|
 |
221ce3 |
commit c28417b0f421b80cd7efa339a3cce5609aafc880
|
|
|
221ce3 |
Author: Andrew John Hughes <andrew@openjdk.org>
|
|
|
221ce3 |
Date: Mon Apr 18 20:04:49 2022 +0100
|
|
|
221ce3 |
|
|
|
221ce3 |
Support security.systemCACerts security property which can be disabled with -Djava.security.disableSystemCACerts=true
|
|
|
221ce3 |
|
|
|
221ce3 |
PR2888: OpenJDK should check for system cacerts database (e.g. /etc/pki/java/cacerts)
|
|
|
221ce3 |
PR3575: System cacerts database handling should not affect jssecacerts
|
|
|
221ce3 |
RH2055274: Revert default keystore to JAVA_HOME/jre/lib/security/cacerts in portable builds
|
|
|
221ce3 |
|
|
|
221ce3 |
diff --git a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
|
|
|
221ce3 |
index e7b4763db53..4b38d1f9465 100644
|
|
|
221ce3 |
--- a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
|
|
|
221ce3 |
+++ b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
|
|
|
221ce3 |
@@ -68,7 +68,7 @@ final class TrustStoreManager {
|
|
|
221ce3 |
* The preference of the default trusted KeyStore is:
|
|
|
221ce3 |
* javax.net.ssl.trustStore
|
|
|
221ce3 |
* jssecacerts
|
|
|
221ce3 |
- * cacerts
|
|
|
221ce3 |
+ * cacerts (system and local)
|
|
|
221ce3 |
*/
|
|
|
221ce3 |
private static final class TrustStoreDescriptor {
|
|
|
221ce3 |
private static final String fileSep = File.separator;
|
|
|
221ce3 |
@@ -79,6 +79,11 @@ final class TrustStoreManager {
|
|
|
221ce3 |
defaultStorePath + fileSep + "cacerts";
|
|
|
221ce3 |
private static final String jsseDefaultStore =
|
|
|
221ce3 |
defaultStorePath + fileSep + "jssecacerts";
|
|
|
221ce3 |
+ /* Check system cacerts DB */
|
|
|
221ce3 |
+ private static final boolean systemStoreOff =
|
|
|
221ce3 |
+ privilegedGetBooleanProperty("java.security.disableSystemCACerts");
|
|
|
221ce3 |
+ private static final String systemStore = (systemStoreOff ? defaultStore :
|
|
|
221ce3 |
+ privilegedGetSecurityProperty("security.systemCACerts"));
|
|
|
221ce3 |
|
|
|
221ce3 |
// the trust store name
|
|
|
221ce3 |
private final String storeName;
|
|
|
221ce3 |
@@ -139,28 +144,35 @@ final class TrustStoreManager {
|
|
|
221ce3 |
String storePropPassword = System.getProperty(
|
|
|
221ce3 |
"javax.net.ssl.trustStorePassword", "");
|
|
|
221ce3 |
|
|
|
221ce3 |
+ if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
|
|
|
221ce3 |
+ SSLLogger.fine("System store disabled: " + systemStoreOff);
|
|
|
221ce3 |
+ SSLLogger.fine("System store: " + systemStore);
|
|
|
221ce3 |
+ }
|
|
|
221ce3 |
+
|
|
|
221ce3 |
String temporaryName = "";
|
|
|
221ce3 |
File temporaryFile = null;
|
|
|
221ce3 |
long temporaryTime = 0L;
|
|
|
221ce3 |
if (!"NONE".equals(storePropName)) {
|
|
|
221ce3 |
String[] fileNames =
|
|
|
221ce3 |
- new String[] {storePropName, defaultStore};
|
|
|
221ce3 |
+ new String[] {storePropName,
|
|
|
221ce3 |
+ systemStore, defaultStore};
|
|
|
221ce3 |
for (String fileName : fileNames) {
|
|
|
221ce3 |
- File f = new File(fileName);
|
|
|
221ce3 |
- if (f.isFile() && f.canRead()) {
|
|
|
221ce3 |
- temporaryName = fileName;;
|
|
|
221ce3 |
- temporaryFile = f;
|
|
|
221ce3 |
- temporaryTime = f.lastModified();
|
|
|
221ce3 |
-
|
|
|
221ce3 |
- break;
|
|
|
221ce3 |
- }
|
|
|
221ce3 |
-
|
|
|
221ce3 |
- // Not break, the file is inaccessible.
