From da3c5e901f61353f6f7fa9272056d0ad0fedc4ff Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Thu, 26 Feb 2026 15:15:48 +0100 Subject: [PATCH 1/6] fixes #4156 for Windows fallback on JDK shipped cacert file if well-known CA are not present --- .../SSLContextDifferentTrustStoreBase.java | 11 +++++- .../SSLContextWithWindowsCertStore.java | 37 +++++++++++++++++-- 2 files changed, 44 insertions(+), 4 deletions(-) diff --git a/src/main/java/org/cryptomator/networking/SSLContextDifferentTrustStoreBase.java b/src/main/java/org/cryptomator/networking/SSLContextDifferentTrustStoreBase.java index 87e1b82ef..5da47597a 100644 --- a/src/main/java/org/cryptomator/networking/SSLContextDifferentTrustStoreBase.java +++ b/src/main/java/org/cryptomator/networking/SSLContextDifferentTrustStoreBase.java @@ -18,7 +18,7 @@ abstract class SSLContextDifferentTrustStoreBase implements SSLContextProvider { public SSLContext getContext(SecureRandom csprng) throws SSLContextBuildException { try { KeyStore truststore = getTruststore(); - truststore.load(null, null); + ensureLoaded(truststore); TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); tmf.init(truststore); @@ -30,4 +30,13 @@ abstract class SSLContextDifferentTrustStoreBase implements SSLContextProvider { throw new SSLContextBuildException(e); } } + + static void ensureLoaded(KeyStore truststore) throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException { + try { + truststore.aliases(); + } catch (KeyStoreException e) { + // Not initialized yet (e.g. custom KeyStore SPI); initialize without replacing preloaded stores. + truststore.load(null, null); + } + } } diff --git a/src/main/java/org/cryptomator/networking/SSLContextWithWindowsCertStore.java b/src/main/java/org/cryptomator/networking/SSLContextWithWindowsCertStore.java index 0f1ea04b5..1db06e5b1 100644 --- a/src/main/java/org/cryptomator/networking/SSLContextWithWindowsCertStore.java +++ b/src/main/java/org/cryptomator/networking/SSLContextWithWindowsCertStore.java @@ -2,20 +2,51 @@ package org.cryptomator.networking; import org.cryptomator.integrations.common.OperatingSystem; +import java.io.IOException; +import java.nio.file.Files; +import java.nio.file.NoSuchFileException; +import java.nio.file.Path; import java.security.KeyStore; import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.Provider; +import java.security.cert.CertificateException; +import java.util.List; /** - * SSLContextProvider for Windows using the Windows certificate store as trust store + * SSLContextProvider for Windows using the Windows certificate store as trust store and the bundled JDK cacerts as fallback *

* In order to work, the jdk.crypto.mscapi jmod is needed */ @OperatingSystem(OperatingSystem.Value.WINDOWS) public class SSLContextWithWindowsCertStore extends SSLContextDifferentTrustStoreBase implements SSLContextProvider { + private static final String DEFAULT_TRUSTSTORE_PASSWORD = ""; + @Override - KeyStore getTruststore() throws KeyStoreException { - return KeyStore.getInstance("WINDOWS-ROOT"); + KeyStore getTruststore() throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException { + var windowsKeyStore = KeyStore.getInstance("WINDOWS-ROOT"); + var jdkKeyStore = getShippedCaCertsStore(); + ensureLoaded(windowsKeyStore); + ensureLoaded(jdkKeyStore); + try { + CombinedKeyStoreSpi spi = CombinedKeyStoreSpi.create(windowsKeyStore, jdkKeyStore); + Provider dummyProvider = new Provider("CombinedKeyStoreProvider", "1.0", "Provides a combined, read-only KeyStore") {}; + return new KeyStore(spi, dummyProvider, "CombinedKeyStoreProvider") {}; + } catch (IllegalArgumentException e) { + throw new KeyStoreException(e); + } + } + + KeyStore getShippedCaCertsStore() throws CertificateException, KeyStoreException, IOException, NoSuchAlgorithmException { + var javaHome = Path.of(System.getProperty("java.home")); + var