rpms/java-1.8.0-openjdk
6
0
Fork 0
Code Issues Pull Requests Releases Activity
d5c8712f0f
java-1.8.0-openjdk/pr2888-rh2055274-support_system_cacerts-8139f2361c2.patch
Andrew Hughes f7c0e1142a Update cacerts patch to fix OPENJDK-1433 SecurityManager issue 
Update to shenandoah-jdk8u352-b09 (GA)
Update release notes for shenandoah-8u352-b09.

Resolves: rhbz#2162714
2023-01-24 02:33:33 +00:00

194 lines
7.3 KiB
Diff
Raw Blame History

diff --git a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
index e7b4763db53..0005e56f528 100644
--- a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
+++ b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
@@ -31,6 +31,7 @@ import java.security.*;
import java.security.cert.*;
import java.util.*;
import sun.security.action.*;
+import sun.security.tools.KeyStoreUtil;
import sun.security.validator.TrustStoreUtil;
/**
@@ -68,7 +69,7 @@ final class TrustStoreManager {
* The preference of the default trusted KeyStore is:
* javax.net.ssl.trustStore
* jssecacerts
- * cacerts
+ * cacerts (system and local)
*/
private static final class TrustStoreDescriptor {
private static final String fileSep = File.separator;
@@ -76,7 +77,8 @@ final class TrustStoreManager {
GetPropertyAction.privilegedGetProperty("java.home") +
fileSep + "lib" + fileSep + "security";
private static final String defaultStore =
- defaultStorePath + fileSep + "cacerts";
+ AccessController.doPrivileged((PrivilegedAction<String>) () ->
+ KeyStoreUtil.getCacertsKeyStorePath());
private static final String jsseDefaultStore =
defaultStorePath + fileSep + "jssecacerts";
@@ -139,6 +141,10 @@ final class TrustStoreManager {
String storePropPassword = System.getProperty(
"javax.net.ssl.trustStorePassword", "");
+ if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
+ SSLLogger.fine("Default store: " + defaultStore);
+ }
+
String temporaryName = "";
File temporaryFile = null;
long temporaryTime = 0L;
@@ -160,7 +166,7 @@ final class TrustStoreManager {
SSLLogger.isOn("trustmanager")) {
SSLLogger.fine(
"Inaccessible trust store: " +
- storePropName);
+ fileName);
}
}
} else {
diff --git a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
index fcc77786da1..3a4388964cc 100644
--- a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
+++ b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
@@ -41,6 +41,8 @@ import java.text.Collator;
import java.util.Locale;
import java.util.ResourceBundle;
+import sun.security.util.SecurityProperties;
+
/**
* <p> This class provides several utilities to <code>KeyStore</code>.
*
@@ -54,6 +56,8 @@ public class KeyStoreUtil {
private static final String JKS = "jks";
+ private static final String SYSTEM_CA_CERTS_PROP = "security.systemCACerts";
+
/**
* Returns true if the certificate is self-signed, false otherwise.
*/
@@ -96,16 +100,30 @@ public class KeyStoreUtil {
}
}
+ /**
+ * Returns the path to the cacerts DB
+ */
+ public static String getCacertsKeyStorePath()
+ {
+ // Check system DB first, preferring system property over security one
+ String systemDB = SecurityProperties
+ .privilegedGetOverridable(SYSTEM_CA_CERTS_PROP);
+ if (systemDB != null && !"".equals(systemDB) &&
+ (new File(systemDB)).isFile()) {
+ return systemDB;
+ }
+ String sep = File.separator;
+ return System.getProperty("java.home") + sep
+ + "lib" + sep + "security" + sep + "cacerts";
+ }
+
/**
* Returns the keystore with the configured CA certificates.
*/
public static KeyStore getCacertsKeyStore()
throws Exception
{
- String sep = File.separator;
- File file = new File(System.getProperty("java.home") + sep
- + "lib" + sep + "security" + sep
- + "cacerts");
+ File file = new File(getCacertsKeyStorePath());
if (!file.exists()) {
return null;
}
diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix
index 681a24b905d..ecb8bc43a6c 100644
--- a/jdk/src/share/lib/security/java.security-aix
+++ b/jdk/src/share/lib/security/java.security-aix
@@ -294,6 +294,12 @@ security.overridePropertiesFile=true
#
security.useSystemPropertiesFile=false
+#
+# Specifies the system certificate store
+# This property may be disabled using an empty value
+#
+security.systemCACerts=${java.home}/lib/security/cacerts
+
#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux
index 789c19a8cba..2546fdec9b2 100644
--- a/jdk/src/share/lib/security/java.security-linux
+++ b/jdk/src/share/lib/security/java.security-linux
@@ -307,6 +307,12 @@ security.overridePropertiesFile=true
#
security.useSystemPropertiesFile=false
+#
+# Specifies the system certificate store
+# This property may be disabled using an empty value
+#
+security.systemCACerts=${java.home}/lib/security/cacerts
+
#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx
index d4da666af3b..1a20027c02b 100644
--- a/jdk/src/share/lib/security/java.security-macosx
+++ b/jdk/src/share/lib/security/java.security-macosx
@@ -297,6 +297,12 @@ security.overridePropertiesFile=true
#
security.useSystemPropertiesFile=false
+#
+# Specifies the system certificate store
+# This property may be disabled using an empty value
+#
+security.systemCACerts=${java.home}/lib/security/cacerts
+
#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris
index 300132384a1..6299e0a3c7b 100644
--- a/jdk/src/share/lib/security/java.security-solaris
+++ b/jdk/src/share/lib/security/java.security-solaris
@@ -295,6 +295,12 @@ security.overridePropertiesFile=true
#
security.useSystemPropertiesFile=false
+#
+# Specifies the system certificate store
+# This property may be disabled using an empty value
+#
+security.systemCACerts=${java.home}/lib/security/cacerts
+
#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows
index 64db5a5cd1e..823994f3466 100644
--- a/jdk/src/share/lib/security/java.security-windows
+++ b/jdk/src/share/lib/security/java.security-windows
@@ -297,6 +297,12 @@ security.overridePropertiesFile=true
#
security.useSystemPropertiesFile=false
+#
+# Specifies the system certificate store
+# This property may be disabled using an empty value
+#
+security.systemCACerts=${java.home}/lib/security/cacerts
+
#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
Reference in New Issue View Git Blame Copy Permalink