On Tue, 1 Apr 2025 15:25:45 GMT, Sean Mullan <mul...@openjdk.org> wrote:
> I am dubious that this is the right thing to do. There is a distinct > difference between a certificate that is trusted and one that requires > additional validation to determine if it is trusted. Blindly trusting > self-signed certificates is very dangeorous, and unless I am mistaken, this > seems to be what this code may do. I do not think lumping both of these > certificates into "trusted" certificates is the right thing to do. There is no 'blind' trust in this pull request. Any 'non trusted' certificate is validated via the OS APIs, once it has been validated by the OS then it is a trusted certificate it just needed its chain verified to the root. https://github.com/openjdk/jdk/pull/22911/files#diff-b0b2f959f0fa18e568c0688bd233882283bca94f4ff6dce886a21510ff82d64dR475 https://github.com/timja/jdk/blob/59ceebc4acf2c39c86c45b1aa6746bf619417cea/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m#L475 > It may mean that we need to enhance the `KeyStore` API to be able to store > arbitrary certificates. Or you could consider storing these additional > certificates in a `CertStore`. The `KeyStore` can store them arbitrarily right now can't it but is it that currently anything in there is 'trusted'? > > I am also not sure the use case is common. Typically a web server will send > its entire chain, and not just the server certificate. I don't think its very common either but I think its becoming more common with ZTNA providers (Zero Trust Network Access) being deployed in a lot of organisations for compliance and security reasons. When these are third party providers they often won't have your root cert and they may or may not provide the complete chain (I don't know if its configurable to do that) my organisation's one certainly doesn't provide the whole chain and there are other bug reports out there from other organisations too. > Certainly open to hearing alternate opinions if I have overlooked something. An alternative option would be a truststore or some other mechanism that just does [SecTrustEvaluateWithError](https://developer.apple.com/documentation/security/sectrustevaluatewitherror(_:_:)?language=objc) without any of the complexity of providing the actual certificates but just checks the trust for the presented chain. Not sure how complex that would be. ------------- PR Comment: https://git.openjdk.org/jdk/pull/22911#issuecomment-2769893831
