RFR: 8320362: Load anchor certificates from Keychain keystore [v5]
Alexey Bakhtin
abakhtin at openjdk.org
Fri Feb 23 23:10:56 UTC 2024
On Fri, 16 Feb 2024 15:01:34 GMT, Weijun Wang <weijun at openjdk.org> wrote:
> > `security dump-trust-settings -s` returns only predefined root certificates. KEYCHAINSTORE-ROOT additionally contains installed root trusted certificates in the system domain
>
> Are you sure they should be added into this keystore? It looks like all the extra certs in KEYCHAINSTORE-ROOT that are not in `security dump-trust-settings -s` are all inside KEYCHAINSTORE. Maybe that's where they should belong to?
Thank you. You are right. It is better if KEYCHAINSTORE-ROOT contains only predefined roots. Unfortunately, SecTrustCopyAnchorCertificates can not be used in this case.
I have updated the patch to read certificates from the "/System/Library/Keychains/SystemRootCertificates.keychain" keychain
-------------
PR Comment: https://git.openjdk.org/jdk/pull/16722#issuecomment-1962117463
More information about the security-dev
mailing list