8247418: Only validate the certificates trust if using the default key user name

Reviewed-by: asemenyuk, almatvee
This commit is contained in:
Andy Herrick 2020-06-12 11:24:09 -04:00
parent 19c5bfe42f
commit 4bc69f4255

@ -84,16 +84,21 @@ public class SigningCheck {
}
private static void validateCertificateTrust(String name) {
List<String> result = new Executor()
.setExecutable("security")
.addArguments("dump-trust-settings")
.executeWithoutExitCodeCheckAndGetOutput();
result.stream().forEachOrdered(TKit::trace);
TKit.assertTextStream(name)
.predicate((line, what) -> line.trim().endsWith(what))
.orElseThrow(() -> TKit.throwSkippedException(
"Certifcate not trusted by current user: " + name))
.apply(result.stream());
// Certificates using the default user name must be trusted by user.
// User supplied certs whose trust is set to "Use System Defaults"
// will not be listed as trusted by dump-trust-settings
if (SigningBase.DEV_NAME.equals("jpackage.openjdk.java.net")) {
List<String> result = new Executor()
.setExecutable("security")
.addArguments("dump-trust-settings")
.executeWithoutExitCodeCheckAndGetOutput();
result.stream().forEachOrdered(TKit::trace);
TKit.assertTextStream(name)
.predicate((line, what) -> line.trim().endsWith(what))
.orElseThrow(() -> TKit.throwSkippedException(
"Certifcate not trusted by current user: " + name))
.apply(result.stream());
}
}
}