
Commit 0052cd0

committed
Verify certificate without trustsettings before adding
1 parent 5102dad commit 0052cd0

2 files changed

Lines changed: 45 additions & 16 deletions


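--- a/src/java.base/macosx/classes/apple/security/KeychainStore.java
+++ b/src/java.base/macosx/classes/apple/security/KeychainStore.java
@@ -878,14 +878,9 @@ private void createTrustedCertEntry(String alias, List<String> inputTrust,
 }
 
 if (tce.trustSettings.isEmpty()) {
-// If there is no trust settings and the certificate is not self-signed trust the certificate
-if (!isSelfSigned) {
-tce.trustedKeyUsageValue = KnownOIDs.anyExtendedKeyUsage.value();
-} else {
-// Otherwise, return immediately. The certificate is not
-// added into entries.
-return;
-}
+// If there is no trust settings then the certificate was verified against other trusted certificates already
+// or it is self signed
+tce.trustedKeyUsageValue = KnownOIDs.anyExtendedKeyUsage.value();
 } else {
 List<String> values = new ArrayList<>();
 for (var oneTrust : tce.trustSettings) {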
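Review bot: The empty-`trustSettings` branch now assigns `anyExtendedKeyUsage` to every certificate that reaches it, so the decision not to promote an unverified certificate to a trust anchor rests entirely on the native caller; nothing in this method checks it any more. The new comment should state that precondition rather than a conclusion, for example `// Precondition: the native loader calls this with empty trust settings only after validateCertificate() accepted the chain, or when a trust-settings record exists but lists no constraints.` (the second half is my reading of the native side and should be confirmed). With the `isSelfSigned` guard gone, that variable is probably dead if it is still computed earlier in the method, which lies outside this hunk. createTrustedCertEntry starts and ends outside the hunk, so any other caller that can pass an empty `inputTrust` should be checked for the same assumption.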

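--- a/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m
+++ b/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m
@@ -411,16 +411,15 @@ static bool loadTrustSettings(JNIEnv *env,
 jmethodID jm_listAdd,
 jobject *inputTrust) {
 CFArrayRef trustSettings;
-if (*inputTrust == NULL) {
-*inputTrust = (*env)->NewObject(env, jc_arrayListClass, jm_arrayListCons);
-if (*inputTrust == NULL) {
-CFRelease(trustSettings);
-return false;
-}
-}
-
 // Load trustSettings into inputTrust
 if (SecTrustSettingsCopyTrustSettings(certRef, domain, &trustSettings) == errSecSuccess && trustSettings != NULL) {
+if (*inputTrust == NULL) {
+*inputTrust = (*env)->NewObject(env, jc_arrayListClass, jm_arrayListCons);
+if (*inputTrust == NULL) {
+CFRelease(trustSettings);
+return false;
+}
+}
 addTrustSettingsToInputTrust(env, jm_listAdd, trustSettings, *inputTrust);
 CFRelease(trustSettings);
 }
@@ -459,6 +458,31 @@ static bool createTrustedCertEntry(JNIEnv *env, jobject keyStore,
 return true;
 }
 
+static bool validateCertificate(SecCertificateRef certRef) {
+SecTrustRef secTrust = NULL;
+CFMutableArrayRef subjCerts = CFArrayCreateMutable(NULL, 1, &kCFTypeArrayCallBacks);
+CFArraySetValueAtIndex(subjCerts, 0, certRef);
+
+SecPolicyRef policy = SecPolicyCreateBasicX509();
+OSStatus ortn = SecTrustCreateWithCertificates(subjCerts, policy, &secTrust);
+bool result = false;
+if(ortn) {
+/* should never happen */
+cssmPerror("SecTrustCreateWithCertificates", ortn);
+goto errOut;
+}
+
+result = SecTrustEvaluateWithError(secTrust, NULL);
+errOut:
+if (policy) {
+CFRelease(policy);
+}
+if (secTrust) {
+CFRelease(secTrust);
+}
+return result;
+}
+
 static void addCertificatesToKeystore(JNIEnv *env, jobject keyStore,
 jmethodID jm_createTrustedCertEntry,
 jclass jc_arrayListClass,
@@ -493,6 +517,16 @@ static void addCertificatesToKeystore(JNIEnv *env, jobject keyStore,
 goto errOut;
 }
 
+// If no trust settings we need to verify the certificate first
+if (inputTrust == NULL) {
+bool valid = validateCertificate(certRef);
+if (valid) {
+inputTrust = (*env)->NewObject(env, jc_arrayListClass, jm_arrayListCons);
+} else {
+continue;
+}
+}
+
 // Create java object for certificate with trust settings
 if (!createTrustedCertEntry(env, keyStore, certRef, jm_createTrustedCertEntry, inputTrust)) {
 goto errOut;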
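Review bot: `validateCertificate` never releases `subjCerts`: the `errOut` path frees `policy` and `secTrust` but not the array returned by `CFArrayCreateMutable`, so each call leaks one CFArray; add `if (subjCerts) { CFRelease(subjCerts); }` under `errOut`, and bail out with `false` before use if the array or `policy` came back NULL. In the last hunk the result of `NewObject` is used without the NULL check that `loadTrustSettings` applies to the same call, so an allocation failure would pass a NULL `inputTrust` into `createTrustedCertEntry`, most likely with a Java exception pending; `if (inputTrust == NULL) { goto errOut; }` right after the assignment would match the existing pattern. The `continue` on a failed validation skips the rest of the loop body, which is outside the hunk, so it is worth confirming that no per-iteration cleanup is bypassed. Because the `NULL` error argument to `SecTrustEvaluateWithError` discards the reason, a rejected certificate disappears from the keystore without a trace; capturing the `CFErrorRef` and logging it would make a missing trust anchor diagnosable.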
