On Fri, Oct 19, 2018 at 10:09:16AM +1100, Igor Cicimov wrote:
[snip]
> To conclude, the way I would expect the trust store to be used and the
> whole validation done:
>
> 1. I use a custom trust store because I need to load self-signed certificates
> that I need to validate when connecting to, let's say, partner APIs that use
> self-signed certificates and I know I can trust
> 2. I would expect nothing else needed in this store as every other valid
> certificate under the sun is already located in default locations on the
> server Java is running on
> 3. In case JAVA_HOME/lib/security/cacerts is my trust store (the default) I
> would expect Java to use the system store(s) too in case a certificate cannot
> be validated simply because a CA is missing in the Java store. Example:
> DigiCert Global Root G2 CA is missing in the Java versions older than 8u91,
> causing inexplicable PKIX exceptions, but can be found in the system store,
> both under /etc/ssl/certs and /usr/share/ca-certificates, which are (much)
> more frequently updated with new certs than Java versions. This actually
> applies to the case of a custom trust store even more so
>
> Thoughts?
There are two ways that a truststore can be inadequate. (1) It can lack a
certificate that your application should trust. (2) It can contain a
certificate that your application should NOT trust.

Suppose that you had an application A which needs to distrust one of the CAs
(X) that are trusted by the OS maintainers. And suppose that you had other
applications on the same host which need to trust that same CA.

The way it currently works, you can copy the systemwide JRE truststore once,
remove from the copy the certificate for X, and tell A to use the copy as its
truststore. Every other application can just default to the systemwide
truststore. (This also works if you need to give A an additional trusted CA
not needed by other applications, and are willing to trust all the other CAs.)

The way you suggest it should work, you must remove X from all systemwide
truststores of every type, and then configure a custom truststore for every
application except A.

Which is more error-prone?

It shouldn't be difficult to write a script that makes a copy of the
systemwide store and adjusts it to your application's specific needs.

--
Mark H. Wood
Lead Technology Analyst
University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
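The per-application copy described in the reply above (copy the JRE truststore, drop the CA that only application A must distrust, optionally add one partner's self-signed certificate, and point A at the copy), as an added example that is not code from this thread. It assumes the JRE default cacerts path and its default password "changeit"; the alias to remove and the PEM file path are placeholders taken from the command line.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Copies the system-wide JRE truststore, removes one CA this application must
// distrust, optionally adds a partner's self-signed certificate, and writes the
// result as a private truststore used by that application only.
public class AppTrustStore {
    public static void main(String[] args) throws Exception {
        // Assumptions: JRE default store and its default password "changeit";
        // the alias to drop and an optional PEM file come from the command line.
        File systemStore = new File(System.getProperty("java.home"), "lib/security/cacerts");
        File appStore = new File("app-truststore.jks");
        char[] password = "changeit".toCharArray();
        String distrustedAlias = args.length > 0 ? args[0] : "example-distrusted-ca"; // placeholder
        File partnerPem = args.length > 1 ? new File(args[1]) : null;
        // 1. Load the system-wide store (cacerts is a JKS file in these Java versions).
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(systemStore)) {
            ks.load(in, password);
        }
        // 2. Drop the CA that only this application must not trust; fail loudly if
        //    the alias is wrong, so a typo cannot silently leave X trusted.
        if (!ks.containsAlias(distrustedAlias)) {
            throw new IllegalArgumentException("alias not in system store: " + distrustedAlias);
        }
        ks.deleteEntry(distrustedAlias);
        // 3. Add the partner's self-signed certificate as an extra trust anchor.
        if (partnerPem != null) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            try (InputStream in = new FileInputStream(partnerPem)) {
                X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
                cert.checkValidity(); // refuse to pin an expired or not-yet-valid certificate
                ks.setCertificateEntry("partner-api", cert);
            }
        }
        // 4. Write the private copy; every other application keeps the untouched default.
        try (OutputStream out = new FileOutputStream(appStore)) {
            ks.store(out, password);
        }
        System.out.println("Start A with -Djavax.net.ssl.trustStore=" + appStore.getAbsolutePath()
                + " -Djavax.net.ssl.trustStorePassword=changeit");
    }
}
```

Re-run the tool whenever the JRE is upgraded, since the copy does not follow updates to the system-wide cacerts.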