JDK-8347067

Load certificates without explicit trust settings in KeyChainStore


    • Type: Enhancement
    • Resolution: Unresolved
    • Priority: P4
    • Component: security-libs

      The issue is reported by Tim Jacomb: timjacomb1@gmail.com

      The current implementation of the KeychainStore loads certificates with the implicit or empty trust settings only. Certificates without trust settings are discarded.

      According to the Apple https://developer.apple.com/documentation/security/sectrustsettingscopytrustsettings(_:_:_:) specification, two different scenarios should be considered:

      * Empty trustSettings means that the certificate is trusted if it is self-signed.
      * Null trustSettings means that the certificate must be verified before adding to the trust store.

      Scenario:

      Root CA -> Intermediate 1 -> Intermediate 2

      Where:

      * All certs are in admin domain kSecTrustSettingsDomainAdmin
      * Root CA is marked as always trust
      * Intermediate 1 and 2 are Unspecified

      Expected behavior:

      Root CA, Intermediate 1, and Intermediate 2 are added to the "KeychainStore" trust storage.
      TLS client accepts the server certificate if it is signed by "Intermediate 2", but "Intermediate 2" is not part of the "Certificate" TLS handshake message.

      Current behavior:

      Intermediate 1 and Intermediate 2 are not added to the "KeychainStore" trust storage.
      TLS client rejects server certificate.

      Reproducer:

      https://github.com/timja/openjdk-intermediate-ca-reproducer
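      To check on a given JDK which of the three certificates are exposed as trusted entries, and whether a leaf issued by "Intermediate 2" validates against them, a small diagnostic along these lines can be used. It is an added example, not code from the JDK or from the linked reproducer; the class name `KeychainTrustCheck` and the `leaf.pem` argument are assumptions, and it runs only on macOS, where the "KeychainStore" type is available.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Added diagnostic, not part of the JDK or of the linked reproducer.
// Usage (macOS only): java KeychainTrustCheck.java [leaf.pem]
// leaf.pem is a hypothetical file holding only the server certificate,
// i.e. the case where "Intermediate 2" is absent from the handshake.
public class KeychainTrustCheck {
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("KeychainStore");
        ks.load(null, null);

        // Every trusted-certificate entry the JDK loaded from the keychain.
        Set<TrustAnchor> anchors = new HashSet<>();
        for (String alias : Collections.list(ks.aliases())) {
            java.security.cert.Certificate c = ks.getCertificate(alias);
            if (ks.isCertificateEntry(alias) && c instanceof X509Certificate) {
                X509Certificate x509 = (X509Certificate) c;
                anchors.add(new TrustAnchor(x509, null));
                System.out.println("trusted: " + x509.getSubjectX500Principal());
            }
        }
        if (args.length == 0) return;          // listing only
        if (anchors.isEmpty()) {               // PKIXParameters rejects an empty set
            System.out.println("FAIL: no trusted certificate entries loaded");
            return;
        }

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate leaf;
        try (InputStream in = new FileInputStream(args[0])) {
            leaf = (X509Certificate) cf.generateCertificate(in);
        }
        System.out.println("leaf issuer: " + leaf.getIssuerX500Principal());

        // Validate a path made of the leaf alone, so it succeeds only if
        // the leaf's issuer is itself one of the loaded entries.
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);    // isolate the trust-anchor question
        try {
            CertPathValidator.getInstance("PKIX")
                    .validate(cf.generateCertPath(List.of(leaf)), params);
            System.out.println("PASS: leaf chains to a KeychainStore entry");
        } catch (CertPathValidatorException e) {
            System.out.println("FAIL: " + e.getMessage());
        }
    }
}
```

      With the current behavior described above, the "trusted:" list would show Root CA but neither intermediate, and the leaf check would report FAIL. The check covers path validation only, not the hostname or revocation checks a TLS client also performs.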

            Assignee: Unassigned
            Reporter: Alexey Bakhtin (abakhtin)