From 24ca1206b3ba1d5dfdbab2e1042108b6543a4283 Mon Sep 17 00:00:00 2001
From: Alexey Bakhtin
Date: Fri, 23 Feb 2024 15:03:25 -0800
Subject: [PATCH] Load root certificates from SystemRootCertificates.keychain
---
 .../native/libosxsecurity/KeystoreImpl.m | 35 +++++++++++++++++--
 1 file changed, 33 insertions(+), 2 deletions(-)
diff --git a/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m b/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m
index 86ed4d7a5c920..cca343650da16 100644
--- a/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m
+++ b/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m
@@ -515,10 +515,32 @@ static void addCertificatesToKeystoreRoot(JNIEnv *env, jobject keyStore,
 jclass jc_arrayListClass, jmethodID jm_arrayListCons, jmethodID jm_listAdd) {
+ SecKeychainRef keychain = NULL;
+ CFMutableArrayRef keychainList = NULL;
+ CFDictionaryRef search = NULL;
 CFArrayRef currAnchors = NULL;
- // Read Trust Anchors
- if (SecTrustCopyAnchorCertificates(&currAnchors) == errSecSuccess) {
+ // Load predefined root certificates from SystemRootCertificates keychain
+ // SecTrustCopyAnchorCertificates includes extra root certificates and can not be used here
+ if( SecKeychainOpen("/System/Library/Keychains/SystemRootCertificates.keychain", &keychain) != errSecSuccess ) {
+ return;
+ }
+
+ keychainList = CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks);
+ if (keychainList == NULL) {
+ goto errOut;
+ }
+ CFArrayAppendValue(keychainList, keychain);
+
+ CFTypeRef searchKeys[] = { kSecClass, kSecMatchLimit, kSecReturnRef, kSecMatchSearchList };
+ CFTypeRef searchValues[] = { kSecClassCertificate, kSecMatchLimitAll, kCFBooleanTrue, keychainList };
+ search = CFDictionaryCreate(kCFAllocatorDefault,
+ searchKeys, searchValues, 4, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+ if (search == NULL) {
+ goto errOut;
+ }
+
+ if( SecItemCopyMatching( search, (CFTypeRef *)&currAnchors ) == errSecSuccess ){
 CFIndex nAnchors = CFArrayGetCount(currAnchors);
 for (CFIndex i = 0; i < nAnchors; i++) {
@@ -561,6 +583,15 @@ static void addCertificatesToKeystoreRoot(JNIEnv *env, jobject keyStore,
 if (currAnchors != NULL) {
 CFRelease(currAnchors);
 }
+ if (search != NULL) {
+ CFRelease(search);
+ }
+ if (keychainList != NULL) {
+ CFRelease(keychainList);
+ }
+ if (keychain != NULL) {
+ CFRelease(keychain);
+ }
 }
 /*
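Review bot: In the first hunk, a successful `SecKeychainOpen` does not by itself establish that the keychain file at the hard-coded path exists and is readable — if I read the SecKeychain header correctly, a reference may be returned for a keychain that does not currently exist — so a missing or unreadable SystemRootCertificates.keychain would only surface as a failed `SecItemCopyMatching`, whose status the new code ignores just as the old code ignored a failed SecTrustCopyAnchorCertificates, leaving the root key store silently empty. Consider checking the `SecItemCopyMatching` result and at least recording the failure (the file's error-reporting convention is not visible in this hunk), and documenting the new contract with a comment such as `// On any failure the root key store is left empty; there is no fallback to SecTrustCopyAnchorCertificates`. The `goto errOut` targets a label that is not visible in either hunk; the releases added in the second hunk suggest it sits just before them, which would make the cleanup cover all three new references, but that should be confirmed against the full function. Minor style: `if( SecKeychainOpen(...) )` and `if( SecItemCopyMatching( ... ) ){` depart from the `if (` spacing used on the neighbouring lines, and the literal `4` passed to `CFDictionaryCreate` could be `sizeof(searchKeys) / sizeof(searchKeys[0])` so the key and value arrays cannot drift from the count. addCertificatesToKeystoreRoot's body continues between and after the hunks.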