RFR: JDK-8303465: KeyStore of type KeychainStore, provider Apple shows different behavior after 8278449
Weijun Wang
weijun at openjdk.org
Fri Mar 3 15:19:13 UTC 2023
On Thu, 2 Mar 2023 13:33:53 GMT, Matthias Baesken <mbaesken at openjdk.org> wrote:
> After 8278449, we seem to ignore in the call
>
> `if (SecTrustSettingsCopyTrustSettings(certRef, kSecTrustSettingsDomainUser, &trustSettings) == errSecItemNotFound)`
>
> all trusted certs from admin and system domains, so a lot more certs are ignored than necessary.
> Probably we should take at least the certs with trust settings from the kSecTrustSettingsDomainUser, kSecTrustSettingsDomainAdmin and kSecTrustSettingsDomainSystem domains.

Maybe it's only that the testing machines are too clean and simply do not have any trust settings. I tried `security dump-trust-settings -s` there and it shows all root CAs.
I've made a small change to the test and it will not fail when the exit value is not 0.
-------------
PR: https://git.openjdk.org/jdk/pull/12829