nabla-c0d3 / trust_stores_observatory

Continuously monitor and record the content of the major platforms' root certificate stores.
MIT License

Replace ORACLE_JAVA with OPENJDK #31

Closed msuliq closed 3 months ago

msuliq commented 3 months ago

Hi, by default the library is using the oracle_java trust store, but openjdk is also present in the trust store files. Considering that there are differences between the two trust stores, is there a way to configure sslyze to use the openjdk trust store instead of oracle_java? Or should this be done with a monkey patch? There is nothing about this in the documentation and I have not found any other similar issue on the internet. Thank you

nabla-c0d3 commented 3 months ago

Hi, you can use the --certinfo_ca_file <trust_store.pem> option when running SSLyze to pass it any trust store that you want.

msuliq commented 3 months ago

@nabla-c0d3 I have tried running it with the optional flag --certinfo_ca_file, but the response is still against oracle_java. I ran:

    sslyze --certinfo cloudpkis.com --certinfo_ca_file /Users/msuliq/SSL/sslyze/sslyze/plugins/certificate_info/trust_stores/pem_files/openjdk.pem

and the output for trust stores is

       Android CA Store (14.0.0_r9):      OK - Certificate is trusted
       Apple CA Store (iOS 17, iPadOS 17, macOS 14, tvOS 17, and watchOS 10):OK - Certificate is trusted
       Java CA Store (jdk-13.0.2):        FAILED - Certificate is NOT Trusted: validation failed: CandidatesExhausted(Other("chain construction exceeds max depth"))
       Mozilla CA Store (2024-02-04):     OK - Certificate is trusted
       Supplied CA file CA Store (N/A):   OK - Certificate is trusted
       Windows CA Store (2023-12-11):     OK - Certificate is trusted

If I manually edit sslyze/plugins/certificate_info/trust_stores/trust_store_repository.py and replace the trust store, then the response correctly shows trusted by openjdk.

nabla-c0d3 commented 3 months ago

The result of the validation using the supplied --certinfo_ca_file is available in the Supplied CA file CA Store entry in the output.

msuliq commented 3 months ago

Ok, but this is not what my initial issue was about. I was wondering if there is any config option to use openjdk instead of oracle_java, so that in the output the line Java CA Store will be referring to the openjdk trust store.

nabla-c0d3 commented 3 months ago

No, there isn't.
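The thread turns on the fact that the oracle_java and openjdk bundles differ, which is exactly the kind of drift this repository records. The script below is an added example, not code from SSLyze or trust_stores_observatory: it parses two PEM bundles in the concatenated-CERTIFICATE-block layout used in the pem_files directory and reports which roots appear in only one of them, keyed by SHA-256 fingerprint of the DER encoding. The two sample stores are constructed from placeholder byte strings (they are not real certificates), and the file paths in `diff_pem_files` are assumptions the reader substitutes with their own.

```python
import base64
import hashlib
import re
from pathlib import Path

# One PEM certificate block, delimiters included; DOTALL lets the body span lines.
# Text outside the delimiters (the comment headers Java keytool exports emit) is ignored.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint (lowercase hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def pem_fingerprints(pem_text: str) -> set[str]:
    """Fingerprint every certificate block in a PEM bundle; duplicates collapse."""
    fps: set[str] = set()
    for body in PEM_CERT_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fps.add(fingerprint(der))
    return fps


def diff_trust_stores(store_a: str, store_b: str) -> dict[str, list[str]]:
    """Compare two PEM bundles and return the fingerprints unique to each and shared."""
    a, b = pem_fingerprints(store_a), pem_fingerprints(store_b)
    return {
        "only_in_a": sorted(a - b),
        "only_in_b": sorted(b - a),
        "common": sorted(a & b),
    }


def diff_pem_files(path_a: str, path_b: str) -> dict[str, list[str]]:
    """Same comparison, reading the bundles from disk (paths are the caller's)."""
    return diff_trust_stores(Path(path_a).read_text(), Path(path_b).read_text())


def _fake_pem(payload: bytes) -> str:
    """Wrap constructed bytes in PEM delimiters. Placeholder only, not a certificate."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i : i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample stores: root A is shared, B is only in the first, C only in the second.
STORE_ORACLE = _fake_pem(b"constructed-root-A") + _fake_pem(b"constructed-root-B")
STORE_OPENJDK = (
    "# constructed header line, as keytool-style exports carry\n"
    + _fake_pem(b"constructed-root-A")
    + _fake_pem(b"constructed-root-C")
    + _fake_pem(b"constructed-root-C")  # duplicate block, should count once
)


if __name__ == "__main__":
    result = diff_trust_stores(STORE_ORACLE, STORE_OPENJDK)
    for key, fps in result.items():
        print(f"{key}: {len(fps)}")
        for fp in fps:
            print(f"  {fp}")
```

Fingerprints alone tell you that the two bundles disagree; mapping a fingerprint back to a subject name needs an X.509 parser such as the cryptography package, which this stdlib-only example deliberately leaves out. Run against the real oracle_java.pem and openjdk.pem, the "only_in_a" and "only_in_b" lists are the roots for which the Java CA Store verdict can change depending on which store SSLyze is pointed at.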