Re: Remove an "Always Trust" permission from OpenJDK/IcedTea Plugin
I don't think I've been much help.
> Hi,
>
> On Friday, 22.04.2011, at 21:19 +0900, Joel Rees wrote:
>> You say options, does that mean you did or did not find the browser
>> certificate store dialog?
>
> I did find it, but the trusted certificate was not in the list. I think
> it is being added at another place. But I was unable to locate it.
>
>> > Therefore I think that the certificate is marked trusted by OpenJDK.
>> > But I'm unable to find the default keystore.
>>
>> Have you tried installing the openJDK Policy Tool (GUI) and/or
>> Monitoring and Management Console (JConsole)?
>
> Yes, but it did not help me to find the certificate store location.
That's awkward.
>> > It should be possible to add and remove trusted certificates with the
>> > keytool command, but I have to specify the keystore.
>> >
>> > Any idea where OpenJDK might have its default keystore?
>> > Or am I looking the wrong way at that problem?
>>
>> I think the policy tool can tell you what it's using. Then again, I
>> think the command line policy tool should use the default if it's going
>> to use the default.
>
> I also thought so, but it requires you to specify a key store location.
> This differs to what I found in the documentation of the Oracle keytool.
hmmm
> | Keystore Location
> |
> | Each keytool command has a -keystore option for specifying the name
> | and location of the persistent keystore file for the keystore managed
> | by keytool. The keystore is by default stored in a file
> | named .keystore in the user's home directory, as determined by the
> | "user.home" system property. Given user name uName, the "user.home"
> | property value defaults to
> |
> | C:\Winnt\Profiles\uName on multi-user Windows NT systems
> | C:\Windows\Profiles\uName on multi-user Windows 95 systems
> | C:\Windows on single-user Windows 95 systems
> |
> | Thus, if the user name is "cathy", "user.home" defaults to
> |
> | C:\Winnt\Profiles\cathy on multi-user Windows NT systems
> | C:\Windows\Profiles\cathy on multi-user Windows 95 systems
Well, that's a nice MSWindows-specific bit of help. :-(
> Source:
> http://download.oracle.com/javase/1.4.2/docs/tooldocs/windows/keytool.html
Yeah, MSWindows-specific. I wonder if there is a similar page for
Linux. (Oracle isn't very helpful for free.)
> I do not have a .keystore file though. Using `find . -name *keystore*`
> will only give me gnome keyring's keystore, which does not hold the
> certificate either.
I'm thinking they've hidden all that stuff in a database sort of file.
In the .mozilla directory. Except that would be what the browser shows
you when you check the browser's certificate list.
> Just gave it a try and switched to Oracle's JRE. That one asked me again
> if I want to trust the certificate. Seems that OpenJDK and SUN/Oracle
> JRE do not share the same keystore. Unless it got purged during the
> uninstall.
Gone with the purge is a possibility.
> But still I'm not sure how to undo an "Always Trust" option with Oracle's
> JRE or OpenJDK. Probably these options are not meant to be undone :-)
Well, yeah, TBH, the general approach is to revoke the certificate,
rather than remove it. That puts an entry in the revocation list and
prevents a bad certificate from being accepted blindly again.
Again, sorry I'm not much help.
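
An added example, not part of the original thread: since searching by file name turned up nothing, this sketch looks for Java keystores by file signature instead. It assumes the store is in JKS (leading bytes FE ED FE ED) or JCEKS (CE CE CE CE) format; PKCS#12 stores are not detected, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: locate Java keystores by content, not by name.
# JKS files begin with bytes FE ED FE ED, JCEKS files with CE CE CE CE.

# Print the keystore type of file "$1" (JKS or JCEKS).
# Returns 1 if the file is unreadable or is neither format.
keystore_type() {
    magic=$(head -c 4 -- "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        feedfeed) echo JKS ;;
        cececece) echo JCEKS ;;
        *) return 1 ;;
    esac
}

# Walk directory "$1" (default: $HOME) and print "TYPE<TAB>path" for
# every regular file under 1 MiB that carries a keystore signature.
# Hidden directories are included; other file systems are skipped.
# Limitation: paths containing newlines are not handled.
find_keystores() {
    find "${1:-$HOME}" -xdev -type f -size -1024k 2>/dev/null |
    while IFS= read -r f; do
        if t=$(keystore_type "$f"); then
            printf '%s\t%s\n' "$t" "$f"
        fi
    done
}
```

Run `find_keystores "$HOME"` and pass each reported path to `keytool -list -keystore <path>` to see which certificates it holds.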