trustStorePassword = System.getProperty("javax.net.ssl.trustStorePassword", DEFAULT_TRUSTSTORE_PASSWORD).toCharArray(); + for (var candidate : List.of(javaHome.resolve("lib/security/cacerts"), javaHome.resolve("conf/security/cacerts"))) { + if (Files.isRegularFile(candidate)) { + return KeyStore.getInstance(candidate.toFile(), trustStorePassword); + } + } + throw new NoSuchFileException("Could not locate cacerts below java.home: " + javaHome); } } From f884861373af0ba1d331b6dc3ffae8f46006bf23 Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Thu, 26 Feb 2026 15:48:35 +0100 Subject: [PATCH 2/6] skip fallback if failing to load --- .../SSLContextWithWindowsCertStore.java | 24 ++++++++++++++----- 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/src/main/java/org/cryptomator/networking/SSLContextWithWindowsCertStore.java b/src/main/java/org/cryptomator/networking/SSLContextWithWindowsCertStore.java index 1db06e5b1..5a179e56e 100644 --- a/src/main/java/org/cryptomator/networking/SSLContextWithWindowsCertStore.java +++ b/src/main/java/org/cryptomator/networking/SSLContextWithWindowsCertStore.java @@ -1,10 +1,12 @@ package org.cryptomator.networking; +import org.cryptomator.common.Nullable; import org.cryptomator.integrations.common.OperatingSystem; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; import java.io.IOException; import java.nio.file.Files; -import java.nio.file.NoSuchFileException; import java.nio.file.Path; import java.security.KeyStore; import java.security.KeyStoreException; @@ -21,12 +23,17 @@ import java.util.List; @OperatingSystem(OperatingSystem.Value.WINDOWS) public class SSLContextWithWindowsCertStore extends SSLContextDifferentTrustStoreBase implements SSLContextProvider { - private static final String DEFAULT_TRUSTSTORE_PASSWORD = ""; + private static final Logger LOG = LoggerFactory.getLogger(SSLContextWithWindowsCertStore.class); + private static final String DEFAULT_TRUSTSTORE_PASSWORD = "changeit"; //default JDK cacerts password @Override KeyStore getTruststore() throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException { var windowsKeyStore = KeyStore.getInstance("WINDOWS-ROOT"); var jdkKeyStore = getShippedCaCertsStore(); + if (jdkKeyStore == null) { + return windowsKeyStore; + } + ensureLoaded(windowsKeyStore); ensureLoaded(jdkKeyStore); try { @@ -38,15 +45,20 @@ public class SSLContextWithWindowsCertStore extends SSLContextDifferentTrustStor } } - KeyStore getShippedCaCertsStore() throws CertificateException, KeyStoreException, IOException, NoSuchAlgorithmException { + @Nullable + KeyStore getShippedCaCertsStore() { var javaHome = Path.of(System.getProperty("java.home")); var trustStorePassword = System.getProperty("javax.net.ssl.trustStorePassword", DEFAULT_TRUSTSTORE_PASSWORD).toCharArray(); for (var candidate : List.of(javaHome.resolve("lib/security/cacerts"), javaHome.resolve("conf/security/cacerts"))) { - if (Files.isRegularFile(candidate)) { - return KeyStore.getInstance(candidate.toFile(), trustStorePassword); + try { + if (Files.isRegularFile(candidate)) { + return KeyStore.getInstance(candidate.toFile(), trustStorePassword); + } + } catch (CertificateException | KeyStoreException | IOException | NoSuchAlgorithmException e) { + LOG.info("Unable to load fallback cacerts {} file. Skipping fallback.", candidate, e); } } - throw new NoSuchFileException("Could not locate cacerts below java.home: " + javaHome); + return null; } } From 792734b48659f0de79b8e81b44670c40d7cca062 Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Thu, 26 Feb 2026 16:20:34 +0100 Subject: [PATCH 3/6] add unit tests --- .../SSLContextWithWindowsCertStore.java | 13 ++- .../SSLContextWithWindowsCertStoreTest.java | 97 +++++++++++++++++++ 2 files changed, 108 insertions(+), 2 deletions(-) create mode 100644 src/test/java/org/cryptomator/networking/SSLContextWithWindowsCertStoreTest.java