Hi Mark,

On Tue, Oct 23, 2018 at 3:13 AM Mark H. Wood <mw...@iupui.edu> wrote:

> On Fri, Oct 19, 2018 at 10:09:16AM +1100, Igor Cicimov wrote:
> [snip]
> > To conclude, the way I would expect the trust store to be used and the
> > whole validation done:
> >
> > 1. I use a custom trust store because I need to load self-signed
> > certificates that I need to validate when connecting to, let's say,
> > partner APIs that use self-signed certificates and I know I can trust
> > 2. I would expect nothing else needed in this store as every other valid
> > certificate under the sun is already located in default locations on the
> > server Java is running on
> > 3. In case JAVA_HOME/lib/security/cacerts is my trust store (the default)
> > I would expect Java to use the system store(s) too in case a certificate
> > cannot be validated simply because a CA is missing in the Java store.
> > Example, DigiCert Global Root G2 CA is missing in the Java versions older
> > than 8u91 causing inexplicable PKIX exceptions but can be found in the
> > system store, both under /etc/ssl/certs and /usr/share/ca-certificates
> > which are (much) more frequently updated with new certs than Java
> > versions. This actually applies to the case of a custom trust store even
> > more so
> >
> > Thoughts?
>
> There are two ways that a truststore can be inadequate.  (1) It can
> lack a certificate that your application should trust.  (2) It can
> contain a certificate that your application should NOT trust.
>
> Suppose that you had an application A which needs to distrust one of the
> CAs (X) that are trusted by the OS maintainers.  And suppose that you had
> other applications on the same host which need to trust that same CA.
>
> The way it currently works, you can copy the systemwide JRE truststore
> once, remove from the copy the certificate for X, and tell A to use
> the copy as its truststore.  Every other application can just default
> to the systemwide truststore.  (This also works if you need to give A
> an additional trusted CA not needed by other applications, and are
> willing to trust all the other CAs.)
>
> The way you suggest it should work, you must remove X from all
> systemwide truststores of every type, and then configure a custom
> truststore for every application except A.
>

I get what you are saying but I really can't imagine I would ever get into
this kind of situation where I would need to distrust a specific CA and only
for one single application. Most of the time I need to trust all CAs that the
world is trusting at that moment.


> Which is more error-prone?
>
> It shouldn't be difficult to write a script that makes a copy of the
> systemwide store and adjusts it to your application's specific needs.
>
> --
> Mark H. Wood
> Lead Technology Analyst
>
> University Library
> Indiana University - Purdue University Indianapolis
> 755 W. Michigan Street
> Indianapolis, IN 46202
> 317-274-0749
> www.ulib.iupui.edu
>

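Mark's "copy the systemwide store and adjust it" suggestion, worked through as an added example; this is not code from the thread or from any project either poster maintains. It assumes the JRE cacerts file still has its default password "changeit", that the CA to distrust is listed under an alias you have looked up with `keytool -list` (the alias "distrusted-ca" below is a placeholder for Mark's CA X), and that the partner's self-signed certificate is in a PEM file named partner.pem; the class and method names are mine. One caveat worth keeping in mind for Igor's case 2: a store named with -Djavax.net.ssl.trustStore replaces the default entirely, it does not sit on top of cacerts or the OS store, which is exactly why the copy has to start from the full default store.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/**
 * Derive an application-specific trust store from the JRE's default one.
 * Assumed, not taken from the thread: class/method names, the alias
 * "distrusted-ca", the file partner.pem and the output path.
 */
public class AppTrustStore {

    /** Default password of the JRE cacerts file; assumed unchanged on this host. */
    static final char[] CACERTS_PASSWORD = "changeit".toCharArray();

    /** Load $JAVA_HOME/lib/security/cacerts, the store Java uses when
     *  javax.net.ssl.trustStore is not set. */
    public static KeyStore loadDefaultTrustStore() throws Exception {
        Path cacerts = Paths.get(System.getProperty("java.home"),
                                 "lib", "security", "cacerts");
        // JDK 9+ reads a JKS file through the PKCS12 default type; JDK 8's
        // default type is JKS, so the same call works on both.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(cacerts)) {
            ks.load(in, CACERTS_PASSWORD);
        }
        return ks;
    }

    /** Mark's case (2): drop a CA this application must not trust.
     *  Returns false if the alias was absent, so a typo in the alias does
     *  not silently leave the CA trusted. */
    public static boolean distrust(KeyStore ks, String alias) throws Exception {
        if (!ks.containsAlias(alias)) {
            return false;
        }
        ks.deleteEntry(alias);
        return true;
    }

    /** Mark's case (1) / Igor's point 1: add a partner's self-signed
     *  certificate. Only the first certificate in the PEM file is used. */
    public static X509Certificate trustPem(KeyStore ks, String alias, Path pem)
            throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(pem)) {
            X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
            cert.checkValidity();   // refuse an expired or not-yet-valid cert
            ks.setCertificateEntry(alias, cert);
            return cert;
        }
    }

    /** Write the adjusted copy; the JRE's own cacerts is never modified. */
    public static void save(KeyStore ks, Path out, char[] password) throws Exception {
        try (OutputStream os = Files.newOutputStream(out)) {
            ks.store(os, password);
        }
    }

    public static void main(String[] args) throws Exception {
        Path out = Paths.get(args.length > 0 ? args[0] : "app-truststore");
        KeyStore ks = loadDefaultTrustStore();
        int before = ks.size();

        // Alias names come from `keytool -list -keystore cacerts`; this one
        // stands in for the CA "X" in the thread.
        if (!distrust(ks, "distrusted-ca")) {
            System.err.println("alias not found in cacerts; nothing removed");
        }
        Path partner = Paths.get("partner.pem");
        if (Files.exists(partner)) {
            X509Certificate c = trustPem(ks, "partner-api", partner);
            System.out.println("added " + c.getSubjectX500Principal());
        }

        save(ks, out, CACERTS_PASSWORD);
        System.out.printf("%d entries in cacerts, %d in %s%n", before, ks.size(), out);
        System.out.println("run A with: -Djavax.net.ssl.trustStore=" + out.toAbsolutePath()
                + " -Djavax.net.ssl.trustStorePassword=changeit");
    }
}
```

The same three steps as a shell script, which is what Mark actually proposes, are `cp "$JAVA_HOME/lib/security/cacerts" app-truststore`, then `keytool -delete -alias distrusted-ca -keystore app-truststore -storepass changeit`, then `keytool -importcert -noprompt -alias partner-api -file partner.pem -keystore app-truststore -storepass changeit`; re-running that script after each JRE update is what keeps the copy from going stale, which is the maintenance cost Igor is objecting to. Every other application on the host stays on the untouched cacerts.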