On Sun, 26 Jan 2025 23:04:29 GMT, Tim Jacomb <d...@openjdk.org> wrote:
>> ## The change
>>
>> Without this change, intermediate certificates that don't have explicit trust settings are ignored and not added to the truststore.
>>
>> ## Reproducer
>>
>> See https://github.com/timja/openjdk-intermediate-ca-reproducer
>>
>> Without this change the reproducer fails, and with this change it succeeds.
>>
>> ## Example failing architecture
>>
>> Root CA -> Intermediate 1 -> Intermediate 2 -> Leaf
>>
>> Where:
>> * All certs are in admin domain kSecTrustSettingsDomainAdmin
>> * Root CA is marked as always trust
>> * Intermediate 1 and 2 are Unspecified
>>
>> Previously Root CA would be found but intermediate 1 and 2 would be skipped when verifying trust settings.
>>
>> ## Background reading
>>
>> ### Rust
>>
>> See also the Rust lib that is used throughout the Rust ecosystem for this:
>> https://github.com/rustls/rustls-native-certs/blob/efe7b1d77bf6080851486535664d1dc7ef0dea68/src/macos.rs#L39-L58
>>
>> e.g. in Deno https://github.com/denoland/deno/pull/11491 where I've verified it is correctly implemented and works in my setup
>>
>> ### Python
>>
>> I also looked at the Python implementation for inspiration as well (which also works on my system):
>> https://github.com/sethmlarson/truststore/blob/main/src/truststore/_macos.py
>
> Tim Jacomb has updated the pull request incrementally with one additional commit since the last revision:
>
>   Revert unneeded change

test/jdk/java/security/KeyStore/CheckMacOSKeyChainIntermediateCATrust.java line 81:

> 79:
> 80:         String nonTrustedCASubjectName = "CN=Non Trusted Example CA,O=Example,C=US";
> 81:         assertThat(not(containsSubjectName(certificates, nonTrustedCASubjectName)), "Non trusted CA found " + nonTrustedCASubjectName, certificates);

Could you please add one more test, if you don't mind?
NonTrustedIntermediateCA is issued by nonTrustedCA:

```shell
openssl genrsa -out non-trusted-intermediate.key 2048
openssl req -new -sha256 -nodes -key non-trusted-intermediate.key \
  -subj "/C=US/O=Example/CN=Non Trusted Example Intermediate CA" \
  -out non-trusted-intermediate-ca.csr
openssl x509 -req \
  -extensions v3_ca \
  -extfile openssl.cnf \
  -in non-trusted-intermediate-ca.csr \
  -CA non-trusted-test-ca.pem \
  -CAkey non-trusted-root.key \
  -CAcreateserial \
  -out non-trusted-intermediate-ca.pem \
  -days 3650 \
  -sha256
```

In this case, we'll cover all basic scenarios.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/22911#discussion_r1931130953
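The scenarios the PR description and this review ask the test to cover, as an added example that is not part of the thread and is not code from the JDK, from `KeychainStore`, or from PR 22911: a Python model of which keychain certificates are selected under the pre-fix rule (explicit trust settings only, which drops Intermediate 1 and 2) and under the rule the requested tests pin down (an Unspecified intermediate is kept only when its issuer chain reaches an explicitly trusted root, so a non-trusted CA and an intermediate issued by it stay out). The string trust tags, the `KeychainCert` type, the `Example Root CA` / `Example Intermediate CA` names and the extra Deny case are assumptions for this example; the two `Non Trusted Example ...` subject names are taken from the test on the page, and their trust setting is assumed to be Unspecified. The model goes one step beyond the page by also showing that an explicit Deny on the root cuts off intermediates below it.

```python
# Added example, not JDK or PR 22911 code: model of truststore selection from
# macOS keychain trust settings. Names other than the two "Non Trusted Example"
# subjects from the test on the page, and the trust tags, are constructed.
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

# Simplified stand-ins for the trust-settings results: explicit "always trust"
# on a root, no explicit setting (Unspecified), or an explicit Deny.
ALWAYS = "always"
UNSPECIFIED = "unspecified"
DENY = "deny"


@dataclass(frozen=True)
class KeychainCert:
    subject: str
    issuer: str  # equal to subject for a self-signed root
    trust: str


def explicit_only(certs: Iterable[KeychainCert]) -> Set[str]:
    """Pre-fix behaviour described in the PR: only certs with an explicit
    'always trust' setting are kept, so Unspecified intermediates are skipped."""
    return {c.subject for c in certs if c.trust == ALWAYS}


def _chains_to_anchor(cert: KeychainCert, by_subject: Dict[str, KeychainCert],
                      anchors: Set[str]) -> bool:
    """Follow issuer links until an explicitly trusted anchor is reached.
    Deny on the path, an Unspecified self-signed root, an issuer missing from
    the keychain, or a loop all mean the cert cannot be trusted."""
    seen: Set[str] = set()
    cur: Optional[KeychainCert] = cert
    while cur is not None:
        if cur.trust == DENY:
            return False
        if cur.subject in anchors:
            return True
        if cur.subject == cur.issuer or cur.subject in seen:
            return False
        seen.add(cur.subject)
        cur = by_subject.get(cur.issuer)
    return False


def with_intermediates(certs: Iterable[KeychainCert]) -> Set[str]:
    """Rule the requested tests pin down: explicit anchors, plus Unspecified
    intermediates that chain to one of them. A CA with no explicit trust and
    anything issued under it stay out."""
    certs = list(certs)
    by_subject = {c.subject: c for c in certs}
    anchors = explicit_only(certs)
    chosen = set(anchors)
    for c in certs:
        if c.trust == UNSPECIFIED and _chains_to_anchor(c, by_subject, anchors):
            chosen.add(c.subject)
    return chosen


# Constructed keychain contents mirroring the architecture in the PR
# description and the two non-trusted certs from the test, plus a Deny case.
ROOT = "CN=Example Root CA,O=Example,C=US"
INT1 = "CN=Example Intermediate CA 1,O=Example,C=US"
INT2 = "CN=Example Intermediate CA 2,O=Example,C=US"
NON_TRUSTED_CA = "CN=Non Trusted Example CA,O=Example,C=US"
NON_TRUSTED_INT = "CN=Non Trusted Example Intermediate CA,O=Example,C=US"
DENIED_CA = "CN=Denied Example CA,O=Example,C=US"
DENIED_INT = "CN=Denied Example Intermediate CA,O=Example,C=US"

KEYCHAIN = [
    KeychainCert(ROOT, ROOT, ALWAYS),
    KeychainCert(INT1, ROOT, UNSPECIFIED),
    KeychainCert(INT2, INT1, UNSPECIFIED),
    KeychainCert(NON_TRUSTED_CA, NON_TRUSTED_CA, UNSPECIFIED),
    KeychainCert(NON_TRUSTED_INT, NON_TRUSTED_CA, UNSPECIFIED),
    KeychainCert(DENIED_CA, DENIED_CA, DENY),
    KeychainCert(DENIED_INT, DENIED_CA, UNSPECIFIED),
]

if __name__ == "__main__":
    print("explicit trust only: ", sorted(explicit_only(KEYCHAIN)))
    print("with intermediates:  ", sorted(with_intermediates(KEYCHAIN)))
```

Run the file directly to see the two selections side by side; the first list contains only the root, the second adds Intermediate 1 and 2 and nothing from the non-trusted or denied branches, which is exactly the set of assertions the test on the page makes with `containsSubjectName`.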