, null);
        keyStore.aliases().asIterator().forEachRemaining(System.out::println);
        System.out.println("size:" + keyStore.size());

        // Make the default SSLContext use the same keystore type as its truststore.
        // This must be set before the first TLS connection initializes the default context.
        System.setProperty("javax.net.ssl.trustStoreType", args[1]);

        String url = args[0];
        try {
            HttpsURLConnection httpsCon = (HttpsURLConnection) new URI(url).toURL().openConnection();
            // getResponseCode() triggers the TLS handshake; a PKIX failure surfaces here
            // as an SSLHandshakeException (a subclass of IOException).
            int code = httpsCon.getResponseCode();
            if (code != 200) {
                throw new RuntimeException("Test failed : bad http response code : " + code);
            }
            System.out.println("Success");
        } catch (IOException ioe) {
            throw new RuntimeException("Test failed: ", ioe);
        }
    }
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Do not use KeychainStore; use the default truststore type and manually add the certificates to the truststore.
FREQUENCY : always
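The submitted workaround, written out as an added example that is not part of the bug report or of the JDK: instead of relying on the javax.net.ssl.trustStoreType property, it builds a PKCS12 truststore from whatever the Apple KeychainStore does expose plus PEM files passed on the command line (the intermediates that KeychainStore omits), connects with an explicit SSLContext, prints the chain the server actually sent, and re-runs PKIX path building offline against the merged store so the missing link is visible. The class name TrustStoreWorkaround, the PEM file arguments and the security find-certificate command used to produce them are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreWorkaround {

    // Merge what the Apple KeychainStore exposes (the root marked "Always Trust")
    // with PEM files given on the command line (the intermediates it omits).
    // The PEM paths are an assumption; one way to produce them, per CA:
    //   security find-certificate -c "Intermediate CA 1" -p > intermediate1.pem
    static KeyStore buildTrustStore(List<String> pemFiles) throws Exception {
        KeyStore merged = KeyStore.getInstance("PKCS12");
        merged.load(null, null);

        KeyStore keychain = KeyStore.getInstance("KeychainStore", "Apple");
        keychain.load(null, null);
        for (String alias : Collections.list(keychain.aliases())) {
            Certificate c = keychain.getCertificate(alias);
            if (c != null) merged.setCertificateEntry("keychain-" + alias, c);
        }

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int n = 0;
        for (String path : pemFiles) {
            try (InputStream in = new FileInputStream(path)) {
                for (Certificate c : cf.generateCertificates(in)) {
                    merged.setCertificateEntry("pem-" + n++, c);
                }
            }
        }
        return merged;
    }

    // PKIX path building for a leaf against the truststore, run offline the way
    // the TLS trust manager runs it during the handshake. The truststore's own
    // certificates double as the pool of intermediates. Returns leaf..anchor;
    // on failure the CertPathBuilderException names the gap.
    static List<X509Certificate> buildPath(KeyStore trust, X509Certificate leaf) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        PKIXBuilderParameters params = new PKIXBuilderParameters(trust, target);
        params.setRevocationEnabled(false); // revocation is out of scope for this check

        List<Certificate> pool = new ArrayList<>();
        pool.add(leaf);
        for (String alias : Collections.list(trust.aliases())) {
            Certificate c = trust.getCertificate(alias);
            if (c != null) pool.add(c);
        }
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(pool)));

        PKIXCertPathBuilderResult result =
                (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
        List<X509Certificate> chain = new ArrayList<>();
        for (Certificate c : result.getCertPath().getCertificates()) chain.add((X509Certificate) c);
        chain.add(result.getTrustAnchor().getTrustedCert());
        return chain;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java TrustStoreWorkaround.java <https-url> [ca.pem ...]");
            System.exit(2);
        }
        KeyStore trust = buildTrustStore(List.of(args).subList(1, args.length));
        System.out.println("truststore entries: " + trust.size());

        // An explicit SSLContext, rather than the javax.net.ssl.trustStore* system
        // properties, so the merged store is exactly what this connection trusts.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        HttpsURLConnection con = (HttpsURLConnection) new URI(args[0]).toURL().openConnection();
        con.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + con.getResponseCode());

        // The chain the server (or the MitM proxy) actually sent. If the
        // intermediates are absent here, the client truststore must supply them,
        // which KeychainStore does not do for certificates without explicit
        // trust settings (JDK-8347067).
        Certificate[] sent = con.getServerCertificates();
        for (Certificate c : sent) System.out.println("server sent: " + ((X509Certificate) c).getSubjectX500Principal());
        for (X509Certificate c : buildPath(trust, (X509Certificate) sent[0])) System.out.println("path: " + c.getSubjectX500Principal());
        con.disconnect();
    }
}
```

Run as java TrustStoreWorkaround.java https://example.internal intermediate1.pem intermediate2.pem. If the handshake still fails, the PKIXBuilderParameters constructor or buildPath will say whether the root is missing from the merged store (no trusted entries) or whether the chain cannot be completed from leaf to anchor, which separates "KeychainStore exposed nothing" from "the intermediates were never supplied".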
Duplicates:
JDK-8347067 Load certificates without explicit trust settings in KeyChainStore (New)
Relates to:
JDK-8303465 KeyStore of type KeychainStore, provider Apple does not show all trusted certificates (Closed)