8046777: apple.security.KeychainStore has a problem searching for identities
Reviewed-by: mullan
Contributed-by: David Kocher <dkocher@iterate.ch>
--- a/jdk/src/jdk.deploy.osx/macosx/classes/apple/security/KeychainStore.java Tue Nov 11 11:29:20 2014 -0800
+++ b/jdk/src/jdk.deploy.osx/macosx/classes/apple/security/KeychainStore.java Tue Nov 11 20:11:34 2014 +0000
@@ -294,11 +294,11 @@
if (entry instanceof TrustedCertEntry) {
return ((TrustedCertEntry)entry).cert;
} else {
- if (((KeyEntry)entry).chain == null) {
+ KeyEntry ke = (KeyEntry)entry;
+ if (ke.chain == null || ke.chain.length == 0) {
return null;
- } else {
- return ((KeyEntry)entry).chain[0];
}
+ return ke.chain[0];
}
} else {
return null;
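Review bot: The null-or-empty check on `ke.chain` is written out twice, here and in the `-618` hunk of the same file, and neither place says when a key entry ends up with a zero-length chain. A small private helper such as `private static Certificate firstCert(KeyEntry ke) { return (ke.chain == null || ke.chain.length == 0) ? null : ke.chain[0]; }` would keep both call sites in step and give that explanation one home. Other readers of `KeyEntry.chain` are outside this diff, so it is worth confirming that they also tolerate an empty array rather than indexing or cloning it unchecked. The enclosing method starts and ends outside the hunk.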
@@ -618,10 +618,12 @@
Object entry = entries.get(alias);
if (entry instanceof TrustedCertEntry) {
certElem = ((TrustedCertEntry)entry).cert;
- } else if (((KeyEntry)entry).chain != null) {
- certElem = ((KeyEntry)entry).chain[0];
} else {
- continue;
+ KeyEntry ke = (KeyEntry)entry;
+ if (ke.chain == null || ke.chain.length == 0) {
+ continue;
+ }
+ certElem = ke.chain[0];
}
if (certElem.equals(cert)) {
return alias;
--- a/jdk/src/jdk.deploy.osx/macosx/native/libosx/KeystoreImpl.m Tue Nov 11 11:29:20 2014 -0800
+++ b/jdk/src/jdk.deploy.osx/macosx/native/libosx/KeystoreImpl.m Tue Nov 11 20:11:34 2014 +0000
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -279,7 +279,8 @@
// Search the user keychain list for all identities. Identities are a certificate/private key association that
// can be chosen for a purpose such as signing or an SSL connection.
SecIdentitySearchRef identitySearch = NULL;
- OSStatus err = SecIdentitySearchCreate(NULL, CSSM_KEYUSE_ANY, &identitySearch);
+ // Pass 0 if you want all identities returned by this search
+ OSStatus err = SecIdentitySearchCreate(NULL, 0, &identitySearch);
SecIdentityRef theIdentity = NULL;
OSErr searchResult = noErr;
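Review bot: The comment added above the `SecIdentitySearchCreate` call restates the API documentation but does not record why `CSSM_KEYUSE_ANY` was wrong, which is the part a later maintainer is most likely to undo. Something like `// keyUsage 0 = no filter; CSSM_KEYUSE_ANY matches only identities usable for every operation and hides restricted-usage keys (8046777)` would carry the reason. Because the search now also returns identities whose private key has restricted usage, the keystore may expose keys the keychain intends for only some operations. Whether that restriction is preserved when the key is handed to Java is not visible in this hunk and should be confirmed. The check of `err` also lies outside the hunk.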
--- a/jdk/test/sun/security/tools/keytool/ListKeychainStore.sh Tue Nov 11 11:29:20 2014 -0800
+++ b/jdk/test/sun/security/tools/keytool/ListKeychainStore.sh Tue Nov 11 20:11:34 2014 +0000
@@ -22,7 +22,7 @@
#
# @test
-# @bug 7133495 8041740 8062264
+# @bug 7133495 8041740 8062264 8046777
# @summary [macosx] KeyChain KeyStore implementation retrieves only one private key entry
if [ "${TESTJAVA}" = "" ] ; then
@@ -117,6 +117,26 @@
fi
echo "Imported keypairs from PKCS12 keystore into the keychain"
+# Generate a 2048-bit RSA keypair and import into the temporary keychain
+# (its private key is configured with non-default key usage settings)
+
+certtool c k=$TEMPORARY_KC <<EOF
+test
+r
+2048
+y
+b
+s
+y
+A
+US
+A
+A
+
+
+y
+EOF
+
# Adjust the keychain search order
echo "\"$TEMPORARY_KC\"" > $TEMPORARY_LIST
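Review bot: The exit status of `certtool` is never checked, so a failed or changed prompt sequence lets the script run on and fail only at the recount, with a message that does not point at key generation. Testing `$?` straight after the here-document and running the same `$CLEANUP_P12` / `$CLEANUP_KC` cleanup as the other failure branches would make the cause visible. The here-document answers are bare letters; a comment naming the prompt each line answers would show which setting is the non-default key usage the test depends on. `k=$TEMPORARY_KC` is also unquoted although the next command quotes the same variable.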
@@ -127,10 +147,11 @@
security list-keychains
# Recount the number of private key entries in the Keychain keystores
+# (3 private keys imported from PKCS12, 1 private key generated by 'certtool')
RECOUNT=`$KEYTOOL -list | grep PrivateKeyEntry | wc -l`
echo "Found $RECOUNT private key entries in the Keychain keystore"
-if [ $RECOUNT -lt `expr $COUNT + 3` ]; then
+if [ $RECOUNT -lt `expr $COUNT + 4` ]; then
echo "Error: expected >$COUNT private key entries in the Keychain keystores"
RESULT=`$CLEANUP_P12`
RESULT=`$CLEANUP_KC`
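Review bot: The error text on the failure branch still says `expected >$COUNT`, while the check now requires at least four more entries than `$COUNT`. A run that finds one to three new keys therefore prints a message its own numbers contradict. A message such as `echo "Error: expected at least 4 new private key entries (before: $COUNT, now: $RECOUNT)"` would match the condition. The `if` block continues past the end of the hunk.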
@@ -141,7 +162,7 @@
# Access controls have already been lowered (see 'security import ... -A' above)
${TESTJAVA}/bin/javac ${TESTJAVACOPTS} ${TESTTOOLVMOPTS} -d . ${TESTSRC}/ExportPrivateKeyNoPwd.java || exit 6
-echo | ${TESTJAVA}/bin/java ${TESTVMOPTS} ExportPrivateKeyNoPwd x
+${TESTJAVA}/bin/java ${TESTVMOPTS} ExportPrivateKeyNoPwd x
if [ $? -ne 0 ]; then
echo "Error exporting private key from the temporary keychain"
RESULT=`$CLEANUP_P12`