Switch macOS native certs to retrieve from JDK #6
Conversation
|
|
||
| System.out.println(trustedRoots.size()); | ||
| for (X509Certificate root : trustedRoots) { | ||
| System.out.println(root.getSubjectDN().toString()); | ||
| } | ||
|
|
||
| Assert.assertTrue("Expected >100 system roots", trustedRoots.size() > 100); | ||
| // TODO remove when minimum Java version is 23 or higher | ||
| if (Runtime.version().feature() >= 23) { |
There was a problem hiding this comment.
I've verified this passes on Java 23
| .collect(Collectors.toList()); | ||
| } catch (KeyStoreException e) { | ||
| // only available from Java 23 | ||
| if (e.getMessage().equals("KeychainStore-ROOT not found")) { |
There was a problem hiding this comment.
https://bugs.openjdk.org/browse/JDK-8320362 was added in Java 23.
The Javadoc documented that this was only supported on Linux, although the unit tests did test for this:
If its needed to maintain this, we could restore the old code and use that to retrieve the roots on Java <23 WDYT?
There was a problem hiding this comment.
PR that does this here: #7
| } | ||
| } | ||
|
|
||
| static boolean isSelfSignedCertificate(X509Certificate certificate) { |
|
cc @shalupov |
timja
changed the title
|
Sorry for a long wait, I'm back to do a little maintenance. It's a good idea to contribute it to JDK anyway, but I don't see anything wrong with fixing this code as is. I'll try |
Thanks that’ll be great. I tried but found docs lacking a lot and limited examples. |
|
A simple test environment can be found in: |
I tried to implement #3 in #5 but I couldn't make the JNA bindings work, I'm not sure if its JNA limitations to do with constants required or if I was doing something wrong but I was hitting a solid brick wall which gave me no clues on what was wrong.
Instead I've ported this to use the Apple truststores provided by the JVM which was trivial to do.
Closes #5
This won't
fix#3 as its now dependent on the JVM.But it will be fixed by openjdk/jdk#22911 which looks like it should get merged soon-ish and then hopefully it can be backported.