23 changes: 23 additions & 0 deletions core/pva/src/main/java/org/epics/pva/common/SecureSockets.java
Expand Up @@ -67,7 +67,7 @@
* @return {@link SSLContext} with 'keystore' and 'truststore' set to content of keystore
* @throws Exception on error
*/
private static SSLContext createContext(final String keychain_setting) throws Exception

Check failure on line 70 in core/pva/src/main/java/org/epics/pva/common/SecureSockets.java
SonarQubeCloud / SonarCloud Code Analysis

Refactor this method to reduce its Cognitive Complexity from 35 to the 15 allowed.

See more on https://sonarcloud.io/project/issues?id=ControlSystemStudio_phoebus&issues=AZ2RmF_1d3dIY_xVwymx&open=AZ2RmF_1d3dIY_xVwymx&pullRequest=3779
{
final String path;
final char[] pass;
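Review bot: the SonarCloud cognitive-complexity finding on `createContext` (35 against the allowed 15) indicates the method is carrying too much per-alias logic; the key-entry handling, including the CA-chain promotion this PR adds further down, would be easier to read and to unit-test as a private helper, e.g. `addChainCAsAsTrusted(key_store, alias, keychain_x509_certificates)` (name is a suggestion), called from the alias loop.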
Expand Down Expand Up @@ -113,6 +113,29 @@
final String principal = x509.getSubjectX500Principal().toString();
logger.log(Level.FINE, "Keychain alias '" + alias + "' is X509 key and certificate for " + principal);
keychain_x509_certificates.put(principal, x509);

// Add CA certs from the key entry's chain as trusted entries.
// Java's TrustManagerFactory only trusts trustedCertEntry aliases,
// not the CA chain attached to a keyEntry.
// PVXS does the equivalent in extractCAs() (openssl.cpp).
final Certificate[] chain = key_store.getCertificateChain(alias);
if (chain != null)
{
for (int i = 1; i < chain.length; i++)
{
if (chain[i] instanceof X509Certificate ca_cert)

Check warning on line 126 in core/pva/src/main/java/org/epics/pva/common/SecureSockets.java
SonarQubeCloud / SonarCloud Code Analysis

Rename this local variable to match the regular expression '^[a-z][a-zA-Z0-9]*$'.

See more on https://sonarcloud.io/project/issues?id=ControlSystemStudio_phoebus&issues=AZ2RmF_1d3dIY_xVwymv&open=AZ2RmF_1d3dIY_xVwymv&pullRequest=3779
{
final String ca_alias = "ca-chain-" + alias + "-" + i;
if (! key_store.containsAlias(ca_alias))
{
key_store.setCertificateEntry(ca_alias, ca_cert);
final String ca_name = ca_cert.getSubjectX500Principal().toString();
logger.log(Level.FINE, "Added CA from chain as trusted: " + ca_name);

Check warning on line 133 in core/pva/src/main/java/org/epics/pva/common/SecureSockets.java
SonarQubeCloud / SonarCloud Code Analysis

Use the built-in formatting to construct this argument.

See more on https://sonarcloud.io/project/issues?id=ControlSystemStudio_phoebus&issues=AZ2RmF_1d3dIY_xVwymw&open=AZ2RmF_1d3dIY_xVwymw&pullRequest=3779

Check warning on line 133 in core/pva/src/main/java/org/epics/pva/common/SecureSockets.java
SonarQubeCloud / SonarCloud Code Analysis

Format specifiers or lambda should be used instead of string concatenation.

See more on https://sonarcloud.io/project/issues?id=ControlSystemStudio_phoebus&issues=AZ2RmF_1d3dIY_xVwymy&open=AZ2RmF_1d3dIY_xVwymy&pullRequest=3779
keychain_x509_certificates.put(ca_name, ca_cert);
}
}
}
}
}
// Could print 'key', but jdk.event.security logger already logs the cert at FINE level
// and logging the key would show the private key
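Review bot: two things to verify in the chain loop. First, `key_store.setCertificateEntry(ca_alias, ca_cert)` adds new aliases to the keystore while, judging by the surrounding code, the outer loop is still walking that keystore's aliases; if that loop enumerates `key_store.aliases()` directly, adding entries mid-enumeration can fail with some KeyStore implementations (PKCS12's enumeration is backed by the live entry map) or cause the loop to visit the freshly added `ca-chain-*` entries, so snapshot the alias list before the loop or collect the CA certs and add them after it. Second, every certificate at `chain[1..]` becomes a trust anchor, intermediates included, so a peer certificate issued by such an intermediate is accepted even when the root is absent from the truststore; if that is the intended behaviour (as the PVXS `extractCAs()` note suggests), state it in the comment, otherwise restrict the promotion to certificates with `ca_cert.getBasicConstraints() != -1` or to self-signed roots. Minor: both SonarCloud logging warnings on line 133 go away with `logger.log(Level.FINE, "Added CA from chain as trusted: {0}", ca_name);` (or a lambda supplier), and the `ca_cert` rename finding can be dismissed since snake_case matches the existing `keychain_x509_certificates` style in this file.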