|
|
|
221ce3 |
- if (SSLLogger.isOn &&
|
|
|
221ce3 |
+ if (fileName != null && !"".equals(fileName)) {
|
|
|
221ce3 |
+ File f = new File(fileName);
|
|
|
221ce3 |
+ if (f.isFile() && f.canRead()) {
|
|
|
221ce3 |
+ temporaryName = fileName;;
|
|
|
221ce3 |
+ temporaryFile = f;
|
|
|
221ce3 |
+ temporaryTime = f.lastModified();
|
|
|
221ce3 |
+
|
|
|
221ce3 |
+ break;
|
|
|
221ce3 |
+ }
|
|
|
221ce3 |
+ // Not break, the file is inaccessible.
|
|
|
221ce3 |
+ if (SSLLogger.isOn &&
|
|
|
221ce3 |
SSLLogger.isOn("trustmanager")) {
|
|
|
221ce3 |
- SSLLogger.fine(
|
|
|
221ce3 |
- "Inaccessible trust store: " +
|
|
|
221ce3 |
- storePropName);
|
|
|
221ce3 |
+ SSLLogger.fine(
|
|
|
221ce3 |
+ "Inaccessible trust store: " +
|
|
|
221ce3 |
+ fileName);
|
|
|
221ce3 |
+ }
|
|
|
221ce3 |
}
|
|
|
221ce3 |
}
|
|
|
221ce3 |
} else {
|
|
|
221ce3 |
@@ -390,4 +402,31 @@ final class TrustStoreManager {
|
|
|
221ce3 |
return TrustStoreUtil.getTrustedCerts(ks);
|
|
|
221ce3 |
}
|
|
|
221ce3 |
}
|
|
|
221ce3 |
+
|
|
|
221ce3 |
+ private static String privilegedGetSecurityProperty(final String prop) {
|
|
|
221ce3 |
+ if (System.getSecurityManager() == null) {
|
|
|
221ce3 |
+ return Security.getProperty(prop);
|
|
|
221ce3 |
+ } else {
|
|
|
221ce3 |
+ return AccessController.doPrivileged(new PrivilegedAction<String>() {
|
|
|
221ce3 |
+ @Override
|
|
|
221ce3 |
+ public String run() {
|
|
|
221ce3 |
+ return Security.getProperty(prop);
|
|
|
221ce3 |
+ }
|
|
|
221ce3 |
+ });
|
|
|
221ce3 |
+ }
|
|
|
221ce3 |
+ }
|
|
|
221ce3 |
+
|
|
|
221ce3 |
+ /**
|
|
|
221ce3 |
+ * Returns {@code true} if the {@code System} property is present and set to @{code "true"}.
|
|
|
221ce3 |
+ *
|
|
|
221ce3 |
+ * @param prop the name of the property to check.
|
|
|
221ce3 |
+ * @return true if the property is present and set to {@code "true"}.
