Blame SOURCES/pr2888-rh2055274-support_system_cacerts.patch

221ce3
diff --git a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
079f9a
index e7b4763db53..e8ec8467e6a 100644
221ce3
--- a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
221ce3
+++ b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
079f9a
@@ -31,6 +31,7 @@ import java.security.*;
079f9a
 import java.security.cert.*;
079f9a
 import java.util.*;
079f9a
 import sun.security.action.*;
079f9a
+import sun.security.tools.KeyStoreUtil;
079f9a
 import sun.security.validator.TrustStoreUtil;
079f9a
 
079f9a
 /**
079f9a
@@ -68,7 +69,7 @@ final class TrustStoreManager {
221ce3
      * The preference of the default trusted KeyStore is:
221ce3
      *    javax.net.ssl.trustStore
221ce3
      *    jssecacerts
221ce3
-     *    cacerts
221ce3
+     *    cacerts (system and local)
221ce3
      */
221ce3
     private static final class TrustStoreDescriptor {
221ce3
         private static final String fileSep = File.separator;
079f9a
@@ -76,7 +77,7 @@ final class TrustStoreManager {
079f9a
                 GetPropertyAction.privilegedGetProperty("java.home") +
079f9a
                 fileSep + "lib" + fileSep + "security";
079f9a
         private static final String defaultStore =
079f9a
-                defaultStorePath + fileSep + "cacerts";
079f9a
+            KeyStoreUtil.getCacertsKeyStoreFile().getPath();
221ce3
         private static final String jsseDefaultStore =
221ce3
                 defaultStorePath + fileSep + "jssecacerts";
221ce3
 
079f9a
@@ -139,6 +140,10 @@ final class TrustStoreManager {
221ce3
                     String storePropPassword = System.getProperty(
221ce3
                             "javax.net.ssl.trustStorePassword", "");
221ce3
 
221ce3
+                    if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
079f9a
+                        SSLLogger.fine("Default store: " + defaultStore);
221ce3
+                    }
221ce3
+
221ce3
                     String temporaryName = "";
221ce3
                     File temporaryFile = null;
221ce3
                     long temporaryTime = 0L;
079f9a
@@ -146,21 +151,22 @@ final class TrustStoreManager {
221ce3
                         String[] fileNames =
079f9a
                                 new String[] {storePropName, defaultStore};
221ce3
                         for (String fileName : fileNames) {
221ce3
-                            File f = new File(fileName);
221ce3
-                            if (f.isFile() && f.canRead()) {
221ce3
-                                temporaryName = fileName;;
221ce3
-                                temporaryFile = f;
221ce3
-                                temporaryTime = f.lastModified();
221ce3
-
221ce3
-                                break;
221ce3
-                            }
221ce3
-
221ce3
-                            // Not break, the file is inaccessible.
221ce3
-                            if (SSLLogger.isOn &&
221ce3
+                            if (fileName != null && !"".equals(fileName)) {
221ce3
+                                File f = new File(fileName);
221ce3
+                                if (f.isFile() && f.canRead()) {
221ce3
+                                    temporaryName = fileName;;
221ce3
+                                    temporaryFile = f;
221ce3
+                                    temporaryTime = f.lastModified();
221ce3
+
221ce3
+                                    break;
221ce3
+                                }
221ce3
+                                // Not break, the file is inaccessible.
221ce3
+                                if (SSLLogger.isOn &&
221ce3
                                     SSLLogger.isOn("trustmanager")) {
221ce3
-                                SSLLogger.fine(
221ce3
-                                        "Inaccessible trust store: " +
221ce3
-                                        storePropName);
221ce3
+                                    SSLLogger.fine(
221ce3
+                                            "Inaccessible trust store: " +
221ce3
+                                            fileName);
221ce3
+                                }
221ce3
                             }
221ce3
                         }
221ce3
                     } else {
221ce3
diff --git a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
079f9a
index fcc77786da1..f554f83a8b4 100644
221ce3
--- a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
221ce3
+++ b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
079f9a
@@ -33,7 +33,10 @@ import java.io.InputStreamReader;
079f9a
 
