RFR: 8303465: KeyStore of type KeychainStore, provider Apple does not show all trusted certificates [v6]
Christoph Langer
clanger at openjdk.org
Tue May 23 06:54:49 UTC 2023
On Mon, 22 May 2023 22:43:18 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> This handles the case when a certificate is in both the login (user) and system keychain.
>
> How do you know "the existing entry must have the same properties and trust settings"?
Trust settings are stored per certificate. That is, when you do `security add-trusted-cert`, you have to pass a certificate that the entry is created for. It does not matter then whether the certificate is actually present/loaded into any keychain. If the certificate is not in the keychain, a `security dump-trust-settings` will not show the trust entry, but after you add it, it becomes visible.
So, that means, if two certificates are the same, no matter if they were loaded from different keychains or under different aliases (don't know whether the latter is possible though), they will share the same trust records.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/13945#discussion_r1201622626