RFR: 8303465: KeyStore of type KeychainStore, provider Apple does not show all trusted certificates [v3]

Christoph Langer clanger at openjdk.org
Fri May 19 09:15:49 UTC 2023


On Thu, 18 May 2023 00:00:58 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> Before your new change, such a certificate is not trusted, because `SecTrustSettingsCopyTrustSettings` returns `errSecItemNotFound` so `jm_createTrustedCertEntry` is not called at all.
> 
> I am not sure if such a certificate is meant to be always trusted. Note that you can create such an entry with only `security add-certificates` but not `security add-trusted-cert`. macOS allows anyone to run the first command but prompts you for an administrator password when running the second. The name of the second command also implies that it's the only way to assign trust to a certificate, IMHO.

Hm, after thinking about this again and also comparing with the behavior of curl, I think you're right. A self-signed certificate should only be trusted if it has a trust entry (e.g. added by `security add-trusted-cert`). Somehow I was under the impression that self-signed certificates should be trusted when they exist. But after reading comments etc. again I'm not sure why I thought so at all. 😜 Will update the PR...

-------------

PR Comment: https://git.openjdk.org/jdk/pull/13945#issuecomment-1554278565
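The behavior agreed on above (a certificate that is merely present in the keychain, with no trust settings, must not surface as a trusted entry) can be checked from the Java side once the PR lands. The following is an added example written for this thread, not code from the PR or from the JDK sources; it assumes a macOS machine with the Apple provider available and takes an optional path to a DER or PEM certificate file (a placeholder argument) whose presence among the `TrustedCertificateEntry` aliases it reports.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Lists the trusted certificate entries exposed by the Apple KeychainStore and,
 * if a certificate file is given, reports whether that certificate is among them.
 * Expected after the fix: a cert added only with `security add-certificates`
 * (no trust settings) is NOT listed; one added with `security add-trusted-cert` is.
 */
public class KeychainTrustCheck {

    /** Returns true if {@code wanted} is exposed as a trusted certificate entry. */
    static boolean isTrustedEntry(KeyStore ks, X509Certificate wanted) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            // Only TrustedCertificateEntry aliases count; key entries hold our own identities.
            if (ks.isCertificateEntry(alias) && wanted.equals(ks.getCertificate(alias))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Apple provider keychain-backed store; load(null, null) reads the user keychains.
        KeyStore ks = KeyStore.getInstance("KeychainStore", "Apple");
        ks.load(null, null);

        int trustedCount = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                trustedCount++;
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.println("trusted: " + alias + " -> " + c.getSubjectX500Principal());
            }
        }
        System.out.println(trustedCount + " trusted certificate entries");

        if (args.length > 0) {
            // args[0] is a placeholder path to the certificate under test (DER or PEM).
            X509Certificate wanted;
            try (FileInputStream in = new FileInputStream(args[0])) {
                wanted = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            }
            System.out.println(args[0] + " trusted by KeychainStore: " + isTrustedEntry(ks, wanted));
        }
    }
}
```

Run it once after `security add-certificates` alone and once after `security add-trusted-cert`: with the change discussed here, only the second run should report the certificate as a trusted entry, matching what curl does with the same keychain.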
