Allow the default keystore to be configured using security.systemCACerts
Use of the property can now be disabled using -Dsecurity.systemCACerts=
Move cacerts replacement to install section and retain original of this and tzdb.dat
Resolves: rhbz#2077006
parent
b53bb40201
commit
64ee130bde
|
@ -304,6 +304,10 @@
|
||||||
%global origin_nice OpenJDK
|
%global origin_nice OpenJDK
|
||||||
%global top_level_dir_name %{origin}
|
%global top_level_dir_name %{origin}
|
||||||
|
|
||||||
|
# Settings for local security configuration
|
||||||
|
%global security_file %{top_level_dir_name}/jdk/src/share/lib/security/java.security-%{_target_os}
|
||||||
|
%global cacerts_file /etc/pki/java/cacerts
|
||||||
|
|
||||||
# Define vendor information used by OpenJDK
|
# Define vendor information used by OpenJDK
|
||||||
%global oj_vendor Red Hat, Inc.
|
%global oj_vendor Red Hat, Inc.
|
||||||
%global oj_vendor_url "https://www.redhat.com/"
|
%global oj_vendor_url "https://www.redhat.com/"
|
||||||
|
@ -343,7 +347,7 @@
|
||||||
%global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u})
|
%global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u})
|
||||||
# eg jdk8u60-b27 -> b27
|
# eg jdk8u60-b27 -> b27
|
||||||
%global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-})
|
%global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-})
|
||||||
%global rpmrelease 4
|
%global rpmrelease 5
|
||||||
# Define milestone (EA for pre-releases, GA ("fcs") for releases)
|
# Define milestone (EA for pre-releases, GA ("fcs") for releases)
|
||||||
# Release will be (where N is usually a number starting at 1):
|
# Release will be (where N is usually a number starting at 1):
|
||||||
# - 0.N%%{?extraver}%%{?dist} for EA releases,
|
# - 0.N%%{?extraver}%%{?dist} for EA releases,
|
||||||
|
@ -829,6 +833,7 @@ exit 0
|
||||||
%{_jvmdir}/%{jrelnk -- %{?1}}
|
%{_jvmdir}/%{jrelnk -- %{?1}}
|
||||||
%dir %{_jvmdir}/%{jredir -- %{?1}}/lib/security
|
%dir %{_jvmdir}/%{jredir -- %{?1}}/lib/security
|
||||||
%{_jvmdir}/%{jredir -- %{?1}}/lib/security/cacerts
|
%{_jvmdir}/%{jredir -- %{?1}}/lib/security/cacerts
|
||||||
|
%{_jvmdir}/%{jredir -- %{?1}}/lib/security/cacerts.upstream
|
||||||
%dir %{_jvmdir}/%{jredir -- %{?1}}
|
%dir %{_jvmdir}/%{jredir -- %{?1}}
|
||||||
%dir %{_jvmdir}/%{jredir -- %{?1}}/bin
|
%dir %{_jvmdir}/%{jredir -- %{?1}}/bin
|
||||||
%dir %{_jvmdir}/%{jredir -- %{?1}}/lib
|
%dir %{_jvmdir}/%{jredir -- %{?1}}/lib
|
||||||
|
@ -957,6 +962,7 @@ exit 0
|
||||||
%{_jvmdir}/%{jredir -- %{?1}}/lib/rt.jar
|
%{_jvmdir}/%{jredir -- %{?1}}/lib/rt.jar
|
||||||
%{_jvmdir}/%{jredir -- %{?1}}/lib/sound.properties
|
%{_jvmdir}/%{jredir -- %{?1}}/lib/sound.properties
|
||||||
%{_jvmdir}/%{jredir -- %{?1}}/lib/tzdb.dat
|
%{_jvmdir}/%{jredir -- %{?1}}/lib/tzdb.dat
|
||||||
|
%{_jvmdir}/%{jredir -- %{?1}}/lib/tzdb.dat.upstream
|
||||||
%{_jvmdir}/%{jredir -- %{?1}}/lib/management-agent.jar
|
%{_jvmdir}/%{jredir -- %{?1}}/lib/management-agent.jar
|
||||||
%{_jvmdir}/%{jredir -- %{?1}}/lib/management/*
|
%{_jvmdir}/%{jredir -- %{?1}}/lib/management/*
|
||||||
%{_jvmdir}/%{jredir -- %{?1}}/lib/cmm/*
|
%{_jvmdir}/%{jredir -- %{?1}}/lib/cmm/*
|
||||||
|
@ -1475,7 +1481,9 @@ Patch523: pr2974-rh1337583-add_systemlineendings_option_to_keytool_and_use_line_
|
||||||
Patch528: pr3083-rh1346460-for_ssl_debug_return_null_instead_of_exception_when_theres_no_ecc_provider.patch
|
Patch528: pr3083-rh1346460-for_ssl_debug_return_null_instead_of_exception_when_theres_no_ecc_provider.patch
|
||||||
# PR2888: OpenJDK should check for system cacerts database (e.g. /etc/pki/java/cacerts)
|
# PR2888: OpenJDK should check for system cacerts database (e.g. /etc/pki/java/cacerts)
|
||||||
# PR3575, RH1567204: System cacerts database handling should not affect jssecacerts
|
# PR3575, RH1567204: System cacerts database handling should not affect jssecacerts
|
||||||
Patch539: pr2888-openjdk_should_check_for_system_cacerts_database_eg_etc_pki_java_cacerts.patch
|
# RH2055274: Revert default keystore to JAVA_HOME/jre/lib/security/cacerts in portable builds
|
||||||
|
# Must be applied after FIPS patch as it also changes java.security
|
||||||
|
Patch539: pr2888-rh2055274-support_system_cacerts.patch
|
||||||
# enable build of speculative store bypass hardened alt-java
|
# enable build of speculative store bypass hardened alt-java
|
||||||
Patch600: rh1750419-redhat_alt_java.patch
|
Patch600: rh1750419-redhat_alt_java.patch
|
||||||
# JDK-8218811: replace open by os::open in hotspot coding
|
# JDK-8218811: replace open by os::open in hotspot coding
|
||||||
|
@ -1933,10 +1941,11 @@ pushd %{top_level_dir_name}
|
||||||
%patch1001 -p1
|
%patch1001 -p1
|
||||||
# nss.cfg PKCS11 support; must come last as it also alters java.security
|
# nss.cfg PKCS11 support; must come last as it also alters java.security
|
||||||
%patch1000 -p1
|
%patch1000 -p1
|
||||||
|
# cacerts patch; must follow FIPS patch as it also alters java.security
|
||||||
|
%patch539 -p1
|
||||||
popd
|
popd
|
||||||
|
|
||||||
# RPM-only fixes
|
# RPM-only fixes
|
||||||
%patch539
|
|
||||||
%patch600
|
%patch600
|
||||||
%patch1003
|
%patch1003
|
||||||
|
|
||||||
|
@ -2000,7 +2009,11 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
|
||||||
# Setup nss.fips.cfg
|
# Setup nss.fips.cfg
|
||||||
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
|
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
|
||||||
|
|
||||||
|
# Setup security policy
|
||||||
|
sed -i -e "s:^security.systemCACerts=.*:security.systemCACerts=%{cacerts_file}:" %{security_file}
|
||||||
|
|
||||||
%build
|
%build
|
||||||
|
|
||||||
# How many CPU's do we have?
|
# How many CPU's do we have?
|
||||||
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
|
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
|
||||||
export NUM_PROC=${NUM_PROC:-1}
|
export NUM_PROC=${NUM_PROC:-1}
|
||||||
|
@ -2154,8 +2167,13 @@ function installjdk() {
|
||||||
${imagepath}/jre/lib/security/java.security
|
${imagepath}/jre/lib/security/java.security
|
||||||
|
|
||||||
# Use system-wide tzdata
|
# Use system-wide tzdata
|
||||||
rm ${imagepath}/jre/lib/tzdb.dat
|
mv ${imagepath}/jre/lib/tzdb.dat{,.upstream}
|
||||||
ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/jre/lib/tzdb.dat
|
ln -sv %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/jre/lib/tzdb.dat
|
||||||
|
|
||||||
|
# Rename OpenJDK cacerts database
|
||||||
|
mv ${imagepath}/jre/lib/security/cacerts{,.upstream}
|
||||||
|
# Install cacerts symlink needed by some apps which hard-code the path
|
||||||
|
ln -sv %{cacerts_file} ${imagepath}/jre/lib/security
|
||||||
|
|
||||||
# add alt-java man page
|
# add alt-java man page
|
||||||
pushd ${imagepath}
|
pushd ${imagepath}
|
||||||
|
@ -2372,13 +2390,6 @@ mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix}/lib/%{archinstall}/clien
|
||||||
done
|
done
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
# Remove empty cacerts database
|
|
||||||
rm -f $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix}/lib/security/cacerts
|
|
||||||
# Install cacerts symlink needed by some apps which hardcode the path
|
|
||||||
pushd $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix}/lib/security
|
|
||||||
ln -sf /etc/pki/java/cacerts .
|
|
||||||
popd
|
|
||||||
|
|
||||||
# Install versioned symlinks
|
# Install versioned symlinks
|
||||||
pushd $RPM_BUILD_ROOT%{_jvmdir}
|
pushd $RPM_BUILD_ROOT%{_jvmdir}
|
||||||
ln -sf %{jredir -- $suffix} %{jrelnk -- $suffix}
|
ln -sf %{jredir -- $suffix} %{jrelnk -- $suffix}
|
||||||
|
@ -2708,6 +2719,12 @@ cjc.mainProgram(args)
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Aug 30 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.345.b01-5
|
||||||
|
- Allow the default keystore to be configured using security.systemCACerts
|
||||||
|
- Use of the property can now be disabled using -Dsecurity.systemCACerts=
|
||||||
|
- Move cacerts replacement to install section and retain original of this and tzdb.dat
|
||||||
|
- Resolves: rhbz#2077006
|
||||||
|
|
||||||
* Tue Aug 30 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.345.b01-4
|
* Tue Aug 30 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.345.b01-4
|
||||||
- Switch to static builds, reducing system dependencies and making build more portable
|
- Switch to static builds, reducing system dependencies and making build more portable
|
||||||
- Resolves: rhbz#2121273
|
- Resolves: rhbz#2121273
|
||||||
|
|
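Review bot: The `sed -i` under "Setup security policy" (hunk -2000,7 +2009,11) exits successfully even when no line matches `^security.systemCACerts=`, so if patch 539 ever stops adding that property the build still passes and ships `java.security` without the system path. The miss would be hard to notice, because the install section also links `jre/lib/security/cacerts` to `%{cacerts_file}` and the fallback location therefore appears to resolve to the same store. Follow the substitution with a check that fails the build when the line is absent, for example `grep -q "^security\.systemCACerts=%{cacerts_file}$" %{security_file}`; this assumes %prep runs under the usual `-e` shell. The dot in the sed pattern should also be escaped (`^security\.systemCACerts=`) so it matches only the literal property name.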
|
@ -1,63 +0,0 @@
|
||||||
# HG changeset patch
|
|
||||||
# User andrew
|
|
||||||
# Date 1459487045 -3600
|
|
||||||
# Fri Apr 01 06:04:05 2016 +0100
|
|
||||||
# Node ID 3334efeacd8327a14b7d2f392f4546e3c29c594b
|
|
||||||
# Parent 6b81fd2227d14226f2121f2d51b464536925686e
|
|
||||||
PR2888: OpenJDK should check for system cacerts database (e.g. /etc/pki/java/cacerts)
|
|
||||||
PR3575: System cacerts database handling should not affect jssecacerts
|
|
||||||
|
|
||||||
diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java openjdk/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
|
|
||||||
--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
|
|
||||||
+++ openjdk/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
|
|
||||||
@@ -72,7 +72,7 @@
|
|
||||||
* The preference of the default trusted KeyStore is:
|
|
||||||
* javax.net.ssl.trustStore
|
|
||||||
* jssecacerts
|
|
||||||
- * cacerts
|
|
||||||
+ * cacerts (system and local)
|
|
||||||
*/
|
|
||||||
private static final class TrustStoreDescriptor {
|
|
||||||
private static final String fileSep = File.separator;
|
|
||||||
@@ -83,6 +83,10 @@
|
|
||||||
defaultStorePath + fileSep + "cacerts";
|
|
||||||
private static final String jsseDefaultStore =
|
|
||||||
defaultStorePath + fileSep + "jssecacerts";
|
|
||||||
+ /* Check system cacerts DB: /etc/pki/java/cacerts */
|
|
||||||
+ private static final String systemStore =
|
|
||||||
+ fileSep + "etc" + fileSep + "pki" +
|
|
||||||
+ fileSep + "java" + fileSep + "cacerts";
|
|
||||||
|
|
||||||
// the trust store name
|
|
||||||
private final String storeName;
|
|
||||||
@@ -146,7 +150,8 @@
|
|
||||||
long temporaryTime = 0L;
|
|
||||||
if (!"NONE".equals(storePropName)) {
|
|
||||||
String[] fileNames =
|
|
||||||
- new String[] {storePropName, defaultStore};
|
|
||||||
+ new String[] {storePropName,
|
|
||||||
+ systemStore, defaultStore};
|
|
||||||
for (String fileName : fileNames) {
|
|
||||||
File f = new File(fileName);
|
|
||||||
if (f.isFile() && f.canRead()) {
|
|
||||||
diff --git openjdk.orig/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java openjdk/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
|
|
||||||
--- openjdk.orig/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
|
|
||||||
+++ openjdk/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
|
|
||||||
@@ -108,9 +108,14 @@
|
|
||||||
throws Exception
|
|
||||||
{
|
|
||||||
String sep = File.separator;
|
|
||||||
- File file = new File(System.getProperty("java.home") + sep
|
|
||||||
- + "lib" + sep + "security" + sep
|
|
||||||
- + "cacerts");
|
|
||||||
+ /* Check system cacerts DB first; /etc/pki/java/cacerts */
|
|
||||||
+ File file = new File(sep + "etc" + sep + "pki" + sep
|
|
||||||
+ + "java" + sep + "cacerts");
|
|
||||||
+ if (!file.exists()) {
|
|
||||||
+ file = new File(System.getProperty("java.home") + sep
|
|
||||||
+ + "lib" + sep + "security" + sep
|
|
||||||
+ + "cacerts");
|
|
||||||
+ }
|
|
||||||
if (!file.exists()) {
|
|
||||||
return null;
|
|
||||||
}
|
|
|
@ -0,0 +1,263 @@
|
||||||
|
diff --git a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
|
||||||
|
index e7b4763db53..e8ec8467e6a 100644
|
||||||
|
--- a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
|
||||||
|
+++ b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
|
||||||
|
@@ -31,6 +31,7 @@ import java.security.*;
|
||||||
|
import java.security.cert.*;
|
||||||
|
import java.util.*;
|
||||||
|
import sun.security.action.*;
|
||||||
|
+import sun.security.tools.KeyStoreUtil;
|
||||||
|
import sun.security.validator.TrustStoreUtil;
|
||||||
|
|
||||||
|
/**
|
||||||
|
@@ -68,7 +69,7 @@ final class TrustStoreManager {
|
||||||
|
* The preference of the default trusted KeyStore is:
|
||||||
|
* javax.net.ssl.trustStore
|
||||||
|
* jssecacerts
|
||||||
|
- * cacerts
|
||||||
|
+ * cacerts (system and local)
|
||||||
|
*/
|
||||||
|
private static final class TrustStoreDescriptor {
|
||||||
|
private static final String fileSep = File.separator;
|
||||||
|
@@ -76,7 +77,7 @@ final class TrustStoreManager {
|
||||||
|
GetPropertyAction.privilegedGetProperty("java.home") +
|
||||||
|
fileSep + "lib" + fileSep + "security";
|
||||||
|
private static final String defaultStore =
|
||||||
|
- defaultStorePath + fileSep + "cacerts";
|
||||||
|
+ KeyStoreUtil.getCacertsKeyStoreFile().getPath();
|
||||||
|
private static final String jsseDefaultStore =
|
||||||
|
defaultStorePath + fileSep + "jssecacerts";
|
||||||
|
|
||||||
|
@@ -139,6 +140,10 @@ final class TrustStoreManager {
|
||||||
|
String storePropPassword = System.getProperty(
|
||||||
|
"javax.net.ssl.trustStorePassword", "");
|
||||||
|
|
||||||
|
+ if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
|
||||||
|
+ SSLLogger.fine("Default store: " + defaultStore);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
String temporaryName = "";
|
||||||
|
File temporaryFile = null;
|
||||||
|
long temporaryTime = 0L;
|
||||||
|
@@ -146,21 +151,22 @@ final class TrustStoreManager {
|
||||||
|
String[] fileNames =
|
||||||
|
new String[] {storePropName, defaultStore};
|
||||||
|
for (String fileName : fileNames) {
|
||||||
|
- File f = new File(fileName);
|
||||||
|
- if (f.isFile() && f.canRead()) {
|
||||||
|
- temporaryName = fileName;;
|
||||||
|
- temporaryFile = f;
|
||||||
|
- temporaryTime = f.lastModified();
|
||||||
|
-
|
||||||
|
- break;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- // Not break, the file is inaccessible.
|
||||||
|
- if (SSLLogger.isOn &&
|
||||||
|
+ if (fileName != null && !"".equals(fileName)) {
|
||||||
|
+ File f = new File(fileName);
|
||||||
|
+ if (f.isFile() && f.canRead()) {
|
||||||
|
+ temporaryName = fileName;;
|
||||||
|
+ temporaryFile = f;
|
||||||
|
+ temporaryTime = f.lastModified();
|
||||||
|
+
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ // Not break, the file is inaccessible.
|
||||||
|
+ if (SSLLogger.isOn &&
|
||||||
|
SSLLogger.isOn("trustmanager")) {
|
||||||
|
- SSLLogger.fine(
|
||||||
|
- "Inaccessible trust store: " +
|
||||||
|
- storePropName);
|
||||||
|
+ SSLLogger.fine(
|
||||||
|
+ "Inaccessible trust store: " +
|
||||||
|
+ fileName);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
diff --git a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
|
||||||
|
index fcc77786da1..f554f83a8b4 100644
|
||||||
|
--- a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
|
||||||
|
+++ b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
|
||||||
|
@@ -33,7 +33,10 @@ import java.io.InputStreamReader;
|
||||||
|
|
||||||
|
import java.net.URL;
|
||||||
|
|
||||||
|
+import java.security.AccessController;
|
||||||
|
import java.security.KeyStore;
|
||||||
|
+import java.security.PrivilegedAction;
|
||||||
|
+import java.security.Security;
|
||||||
|
|
||||||
|
import java.security.cert.X509Certificate;
|
||||||
|
import java.text.Collator;
|
||||||
|
@@ -54,6 +57,33 @@ public class KeyStoreUtil {
|
||||||
|
|
||||||
|
private static final String JKS = "jks";
|
||||||
|
|
||||||
|
+ private static final String PROP_NAME = "security.systemCACerts";
|
||||||
|
+
|
||||||
|
+ /**
|
||||||
|
+ * Returns the value of the security property propName, which can be overridden
|
||||||
|
+ * by a system property of the same name
|
||||||
|
+ *
|
||||||
|
+ * @param propName the name of the system or security property
|
||||||
|
+ * @return the value of the system or security property
|
||||||
|
+ */
|
||||||
|
+ @SuppressWarnings("removal")
|
||||||
|
+ public static String privilegedGetOverridable(String propName) {
|
||||||
|
+ if (System.getSecurityManager() == null) {
|
||||||
|
+ return getOverridableProperty(propName);
|
||||||
|
+ } else {
|
||||||
|
+ return AccessController.doPrivileged((PrivilegedAction<String>) () -> getOverridableProperty(propName));
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ private static String getOverridableProperty(String propName) {
|
||||||
|
+ String val = System.getProperty(propName);
|
||||||
|
+ if (val == null) {
|
||||||
|
+ return Security.getProperty(propName);
|
||||||
|
+ } else {
|
||||||
|
+ return val;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/**
|
||||||
|
* Returns true if the certificate is self-signed, false otherwise.
|
||||||
|
*/
|
||||||
|
@@ -96,20 +126,38 @@ public class KeyStoreUtil {
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /**
|
||||||
|
+ * Returns the path to the cacerts DB
|
||||||
|
+ */
|
||||||
|
+ public static File getCacertsKeyStoreFile()
|
||||||
|
+ {
|
||||||
|
+ String sep = File.separator;
|
||||||
|
+ File file = null;
|
||||||
|
+ /* Check system cacerts DB first, preferring system property over security property */
|
||||||
|
+ String systemDB = privilegedGetOverridable(PROP_NAME);
|
||||||
|
+ if (systemDB != null && !"".equals(systemDB)) {
|
||||||
|
+ file = new File(systemDB);
|
||||||
|
+ }
|
||||||
|
+ if (file == null || !file.exists()) {
|
||||||
|
+ file = new File(System.getProperty("java.home") + sep
|
||||||
|
+ + "lib" + sep + "security" + sep
|
||||||
|
+ + "cacerts");
|
||||||
|
+ }
|
||||||
|
+ if (file.exists()) {
|
||||||
|
+ return file;
|
||||||
|
+ }
|
||||||
|
+ return null;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/**
|
||||||
|
* Returns the keystore with the configured CA certificates.
|
||||||
|
*/
|
||||||
|
public static KeyStore getCacertsKeyStore()
|
||||||
|
throws Exception
|
||||||
|
{
|
||||||
|
- String sep = File.separator;
|
||||||
|
- File file = new File(System.getProperty("java.home") + sep
|
||||||
|
- + "lib" + sep + "security" + sep
|
||||||
|
- + "cacerts");
|
||||||
|
- if (!file.exists()) {
|
||||||
|
- return null;
|
||||||
|
- }
|
||||||
|
KeyStore caks = null;
|
||||||
|
+ File file = getCacertsKeyStoreFile();
|
||||||
|
+ if (file == null) { return null; }
|
||||||
|
try (FileInputStream fis = new FileInputStream(file)) {
|
||||||
|
caks = KeyStore.getInstance(JKS);
|
||||||
|
caks.load(fis, null);
|
||||||
|
diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix
|
||||||
|
index bfe0c593adb..093bc09bf95 100644
|
||||||
|
--- a/jdk/src/share/lib/security/java.security-aix
|
||||||
|
+++ b/jdk/src/share/lib/security/java.security-aix
|
||||||
|
@@ -294,6 +294,13 @@ security.overridePropertiesFile=true
|
||||||
|
#
|
||||||
|
security.useSystemPropertiesFile=false
|
||||||
|
|
||||||
|
+#
|
||||||
|
+# Specifies the system certificate store
|
||||||
|
+# This property may be disabled using
|
||||||
|
+# -Djava.security.disableSystemCACerts=true
|
||||||
|
+#
|
||||||
|
+security.systemCACerts=${java.home}/lib/security/cacerts
|
||||||
|
+
|
||||||
|
#
|
||||||
|
# Determines the default key and trust manager factory algorithms for
|
||||||
|
# the javax.net.ssl package.
|
||||||
|
diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux
|
||||||
|
index 9d1c8fe8a8e..16c9281cc1f 100644
|
||||||
|
--- a/jdk/src/share/lib/security/java.security-linux
|
||||||
|
+++ b/jdk/src/share/lib/security/java.security-linux
|
||||||
|
@@ -307,6 +307,13 @@ security.overridePropertiesFile=true
|
||||||
|
#
|
||||||
|
security.useSystemPropertiesFile=false
|
||||||
|
|
||||||
|
+#
|
||||||
|
+# Specifies the system certificate store
|
||||||
|
+# This property may be disabled using
|
||||||
|
+# -Djava.security.disableSystemCACerts=true
|
||||||
|
+#
|
||||||
|
+security.systemCACerts=${java.home}/lib/security/cacerts
|
||||||
|
+
|
||||||
|
#
|
||||||
|
# Determines the default key and trust manager factory algorithms for
|
||||||
|
# the javax.net.ssl package.
|
||||||
|
diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx
|
||||||
|
index 19047c61097..43e034cdeaf 100644
|
||||||
|
--- a/jdk/src/share/lib/security/java.security-macosx
|
||||||
|
+++ b/jdk/src/share/lib/security/java.security-macosx
|
||||||
|
@@ -297,6 +297,13 @@ security.overridePropertiesFile=true
|
||||||
|
#
|
||||||
|
security.useSystemPropertiesFile=false
|
||||||
|
|
||||||
|
+#
|
||||||
|
+# Specifies the system certificate store
|
||||||
|
+# This property may be disabled using
|
||||||
|
+# -Djava.security.disableSystemCACerts=true
|
||||||
|
+#
|
||||||
|
+security.systemCACerts=${java.home}/lib/security/cacerts
|
||||||
|
+
|
||||||
|
#
|
||||||
|
# Determines the default key and trust manager factory algorithms for
|
||||||
|
# the javax.net.ssl package.
|
||||||
|
diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris
|
||||||
|
index 7eda556ae13..325937e97fb 100644
|
||||||
|
--- a/jdk/src/share/lib/security/java.security-solaris
|
||||||
|
+++ b/jdk/src/share/lib/security/java.security-solaris
|
||||||
|
@@ -295,6 +295,13 @@ security.overridePropertiesFile=true
|
||||||
|
#
|
||||||
|
security.useSystemPropertiesFile=false
|
||||||
|
|
||||||
|
+#
|
||||||
|
+# Specifies the system certificate store
|
||||||
|
+# This property may be disabled using
|
||||||
|
+# -Djava.security.disableSystemCACerts=true
|
||||||
|
+#
|
||||||
|
+security.systemCACerts=${java.home}/lib/security/cacerts
|
||||||
|
+
|
||||||
|
#
|
||||||
|
# Determines the default key and trust manager factory algorithms for
|
||||||
|
# the javax.net.ssl package.
|
||||||
|
diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows
|
||||||
|
index dfa1a669aa9..92ef777e065 100644
|
||||||
|
--- a/jdk/src/share/lib/security/java.security-windows
|
||||||
|
+++ b/jdk/src/share/lib/security/java.security-windows
|
||||||
|
@@ -297,6 +297,13 @@ security.overridePropertiesFile=true
|
||||||
|
#
|
||||||
|
security.useSystemPropertiesFile=false
|
||||||
|
|
||||||
|
+#
|
||||||
|
+# Specifies the system certificate store
|
||||||
|
+# This property may be disabled using
|
||||||
|
+# -Djava.security.disableSystemCACerts=true
|
||||||
|
+#
|
||||||
|
+security.systemCACerts=${java.home}/lib/security/cacerts
|
||||||
|
+
|
||||||
|
#
|
||||||
|
# Determines the default key and trust manager factory algorithms for
|
||||||
|
# the javax.net.ssl package.
|
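Review bot: `getCacertsKeyStoreFile()` returns null when neither the configured store nor `java.home/lib/security/cacerts` exists, yet the new `defaultStore` initializer in `TrustStoreDescriptor` calls `KeyStoreUtil.getCacertsKeyStoreFile().getPath()` with no guard. A missing file would then fail static initialisation of that class, instead of reaching the loop's `isFile() && canRead()` test and the "Inaccessible trust store" log line as it did before. Either let the helper end with `return file;` and keep the existence test in `getCacertsKeyStore()` as `if (file == null || !file.exists()) { return null; }`, or null-check in the initializer and fall back to `defaultStorePath + fileSep + "cacerts"`. Separately, the comment added to every `java.security-*` file tells administrators to use `-Djava.security.disableSystemCACerts=true`, a property that nothing visible in this patch reads. The code only honours an empty `security.systemCACerts`, so the comment should read `# -Dsecurity.systemCACerts=` to match the commit description; otherwise someone following it will believe the system trust store is disabled when it is still in use.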