2023-01-15 10:58:39 +00:00
|
|
|
diff --git a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
|
2023-03-02 06:10:17 +00:00
|
|
|
index e7b4763db53..0005e56f528 100644
|
2023-01-15 10:58:39 +00:00
|
|
|
--- a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
|
|
|
|
+++ b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
|
|
|
|
@@ -31,6 +31,7 @@ import java.security.*;
|
|
|
|
import java.security.cert.*;
|
|
|
|
import java.util.*;
|
|
|
|
import sun.security.action.*;
|
|
|
|
+import sun.security.tools.KeyStoreUtil;
|
|
|
|
import sun.security.validator.TrustStoreUtil;
|
|
|
|
|
|
|
|
/**
|
|
|
|
@@ -68,7 +69,7 @@ final class TrustStoreManager {
|
|
|
|
* The preference of the default trusted KeyStore is:
|
|
|
|
* javax.net.ssl.trustStore
|
|
|
|
* jssecacerts
|
|
|
|
- * cacerts
|
|
|
|
+ * cacerts (system and local)
|
|
|
|
*/
|
|
|
|
private static final class TrustStoreDescriptor {
|
|
|
|
private static final String fileSep = File.separator;
|
2023-03-02 06:10:17 +00:00
|
|
|
@@ -76,7 +77,8 @@ final class TrustStoreManager {
|
2023-01-15 10:58:39 +00:00
|
|
|
GetPropertyAction.privilegedGetProperty("java.home") +
|
|
|
|
fileSep + "lib" + fileSep + "security";
|
|
|
|
private static final String defaultStore =
|
|
|
|
- defaultStorePath + fileSep + "cacerts";
|
2023-03-02 06:10:17 +00:00
|
|
|
+ AccessController.doPrivileged((PrivilegedAction<String>) () ->
|
|
|
|
+ KeyStoreUtil.getCacertsKeyStorePath());
|
2023-01-15 10:58:39 +00:00
|
|
|
private static final String jsseDefaultStore =
|
|
|
|
defaultStorePath + fileSep + "jssecacerts";
|
|
|
|
|
2023-03-02 06:10:17 +00:00
|
|
|
@@ -139,6 +141,10 @@ final class TrustStoreManager {
|
2023-01-15 10:58:39 +00:00
|
|
|
String storePropPassword = System.getProperty(
|
|
|
|
"javax.net.ssl.trustStorePassword", "");
|
|
|
|
|
|
|
|
+ if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
|
|
|
|
+ SSLLogger.fine("Default store: " + defaultStore);
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
String temporaryName = "";
|
|
|
|
File temporaryFile = null;
|
|
|
|
long temporaryTime = 0L;
|
2023-03-02 06:10:17 +00:00
|
|
|
@@ -160,7 +166,7 @@ final class TrustStoreManager {
|
2023-01-15 10:58:39 +00:00
|
|
|
SSLLogger.isOn("trustmanager")) {
|
2023-03-02 06:10:17 +00:00
|
|
|
SSLLogger.fine(
|
|
|
|
"Inaccessible trust store: " +
|
2023-01-15 10:58:39 +00:00
|
|
|
- storePropName);
|
2023-03-02 06:10:17 +00:00
|
|
|
+ fileName);
|
2023-01-15 10:58:39 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
diff --git a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
|
2023-03-02 06:10:17 +00:00
|
|
|
index fcc77786da1..3a4388964cc 100644
|
2023-01-15 10:58:39 +00:00
|
|
|
--- a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
|
|
|
|
+++ b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
|
2023-03-02 06:10:17 +00:00
|
|
|
@@ -41,6 +41,8 @@ import java.text.Collator;
|
|
|
|
import java.util.Locale;
|
|
|
|
import java.util.ResourceBundle;
|
2023-01-15 10:58:39 +00:00
|
|
|
|
2023-03-02 06:10:17 +00:00
|
|
|
+import sun.security.util.SecurityProperties;
|
|
|
|
+
|
|
|
|
/**
|
|
|
|
* <p> This class provides several utilities to <code>KeyStore</code>.
