RFR: 8320362: Load anchor certificates from Keychain keystore [v5]
Weijun Wang
weijun at openjdk.org
Fri Feb 2 18:45:04 UTC 2024
On Thu, 1 Feb 2024 22:08:16 GMT, Alexey Bakhtin <abakhtin at openjdk.org> wrote:
>> test/jdk/java/security/KeyStore/CheckMacOSKeyChainTrust.java line 55:
>>
>>> 53: // check user and admin trustsettings to find distrusted certs
>>> 54: loadUser(false);
>>> 55: loadAdmin(false);
>>
>> Not sure what the 2 lines above are for? Is it possible a cert is distrusted in user/admin store but trusted in root store and you want to make sure it does not appear in KEYCHAINSTORE-ROOT?
>
> Yes. Exactly. The trusted cert can be distrusted in the user/admin domain, so it should not be available in the KEYCHAINSTORE-ROOT.
This is OK. Although it means different people will see different root CA certs.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/16722#discussion_r1476527798