|
|
|
221ce3 |
+ */
|
|
|
221ce3 |
+ private static boolean privilegedGetBooleanProperty(final String prop) {
|
|
|
221ce3 |
+ if (System.getSecurityManager() == null) {
|
|
|
221ce3 |
+ return Boolean.getBoolean(prop);
|
|
|
221ce3 |
+ } else {
|
|
|
221ce3 |
+ return AccessController.doPrivileged(new GetBooleanAction(prop));
|
|
|
221ce3 |
+ }
|
|
|
221ce3 |
+ }
|
|
|
221ce3 |
}
|
|
|
221ce3 |
diff --git a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
|
|
|
221ce3 |
index fcc77786da1..639fc220b6b 100644
|
|
|
221ce3 |
--- a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
|
|
|
221ce3 |
+++ b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
|
|
|
221ce3 |
@@ -34,6 +34,7 @@ import java.io.InputStreamReader;
|
|
|
221ce3 |
import java.net.URL;
|
|
|
221ce3 |
|
|
|
221ce3 |
import java.security.KeyStore;
|
|
|
221ce3 |
+import java.security.Security;
|
|
|
221ce3 |
|
|
|
221ce3 |
import java.security.cert.X509Certificate;
|
|
|
221ce3 |
import java.text.Collator;
|
|
|
221ce3 |
@@ -103,9 +104,18 @@ public class KeyStoreUtil {
|
|
|
221ce3 |
throws Exception
|
|
|
221ce3 |
{
|
|
|
221ce3 |
String sep = File.separator;
|
|
|
221ce3 |
- File file = new File(System.getProperty("java.home") + sep
|
|
|
221ce3 |
- + "lib" + sep + "security" + sep
|
|
|
221ce3 |
- + "cacerts");
|
|
|
221ce3 |
+ File file = null;
|
|
|
221ce3 |
+ /* Check system cacerts DB first */
|
|
|
221ce3 |
+ String systemDB = Security.getProperty("security.systemCACerts");
|
|
|
221ce3 |
+ boolean systemStoreOff = Boolean.getBoolean("java.security.disableSystemCACerts");
|
|
|
221ce3 |
+ if (!systemStoreOff && systemDB != null && !"".equals(systemDB)) {
|
|
|
221ce3 |
+ file = new File(systemDB);
|
|
|
221ce3 |
+ }
|
|
|
221ce3 |
+ if (file == null || !file.exists()) {
|
|
|
221ce3 |
+ file = new File(System.getProperty("java.home") + sep
|
|
|
221ce3 |
+ + "lib" + sep + "security" + sep
|
|
|
221ce3 |
+ + "cacerts");
|
|
|
221ce3 |
+ }
|
|
|
221ce3 |
if (!file.exists()) {
|
|
|
221ce3 |
return null;