221ce3
 import java.net.URL;
221ce3
 
079f9a
+import java.security.AccessController;
221ce3
 import java.security.KeyStore;
079f9a
+import java.security.PrivilegedAction;
221ce3
+import java.security.Security;
221ce3
 
221ce3
 import java.security.cert.X509Certificate;
221ce3
 import java.text.Collator;
079f9a
@@ -54,6 +57,33 @@ public class KeyStoreUtil {
079f9a
 
079f9a
     private static final String JKS = "jks";
079f9a
 
079f9a
+    private static final String PROP_NAME = "security.systemCACerts";
079f9a
+
079f9a
+    /**
079f9a
+     * Returns the value of the security property propName, which can be overridden
079f9a
+     * by a system property of the same name
079f9a
+     *
079f9a
+     * @param  propName the name of the system or security property
079f9a
+     * @return the value of the system or security property
079f9a
+     */
079f9a
+    @SuppressWarnings("removal")
079f9a
+    public static String privilegedGetOverridable(String propName) {
079f9a
+        if (System.getSecurityManager() == null) {
079f9a
+            return getOverridableProperty(propName);
079f9a
+        } else {
079f9a
+            return AccessController.doPrivileged((PrivilegedAction<String>) () -> getOverridableProperty(propName));
079f9a
+        }
079f9a
+    }
079f9a
+
079f9a
+    private static String getOverridableProperty(String propName) {
079f9a
+        String val = System.getProperty(propName);
079f9a
+        if (val == null) {
079f9a
+            return Security.getProperty(propName);
079f9a
+        } else {
079f9a
+            return val;
079f9a
+        }
079f9a
+    }
079f9a
+
079f9a
     /**
079f9a
      * Returns true if the certificate is self-signed, false otherwise.
079f9a
      */
079f9a
@@ -96,20 +126,38 @@ public class KeyStoreUtil {
079f9a
         }
079f9a
     }
079f9a
 
079f9a
+    /**
079f9a
+     * Returns the path to the cacerts DB
079f9a
+     */
079f9a
+    public static File getCacertsKeyStoreFile()
079f9a
+    {
079f9a
+        String sep = File.separator;
221ce3
+        File file = null;
079f9a
+        /* Check system cacerts DB first, preferring system property over security property */
079f9a
+        String systemDB = privilegedGetOverridable(PROP_NAME);
079f9a
+        if (systemDB != null && !"".equals(systemDB)) {
221ce3
+            file = new File(systemDB);
221ce3
+        }
221ce3
+        if (file == null || !file.exists()) {
221ce3
+            file = new File(System.getProperty("java.home") + sep
221ce3
+                            + "lib" + sep + "security" + sep
221ce3
+                            + "cacerts");
221ce3
+        }
079f9a
+        if (file.exists()) {
079f9a
+            return file;
079f9a
+        }
079f9a
+        return null;
079f9a
+    }
079f9a
+
079f9a
     /**
079f9a
      * Returns the keystore with the configured CA certificates.
079f9a
      */
079f9a
     public static KeyStore getCacertsKeyStore()
079f9a
         throws Exception
079f9a
     {
079f9a
-        String sep = File.separator;
079f9a
-        File file = new File(System.getProperty("java.home") + sep
079f9a
-                             + "lib" + sep + "security" + sep
079f9a
-                             + "cacerts");
079f9a
-        if (!file.exists()) {
079f9a
-            return null;
079f9a
-        }
079f9a
         KeyStore caks = null;
079f9a
+        File file = getCacertsKeyStoreFile();
079f9a
+        if (file == null) { return null; }
079f9a
         try (FileInputStream fis = new FileInputStream(file)) {
079f9a
             caks = KeyStore.getInstance(JKS);
079f9a
             caks.load(fis, null);
221ce3
diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix
221ce3
index bfe0c593adb..093bc09bf95 100644
221ce3
--- a/jdk/src/share/lib/security/java.security-aix
221ce3
+++ b/jdk/src/share/lib/security/java.security-aix
221ce3
@@ -294,6 +294,13 @@ security.overridePropertiesFile=true
221ce3
 #
221ce3
 security.useSystemPropertiesFile=false
221ce3
 
