-
Notifications
You must be signed in to change notification settings - Fork 5.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
8303465: KeyStore of type KeychainStore, provider Apple does not show all trusted certificates #13945
Conversation
👋 Welcome back clanger! A progress list of the required criteria for merging this PR into |
@RealCLanger The following label will be automatically applied to this pull request:
When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command. |
Webrevs
|
Hi Christoph, I do not see any reference to kSecTrustSettingsDomainSystem in your coding. Handling at least kSecTrustSettingsDomainUser and kSecTrustSettingsDomainAdmin is good but I am not sure about kSecTrustSettingsDomainSystem . Did you find some documentation why it should be omitted ? |
Additionally, the return value of SecTrustSettingsCopyTrustSettings (https://developer.apple.com/documentation/security/1400261-sectrustsettingscopytrustsetting) should better be checked. |
Hi Matthias, |
Yes this seems to be the case. Could you maybe add a one liner comment to libosxsecurity/KeystoreImpl.m (near to the user and admin domain handling) summarizing what you said? And I still prefer checking the return values of the calls to SecTrustSettingsCopyTrustSettings . |
Done. 😄 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Regarding CFArrayGetValueAtIndex, when looking at other usages of the function in the codebase the result is NULL checked usually. Should we do this here too? I admit the old coding does not have it as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hm, can it really be NULL? I mean before we check the array size and then iterate the valid range.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So please check the CFArrayGetValueAtIndex usage, but otherwise looks okay to me now, thanks for the adjustments.
@RealCLanger This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be:
You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 226 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. ➡️ To integrate this PR with the above commit message to the |
Please don't integrate this until I or someone from my team reviews it. Thanks. |
No matter what |
Sure. |
Yes, I will call As I outlined in my initial PR description, point 3, the actual check whether a certificate is self-signed is done in the Makes sense? |
Before your new change, such a certificate is not trusted, because I am not sure if such a certificate is meant to be always trusted. Note that you can create such an entry with only |
Hm, after thinking about this again and also comparing with behavior of curl, I think you're right. A self-signed certificate should only be trusted if it has a trust entry (e.g. added by |
@@ -804,8 +803,26 @@ private void createTrustedCertEntry(String alias, List<String> inputTrust, | |||
tce.cert = cert; | |||
tce.certRef = keychainItemRef; | |||
|
|||
// Check whether a certificate with same alias already exists and is the same | |||
// If yes, we can return here - the existing entry must have the same | |||
// properties and trust settings |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is always true, right? I'm not sure how this could happen.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This handles the case, when a certificate is in both, the login (user) and system keychain.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How do you know "the existing entry must have the same properties and trust settings"?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Trust settings are stored per certificate. That is, when you do security add-trusted-cert
, you have to pass a certificate that the entry is created for. It does not matter then, if the certificate is actually present/loaded into any keychain. If the certificate is not in the keychain, a security dump-trust-settings
will not show the trust entry then but after you add it, it gets visible.
So, that means, if two certificates are the same, no matter if they were loaded from different keychains or under different aliases (don't know whether the latter is possible though), they will share the same trust records.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see. Thanks.
Since you removed the key usage checks, can you update the PR description please? |
Done. |
The code change looks fine to me. Thanks. Since this is rather a big behavior change, I think a CSR and a release note are required. The previous release note on this is at https://www.oracle.com/java/technologies/javase/19-relnote-issues.html#JDK-8278449. |
Thanks for the review. As for CSR and release note, I guess one could do both, sure. However, it's quite a bit of overhead. And, for JDK-8278449, I don't see a CSR either. 😉 I would consider this change rather as a bugfix for JDK-8278449. So, if you really want me to do it, I'll do it. But please help me to get this processed quickly as I want to get this fix integrated ideally through this week. Please let me know your decision. Thanks. |
I've started the CSR at https://bugs.openjdk.org/browse/JDK-8308690. Please edit if there is any issue. At the same time, please write a release note. See https://openjdk.org/guide/#release-notes for the process. |
Thanks. I've created a release note and Edited the CSR. Please review both. When you are fine with the CSR, I can finalize it. |
I think you can finalize the CSR now. |
Thx for the hint, done. |
@wangweij The CSR is approved. Would you like to review/approve the PR now? |
Thx. |
Going to push as commit ac41c03.
Your commit was automatically rebased without conflicts. |
@RealCLanger Pushed as commit ac41c03. 💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored. |
With this PR we try to be better in loading certificates from the MacOS Keychain into a JDK Trust store.
The current implementation after JDK-8278449 would only load/trust certificates from an identity (with private key available) and certificates that have explicit trust set in the user domain (as shown by security dump-trust-settings). This, however is not sufficient and does not match the MacOS system behavior, e.g. if you compare with tools like curl or Safari.
This change does the following:
I have added a test that verifies whether certificates that should be trusted from "security dump-trust-settings" are contained in the keystore and those that should be disallowed are absent.
Progress
Issues
Reviewers
Reviewing
Using
git
Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/13945/head:pull/13945
$ git checkout pull/13945
Update a local copy of the PR:
$ git checkout pull/13945
$ git pull https://git.openjdk.org/jdk.git pull/13945/head
Using Skara CLI tools
Checkout this PR locally:
$ git pr checkout 13945
View PR using the GUI difftool:
$ git pr show -t 13945
Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/13945.diff
Webrev
Link to Webrev Comment