|
|
|
221ce3 |
}
|
|
|
221ce3 |
diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix
|
|
|
221ce3 |
index bfe0c593adb..093bc09bf95 100644
|
|
|
221ce3 |
--- a/jdk/src/share/lib/security/java.security-aix
|
|
|
221ce3 |
+++ b/jdk/src/share/lib/security/java.security-aix
|
|
|
221ce3 |
@@ -294,6 +294,13 @@ security.overridePropertiesFile=true
|
|
|
221ce3 |
#
|
|
|
221ce3 |
security.useSystemPropertiesFile=false
|
|
|
221ce3 |
|
|
|
221ce3 |
+#
|
|
|
221ce3 |
+# Specifies the system certificate store
|
|
|
221ce3 |
+# This property may be disabled using
|
|
|
221ce3 |
+# -Djava.security.disableSystemCACerts=true
|
|
|
221ce3 |
+#
|
|
|
221ce3 |
+security.systemCACerts=${java.home}/lib/security/cacerts
|
|
|
221ce3 |
+
|
|
|
221ce3 |
#
|
|
|
221ce3 |
# Determines the default key and trust manager factory algorithms for
|
|
|
221ce3 |
# the javax.net.ssl package.
|
|
|
221ce3 |
diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux
|
|
|
221ce3 |
index 9d1c8fe8a8e..16c9281cc1f 100644
|
|
|
221ce3 |
--- a/jdk/src/share/lib/security/java.security-linux
|
|
|
221ce3 |
+++ b/jdk/src/share/lib/security/java.security-linux
|
|
|
221ce3 |
@@ -307,6 +307,13 @@ security.overridePropertiesFile=true
|
|
|
221ce3 |
#
|
|
|
221ce3 |
security.useSystemPropertiesFile=false
|
|
|
221ce3 |
|
|
|
221ce3 |
+#
|
|
|
221ce3 |
+# Specifies the system certificate store
|
|
|
221ce3 |
+# This property may be disabled using
|
|
|
221ce3 |
+# -Djava.security.disableSystemCACerts=true
|
|
|
221ce3 |
+#
|
|
|
221ce3 |
+security.systemCACerts=${java.home}/lib/security/cacerts
|
|
|
221ce3 |
+
|
|
|
221ce3 |
#
|
|
|
221ce3 |
# Determines the default key and trust manager factory algorithms for
|
|
|
221ce3 |
# the javax.net.ssl package.
|
|
|
221ce3 |
diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx
|
|
|
221ce3 |
index 19047c61097..43e034cdeaf 100644
|
|
|
221ce3 |
--- a/jdk/src/share/lib/security/java.security-macosx
|
|
|
221ce3 |
+++ b/jdk/src/share/lib/security/java.security-macosx
|
|
|
221ce3 |
@@ -297,6 +297,13 @@ security.overridePropertiesFile=true
|
|
|
221ce3 |
#
|
|
|
221ce3 |
security.useSystemPropertiesFile=false
|
|
|
221ce3 |
|
|
|
221ce3 |
+#
|
|
|
221ce3 |
+# Specifies the system certificate store
|
|
|
221ce3 |
+# This property may be disabled using
|
|
|
221ce3 |
+# -Djava.security.disableSystemCACerts=true
|
|
|
221ce3 |
+#
|
|
|
221ce3 |
+security.systemCACerts=${java.home}/lib/security/cacerts
|
|
|
221ce3 |
+
|
|
|
221ce3 |
#
|
|
|
221ce3 |
# Determines the default key and trust manager factory algorithms for
|
|
|
221ce3 |
# the javax.net.ssl package.
|
|
|
221ce3 |
diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris
|
|
|
221ce3 |
index 7eda556ae13..325937e97fb 100644
|
|
|
221ce3 |
--- a/jdk/src/share/lib/security/java.security-solaris
|
|
|
221ce3 |
+++ b/jdk/src/share/lib/security/java.security-solaris
|
|
|
221ce3 |
@@ -295,6 +295,13 @@ security.overridePropertiesFile=true
|
|
|
221ce3 |
#
|
|
|
221ce3 |
security.useSystemPropertiesFile=false
|
|
|
221ce3 |
|
|
|
221ce3 |
+#
|
|
|
221ce3 |
+# Specifies the system certificate store
|
|
|
221ce3 |
+# This property may be disabled using
|
|
|
221ce3 |
+# -Djava.security.disableSystemCACerts=true
|
|
|
221ce3 |
+#
|
|
|
221ce3 |
+security.systemCACerts=${java.home}/lib/security/cacerts
|
|
|
221ce3 |
+
|
|
|
221ce3 |
#
|
|
|
221ce3 |
# Determines the default key and trust manager factory algorithms for
|
|
|
221ce3 |
# the javax.net.ssl package.
|
|
|
221ce3 |
diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows
|
|
|
221ce3 |
index dfa1a669aa9..92ef777e065 100644
|
|
|
221ce3 |
--- a/jdk/src/share/lib/security/java.security-windows
|
|
|
221ce3 |
+++ b/jdk/src/share/lib/security/java.security-windows
|
|
|
221ce3 |
@@ -297,6 +297,13 @@ security.overridePropertiesFile=true
|
|
|
221ce3 |
#
|
|
|
221ce3 |
security.useSystemPropertiesFile=false
|
|
|
221ce3 |
|
|
|
221ce3 |
+#
|
|
|
221ce3 |
+# Specifies the system certificate store
|
|
|
221ce3 |
+# This property may be disabled using
|
|
|
221ce3 |
+# -Djava.security.disableSystemCACerts=true
|
|
|
221ce3 |
+#
|
|
|
221ce3 |
+security.systemCACerts=${java.home}/lib/security/cacerts
|
|
|
221ce3 |
+
|
|
|
221ce3 |
#
|
|
|
221ce3 |
# Determines the default key and trust manager factory algorithms for
|
|
|
221ce3 |
# the javax.net.ssl package.
|