From c53463feeb77b1e66d53a6decdfda3aaf7bd596a Mon Sep 17 00:00:00 2001 From: Tim Jacomb Date: Fri, 3 Jan 2025 10:42:05 +0000 Subject: [PATCH 01/14] Load certificates without explicit trust settings in KeyChainStore --- .../classes/apple/security/KeychainStore.java | 11 ++-------- .../native/libosxsecurity/KeystoreImpl.m | 20 ++++++++----------- 2 files changed, 10 insertions(+), 21 deletions(-) diff --git a/src/java.base/macosx/classes/apple/security/KeychainStore.java b/src/java.base/macosx/classes/apple/security/KeychainStore.java index 6f70fccbb244b..83ed8b9b1651b 100644 --- a/src/java.base/macosx/classes/apple/security/KeychainStore.java +++ b/src/java.base/macosx/classes/apple/security/KeychainStore.java @@ -878,15 +878,8 @@ private void createTrustedCertEntry(String alias, List inputTrust, } if (tce.trustSettings.isEmpty()) { - if (isSelfSigned) { - // If a self-signed certificate has trust settings without specific entries, - // trust it for all purposes - tce.trustedKeyUsageValue = KnownOIDs.anyExtendedKeyUsage.value(); - } else { - // Otherwise, return immediately. The certificate is not - // added into entries. - return; - } + // If there is no trust settings then trust the certificate + tce.trustedKeyUsageValue = KnownOIDs.anyExtendedKeyUsage.value(); } else { List values = new ArrayList<>(); for (var oneTrust : tce.trustSettings) { diff --git a/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m b/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m index 31572eaeb81f6..1d9f764a13577 100644 --- a/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m +++ b/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m 
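Review bot: With the `return` removed, every certificate the native side hands up with an empty trust-settings list is now recorded as trusted for `anyExtendedKeyUsage`, and the companion native change in this patch drops the `inputTrust == NULL` guard, so that is every certificate in the keychain, including ones the user never marked as trusted. A certificate with no trust settings has merely been stored; it should be chain-validated against the keychain's anchors (or skipped) before it becomes a trusted entry, and if a later patch in the series adds that validation this intermediate state still lands as its own commit. At minimum the comment should not describe the certificate as trusted: `// No trust settings: the certificate is only stored in the keychain, which by itself implies no trust`. createTrustedCertEntry's body starts and ends outside the hunk.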
@@ -411,15 +411,16 @@ static bool loadTrustSettings(JNIEnv *env, jmethodID jm_listAdd, jobject *inputTrust) { CFArrayRef trustSettings; - // Load trustSettings into inputTrust - if (SecTrustSettingsCopyTrustSettings(certRef, domain, &trustSettings) == errSecSuccess && trustSettings != NULL) { + if (*inputTrust == NULL) { + *inputTrust = (*env)->NewObject(env, jc_arrayListClass, jm_arrayListCons); if (*inputTrust == NULL) { - *inputTrust = (*env)->NewObject(env, jc_arrayListClass, jm_arrayListCons); - if (*inputTrust == NULL) { - CFRelease(trustSettings); - return false; - } + CFRelease(trustSettings); + return false; } + } + + // Load trustSettings into inputTrust + if (SecTrustSettingsCopyTrustSettings(certRef, domain, &trustSettings) == errSecSuccess && trustSettings != NULL) { addTrustSettingsToInputTrust(env, jm_listAdd, trustSettings, *inputTrust); CFRelease(trustSettings); } @@ -492,11 +493,6 @@ static void addCertificatesToKeystore(JNIEnv *env, jobject keyStore, goto errOut; } - // Only add certificates with trust settings - if (inputTrust == NULL) { - continue; - } - // Create java object for certificate with trust settings if (!createTrustedCertEntry(env, keyStore, certRef, jm_createTrustedCertEntry, inputTrust)) { goto errOut; From 5102dade13f44dedd887920c407158e7d189947b Mon Sep 17 00:00:00 2001 From: Tim Jacomb Date: Fri, 3 Jan 2025 16:51:00 +0000 Subject: [PATCH 02/14] Tweeks to make the basic case work --- .../classes/apple/security/KeychainStore.java | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/src/java.base/macosx/classes/apple/security/KeychainStore.java b/src/java.base/macosx/classes/apple/security/KeychainStore.java index 83ed8b9b1651b..8df68185c748d 100644 --- a/src/java.base/macosx/classes/apple/security/KeychainStore.java +++ b/src/java.base/macosx/classes/apple/security/KeychainStore.java 
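Review bot: The relocated allocation block still does `CFRelease(trustSettings)` when `NewObject` fails, but it now runs before `SecTrustSettingsCopyTrustSettings` has assigned `trustSettings`, so the release operates on an uninitialized `CFArrayRef`; drop the release from that branch (`if (*inputTrust == NULL) { return false; }`) or initialize the variable to NULL and release only after the copy succeeded. Allocating `inputTrust` unconditionally also means the Java side can no longer tell "no trust settings" from "trust settings present but empty", which macOS treats as unconstrained trust. The second hunk removes the only filter that kept merely stored certificates out of the keystore, so together with the Java change every keychain certificate becomes a trusted entry until some chain validation is added. loadTrustSettings's and addCertificatesToKeystore's bodies start and end outside the hunks.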
@@ -878,8 +878,14 @@ private void createTrustedCertEntry(String alias, List inputTrust, } if (tce.trustSettings.isEmpty()) { - // If there is no trust settings then trust the certificate - tce.trustedKeyUsageValue = KnownOIDs.anyExtendedKeyUsage.value(); + // If there is no trust settings and the certificate is not self-signed trust the certificate + if (!isSelfSigned) { + tce.trustedKeyUsageValue = KnownOIDs.anyExtendedKeyUsage.value(); + } else { + // Otherwise, return immediately. The certificate is not + // added into entries. + return; + } } else { List values = new ArrayList<>(); for (var oneTrust : tce.trustSettings) { @@ -897,9 +903,8 @@ private void createTrustedCertEntry(String alias, List inputTrust, return; } - // Trust, if explicitly trusted or result is null and certificate is self signed - if ((result == null && isSelfSigned) - || "1".equals(result) || "2".equals(result)) { + // Trust, if explicitly trusted or result is null + if (result == null || "1".equals(result) || "2".equals(result)) { // When no kSecTrustSettingsPolicy, it means everything String oid = oneTrust.getOrDefault("SecPolicyOid", KnownOIDs.anyExtendedKeyUsage.value()); From 0052cd0380b4949b9af689eae660cf3defa5e7d0 Mon Sep 17 00:00:00 2001 From: Tim Jacomb Date: Mon, 6 Jan 2025 11:00:01 +0000 Subject: [PATCH 03/14] Verify certificate without trustsettings before adding --- .../classes/apple/security/KeychainStore.java | 11 ++-- .../native/libosxsecurity/KeystoreImpl.m | 50 ++++++++++++++++--- 2 files changed, 45 insertions(+), 16 deletions(-) diff --git a/src/java.base/macosx/classes/apple/security/KeychainStore.java b/src/java.base/macosx/classes/apple/security/KeychainStore.java index 8df68185c748d..04058186ed397 100644 --- a/src/java.base/macosx/classes/apple/security/KeychainStore.java +++ b/src/java.base/macosx/classes/apple/security/KeychainStore.java 
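Review bot: The new `!isSelfSigned` branch trusts every certificate that has no trust settings and is not self-signed, which is the opposite of what the keychain expresses: such a certificate has only been stored, its issuer may be untrusted, and nothing in this method verifies the chain. The second hunk compounds this by dropping the `isSelfSigned` condition, so an entry with no `kSecTrustSettingsResult` is trusted regardless of the certificate's issuer. If the aim is to pick up intermediates, the trust decision has to come from chain validation (e.g. on the native side via SecTrust) rather than from the absence of settings, and whichever way it is done the comment here should state where that decision was made. createTrustedCertEntry's body starts and ends outside the hunks.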
@@ -878,14 +878,9 @@ private void createTrustedCertEntry(String alias, List inputTrust, } if (tce.trustSettings.isEmpty()) { - // If there is no trust settings and the certificate is not self-signed trust the certificate - if (!isSelfSigned) { - tce.trustedKeyUsageValue = KnownOIDs.anyExtendedKeyUsage.value(); - } else { - // Otherwise, return immediately. The certificate is not - // added into entries. - return; - } + // If there is no trust settings then the certificate was verified against other trusted certificates already + // or it is self signed + tce.trustedKeyUsageValue = KnownOIDs.anyExtendedKeyUsage.value(); } else { List values = new ArrayList<>(); for (var oneTrust : tce.trustSettings) { diff --git a/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m b/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m index 1d9f764a13577..fa3d325bb00a5 100644 --- a/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m +++ b/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m @@ -411,16 +411,15 @@ static bool loadTrustSettings(JNIEnv *env, jmethodID jm_listAdd, jobject *inputTrust) { CFArrayRef trustSettings; - if (*inputTrust == NULL) { - *inputTrust = (*env)->NewObject(env, jc_arrayListClass, jm_arrayListCons); - if (*inputTrust == NULL) { - CFRelease(trustSettings); - return false; - } - } - // Load trustSettings into inputTrust if (SecTrustSettingsCopyTrustSettings(certRef, domain, &trustSettings) == errSecSuccess && trustSettings != NULL) { + if (*inputTrust == NULL) { + *inputTrust = (*env)->NewObject(env, jc_arrayListClass, jm_arrayListCons); + if (*inputTrust == NULL) { + CFRelease(trustSettings); + return false; + } + } addTrustSettingsToInputTrust(env, jm_listAdd, trustSettings, *inputTrust); CFRelease(trustSettings); } 
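Review bot: The new comment says an empty trust-settings list means the certificate "was verified ... already or it is self-signed", but on the Java side the list is empty in two indistinguishable cases: the native side found no trust settings and chain-validated the certificate itself, or `SecTrustSettingsCopyTrustSettings` returned an empty array, which macOS defines as an unconstrained "always trust" entry and which can be attached to a non-self-signed certificate too. The second case was previously admitted only when `isSelfSigned`; this hunk widens it silently and the commit message does not mention that. Suggested wording: `// Empty trust settings: either the native side found none and chain-validated the certificate, or the keychain holds an unconstrained "always trust" entry for it; both are trusted for every purpose`. If the old self-signed gate is meant to survive, the native side would need to pass a flag distinguishing the two cases. createTrustedCertEntry's body starts and ends outside the hunk.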
@@ -459,6 +458,31 @@ static bool createTrustedCertEntry(JNIEnv *env, jobject keyStore, return true; } +static bool validateCertificate(SecCertificateRef certRef) { + SecTrustRef secTrust = NULL; + CFMutableArrayRef subjCerts = CFArrayCreateMutable(NULL, 1, &kCFTypeArrayCallBacks); + CFArraySetValueAtIndex(subjCerts, 0, certRef); + + SecPolicyRef policy = SecPolicyCreateBasicX509(); + OSStatus ortn = SecTrustCreateWithCertificates(subjCerts, policy, &secTrust); + bool result = false; + if(ortn) { + /* should never happen */ + cssmPerror("SecTrustCreateWithCertificates", ortn); + goto errOut; + } + + result = SecTrustEvaluateWithError(secTrust, NULL); +errOut: + if (policy) { + CFRelease(policy); + } + if (secTrust) { + CFRelease(secTrust); + } + return result; +} + static void addCertificatesToKeystore(JNIEnv *env, jobject keyStore, jmethodID jm_createTrustedCertEntry, jclass jc_arrayListClass, @@ -493,6 +517,16 @@ static void addCertificatesToKeystore(JNIEnv *env, jobject keyStore, goto errOut; } + // If no trust settings we need to verify the certificate first + if (inputTrust == NULL) { + bool valid = validateCertificate(certRef); + if (valid) { + inputTrust = (*env)->NewObject(env, jc_arrayListClass, jm_arrayListCons); + } else { + continue; + } + } + // Create java object for certificate with trust settings if (!createTrustedCertEntry(env, keyStore, certRef, jm_createTrustedCertEntry, inputTrust)) { goto errOut; From c1e086099ad533fffa3e1831b13ca77bb1f3d826 Mon Sep 17 00:00:00 2001 From: Tim Jacomb Date: Mon, 6 Jan 2025 11:02:23 +0000 Subject: [PATCH 04/14] Revert unneeded changes --- .../macosx/classes/apple/security/KeychainStore.java | 5 +++-- src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/src/java.base/macosx/classes/apple/security/KeychainStore.java b/src/java.base/macosx/classes/apple/security/KeychainStore.java index 04058186ed397..ad9d4b1ebe788 100644 
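Review bot: In the new `inputTrust == NULL` branch of addCertificatesToKeystore the `NewObject` result is not checked, so an allocation failure (which leaves a pending exception) reaches `createTrustedCertEntry` with a NULL list, whereas `loadTrustSettings` treats the same failure as fatal; add `if (inputTrust == NULL) { goto errOut; }` after the allocation. In `validateCertificate`, `CFArrayCreateMutable` is likewise unchecked before `CFArraySetValueAtIndex`, and `subjCerts` is never released, unlike `policy` and `secTrust` in `errOut`. On the trust decision itself, `SecPolicyCreateBasicX509` checks chain building, signatures and validity period only, so any keychain certificate that chains to an anchor, leaf certificates included, becomes a Java trusted entry with `anyExtendedKeyUsage`, broader than what that anchor's own trust settings may allow for specific policies; if the goal is intermediate CAs, gating on `basicConstraints` CA:true before evaluating would keep the set tight. Trust evaluation may also go to the network for AIA or revocation fetching during `KeyStore.load()`, so `SecTrustSetNetworkFetchAllowed(secTrust, false)` before `SecTrustEvaluateWithError` is worth considering. addCertificatesToKeystore's body starts and ends outside the hunk.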
--- a/src/java.base/macosx/classes/apple/security/KeychainStore.java +++ b/src/java.base/macosx/classes/apple/security/KeychainStore.java @@ -898,8 +898,9 @@ private void createTrustedCertEntry(String alias, List inputTrust, return; } - // Trust, if explicitly trusted or result is null - if (result == null || "1".equals(result) || "2".equals(result)) { + // Trust, if explicitly trusted or result is null and certificate is self signed + if ((result == null && isSelfSigned) + || "1".equals(result) || "2".equals(result)) { // When no kSecTrustSettingsPolicy, it means everything String oid = oneTrust.getOrDefault("SecPolicyOid", KnownOIDs.anyExtendedKeyUsage.value()); diff --git a/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m b/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m index fa3d325bb00a5..bb87c0d994101 100644 --- a/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m +++ b/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m @@ -460,13 +460,13 @@ static bool createTrustedCertEntry(JNIEnv *env, jobject keyStore, static bool validateCertificate(SecCertificateRef certRef) { SecTrustRef secTrust = NULL; - CFMutableArrayRef subjCerts = CFArrayCreateMutable(NULL, 1, &kCFTypeArrayCallBacks); + CFMutableArrayRef subjCerts = CFArrayCreateMutable(NULL, 1, &kCFTypeArrayCallBacks); CFArraySetValueAtIndex(subjCerts, 0, certRef); SecPolicyRef policy = SecPolicyCreateBasicX509(); OSStatus ortn = SecTrustCreateWithCertificates(subjCerts, policy, &secTrust); bool result = false; - if(ortn) { + if (ortn) { /* should never happen */ cssmPerror("SecTrustCreateWithCertificates", ortn); goto errOut; From abb220d72ff8adafac1a0152c5c3d116472b397b Mon Sep 17 00:00:00 2001 From: Tim Jacomb Date: Mon, 6 Jan 2025 20:52:15 +0000 Subject: [PATCH 05/14] Release subjCerts --- src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m b/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m
index bb87c0d994101..c5d9c18b09d89 100644
--- a/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m
+++ b/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m
@@ -480,6 +480,9 @@ static bool validateCertificate(SecCertificateRef certRef) {
 if (secTrust) {
 CFRelease(secTrust);
 }
+ if (subjCerts) {
+ CFRelease(subjCerts);
+ }
 return result;
 }
From 28227c9e6e670e0c10c8e62b9bea8be7f59912a4 Mon Sep 17 00:00:00 2001
From: Tim Jacomb
Date: Tue, 7 Jan 2025 16:56:41 +0000
Subject: [PATCH 06/14] Add jtreg test
---
 .../classes/apple/security/KeychainStore.java | 2 +-
 ...CheckMacOSKeyChainIntermediateCATrust.java | 170 ++++++++++++++++++
 .../generate-mac-os-intermediate-ca-certs.sh | 25 +++
 test/jdk/java/security/KeyStore/openssl.cnf | 17 ++
 test/jdk/java/security/KeyStore/test-ca.pem | 20 +++
 .../KeyStore/test-intermediate-ca.pem | 22 +++
 6 files changed, 255 insertions(+), 1 deletion(-)
 create mode 100644 test/jdk/java/security/KeyStore/CheckMacOSKeyChainIntermediateCATrust.java
 create mode 100755 test/jdk/java/security/KeyStore/generate-mac-os-intermediate-ca-certs.sh
 create mode 100644 test/jdk/java/security/KeyStore/openssl.cnf
 create mode 100644 test/jdk/java/security/KeyStore/test-ca.pem
 create mode 100644 test/jdk/java/security/KeyStore/test-intermediate-ca.pem
diff --git a/src/java.base/macosx/classes/apple/security/KeychainStore.java b/src/java.base/macosx/classes/apple/security/KeychainStore.java
index ad9d4b1ebe788..45385312c7724 100644
--- a/src/java.base/macosx/classes/apple/security/KeychainStore.java
+++ b/src/java.base/macosx/classes/apple/security/KeychainStore.java
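Review bot: Guarding the release with `if (subjCerts)` is moot here, because `subjCerts` was already passed unchecked to `CFArraySetValueAtIndex` and `SecTrustCreateWithCertificates` at the top of validateCertificate (outside this hunk); if a NULL from `CFArrayCreateMutable` is worth handling, check it at creation with `if (subjCerts == NULL) { return false; }` and make this release unconditional. validateCertificate's body starts outside the hunk.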
@@ -879,7 +879,7 @@ private void createTrustedCertEntry(String alias, List inputTrust, if (tce.trustSettings.isEmpty()) { // If there is no trust settings then the certificate was verified against other trusted certificates already - // or it is self signed + // or it is self-signed tce.trustedKeyUsageValue = KnownOIDs.anyExtendedKeyUsage.value(); } else { List values = new ArrayList<>(); diff --git a/test/jdk/java/security/KeyStore/CheckMacOSKeyChainIntermediateCATrust.java b/test/jdk/java/security/KeyStore/CheckMacOSKeyChainIntermediateCATrust.java new file mode 100644 index 0000000000000..d031dd18b8e4f --- /dev/null +++ b/test/jdk/java/security/KeyStore/CheckMacOSKeyChainIntermediateCATrust.java 
@@ -0,0 +1,170 @@ +/* + * Copyright (c) 2025, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. 
+ */ + +import java.nio.file.Path; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.cert.X509Certificate; +import java.util.Iterator; +import java.util.List; +import java.util.Spliterator; +import java.util.Spliterators; +import java.util.stream.Collectors; +import java.util.stream.StreamSupport; + +import jdk.test.lib.process.ProcessTools; + +import static org.junit.jupiter.api.Assertions.fail; +import org.junit.jupiter.api.AfterEach; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; + +/* + * @test + * @bug 8347067 + * @library /test/lib + * @requires os.family == "mac" + * @summary Check whether loading of certificates from MacOS Keychain correctly + * loads intermediate CA certificates + * @run junit CheckMacOSKeyChainIntermediateCATrust + */ +public class CheckMacOSKeyChainIntermediateCATrust { + + private static final String DIR = System.getProperty("test.src", "."); + + @Test + public void test() throws Throwable { + KeyStore ks = KeyStore.getInstance("KeychainStore"); + ks.load(null, null); + + Iterator iterator = ks.aliases().asIterator(); + List certificates = StreamSupport.stream( + Spliterators.spliteratorUnknownSize(iterator, Spliterator.ORDERED), false) + .sorted() + .map(alias -> { + try { + return (X509Certificate) ks.getCertificate(alias); + } catch (KeyStoreException e) { + throw new RuntimeException(e); + } + }) + .collect(Collectors.toList()); + + System.out.println("Verifying expected certificates are trusted"); + + String rootCASubjectName = "CN=Example CA,O=Example,C=US"; + assertThat(containsSubjectName(certificates, rootCASubjectName), "Root CA not found " + rootCASubjectName, certificates); + + String intermediateCASubjectName = "CN=Example Intermediate CA,O=Example,C=US"; + assertThat(containsSubjectName(certificates, intermediateCASubjectName), "Intermediate CA not found " + intermediateCASubjectName, certificates); + } + + @BeforeEach + public void setup() { + 
System.out.println("Adding certificates to key chain"); + addCertificatesToKeyChain(); + } + + @AfterEach + public void cleanup() { + System.out.println("Cleaning up"); + deleteCertificatesFromKeyChain(); + } + + private static void addCertificatesToKeyChain() { + String loginKeyChain = getLoginKeyChain(); + + Path caPath = Path.of("%s/%s".formatted(DIR, "test-ca.pem")); + List args = List.of( + "/usr/bin/security", + "add-trusted-cert", + "-k", loginKeyChain, + caPath.toString() + ); + executeProcess(args); + + caPath = Path.of("%s/%s".formatted(DIR, "test-intermediate-ca.pem")); + args = List.of( + "/usr/bin/security", + "add-certificates", + "-k", loginKeyChain, + caPath.toString() + ); + executeProcess(args); + + } + + private static String getLoginKeyChain() { + return Path.of(System.getProperty("user.home"), "Library/Keychains/login.keychain-db").toString(); + } + + private static void executeProcess(List params) { + System.out.println("Command line: " + params); + try { + int exitStatus = ProcessTools.executeProcess(params.toArray(new String[0])).getExitValue(); + if (exitStatus != 0) { + fail("Process started with: " + params + " failed"); + } + } catch (Throwable e) { + fail(e.getMessage()); + } + } + + private static void deleteCertificatesFromKeyChain() { + executeProcess( + List.of( + "/usr/bin/security", + "delete-certificate", + "-c", "Example CA", + "-t" + ) + ); + + executeProcess( + List.of( + "/usr/bin/security", + "delete-certificate", + "-c", "Example Intermediate CA", + "-t" + ) + ); + } + + private static boolean containsSubjectName(List certificates, String subjectName) { + return certificates.stream() + .map(cert -> cert.getSubjectX500Principal().getName()) + .anyMatch(name -> name.contains(subjectName)); + } + + private static List getSubjects(List certificates) { + return certificates.stream() + .map(cert -> cert.getSubjectX500Principal().getName()) + .toList(); + } + + private static void assertThat(boolean expected, String message, List 
certificates) { + if (!expected) { + throw new AssertionError(message + ", subjects: " + getSubjects(certificates)); + } + } +} diff --git a/test/jdk/java/security/KeyStore/generate-mac-os-intermediate-ca-certs.sh b/test/jdk/java/security/KeyStore/generate-mac-os-intermediate-ca-certs.sh new file mode 100755 index 0000000000000..a6ebfc1fca08f --- /dev/null +++ b/test/jdk/java/security/KeyStore/generate-mac-os-intermediate-ca-certs.sh @@ -0,0 +1,25 @@ +#!/usr/bin/env bash + +set -ex + +cd "$(dirname "$0")" + +openssl genrsa -out root.key 2048 +openssl req -x509 -sha256 -nodes -extensions v3_ca -key root.key -subj "/C=US/O=Example/CN=Example CA" -days 3650 -out test-ca.pem + +openssl genrsa -out intermediate.key 2048 +openssl req -new -sha256 -nodes -key intermediate.key \ + -subj "/C=US/O=Example/CN=Example Intermediate CA" -out test-intermediate-ca.csr + +openssl x509 -req \ + -extensions v3_ca \ + -extfile openssl.cnf \ + -in test-intermediate-ca.csr \ + -CA test-ca.pem \ + -CAkey root.key \ + -CAcreateserial \ + -out test-intermediate-ca.pem \ + -days 3650 \ + -sha256 + + rm -f root.key test-intermediate-ca.csr intermediate.key test-ca.srl \ No newline at end of file diff --git a/test/jdk/java/security/KeyStore/openssl.cnf b/test/jdk/java/security/KeyStore/openssl.cnf new file mode 100644 index 0000000000000..d7dd4e40a40a3 --- /dev/null +++ b/test/jdk/java/security/KeyStore/openssl.cnf @@ -0,0 +1,17 @@ +[ v3_ca ] + + +# Extensions for a typical CA + + +# PKIX recommendation. + +subjectKeyIdentifier=hash + +authorityKeyIdentifier=keyid:always,issuer:always + +# This is what PKIX recommends but some broken software chokes on critical +# extensions. +#basicConstraints = critical,CA:true +# So we do this instead. +basicConstraints = CA:true diff --git a/test/jdk/java/security/KeyStore/test-ca.pem b/test/jdk/java/security/KeyStore/test-ca.pem new file mode 100644 index 0000000000000..36543be983af9 --- /dev/null +++ b/test/jdk/java/security/KeyStore/test-ca.pem 
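Review bot: `deleteCertificatesFromKeyChain` runs `delete-certificate -c <name> -t` with no `-k`, so `security` searches the default keychain list and would remove any pre-existing certificate with that common name, whereas setup wrote only to the login keychain; pass `"-k", getLoginKeyChain()` to both delete calls. Because setup calls `add-trusted-cert` on the user's real login keychain, a failed cleanup leaves the machine trusting `Example CA` (whose private key is, as far as the repository shows, not checked in), which deserves a sentence in the `@summary` so whoever runs this manual test knows to verify the cleanup. Nothing here asserts the negative case that the loader still skips a certificate which does not chain to a trusted anchor, the security-relevant half of the change; an intermediate issued by a CA added with `add-certificates` rather than `add-trusted-cert` would cover it. Minor: `containsSubjectName` matches with `contains` where `equals` is the precise check, and the local `assertThat` helper can be `assertTrue(cond, () -> msg + ", subjects: " + getSubjects(certificates))` from the JUnit `Assertions` class already imported.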
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDSTCCAjGgAwIBAgIUHYTHHRJWyWjKpg5H2acbXj0aDeUwDQYJKoZIhvcNAQEL +BQAwNDELMAkGA1UEBhMCVVMxEDAOBgNVBAoMB0V4YW1wbGUxEzARBgNVBAMMCkV4 +YW1wbGUgQ0EwHhcNMjUwMTA3MTUxMzExWhcNMzUwMTA1MTUxMzExWjA0MQswCQYD +VQQGEwJVUzEQMA4GA1UECgwHRXhhbXBsZTETMBEGA1UEAwwKRXhhbXBsZSBDQTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANQtNFDwJ8KayH0hFHCioT18 +aMToU8SNBT+ogKT7rQhWkqC4aBVS+H3JSN1vG/RN+qWFS/DrTpUb5tVY9mYH5s4p +PqnXXN1EIoOgn+2vYB7sMY/MyAzn3MynDNHE0QYKdxK3H06BrmTgDiDcpYEexRex +B/3p9daJrU9L/EK4l41Vk7jOqu3wq39ECvAdMpt1eIg02nUS1EIxLmfoFRSHHtRf +rRPAU84BdGCYMWuBfxcXqMn4PumfkS3AoG6ul277FUNsvjlmEoQeotuXwCz1ELyy +U3uHnSFItPs/69Bg2FxAeig9zbAnYO9eCYPrhME452tROnOqhm0LjZjR8R4Lbl0C +AwEAAaNTMFEwHQYDVR0OBBYEFGt4wbms5GC1yWwh2TytpEuHpMReMB8GA1UdIwQY +MBaAFGt4wbms5GC1yWwh2TytpEuHpMReMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI +hvcNAQELBQADggEBAAaq5JrVfinF53fBQKwBZYXv7Afr/H04GYVhXqAtl1n65Maj +si4GRBDSyhMWUrwHFNH4SIGHu4LZU2aROXIXrJl3qFXFl3WfdyVZTNjssgVcKFxl +Uav+pISUiIpAZPV55tFkE/2gmpkLUyhaiUQvql4XTZDSU8mTcWovzMVusXQtfo+L +O848Fspo30BvPEUUt1BOhqKwWbHV/2WJ4vYJPt6jFGnDMZHdILCp/DOXBxHS0pxd +0Tofrfum0MUbtScuzjM/otMduwjSalrDhkNLsLxLueXTf6dtnE9CLxaWXhWlAJ70 +0mGFdwvYtLEbLTJKtqqq+lafAt5Af69VoqM1jjo= +-----END CERTIFICATE----- diff --git a/test/jdk/java/security/KeyStore/test-intermediate-ca.pem b/test/jdk/java/security/KeyStore/test-intermediate-ca.pem new file mode 100644 index 0000000000000..41f3219b7c0cd --- /dev/null +++ b/test/jdk/java/security/KeyStore/test-intermediate-ca.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDpTCCAo2gAwIBAgIUBdWVSNEFs3LuTagptBgmihEZrVowDQYJKoZIhvcNAQEL +BQAwNDELMAkGA1UEBhMCVVMxEDAOBgNVBAoMB0V4YW1wbGUxEzARBgNVBAMMCkV4 +YW1wbGUgQ0EwHhcNMjUwMTA3MTUxMzExWhcNMzUwMTA1MTUxMzExWjBBMQswCQYD +VQQGEwJVUzEQMA4GA1UECgwHRXhhbXBsZTEgMB4GA1UEAwwXRXhhbXBsZSBJbnRl +cm1lZGlhdGUgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXK7MQ +/LfR/zm8fV677S2NCsBVdizTsE5ugYuXGNlrbF26pcyJhK8N/T2l2HAz2UszzRB2 +ZpqyE21SpepYATvG9M3moPEkFiojmhS+3mPhRhgTAxAIYA+hQ+8ics6C2zCvl2vw +5PpHdbZiL+2K/j+DtZxfmJoG0HYWMHeqlbA3smEkNOfOS9rc0kGpu3Q4mCLO+kmb +IofGf9ASsuyWH9GgxCcmUlu6UTRvt57LlTcaz3mncq6V++UDZHOmyTa6q9GIgTUc +sTfcS0aMXfBvsw6eZhlTcWvkXQaJRVb6UeGJwx/Kq715XphWJ9wXc4pT/f7nHinc +utdXjnayO+o3Vk85AgMBAAGjgaEwgZ4wHQYDVR0OBBYEFGlsam1VG6UErlvVa1+p +40CuawniMG8GA1UdIwRoMGaAFGt4wbms5GC1yWwh2TytpEuHpMReoTikNjA0MQsw +CQYDVQQGEwJVUzEQMA4GA1UECgwHRXhhbXBsZTETMBEGA1UEAwwKRXhhbXBsZSBD +QYIUHYTHHRJWyWjKpg5H2acbXj0aDeUwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B +AQsFAAOCAQEAS9n0MIie2TCo+5Wbur7RrX4aOMrKooZwSYxyvb4c+U6zNYBZmkwI +Pqk/LYNU6FMCKCg/PT4kcgGAu+UeYb6K2Llwyej4Tjy/8bCOXgrPTzP4f0COg2wi +y1SlMSEolhslJV46HlZHtrASpE8mj7mh3RRTAkn86gCEd7A/CdQgMrTiwVjOGrza +B5/UGJpVUvm7W5H1UXunYqFrVaMIN0zWfaj4lRgzLAkZ7ldLdBA7mIbc2/C9JSvX +dCezRkjJpIHbXjojtDek1vDy/UopyQRYpz2CPu62o8iM9Iw6M7SzF6d8ud9rzeZ1 +zwtxTCJqohwP3t132oxoYwEyYpF+Xcrvhg== +-----END CERTIFICATE----- From db386f979f59dc7c3107f5af116cd7983c4edeb7 Mon Sep 17 00:00:00 2001 From: Tim Jacomb Date: Tue, 7 Jan 2025 17:01:49 +0000 Subject: [PATCH 07/14] Add new line --- .../security/KeyStore/generate-mac-os-intermediate-ca-certs.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/test/jdk/java/security/KeyStore/generate-mac-os-intermediate-ca-certs.sh b/test/jdk/java/security/KeyStore/generate-mac-os-intermediate-ca-certs.sh index a6ebfc1fca08f..6a61fbd79e7de 100755 --- a/test/jdk/java/security/KeyStore/generate-mac-os-intermediate-ca-certs.sh 
+++ b/test/jdk/java/security/KeyStore/generate-mac-os-intermediate-ca-certs.sh @@ -22,4 +22,5 @@ openssl x509 -req \ -days 3650 \ -sha256 - rm -f root.key test-intermediate-ca.csr intermediate.key test-ca.srl \ No newline at end of file + rm -f root.key test-intermediate-ca.csr intermediate.key test-ca.srl + \ No newline at end of file From 7cf32ddf335ef1306658c4f7610a8566846d27b7 Mon Sep 17 00:00:00 2001 From: Tim Jacomb Date: Tue, 7 Jan 2025 17:04:45 +0000 Subject: [PATCH 08/14] Minor cleanups --- .../KeyStore/CheckMacOSKeyChainIntermediateCATrust.java | 5 ++--- .../KeyStore/generate-mac-os-intermediate-ca-certs.sh | 3 +-- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/test/jdk/java/security/KeyStore/CheckMacOSKeyChainIntermediateCATrust.java b/test/jdk/java/security/KeyStore/CheckMacOSKeyChainIntermediateCATrust.java index d031dd18b8e4f..7413b04290a47 100644 --- a/test/jdk/java/security/KeyStore/CheckMacOSKeyChainIntermediateCATrust.java +++ b/test/jdk/java/security/KeyStore/CheckMacOSKeyChainIntermediateCATrust.java @@ -29,7 +29,6 @@ import java.util.List; import java.util.Spliterator; import java.util.Spliterators; -import java.util.stream.Collectors; import java.util.stream.StreamSupport; import jdk.test.lib.process.ProcessTools; @@ -44,7 +43,7 @@ * @bug 8347067 * @library /test/lib * @requires os.family == "mac" - * @summary Check whether loading of certificates from MacOS Keychain correctly + * @summary Check whether loading of certificates from macOS Keychain correctly * loads intermediate CA certificates * @run junit CheckMacOSKeyChainIntermediateCATrust */ @@ -68,7 +67,7 @@ public void test() throws Throwable { throw new RuntimeException(e); } }) - .collect(Collectors.toList()); + .toList(); System.out.println("Verifying expected certificates are trusted"); 
diff --git a/test/jdk/java/security/KeyStore/generate-mac-os-intermediate-ca-certs.sh b/test/jdk/java/security/KeyStore/generate-mac-os-intermediate-ca-certs.sh index 6a61fbd79e7de..a25a4e34aefbd 100755 --- a/test/jdk/java/security/KeyStore/generate-mac-os-intermediate-ca-certs.sh +++ b/test/jdk/java/security/KeyStore/generate-mac-os-intermediate-ca-certs.sh @@ -22,5 +22,4 @@ openssl x509 -req \ -days 3650 \ -sha256 - rm -f root.key test-intermediate-ca.csr intermediate.key test-ca.srl - \ No newline at end of file +rm -f root.key test-intermediate-ca.csr intermediate.key test-ca.srl From b8d9e0fe8ebc45df8787c2564b458030fbf75f5a Mon Sep 17 00:00:00 2001 From: Tim Jacomb Date: Tue, 7 Jan 2025 20:44:55 +0000 Subject: [PATCH 09/14] Flag test as manual --- test/jdk/TEST.groups | 3 ++- .../KeyStore/CheckMacOSKeyChainIntermediateCATrust.java | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/test/jdk/TEST.groups b/test/jdk/TEST.groups index d3b0b3009cafc..8eaab28c9cd51 100644 --- a/test/jdk/TEST.groups +++ b/test/jdk/TEST.groups @@ -657,7 +657,8 @@ jdk_core_manual_interactive = \ jdk_security_manual_interactive = \ sun/security/tools/keytool/i18n.java \ com/sun/security/auth/callback/TextCallbackHandler/Password.java \ - sun/security/krb5/config/native/TestDynamicStore.java + sun/security/krb5/config/native/TestDynamicStore.java \ + java/security/KeyStore/CheckMacOSKeyChainIntermediateCATrust.java # Test sets for running inside container environment jdk_containers_extended = \ diff --git a/test/jdk/java/security/KeyStore/CheckMacOSKeyChainIntermediateCATrust.java b/test/jdk/java/security/KeyStore/CheckMacOSKeyChainIntermediateCATrust.java index 7413b04290a47..4ec1d59f7eb8e 100644 --- a/test/jdk/java/security/KeyStore/CheckMacOSKeyChainIntermediateCATrust.java +++ b/test/jdk/java/security/KeyStore/CheckMacOSKeyChainIntermediateCATrust.java 
@@ -45,7 +45,7 @@ * @requires os.family == "mac" * @summary Check whether loading of certificates from macOS Keychain correctly * loads intermediate CA certificates - * @run junit CheckMacOSKeyChainIntermediateCATrust + * @run junit/manual CheckMacOSKeyChainIntermediateCATrust */ public class CheckMacOSKeyChainIntermediateCATrust { From 2d9557026ed7af35b61a6fbe80f402e4f22175aa Mon Sep 17 00:00:00 2001 From: Tim Jacomb Date: Wed, 8 Jan 2025 09:07:44 +0000 Subject: [PATCH 10/14] Executable files are not allowed... --- .../security/KeyStore/generate-mac-os-intermediate-ca-certs.sh | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100755 => 100644 test/jdk/java/security/KeyStore/generate-mac-os-intermediate-ca-certs.sh diff --git a/test/jdk/java/security/KeyStore/generate-mac-os-intermediate-ca-certs.sh b/test/jdk/java/security/KeyStore/generate-mac-os-intermediate-ca-certs.sh old mode 100755 new mode 100644 From d9605e1283c1bb6abd5c62745c79530c0977a919 Mon Sep 17 00:00:00 2001 From: Tim Jacomb Date: Sun, 26 Jan 2025 22:55:58 +0000 Subject: [PATCH 11/14] Add non-trusted root CA cert --- ...CheckMacOSKeyChainIntermediateCATrust.java | 47 ++++++++++++++----- .../generate-mac-os-intermediate-ca-certs.sh | 5 +- .../security/KeyStore/non-trusted-test-ca.pem | 21 +++++++++ 3 files changed, 60 insertions(+), 13 deletions(-) create mode 100644 test/jdk/java/security/KeyStore/non-trusted-test-ca.pem diff --git a/test/jdk/java/security/KeyStore/CheckMacOSKeyChainIntermediateCATrust.java b/test/jdk/java/security/KeyStore/CheckMacOSKeyChainIntermediateCATrust.java index 4ec1d59f7eb8e..9059eccdba88f 100644 --- a/test/jdk/java/security/KeyStore/CheckMacOSKeyChainIntermediateCATrust.java +++ b/test/jdk/java/security/KeyStore/CheckMacOSKeyChainIntermediateCATrust.java 
@@ -34,8 +34,8 @@ import jdk.test.lib.process.ProcessTools; import static org.junit.jupiter.api.Assertions.fail; -import org.junit.jupiter.api.AfterEach; -import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.AfterAll; +import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.Test; /* @@ -76,16 +76,19 @@ public void test() throws Throwable { String intermediateCASubjectName = "CN=Example Intermediate CA,O=Example,C=US"; assertThat(containsSubjectName(certificates, intermediateCASubjectName), "Intermediate CA not found " + intermediateCASubjectName, certificates); + + String nonTrustedCASubjectName = "CN=Non Trusted Example CA,O=Example,C=US"; + assertThat(not(containsSubjectName(certificates, nonTrustedCASubjectName)), "Non trusted CA found " + nonTrustedCASubjectName, certificates); } - @BeforeEach - public void setup() { + @BeforeAll + static void setup() { System.out.println("Adding certificates to key chain"); addCertificatesToKeyChain(); } - @AfterEach - public void cleanup() { + @AfterAll + static void cleanup() { System.out.println("Cleaning up"); deleteCertificatesFromKeyChain(); } @@ -102,6 +105,15 @@ private static void addCertificatesToKeyChain() { ); executeProcess(args); + caPath = Path.of("%s/%s".formatted(DIR, "non-trusted-test-ca.pem")); + args = List.of( + "/usr/bin/security", + "add-certificates", + "-k", loginKeyChain, + caPath.toString() + ); + executeProcess(args); + caPath = Path.of("%s/%s".formatted(DIR, "test-intermediate-ca.pem")); args = List.of( "/usr/bin/security", 
@@ -120,16 +132,23 @@ private static String getLoginKeyChain() {
 private static void executeProcess(List params) {
 System.out.println("Command line: " + params);
 try {
-int exitStatus = ProcessTools.executeProcess(params.toArray(new String[0])).getExitValue();
-if (exitStatus != 0) {
-fail("Process started with: " + params + " failed");
-}
-} catch (Throwable e) {
-fail(e.getMessage());
+ ProcessTools.executeProcess(params.toArray(new String[0]))
+ .shouldHaveExitValue(0);
+ } catch (Exception e) {
+ fail("Unexpected exception: " + e);
 }
 }
 private static void deleteCertificatesFromKeyChain() {
+ executeProcess(
+ List.of(
+ "/usr/bin/security",
+ "delete-certificate",
+ "-c", "Non Trusted Example CA",
+ "-t"
+ )
+ );
+
 executeProcess(
 List.of(
 "/usr/bin/security",
@@ -149,6 +168,10 @@ private static void deleteCertificatesFromKeyChain() {
 );
 }
+ private static boolean not(boolean condition) {
+ return !condition;
+ }
+
 private static boolean containsSubjectName(List certificates, String subjectName) {
 return certificates.stream()
 .map(cert -> cert.getSubjectX500Principal().getName())
diff --git a/test/jdk/java/security/KeyStore/generate-mac-os-intermediate-ca-certs.sh b/test/jdk/java/security/KeyStore/generate-mac-os-intermediate-ca-certs.sh
index a25a4e34aefbd..4236ec6589a8a 100644
--- a/test/jdk/java/security/KeyStore/generate-mac-os-intermediate-ca-certs.sh
+++ b/test/jdk/java/security/KeyStore/generate-mac-os-intermediate-ca-certs.sh
@@ -22,4 +22,7 @@ openssl x509 -req \
 -days 3650 \
 -sha256
-rm -f root.key test-intermediate-ca.csr intermediate.key test-ca.srl
+openssl genrsa -out non-trusted-root.key 2048
+openssl req -x509 -sha256 -nodes -extensions v3_ca -key non-trusted-root.key -subj "/C=US/O=Example/CN=Non Trusted Example CA" -days 3650 -out non-trusted-test-ca.pem
+
+rm -f non-trusted-root.key root.key test-intermediate-ca.csr intermediate.key test-ca.srl
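Review bot: `fail("Unexpected exception: " + e)` in the new catch block of executeProcess discards the stack trace of the failure raised by `shouldHaveExitValue(0)`, which is the main diagnostic when a `/usr/bin/security` invocation is rejected. JUnit Jupiter's `fail(String, Throwable)` overload keeps it: `fail("Unexpected exception: " + e, e);`. Narrowing the catch from `Throwable` to `Exception` is a separate improvement, since an `AssertionError` thrown from the try body now propagates intact instead of being re-reported through its message.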
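Review bot: The new `not(boolean)` helper only wraps the `!` operator, so the call sites `assertThat(not(containsSubjectName(...)), ...)` gain nothing over `assertThat(!containsSubjectName(...), ...)` while readers must look up one more private method. If the goal is an assertion that reads as a sentence, a named negative helper that also fixes the message wording, e.g. `assertSubjectAbsent(certificates, nonTrustedCASubjectName)`, would express the intent better than negating a boolean. The `containsSubjectName` method at the end of this hunk continues outside it.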
diff --git a/test/jdk/java/security/KeyStore/non-trusted-test-ca.pem b/test/jdk/java/security/KeyStore/non-trusted-test-ca.pem new file mode 100644 index 0000000000000..f82c0c337b8d1 --- /dev/null +++ b/test/jdk/java/security/KeyStore/non-trusted-test-ca.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDYTCCAkmgAwIBAgIUfsgXAir7EToLxt+9WCYfhfuiGt8wDQYJKoZIhvcNAQEL +BQAwQDELMAkGA1UEBhMCVVMxEDAOBgNVBAoMB0V4YW1wbGUxHzAdBgNVBAMMFk5v +biBUcnVzdGVkIEV4YW1wbGUgQ0EwHhcNMjUwMTI2MjIyNDQzWhcNMzUwMTI0MjIy +NDQzWjBAMQswCQYDVQQGEwJVUzEQMA4GA1UECgwHRXhhbXBsZTEfMB0GA1UEAwwW +Tm9uIFRydXN0ZWQgRXhhbXBsZSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBALQyfO8sEDsp7qDH8OWjotinxyjTNjJ0I0Cke8pPHU73wL18ZFV8OvoI +OGTcYGFjRjOnjKUDFT6qC4oupGh8+NSfslqNQ35l4nU1tYRB81QHfAyCMq3gSVoU +hgaZle9x2rJrawAkxLE8xMrOkmM0r805O7x+hu9Bj3PwxQ0ubN5cb3SFvBhhlkss +8q9qUfK9mLQavgfp/U1WgtlnX4GP+HFAzthcz4ENagMpUuD1h9aDtFPNJREkTGhX +mh+U7zkVZjP9waN5p2monsZIsSLvrdAfnySBjceueHHOi9l/OYUG3wayWvNmxnpV +RtI1Zs4l7qs/mWGrqy4Fl2iwGZ3sy0UCAwEAAaNTMFEwHQYDVR0OBBYEFAY88dZY ++LJgqAqbFYtmGzqyyD1oMB8GA1UdIwQYMBaAFAY88dZY+LJgqAqbFYtmGzqyyD1o +MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGSr3ifbi5AX4EO/ +eN1CK+XKPgbnVI6NrtyZfjDja1RmbYPFcuRaSDdH/8y3oHLhgJzyu/vFtvMJps/B +JslYlIZHxhSC2sSqg2FrA5JQZlNfDSF2pRqk0Gs9xQj+ZtGbmUj0c+aOB5edjD/C +h0GIh0WL+WtKAl6VNI+urqYuiQ19CBPuF8OAMkpC/MYQocAtGhsRrlsMtMApJcvX +NAzf+3a+eUyEZnpcj7fkpGuBsKS0giNWVVtyNXMOoHL3L1PBqbI7lIQdHiBdivTm +Cg+icgOLBXsouJzovjT1bNL3JTU3v7z2/hYr0x5gC9yK/rS79uVcpxvTU3gub8WB +HK1MYhc= +-----END CERTIFICATE----- From 7d22f46fb3240201164e67bd8c08d2927fb31bd5 Mon Sep 17 00:00:00 2001 From: Tim Jacomb Date: Sun, 26 Jan 2025 23:01:18 +0000 Subject: [PATCH 12/14] Revert unneeded change --- .../CheckMacOSKeyChainIntermediateCATrust.java | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/test/jdk/java/security/KeyStore/CheckMacOSKeyChainIntermediateCATrust.java b/test/jdk/java/security/KeyStore/CheckMacOSKeyChainIntermediateCATrust.java
index 9059eccdba88f..4df0d4a095423 100644
--- a/test/jdk/java/security/KeyStore/CheckMacOSKeyChainIntermediateCATrust.java
+++ b/test/jdk/java/security/KeyStore/CheckMacOSKeyChainIntermediateCATrust.java
@@ -34,8 +34,8 @@ import jdk.test.lib.process.ProcessTools;
 import static org.junit.jupiter.api.Assertions.fail;
-import org.junit.jupiter.api.AfterAll;
-import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 /*
@@ -81,14 +81,14 @@ public void test() throws Throwable {
 assertThat(not(containsSubjectName(certificates, nonTrustedCASubjectName)), "Non trusted CA found " + nonTrustedCASubjectName, certificates);
 }
- @BeforeAll
- static void setup() {
+ @BeforeEach
+ void setup() {
 System.out.println("Adding certificates to key chain");
 addCertificatesToKeyChain();
 }
- @AfterAll
- static void cleanup() {
+ @AfterEach
+ void cleanup() {
 System.out.println("Cleaning up");
 deleteCertificatesFromKeyChain();
 }
From 2125a8e787ca3e52c45ede702ea9a8e049563e60 Mon Sep 17 00:00:00 2001
From: Tim Jacomb
Date: Mon, 27 Jan 2025 21:30:55 +0000
Subject: [PATCH 13/14] Add intermediate CA negative test
---
 ...CheckMacOSKeyChainIntermediateCATrust.java | 20 ++++++++----
 .../generate-mac-os-intermediate-ca-certs.sh | 18 +++++++++-
 .../KeyStore/non-trusted-intermediate-ca.pem | 23 +++++++++++++
 .../security/KeyStore/non-trusted-test-ca.pem | 34 +++++++++----------
 4 files changed, 73 insertions(+), 22 deletions(-)
 create mode 100644 test/jdk/java/security/KeyStore/non-trusted-intermediate-ca.pem
diff --git a/test/jdk/java/security/KeyStore/CheckMacOSKeyChainIntermediateCATrust.java b/test/jdk/java/security/KeyStore/CheckMacOSKeyChainIntermediateCATrust.java
index 4df0d4a095423..21d2255c135de 100644
--- a/test/jdk/java/security/KeyStore/CheckMacOSKeyChainIntermediateCATrust.java
+++ b/test/jdk/java/security/KeyStore/CheckMacOSKeyChainIntermediateCATrust.java
@@ -50,6 +50,7 @@ public class CheckMacOSKeyChainIntermediateCATrust {
 private static final String DIR = System.getProperty("test.src", ".");
+ static boolean verbose = false; // avoid too verbose output
 @Test
 public void test() throws Throwable {
@@ -72,13 +73,20 @@ public void test() throws Throwable {
 System.out.println("Verifying expected certificates are trusted");
 String rootCASubjectName = "CN=Example CA,O=Example,C=US";
- assertThat(containsSubjectName(certificates, rootCASubjectName), "Root CA not found " + rootCASubjectName, certificates);
+ assertThat(containsSubjectName(certificates, rootCASubjectName),
+ "Root CA not found " + rootCASubjectName, certificates);
 String intermediateCASubjectName = "CN=Example Intermediate CA,O=Example,C=US";
- assertThat(containsSubjectName(certificates, intermediateCASubjectName), "Intermediate CA not found " + intermediateCASubjectName, certificates);
+ assertThat(containsSubjectName(certificates, intermediateCASubjectName),
+ "Intermediate CA not found " + intermediateCASubjectName, certificates);
 String nonTrustedCASubjectName = "CN=Non Trusted Example CA,O=Example,C=US";
- assertThat(not(containsSubjectName(certificates, nonTrustedCASubjectName)), "Non trusted CA found " + nonTrustedCASubjectName, certificates);
+ assertThat(not(containsSubjectName(certificates, nonTrustedCASubjectName)),
+ "Non trusted CA found " + nonTrustedCASubjectName, certificates);
+
+ String nonTrustedIntermediateCASubjectName = "CN=Non Trusted Example Intermediate CA,O=Example,C=US";
+ assertThat(not(containsSubjectName(certificates, nonTrustedIntermediateCASubjectName)),
+ "Non trusted intermediate CA found " + nonTrustedIntermediateCASubjectName, certificates);
 }
 @BeforeEach
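Review bot: `static boolean verbose = false;` is a mutable, package-visible static that no hunk in this patch assigns, so in practice it can only be flipped by editing the source, and the comment `// avoid too verbose output` describes the default rather than the switch. If it is meant to stay a constant, `private static final boolean VERBOSE = false;` says so; if it is meant to be switched per run, reading it from a system property (placeholder name, e.g. `Boolean.getBoolean("test.keychain.verbose")`) lets a failing manual run print the subject list without a code change. The class body continues outside this hunk.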
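Review bot: The new assertion that `CN=Non Trusted Example Intermediate CA,O=Example,C=US` is absent from the loaded KeyStore passes vacuously, because as far as the hunks shown for this patch go nothing adds `non-trusted-intermediate-ca.pem` to the keychain: the patch's diffstat lists only this test, the generator script and two PEM files, and the other hunks in this file change the `verbose` field and `assertThat`, not addCertificatesToKeyChain or deleteCertificatesFromKeyChain. A negative test that never installs the certificate gives no evidence that KeychainStore excludes an intermediate issued by an untrusted root, which is the case this patch is titled for. addCertificatesToKeyChain and deleteCertificatesFromKeyChain are outside this hunk; they would need an `add-certificates -k <login keychain>` entry for `non-trusted-intermediate-ca.pem` and a matching `delete-certificate -c "Non Trusted Example Intermediate CA"` in cleanup for the check to exercise the new code path.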
@@ -186,7 +194,11 @@ private static List getSubjects(List certificates) {
 private static void assertThat(boolean expected, String message, List certificates) {
 if (!expected) {
- throw new AssertionError(message + ", subjects: " + getSubjects(certificates));
+ String errMessage = message;
+ if (verbose) {
+ errMessage += ", subjects: " + getSubjects(certificates);
+ }
+ throw new AssertionError(errMessage);
 }
 }
 }
diff --git a/test/jdk/java/security/KeyStore/generate-mac-os-intermediate-ca-certs.sh b/test/jdk/java/security/KeyStore/generate-mac-os-intermediate-ca-certs.sh
index 4236ec6589a8a..5434f4baa8f9b 100644
--- a/test/jdk/java/security/KeyStore/generate-mac-os-intermediate-ca-certs.sh
+++ b/test/jdk/java/security/KeyStore/generate-mac-os-intermediate-ca-certs.sh
@@ -25,4 +25,20 @@ openssl x509 -req \
 openssl genrsa -out non-trusted-root.key 2048
 openssl req -x509 -sha256 -nodes -extensions v3_ca -key non-trusted-root.key -subj "/C=US/O=Example/CN=Non Trusted Example CA" -days 3650 -out non-trusted-test-ca.pem
-rm -f non-trusted-root.key root.key test-intermediate-ca.csr intermediate.key test-ca.srl
+openssl genrsa -out non-trusted-intermediate.key 2048
+openssl req -new -sha256 -nodes -key non-trusted-intermediate.key \
+ -subj "/C=US/O=Example/CN=Non Trusted Example Intermediate CA" -out non-trusted-intermediate-ca.csr
+
+openssl x509 -req \
+ -extensions v3_ca \
+ -extfile openssl.cnf \
+ -in non-trusted-intermediate-ca.csr \
+ -CA non-trusted-test-ca.pem \
+ -CAkey non-trusted-root.key \
+ -CAcreateserial \
+ -out non-trusted-intermediate-ca.pem \
+ -days 3650 \
+ -sha256
+
+rm -f non-trusted-root.key root.key test-intermediate-ca.csr intermediate.key test-ca.srl non-trusted-intermediate.key \
+ non-trusted-intermediate-ca.csr non-trusted-test-ca.srl
diff --git a/test/jdk/java/security/KeyStore/non-trusted-intermediate-ca.pem b/test/jdk/java/security/KeyStore/non-trusted-intermediate-ca.pem
new file mode 100644
index 0000000000000..f4ab40a96508f
--- /dev/null +++ b/test/jdk/java/security/KeyStore/non-trusted-intermediate-ca.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDyTCCArGgAwIBAgIUFqJJqie2b55pDsftOOBqkWJuX6owDQYJKoZIhvcNAQEL +BQAwQDELMAkGA1UEBhMCVVMxEDAOBgNVBAoMB0V4YW1wbGUxHzAdBgNVBAMMFk5v +biBUcnVzdGVkIEV4YW1wbGUgQ0EwHhcNMjUwMTI3MjEyNDM2WhcNMzUwMTI1MjEy +NDM2WjBNMQswCQYDVQQGEwJVUzEQMA4GA1UECgwHRXhhbXBsZTEsMCoGA1UEAwwj +Tm9uIFRydXN0ZWQgRXhhbXBsZSBJbnRlcm1lZGlhdGUgQ0EwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCszrhwXVvR5QkSOoIJg0S5Ij1CqAuYf+WS9Ym6 +itSzk744j4P2pVd7rM+1SfUfVqY7dFoE7JSQBTw3i/ruo7Zl/USuXFZa93w6g3TB +g0sqA2N4UmNm5Y588Dd2cGIBZgNVvwQzsiG6zWdTppH0rL91hgy32M/CGkVH6WaU +nK4xCe5PiheGkvJBn6OaeqWpG0K76fDWmucUzaMv0b+DmRQ4GsXbwloiKndchGzE +/56EcHNAr1mgvnh+ADTXPKjEsHWv+1cQk4ql4Di53GvVJ/n6eh6K8aGD10OyQlIL +Tk82LI+FxiPvRHF/uBUjndgZsK9k/txDm5VY1z4mpMCd2h1nAgMBAAGjga0wgaow +HQYDVR0OBBYEFIhW8ihXHrc2ywJqt9xZbrcYcNzlMHsGA1UdIwR0MHKAFAy/+rvH +8b9QCumbjj7Q6+9hW9ImoUSkQjBAMQswCQYDVQQGEwJVUzEQMA4GA1UECgwHRXhh +bXBsZTEfMB0GA1UEAwwWTm9uIFRydXN0ZWQgRXhhbXBsZSBDQYIUQWptFePVwo9i +HM6KUT93F4mkQvYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAfEsL +/d07gw8xFs8hMTvXK/5PKEw4WuxoytrWDfwIUJpWJBOjcCmlZnSmwdZ12PHQ1mB9 +oHLr/RZKxYYn2MP9GqDrFTV+wAAAiIw5eU92HQOmPEgXIYhzsvfm29qwR1tdiAQE +4tXc7Y3O2B1b7lcJGbhjAt+/RkDcvT7Pi5jYd2F3apsKPo8GsC0zCsX/t7SnOxhj +qmPsEsBphBfE/dzqkow/iVWPGjvaV2rOrspGOfjF+j+APJNqBuH05uFR7GGaQ2Fm +mhh+nWmmDod/rJpQP5ToTdLeYki9DMsaJjqth1VF5rWUhOzfWczdOFD5szrxxJcV +L+iJJspxFIvQpS3Pgg== +-----END CERTIFICATE----- diff --git a/test/jdk/java/security/KeyStore/non-trusted-test-ca.pem b/test/jdk/java/security/KeyStore/non-trusted-test-ca.pem index f82c0c337b8d1..9d19a49a71d10 100644 --- a/test/jdk/java/security/KeyStore/non-trusted-test-ca.pem +++ b/test/jdk/java/security/KeyStore/non-trusted-test-ca.pem 
@@ -1,21 +1,21 @@ -----BEGIN CERTIFICATE----- -MIIDYTCCAkmgAwIBAgIUfsgXAir7EToLxt+9WCYfhfuiGt8wDQYJKoZIhvcNAQEL +MIIDYTCCAkmgAwIBAgIUQWptFePVwo9iHM6KUT93F4mkQvYwDQYJKoZIhvcNAQEL BQAwQDELMAkGA1UEBhMCVVMxEDAOBgNVBAoMB0V4YW1wbGUxHzAdBgNVBAMMFk5v -biBUcnVzdGVkIEV4YW1wbGUgQ0EwHhcNMjUwMTI2MjIyNDQzWhcNMzUwMTI0MjIy -NDQzWjBAMQswCQYDVQQGEwJVUzEQMA4GA1UECgwHRXhhbXBsZTEfMB0GA1UEAwwW +biBUcnVzdGVkIEV4YW1wbGUgQ0EwHhcNMjUwMTI3MjEyMzU4WhcNMzUwMTI1MjEy +MzU4WjBAMQswCQYDVQQGEwJVUzEQMA4GA1UECgwHRXhhbXBsZTEfMB0GA1UEAwwW Tm9uIFRydXN0ZWQgRXhhbXBsZSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC -AQoCggEBALQyfO8sEDsp7qDH8OWjotinxyjTNjJ0I0Cke8pPHU73wL18ZFV8OvoI -OGTcYGFjRjOnjKUDFT6qC4oupGh8+NSfslqNQ35l4nU1tYRB81QHfAyCMq3gSVoU -hgaZle9x2rJrawAkxLE8xMrOkmM0r805O7x+hu9Bj3PwxQ0ubN5cb3SFvBhhlkss -8q9qUfK9mLQavgfp/U1WgtlnX4GP+HFAzthcz4ENagMpUuD1h9aDtFPNJREkTGhX -mh+U7zkVZjP9waN5p2monsZIsSLvrdAfnySBjceueHHOi9l/OYUG3wayWvNmxnpV -RtI1Zs4l7qs/mWGrqy4Fl2iwGZ3sy0UCAwEAAaNTMFEwHQYDVR0OBBYEFAY88dZY -+LJgqAqbFYtmGzqyyD1oMB8GA1UdIwQYMBaAFAY88dZY+LJgqAqbFYtmGzqyyD1o -MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGSr3ifbi5AX4EO/ -eN1CK+XKPgbnVI6NrtyZfjDja1RmbYPFcuRaSDdH/8y3oHLhgJzyu/vFtvMJps/B -JslYlIZHxhSC2sSqg2FrA5JQZlNfDSF2pRqk0Gs9xQj+ZtGbmUj0c+aOB5edjD/C -h0GIh0WL+WtKAl6VNI+urqYuiQ19CBPuF8OAMkpC/MYQocAtGhsRrlsMtMApJcvX -NAzf+3a+eUyEZnpcj7fkpGuBsKS0giNWVVtyNXMOoHL3L1PBqbI7lIQdHiBdivTm -Cg+icgOLBXsouJzovjT1bNL3JTU3v7z2/hYr0x5gC9yK/rS79uVcpxvTU3gub8WB -HK1MYhc= +AQoCggEBAKMh6zqtUcvDLwQJTQcKX4XLQ65MrS81OXpzgajZmgd4vgdv/1PtcXkR +Tzqpeyi137BSvn0VM3CM5e4YLHVwg7iarv92v+gEq+sZcErONbdIvHYGp4J9t+1o +YQHfFsGf1juJe6Ey2s4P10FdWLQN+3BMZXwAnaaGCXnYCixs7ocdIpbobUdRLasF +N0NRQ4BZk+vgmqcC69rB66bNUJhkb40mdcqf0aPCpWnd/MHit/NQ/VXyAIEjllZk +i4Jd5aoouOvjI8a7Pp0z+GHFU4RwQjuFfbJvSyeQ5OL1PAn74amwLMnHF+FBJIuW +jwIWmPNDyU9I9WL2YEmi42xhc3R5XIkCAwEAAaNTMFEwHQYDVR0OBBYEFAy/+rvH +8b9QCumbjj7Q6+9hW9ImMB8GA1UdIwQYMBaAFAy/+rvH8b9QCumbjj7Q6+9hW9Im +MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAHouuX960Xzb4M1m 
+QcNV6m7mAjZDdAlRkuTq3ba1dycH8hJrsT3uE3YNXEKiBIkGCYcX1KXomCgWNOdR +AFc10nV4GV0Com149kmD5oeBp9auqmaSPWTJQxyi7dj/gjNGCfbjf/GD3O1qmfqN +RjKQqluP0koXZjUqL3LJro91XNMDxcQH0CcDdhHv6R7Ob0UndaW1neIljo8U0JFx +yMA+pIua3QppElvynSBSlK5jSDmuVTLrRM401hx/1isKAUmCoz9zuVzjygxt8bdL +gKu66Ze/7RRUee2HxEOxkw53gYfBan+918UXd6feq3nC8A9g6v2L6M6/UkWeTiLs +4KjanI4= -----END CERTIFICATE----- From 59ceebc4acf2c39c86c45b1aa6746bf619417cea Mon Sep 17 00:00:00 2001 From: Tim Jacomb Date: Mon, 27 Jan 2025 22:39:45 +0000 Subject: [PATCH 14/14] Make test output easier to read --- .../KeyStore/CheckMacOSKeyChainIntermediateCATrust.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/jdk/java/security/KeyStore/CheckMacOSKeyChainIntermediateCATrust.java b/test/jdk/java/security/KeyStore/CheckMacOSKeyChainIntermediateCATrust.java index 21d2255c135de..1369d7826fc1a 100644 --- a/test/jdk/java/security/KeyStore/CheckMacOSKeyChainIntermediateCATrust.java +++ b/test/jdk/java/security/KeyStore/CheckMacOSKeyChainIntermediateCATrust.java @@ -196,7 +196,7 @@ private static void assertThat(boolean expected, String message, List