Fix CA certificate extraction from PKCS12 key entry chains in SecureSockets

[george-mcintyre]

Problem

Java's TrustManagerFactory only trusts entries with alias type trustedCertEntry. CA certificates embedded in the certificate chain of a PrivateKeyEntry are not automatically trusted — unless Oracle's proprietary OID (1.2.840.113556.1.8000.2554.43570) is present in the keystore metadata. PVXS-created .p12 files do not include this OID, so the TrustManager cannot verify server certificates and TLS connections fail.

Fix

After loading the PKCS12 keystore, iterate over every PrivateKeyEntry and walk its certificate chain. Any X509Certificate that is its own issuer (i.e. a self-signed CA root) or any intermediate CA is re-added to the keystore as a dedicated trustedCertEntry. This matches the behaviour of PVXS's extractCAs() function and ensures interoperability with PVXS-generated keystores.

Files Changed

• core/pva/src/main/java/org/epics/pva/common/SecureSockets.java

[sonarqubecloud]

Quality Gate failed

Failed conditions
B Maintainability Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE