RFR: 8303465: KeyStore of type KeychainStore, provider Apple does not show all trusted certificates

Matthias Baesken mbaesken at openjdk.org
Wed May 17 07:39:45 UTC 2023

On Wed, 17 May 2023 07:14:06 GMT, Christoph Langer <clanger at openjdk.org> wrote:

> > Hi Christoph, I do not see any reference to kSecTrustSettingsDomainSystem in your coding. Handling at least kSecTrustSettingsDomainUser and kSecTrustSettingsDomainAdmin is good, but I am not sure about kSecTrustSettingsDomainSystem. Did you find some documentation why it should be omitted?
> Hi Matthias, yes, I think it is not nicely documented. I've seen in testing that kSecTrustSettingsDomainSystem merely holds information for trusted root CAs. So in theory, we could add this. However, other code in that area that we've found out in the wild doesn't do it either. Let's see what others think about this.

Yes, this seems to be the case. Could you maybe add a one-liner comment to libosxsecurity/KeystoreImpl.m (near the user and admin domain handling) summarizing what you said? And I still prefer checking the return values of the calls to SecTrustSettingsCopyTrustSettings.


PR Comment: https://git.openjdk.org/jdk/pull/13945#issuecomment-1550901380
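The check Matthias asks for, written out as an added example that is not code from the PR or from the JDK: walk the user and admin trust-settings domains, verify the OSStatus of both SecTrustSettingsCopyCertificates and SecTrustSettingsCopyTrustSettings, and skip kSecTrustSettingsDomainSystem as the thread discusses. The reduction of a certificate's usage constraints to "trusted root or not" in isTrustedRoot is my own simplification, not the JDK's logic.

```objective-c
// Added example, not the OpenJDK PR's code: list certificates carrying explicit
// trust settings in the user and admin domains, checking every OSStatus.
#import <Security/Security.h>
#import <CoreFoundation/CoreFoundation.h>
#include <stdio.h>
// Reduces one certificate's trust-settings array to "trusted root or not".
// Simplification (my assumption): a Deny in any usage constraint wins; otherwise
// an empty array or any TrustRoot/TrustAsRoot entry counts as trusted.
static Boolean isTrustedRoot(CFArrayRef settings) {
    CFIndex n = CFArrayGetCount(settings);
    if (n == 0) return 1;  // documented meaning of an empty array: trust as root
    Boolean trusted = 0;
    for (CFIndex j = 0; j < n; j++) {
        CFDictionaryRef d = CFArrayGetValueAtIndex(settings, j);
        SInt32 result = kSecTrustSettingsResultTrustRoot;  // default when key is absent
        CFNumberRef num = CFDictionaryGetValue(d, kSecTrustSettingsResult);
        if (num) CFNumberGetValue(num, kCFNumberSInt32Type, &result);
        if (result == kSecTrustSettingsResultDeny) return 0;
        if (result == kSecTrustSettingsResultTrustRoot ||
            result == kSecTrustSettingsResultTrustAsRoot) trusted = 1;
    }
    return trusted;
}

// Walks one trust-settings domain; returns the first failing OSStatus, else errSecSuccess.
static OSStatus dumpTrustDomain(SecTrustSettingsDomain domain, const char *label) {
    CFArrayRef certs = NULL;
    OSStatus status = SecTrustSettingsCopyCertificates(domain, &certs);
    if (status == errSecNoTrustSettings) { printf("%s: no entries\n", label); return errSecSuccess; }
    if (status != errSecSuccess) return status;
    for (CFIndex i = 0; i < CFArrayGetCount(certs); i++) {
        SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(certs, i);
        CFArrayRef settings = NULL;
        // The call the review asks to check: a failure here must not be read as "trusted".
        status = SecTrustSettingsCopyTrustSettings(cert, domain, &settings);
        if (status != errSecSuccess) { CFRelease(certs); return status; }
        printf("%s[%ld]: %s\n", label, (long)i, isTrustedRoot(settings) ? "trusted root" : "not trusted");
        CFRelease(settings);
    }
    CFRelease(certs);
    return errSecSuccess;
}

int main(void) {
    // kSecTrustSettingsDomainSystem is skipped on purpose, as discussed in the thread.
    OSStatus s = dumpTrustDomain(kSecTrustSettingsDomainUser, "user");
    if (s == errSecSuccess) s = dumpTrustDomain(kSecTrustSettingsDomainAdmin, "admin");
    if (s != errSecSuccess) fprintf(stderr, "Security.framework call failed: %d\n", (int)s);
    return s == errSecSuccess ? 0 : 1;
}
```

Build on macOS with `clang -framework Security -framework CoreFoundation trust_domains.m`; the program only reads trust settings and changes nothing.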
