GH-39014: [Java] Add default truststore along with KeychainStore when on Mac system #39235
Conversation
|
|
| @@ -156,16 +166,9 @@ public static InputStream getCertificateInputStreamFromSystem(String password) t | |||
| keyStoreList.add(getKeyStoreInstance("Windows-MY")); | |||
| } else if (isMac()) { | |||
| keyStoreList.add(getKeyStoreInstance("KeychainStore")); | |||
There was a problem hiding this comment.
Is it not necessary to delete this method now?
There was a problem hiding this comment.
I considered it, but I don't see the harm in keeping it, especially if users are now importing certificates into their user keychain as a workaround.
There was a problem hiding this comment.
Okay, thanks for letting me know.
There was a problem hiding this comment.
Not a big deal to keep it for now imho.
github-actions
bot
added
awaiting committer review
| throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException { | ||
| try (InputStream fileInputStream = getKeystoreInputStream()) { | ||
| KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); | ||
| keyStore.load(fileInputStream, password == null ? null : password.toCharArray()); |
There was a problem hiding this comment.
Does it need to load all cacerts files? Is there a way to restrict files needed to be loaded based on security concerns?
There was a problem hiding this comment.
Could you elaborate on the security concerns from loading all the cacerts files?
There was a problem hiding this comment.
Based on the current user workaround, there is no more question for my side #39235 (comment)
There was a problem hiding this comment.
It looks good to me. Maybe it would be better to name this method geetDefaultTrustStore() but that's not a big deal.
|
Thanks for the PR. I'm doing a pass as well 😄 |
| throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException { | ||
| try (InputStream fileInputStream = getKeystoreInputStream()) { | ||
| KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); | ||
| keyStore.load(fileInputStream, password == null ? null : password.toCharArray()); |
There was a problem hiding this comment.
It looks good to me. Maybe it would be better to name this method geetDefaultTrustStore() but that's not a big deal.
| @@ -156,16 +166,9 @@ public static InputStream getCertificateInputStreamFromSystem(String password) t | |||
| keyStoreList.add(getKeyStoreInstance("Windows-MY")); | |||
| } else if (isMac()) { | |||
| keyStoreList.add(getKeyStoreInstance("KeychainStore")); | |||
There was a problem hiding this comment.
Not a big deal to keep it for now imho.
| @@ -156,16 +166,9 @@ public static InputStream getCertificateInputStreamFromSystem(String password) t | |||
| keyStoreList.add(getKeyStoreInstance("Windows-MY")); | |||
| } else if (isMac()) { | |||
| keyStoreList.add(getKeyStoreInstance("KeychainStore")); | |||
| keyStoreList.add(getDefaultKeyStoreInstance(password)); | |||
There was a problem hiding this comment.
Does the order matter? Should the system key store come first?
There was a problem hiding this comment.
It appears order does not matter, given that pemWriter writes data for all keystores added to the keystore list. I also did a manual test that required the default keystore and it passed successfully.
github-actions
bot
added
awaiting merge
|
After merging your PR, Conbench analyzed the 5 benchmarking runs that have been run so far on merge-commit cd5a1bd. There were no benchmark performance regressions. 🎉 The full Conbench report has more details. |
…e when on Mac system (apache#39235) ### Rationale for this change As described in apache#39014, when using the system TrustStore on Mac, the certificates returned do not include Root CAs trusted by the system. This change adds the default KeyStore instance along with the KeyChainStore to include trusted Root CAs. The reason we add the default KeyStore instance is because there is no easy way to get the certificates from the System Roots keychain. ### What changes are included in this PR? I've updated ClientAuthenticationUtils to get the default KeyStore instance when the operating system is macOS and have updated the tests to include this change. ### Are these changes tested? See changes made in ClientAuthenticationUtilsTest.java. ### Are there any user-facing changes? No * Closes: apache#39014 Authored-by: Ravjot Brar <ravjot.brar@dremio.com> Signed-off-by: David Li <li.davidm96@gmail.com>
…e when on Mac system (apache#39235) ### Rationale for this change As described in apache#39014, when using the system TrustStore on Mac, the certificates returned do not include Root CAs trusted by the system. This change adds the default KeyStore instance along with the KeyChainStore to include trusted Root CAs. The reason we add the default KeyStore instance is because there is no easy way to get the certificates from the System Roots keychain. ### What changes are included in this PR? I've updated ClientAuthenticationUtils to get the default KeyStore instance when the operating system is macOS and have updated the tests to include this change. ### Are these changes tested? See changes made in ClientAuthenticationUtilsTest.java. ### Are there any user-facing changes? No * Closes: apache#39014 Authored-by: Ravjot Brar <ravjot.brar@dremio.com> Signed-off-by: David Li <li.davidm96@gmail.com>
Rationale for this change
As described in #39014, when using the system TrustStore on Mac, the certificates returned do not include Root CAs trusted by the system. This change adds the default KeyStore instance along with the KeyChainStore to include trusted Root CAs. The reason we add the default KeyStore instance is because there is no easy way to get the certificates from the System Roots keychain.
What changes are included in this PR?
I've updated ClientAuthenticationUtils to get the default KeyStore instance when the operating system is macOS and have updated the tests to include this change.
Are these changes tested?
See changes made in ClientAuthenticationUtilsTest.java.
Are there any user-facing changes?
No