fixes #4156

for Windows fallback on JDK shipped cacert file if well-known CA are not present

src/main/java/org/cryptomator/networking/SSLContextDifferentTrustStoreBase.java

@@ -18,7 +18,7 @@ abstract class SSLContextDifferentTrustStoreBase implements SSLContextProvider {
 	public SSLContext getContext(SecureRandom csprng) throws SSLContextBuildException {
 		try {
 			KeyStore truststore = getTruststore();
-			truststore.load(null, null);
+			ensureLoaded(truststore);
 
 			TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
 			tmf.init(truststore);
@@ -30,4 +30,13 @@ abstract class SSLContextDifferentTrustStoreBase implements SSLContextProvider {
 			throw new SSLContextBuildException(e);
 		}
 	}
+
+	static void ensureLoaded(KeyStore truststore) throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException {
+		try {
+			truststore.aliases();
+		} catch (KeyStoreException e) {
+			// Not initialized yet (e.g. custom KeyStore SPI); initialize without replacing preloaded stores.
+			truststore.load(null, null);
+		}
+	}
 }

src/main/java/org/cryptomator/networking/SSLContextWithWindowsCertStore.java

@@ -2,20 +2,51 @@ package org.cryptomator.networking;
 
 import org.cryptomator.integrations.common.OperatingSystem;
 
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.NoSuchFileException;
+import java.nio.file.Path;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.Provider;
+import java.security.cert.CertificateException;
+import java.util.List;
 
 /**
- * SSLContextProvider for Windows using the Windows certificate store as trust store
+ * SSLContextProvider for Windows using the Windows certificate store as trust store and the bundled JDK cacerts as fallback
  * <p>
  * In order to work, the jdk.crypto.mscapi jmod is needed
  */
 @OperatingSystem(OperatingSystem.Value.WINDOWS)
 public class SSLContextWithWindowsCertStore extends SSLContextDifferentTrustStoreBase implements SSLContextProvider {
 
+	private static final String DEFAULT_TRUSTSTORE_PASSWORD = "";
+
 	@Override
-	KeyStore getTruststore() throws KeyStoreException {
-		return KeyStore.getInstance("WINDOWS-ROOT");
+	KeyStore getTruststore() throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException {
+		var windowsKeyStore = KeyStore.getInstance("WINDOWS-ROOT");
+		var jdkKeyStore = getShippedCaCertsStore();
+		ensureLoaded(windowsKeyStore);
+		ensureLoaded(jdkKeyStore);
+		try {
+			CombinedKeyStoreSpi spi = CombinedKeyStoreSpi.create(windowsKeyStore, jdkKeyStore);
+			Provider dummyProvider = new Provider("CombinedKeyStoreProvider", "1.0", "Provides a combined, read-only KeyStore") {};
+			return new KeyStore(spi, dummyProvider, "CombinedKeyStoreProvider") {};
+		} catch (IllegalArgumentException e) {
+			throw new KeyStoreException(e);
+		}
+	}
+
+	KeyStore getShippedCaCertsStore() throws CertificateException, KeyStoreException, IOException, NoSuchAlgorithmException {
+		var javaHome = Path.of(System.getProperty("java.home"));
+		var trustStorePassword = System.getProperty("javax.net.ssl.trustStorePassword", DEFAULT_TRUSTSTORE_PASSWORD).toCharArray();
+		for (var candidate : List.of(javaHome.resolve("lib/security/cacerts"), javaHome.resolve("conf/security/cacerts"))) {
+			if (Files.isRegularFile(candidate)) {
+				return KeyStore.getInstance(candidate.toFile(), trustStorePassword);
+			}
+		}
+		throw new NoSuchFileException("Could not locate cacerts below java.home: " + javaHome);
 	}
 
 }