|
|
|
|
*
|
|
|
|
@@ -54,6 +56,8 @@ public class KeyStoreUtil {
|
2023-01-15 10:58:39 +00:00
|
|
|
|
|
|
|
private static final String JKS = "jks";
|
|
|
|
|
2023-03-02 06:10:17 +00:00
|
|
|
+ private static final String SYSTEM_CA_CERTS_PROP = "security.systemCACerts";
|
2023-01-15 10:58:39 +00:00
|
|
|
+
|
|
|
|
/**
|
|
|
|
* Returns true if the certificate is self-signed, false otherwise.
|
|
|
|
*/
|
2023-03-02 06:10:17 +00:00
|
|
|
@@ -96,16 +100,30 @@ public class KeyStoreUtil {
|
2023-01-15 10:58:39 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
+ /**
|
|
|
|
+ * Returns the path to the cacerts DB
|
|
|
|
+ */
|
2023-03-02 06:10:17 +00:00
|
|
|
+ public static String getCacertsKeyStorePath()
|
2023-01-15 10:58:39 +00:00
|
|
|
+ {
|
2023-03-02 06:10:17 +00:00
|
|
|
+ // Check system DB first, preferring system property over security one
|
|
|
|
+ String systemDB = SecurityProperties
|
|
|
|
+ .privilegedGetOverridable(SYSTEM_CA_CERTS_PROP);
|
|
|
|
+ if (systemDB != null && !"".equals(systemDB) &&
|
|
|
|
+ (new File(systemDB)).isFile()) {
|
|
|
|
+ return systemDB;
|
2023-01-15 10:58:39 +00:00
|
|
|
+ }
|
2023-03-02 06:10:17 +00:00
|
|
|
+ String sep = File.separator;
|
|
|
|
+ return System.getProperty("java.home") + sep
|
|
|
|
+ + "lib" + sep + "security" + sep + "cacerts";
|
2023-01-15 10:58:39 +00:00
|
|
|
+ }
|
|
|
|
+
|
|
|
|
/**
|
|
|
|
* Returns the keystore with the configured CA certificates.
|
|
|
|
*/
|
|
|
|
public static KeyStore getCacertsKeyStore()
|
|
|
|
throws Exception
|
|
|
|
{
|
|
|
|
- String sep = File.separator;
|
|
|
|
- File file = new File(System.getProperty("java.home") + sep
|
|
|
|
- + "lib" + sep + "security" + sep
|
|
|
|
- + "cacerts");
|
2023-03-02 06:10:17 +00:00
|
|
|
+ File file = new File(getCacertsKeyStorePath());
|
|
|
|
if (!file.exists()) {
|
|
|
|
return null;
