RFR: JDK-8303465: KeyStore of type KeychainStore, provider Apple shows different behavior after 8278449
Matthias Baesken
mbaesken at openjdk.org
Fri Apr 14 06:48:34 UTC 2023
On Thu, 2 Mar 2023 13:33:53 GMT, Matthias Baesken <mbaesken at openjdk.org> wrote:
> After 8278449, we seem to ignore in the call
>
> ` if (SecTrustSettingsCopyTrustSettings(certRef, kSecTrustSettingsDomainUser, &trustSettings) == errSecItemNotFound) `
>
> all trusted certs from admin and system domains, so a lot more certs are ignored than necessary.
> Probably we should take at least the certs with trust settings from kSecTrustSettingsDomainUser, kSecTrustSettingsDomainAdmin and kSecTrustSettingsDomainSystem domains .
Hi Weijun, here I found an example from Apple OpenSource
https://opensource.apple.com/source/Security/Security-59754.80.3/OSX/libsecurity_keychain/lib/SecTrustSettings.cpp.auto.html
and
https://opensource.apple.com/source/Security/Security-57740.51.3/trust/SecTrustSettingsPriv.h.auto.html
they have there a " wrapper around SecTrustSettingsCopyCertificates that combines user and admin domain outputs."
(SecTrustSettingsCopyCertificatesForUserAdminDomains). Seems at least those 2 domains need to be considered.
That#s what I found also in some other projects (e.g. Go).
-------------
PR Comment: https://git.openjdk.org/jdk/pull/12829#issuecomment-1508008557
More information about the security-dev
mailing list