diff --git a/src/main/java/org/cryptomator/networking/SSLContextWithWindowsCertStore.java b/src/main/java/org/cryptomator/networking/SSLContextWithWindowsCertStore.java index 5a179e56e..83815b611 100644 --- a/src/main/java/org/cryptomator/networking/SSLContextWithWindowsCertStore.java +++ b/src/main/java/org/cryptomator/networking/SSLContextWithWindowsCertStore.java @@ -2,6 +2,7 @@ package org.cryptomator.networking; import org.cryptomator.common.Nullable; import org.cryptomator.integrations.common.OperatingSystem; +import org.jetbrains.annotations.VisibleForTesting; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -14,6 +15,7 @@ import java.security.NoSuchAlgorithmException; import java.security.Provider; import java.security.cert.CertificateException; import java.util.List; +import java.util.Properties; /** * SSLContextProvider for Windows using the Windows certificate store as trust store and the bundled JDK cacerts as fallback @@ -47,8 +49,15 @@ public class SSLContextWithWindowsCertStore extends SSLContextDifferentTrustStor @Nullable KeyStore getShippedCaCertsStore() { - var javaHome = Path.of(System.getProperty("java.home")); - var trustStorePassword = System.getProperty("javax.net.ssl.trustStorePassword", DEFAULT_TRUSTSTORE_PASSWORD).toCharArray(); + return getCaCertsStoreByProperties(System.getProperties()); + } + + //for testability + @VisibleForTesting + @Nullable + KeyStore getCaCertsStoreByProperties(Properties props) { + var javaHome = Path.of(props.getProperty("java.home")); + var trustStorePassword = props.getProperty("javax.net.ssl.trustStorePassword", DEFAULT_TRUSTSTORE_PASSWORD).toCharArray(); for (var candidate : List.of(javaHome.resolve("lib/security/cacerts"), javaHome.resolve("conf/security/cacerts"))) { try { if (Files.isRegularFile(candidate)) { diff --git a/src/test/java/org/cryptomator/networking/SSLContextWithWindowsCertStoreTest.java b/src/test/java/org/cryptomator/networking/SSLContextWithWindowsCertStoreTest.java new file mode 100644 index 000000000..dca3c3ced --- /dev/null +++ b/src/test/java/org/cryptomator/networking/SSLContextWithWindowsCertStoreTest.java @@ -0,0 +1,97 @@ +package org.cryptomator.networking; + +import org.junit.jupiter.api.Assertions; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.io.TempDir; + +import java.io.IOException; +import java.nio.file.Files; +import java.nio.file.Path; +import java.security.KeyStore; +import java.security.NoSuchAlgorithmException; +import java.security.cert.CertificateException; +import java.util.Properties; + +public class SSLContextWithWindowsCertStoreTest { + + private static final String JAVA_HOME_PROP = "java.home"; + private static final String TRUSTSTORE_PASSWORD_PROP = "javax.net.ssl.trustStorePassword"; + + @TempDir + Path tmpDir; + + @Test + public void testGetCaCertsStoreByPropertiesReturnsNullIfNoCandidateExists() { + var props = propsFor(tmpDir, null); + + var inTest = new SSLContextWithWindowsCertStore(); + + Assertions.assertNull(inTest.getCaCertsStoreByProperties(props)); + } + + @Test + public void testGetCaCertsStoreByPropertiesLoadsLibSecurityCacertsByDefault() throws Exception { + var cacerts = tmpDir.resolve("lib/security/cacerts"); + writePkcs12Keystore(cacerts, "changeit".toCharArray()); + var props = propsFor(tmpDir, null); + + var inTest = new SSLContextWithWindowsCertStore(); + + Assertions.assertNotNull(inTest.getCaCertsStoreByProperties(props)); + } + + @Test + public void testGetCaCertsStoreByPropertiesTriesSecondCandidateAfterFirstFails() throws Exception { + var invalidLibCacerts = tmpDir.resolve("lib/security/cacerts"); + Files.createDirectories(invalidLibCacerts.getParent()); + Files.writeString(invalidLibCacerts, "not a keystore"); + var confCacerts = tmpDir.resolve("conf/security/cacerts"); + writePkcs12Keystore(confCacerts, "changeit".toCharArray()); + var