|
|
|
|
}
|
2023-01-15 10:58:39 +00:00
|
|
|
diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix
|
2023-03-02 06:10:17 +00:00
|
|
|
index 681a24b905d..ecb8bc43a6c 100644
|
2023-01-15 10:58:39 +00:00
|
|
|
--- a/jdk/src/share/lib/security/java.security-aix
|
|
|
|
+++ b/jdk/src/share/lib/security/java.security-aix
|
2023-03-02 06:10:17 +00:00
|
|
|
@@ -294,6 +294,12 @@ security.overridePropertiesFile=true
|
2023-01-15 10:58:39 +00:00
|
|
|
#
|
|
|
|
security.useSystemPropertiesFile=false
|
|
|
|
|
|
|
|
+#
|
|
|
|
+# Specifies the system certificate store
|
2023-03-02 06:10:17 +00:00
|
|
|
+# This property may be disabled using an empty value
|
2023-01-15 10:58:39 +00:00
|
|
|
+#
|
|
|
|
+security.systemCACerts=${java.home}/lib/security/cacerts
|
|
|
|
+
|
|
|
|
#
|
|
|
|
# Determines the default key and trust manager factory algorithms for
|
|
|
|
# the javax.net.ssl package.
|
|
|
|
diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux
|
2023-03-02 06:10:17 +00:00
|
|
|
index 789c19a8cba..2546fdec9b2 100644
|
2023-01-15 10:58:39 +00:00
|
|
|
--- a/jdk/src/share/lib/security/java.security-linux
|
|
|
|
+++ b/jdk/src/share/lib/security/java.security-linux
|
2023-03-02 06:10:17 +00:00
|
|
|
@@ -307,6 +307,12 @@ security.overridePropertiesFile=true
|
2023-01-15 10:58:39 +00:00
|
|
|
#
|
|
|
|
security.useSystemPropertiesFile=false
|
|
|
|
|
|
|
|
+#
|
|
|
|
+# Specifies the system certificate store
|
2023-03-02 06:10:17 +00:00
|
|
|
+# This property may be disabled using an empty value
|
2023-01-15 10:58:39 +00:00
|
|
|
+#
|
|
|
|
+security.systemCACerts=${java.home}/lib/security/cacerts
|
|
|
|
+
|
|
|
|
#
|
|
|
|
# Determines the default key and trust manager factory algorithms for
|
|
|
|
# the javax.net.ssl package.
|
|
|
|
diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx
|
2023-03-02 06:10:17 +00:00
|
|
|
index d4da666af3b..1a20027c02b 100644
|
2023-01-15 10:58:39 +00:00
|
|
|
--- a/jdk/src/share/lib/security/java.security-macosx
|
|
|
|
+++ b/jdk/src/share/lib/security/java.security-macosx
|
2023-03-02 06:10:17 +00:00
|
|
|
@@ -297,6 +297,12 @@ security.overridePropertiesFile=true
|
2023-01-15 10:58:39 +00:00
|
|
|
#
|
|
|
|
security.useSystemPropertiesFile=false
|
|
|
|
|
|
|
|
+#
|
|
|
|
+# Specifies the system certificate store
|
2023-03-02 06:10:17 +00:00
|
|
|
+# This property may be disabled using an empty value
|
2023-01-15 10:58:39 +00:00
|
|
|
+#
|
|
|
|
+security.systemCACerts=${java.home}/lib/security/cacerts
|
|
|
|
+
|
|
|
|
#
|
|
|
|
# Determines the default key and trust manager factory algorithms for
|
|
|
|
# the javax.net.ssl package.
|
|
|
|
diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris
|
2023-03-02 06:10:17 +00:00
|
|
|
index 300132384a1..6299e0a3c7b 100644
|
2023-01-15 10:58:39 +00:00
|
|
|
--- a/jdk/src/share/lib/security/java.security-solaris
|
|
|
|
+++ b/jdk/src/share/lib/security/java.security-solaris
|
2023-03-02 06:10:17 +00:00
|
|
|
@@ -295,6 +295,12 @@ security.overridePropertiesFile=true
|
2023-01-15 10:58:39 +00:00
|
|
|
#
|
|
|
|
security.useSystemPropertiesFile=false
|
|
|
|
|
|
|
|
+#
|
|
|
|
+# Specifies the system certificate store
|
2023-03-02 06:10:17 +00:00
|
|
|
+# This property may be disabled using an empty value
|
2023-01-15 10:58:39 +00:00
|
|
|
+#
|
|
|
|
+security.systemCACerts=${java.home}/lib/security/cacerts
|
|
|
|
+
|
|
|
|
#
|
|
|
|
# Determines the default key and trust manager factory algorithms for
|
|
|
|
# the javax.net.ssl package.
|
|
|
|
diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows
|
2023-03-02 06:10:17 +00:00
|
|
|
index 64db5a5cd1e..823994f3466 100644
|
2023-01-15 10:58:39 +00:00
|
|
|
--- a/jdk/src/share/lib/security/java.security-windows
|
|
|
|
+++ b/jdk/src/share/lib/security/java.security-windows
|
2023-03-02 06:10:17 +00:00
|
|
|
@@ -297,6 +297,12 @@ security.overridePropertiesFile=true
|
2023-01-15 10:58:39 +00:00
|
|
|
#
|
|
|
|
security.useSystemPropertiesFile=false
|
|
|
|
|
|
|
|
+#
|
|
|
|
+# Specifies the system certificate store
|
2023-03-02 06:10:17 +00:00
|
|
|
+# This property may be disabled using an empty value
|
2023-01-15 10:58:39 +00:00
|
|
|
+#
|
|
|
|
+security.systemCACerts=${java.home}/lib/security/cacerts
|
|
|
|
+
|
|
|
|
#
|
|
|
|
# Determines the default key and trust manager factory algorithms for
|
|
|
|
# the javax.net.ssl package.
|