221ce3
+#
221ce3
+# Specifies the system certificate store
221ce3
+# This property may be disabled using
221ce3
+# -Djava.security.disableSystemCACerts=true
221ce3
+#
221ce3
+security.systemCACerts=${java.home}/lib/security/cacerts
221ce3
+
221ce3
 #
221ce3
 # Determines the default key and trust manager factory algorithms for
221ce3
 # the javax.net.ssl package.
221ce3
diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux
221ce3
index 9d1c8fe8a8e..16c9281cc1f 100644
221ce3
--- a/jdk/src/share/lib/security/java.security-linux
221ce3
+++ b/jdk/src/share/lib/security/java.security-linux
221ce3
@@ -307,6 +307,13 @@ security.overridePropertiesFile=true
221ce3
 #
221ce3
 security.useSystemPropertiesFile=false
221ce3
 
221ce3
+#
221ce3
+# Specifies the system certificate store
221ce3
+# This property may be disabled using
221ce3
+# -Djava.security.disableSystemCACerts=true
221ce3
+#
221ce3
+security.systemCACerts=${java.home}/lib/security/cacerts
221ce3
+
221ce3
 #
221ce3
 # Determines the default key and trust manager factory algorithms for
221ce3
 # the javax.net.ssl package.
221ce3
diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx
221ce3
index 19047c61097..43e034cdeaf 100644
221ce3
--- a/jdk/src/share/lib/security/java.security-macosx
221ce3
+++ b/jdk/src/share/lib/security/java.security-macosx
221ce3
@@ -297,6 +297,13 @@ security.overridePropertiesFile=true
221ce3
 #
221ce3
 security.useSystemPropertiesFile=false
221ce3
 
221ce3
+#
221ce3
+# Specifies the system certificate store
221ce3
+# This property may be disabled using
221ce3
+# -Djava.security.disableSystemCACerts=true
221ce3
+#
221ce3
+security.systemCACerts=${java.home}/lib/security/cacerts
221ce3
+
221ce3
 #
221ce3
 # Determines the default key and trust manager factory algorithms for
221ce3
 # the javax.net.ssl package.
221ce3
diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris
221ce3
index 7eda556ae13..325937e97fb 100644
221ce3
--- a/jdk/src/share/lib/security/java.security-solaris
221ce3
+++ b/jdk/src/share/lib/security/java.security-solaris
221ce3
@@ -295,6 +295,13 @@ security.overridePropertiesFile=true
221ce3
 #
221ce3
 security.useSystemPropertiesFile=false
221ce3
 
221ce3
+#
221ce3
+# Specifies the system certificate store
221ce3
+# This property may be disabled using
221ce3
+# -Djava.security.disableSystemCACerts=true
221ce3
+#
221ce3
+security.systemCACerts=${java.home}/lib/security/cacerts
221ce3
+
221ce3
 #
221ce3
 # Determines the default key and trust manager factory algorithms for
221ce3
 # the javax.net.ssl package.
221ce3
diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows
221ce3
index dfa1a669aa9..92ef777e065 100644
221ce3
--- a/jdk/src/share/lib/security/java.security-windows
221ce3
+++ b/jdk/src/share/lib/security/java.security-windows
221ce3
@@ -297,6 +297,13 @@ security.overridePropertiesFile=true
221ce3
 #
221ce3
 security.useSystemPropertiesFile=false
221ce3
 
221ce3
+#
221ce3
+# Specifies the system certificate store
221ce3
+# This property may be disabled using
221ce3
+# -Djava.security.disableSystemCACerts=true
221ce3
+#
221ce3
+security.systemCACerts=${java.home}/lib/security/cacerts
221ce3
+
221ce3
 #
221ce3
 # Determines the default key and trust manager factory algorithms for
221ce3
 # the javax.net.ssl package.