props = propsFor(tmpDir, null); + + var inTest = new SSLContextWithWindowsCertStore(); + + Assertions.assertNotNull(inTest.getCaCertsStoreByProperties(props)); + } + + @Test + public void testGetCaCertsStoreByPropertiesReturnsNullOnWrongPassword() throws Exception { + var cacerts = tmpDir.resolve("lib/security/cacerts"); + writePkcs12Keystore(cacerts, "changeit".toCharArray()); + var props = propsFor(tmpDir, "wrong-password"); + + var inTest = new SSLContextWithWindowsCertStore(); + + Assertions.assertNull(inTest.getCaCertsStoreByProperties(props)); + } + + @Test + public void testGetCaCertsStoreByPropertiesUsesCustomPasswordProperty() throws Exception { + var cacerts = tmpDir.resolve("lib/security/cacerts"); + writePkcs12Keystore(cacerts, "custom-password".toCharArray()); + var props = propsFor(tmpDir, "custom-password"); + + var inTest = new SSLContextWithWindowsCertStore(); + + Assertions.assertNotNull(inTest.getCaCertsStoreByProperties(props)); + } + + private static void writePkcs12Keystore(Path target, char[] password) throws CertificateException, IOException, NoSuchAlgorithmException, java.security.KeyStoreException { + Files.createDirectories(target.getParent()); + var keystore = KeyStore.getInstance("PKCS12"); + keystore.load(null, null); + try (var out = Files.newOutputStream(target)) { + keystore.store(out, password); + } + } + + private static Properties propsFor(Path javaHome, String truststorePassword) { + var props = new Properties(); + props.setProperty(JAVA_HOME_PROP, javaHome.toString()); + if (truststorePassword != null) { + props.setProperty(TRUSTSTORE_PASSWORD_PROP, truststorePassword); + } + return props; + } + +} From 4d62f2303dc15959f68229c08b1779d90feb7df9 Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Thu, 26 Feb 2026 16:27:57 +0100 Subject: [PATCH 4/6] prepare version 1.18.1 --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index d93a96cc2..fddfd38c8 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ 4.0.0 org.cryptomator cryptomator - 1.18.0 + 1.18.1 Cryptomator Desktop App From d6010889482423fef74feb0b071d089a5ef46869 Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Thu, 26 Feb 2026 16:44:50 +0100 Subject: [PATCH 5/6] [skip metadata check] update workflow for hotfix --- .github/workflows/release-check.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release-check.yml b/.github/workflows/release-check.yml index e1739326e..4d36fa70d 100644 --- a/.github/workflows/release-check.yml +++ b/.github/workflows/release-check.yml @@ -43,6 +43,7 @@ jobs: exit 1 fi - name: Validate release in org.cryptomator.Cryptomator.metainfo.xml file + if: ${{ ! contains(github.event.commits.message, '[skip metadata check]') }} run: | if ! grep -q "" dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml; then echo "Release not set in dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml" From 50f6a8778893beb465d730a1fe9578e9e879ce13 Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Thu, 26 Feb 2026 16:49:29 +0100 Subject: [PATCH 6/6] [skip metadata check] fix release check workflow --- .github/workflows/release-check.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-check.yml b/.github/workflows/release-check.yml index 4d36fa70d..e2bfdb8ea 100644 --- a/.github/workflows/release-check.yml +++ b/.github/workflows/release-check.yml @@ -43,7 +43,7 @@ jobs: exit 1 fi - name: Validate release in org.cryptomator.Cryptomator.metainfo.xml file - if: ${{ ! contains(github.event.commits.message, '[skip metadata check]') }} + if: ${{ ! (contains(github.event.head_commit.message, '[skip metadata check]') || contains(github.event.head_commit.message, '[metadata check skip]')) }} run: | if ! grep -q "" dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml; then echo "Release not set in dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml"