commit c28417b0f421b80cd7efa339a3cce5609aafc880
Author: Andrew John Hughes <andrew@openjdk.org>
Date:   Mon Apr 18 20:04:49 2022 +0100

    Support security.systemCACerts security property which can be disabled with -Djava.security.disableSystemCACerts=true
    
    PR2888: OpenJDK should check for system cacerts database (e.g. /etc/pki/java/cacerts)
    PR3575: System cacerts database handling should not affect jssecacerts
    RH2055274: Revert default keystore to JAVA_HOME/jre/lib/security/cacerts in portable builds

diff --git a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
index e7b4763db53..4b38d1f9465 100644
--- a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
+++ b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
@@ -68,7 +68,7 @@ final class TrustStoreManager {
      * The preference of the default trusted KeyStore is:
      *    javax.net.ssl.trustStore
      *    jssecacerts
-     *    cacerts
+     *    cacerts (system and local)
      */
     private static final class TrustStoreDescriptor {
         private static final String fileSep = File.separator;
@@ -79,6 +79,11 @@ final class TrustStoreManager {
                 defaultStorePath + fileSep + "cacerts";
         private static final String jsseDefaultStore =
                 defaultStorePath + fileSep + "jssecacerts";
+        /* Check system cacerts DB */
+        private static final boolean systemStoreOff =
+                privilegedGetBooleanProperty("java.security.disableSystemCACerts");
+        private static final String systemStore = (systemStoreOff ? defaultStore :
+                privilegedGetSecurityProperty("security.systemCACerts"));
 
         // the trust store name
         private final String storeName;
@@ -139,28 +144,35 @@ final class TrustStoreManager {
                     String storePropPassword = System.getProperty(
                             "javax.net.ssl.trustStorePassword", "");
 
+                    if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
+                        SSLLogger.fine("System store disabled: " + systemStoreOff);
+                        SSLLogger.fine("System store: " + systemStore);
+                    }
+
                     String temporaryName = "";
                     File temporaryFile = null;
                     long temporaryTime = 0L;
                     if (!"NONE".equals(storePropName)) {
                         String[] fileNames =
-                                new String[] {storePropName, defaultStore};
+                                new String[] {storePropName,
+                                              systemStore, defaultStore};
                         for (String fileName : fileNames) {
-                            File f = new File(fileName);
-                            if (f.isFile() && f.canRead()) {
-                                temporaryName = fileName;;
-                                temporaryFile = f;
-                                temporaryTime = f.lastModified();
-
-                                break;
-                            }
-
-                            // Not break, the file is inaccessible.
-                            if (SSLLogger.isOn &&
+                            if (fileName != null && !"".equals(fileName)) {
+                                File f = new File(fileName);
+                                if (f.isFile() && f.canRead()) {
+                                    temporaryName = fileName;;
+                                    temporaryFile = f;
+                                    temporaryTime = f.lastModified();
+
+                                    break;
+                                }
+                                // Not break, the file is inaccessible.
+                                if (SSLLogger.isOn &&
                                     SSLLogger.isOn("trustmanager")) {
-                                SSLLogger.fine(
-                                        "Inaccessible trust store: " +
-                                        storePropName);
+                                    SSLLogger.fine(
+                                            "Inaccessible trust store: " +
+                                            fileName);
+                                }
                             }
                         }
                     } else {
@@ -390,4 +402,31 @@ final class TrustStoreManager {
             return TrustStoreUtil.getTrustedCerts(ks);
         }
     }
+
+    private static String privilegedGetSecurityProperty(final String prop) {
+        if (System.getSecurityManager() == null) {
+            return Security.getProperty(prop);
+        } else {
+            return AccessController.doPrivileged(new PrivilegedAction<String>() {
+                @Override
+                public String run() {
+                    return Security.getProperty(prop);
+                }
+            });
+        }
+    }
+
+    /**
+     * Returns {@code true} if the {@code System} property is present and set to @{code "true"}.
+     *
+     * @param prop the name of the property to check.
+     * @return true if the property is present and set to {@code "true"}.
+     */
+    private static boolean privilegedGetBooleanProperty(final String prop) {
+        if (System.getSecurityManager() == null) {
+            return Boolean.getBoolean(prop);
+        } else {
+            return AccessController.doPrivileged(new GetBooleanAction(prop));
+        }
+    }
 }
diff --git a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
index fcc77786da1..639fc220b6b 100644
--- a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
+++ b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
@@ -34,6 +34,7 @@ import java.io.InputStreamReader;
 import java.net.URL;
 
 import java.security.KeyStore;
+import java.security.Security;
 
 import java.security.cert.X509Certificate;
 import java.text.Collator;
@@ -103,9 +104,18 @@ public class KeyStoreUtil {
         throws Exception
     {
         String sep = File.separator;
-        File file = new File(System.getProperty("java.home") + sep
-                             + "lib" + sep + "security" + sep
-                             + "cacerts");
+        File file = null;
+        /* Check system cacerts DB first */
+        String systemDB = Security.getProperty("security.systemCACerts");
+        boolean systemStoreOff = Boolean.getBoolean("java.security.disableSystemCACerts");
+        if (!systemStoreOff && systemDB != null && !"".equals(systemDB)) {
+            file = new File(systemDB);
+        }
+        if (file == null || !file.exists()) {
+            file = new File(System.getProperty("java.home") + sep
+                            + "lib" + sep + "security" + sep
+                            + "cacerts");
+        }
         if (!file.exists()) {
             return null;
         }
diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix
index bfe0c593adb..093bc09bf95 100644
--- a/jdk/src/share/lib/security/java.security-aix
+++ b/jdk/src/share/lib/security/java.security-aix
@@ -294,6 +294,13 @@ security.overridePropertiesFile=true
 #
 security.useSystemPropertiesFile=false
 
+#
+# Specifies the system certificate store
+# This property may be disabled using
+# -Djava.security.disableSystemCACerts=true
+#
+security.systemCACerts=${java.home}/lib/security/cacerts
+
 #
 # Determines the default key and trust manager factory algorithms for
 # the javax.net.ssl package.
diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux
index 9d1c8fe8a8e..16c9281cc1f 100644
--- a/jdk/src/share/lib/security/java.security-linux
+++ b/jdk/src/share/lib/security/java.security-linux
@@ -307,6 +307,13 @@ security.overridePropertiesFile=true
 #
 security.useSystemPropertiesFile=false
 
+#
+# Specifies the system certificate store
+# This property may be disabled using
+# -Djava.security.disableSystemCACerts=true
+#
+security.systemCACerts=${java.home}/lib/security/cacerts
+
 #
 # Determines the default key and trust manager factory algorithms for
 # the javax.net.ssl package.
diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx
index 19047c61097..43e034cdeaf 100644
--- a/jdk/src/share/lib/security/java.security-macosx
+++ b/jdk/src/share/lib/security/java.security-macosx
@@ -297,6 +297,13 @@ security.overridePropertiesFile=true
 #
 security.useSystemPropertiesFile=false
 
+#
+# Specifies the system certificate store
+# This property may be disabled using
+# -Djava.security.disableSystemCACerts=true
+#
+security.systemCACerts=${java.home}/lib/security/cacerts
+
 #
 # Determines the default key and trust manager factory algorithms for
 # the javax.net.ssl package.
diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris
index 7eda556ae13..325937e97fb 100644
--- a/jdk/src/share/lib/security/java.security-solaris
+++ b/jdk/src/share/lib/security/java.security-solaris
@@ -295,6 +295,13 @@ security.overridePropertiesFile=true
 #
 security.useSystemPropertiesFile=false
 
+#
+# Specifies the system certificate store
+# This property may be disabled using
+# -Djava.security.disableSystemCACerts=true
+#
+security.systemCACerts=${java.home}/lib/security/cacerts
+
 #
 # Determines the default key and trust manager factory algorithms for
 # the javax.net.ssl package.
diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows
index dfa1a669aa9..92ef777e065 100644
--- a/jdk/src/share/lib/security/java.security-windows
+++ b/jdk/src/share/lib/security/java.security-windows
@@ -297,6 +297,13 @@ security.overridePropertiesFile=true
 #
 security.useSystemPropertiesFile=false
 
+#
+# Specifies the system certificate store
+# This property may be disabled using
+# -Djava.security.disableSystemCACerts=true
+#
+security.systemCACerts=${java.home}/lib/security/cacerts
+
 #
 # Determines the default key and trust manager factory algorithms for
 # the javax.net.ssl package.