RFR: 8320362: Load anchor certificates from Keychain keystore
Alexey Bakhtin
abakhtin at openjdk.org
Thu Jan 4 02:24:56 UTC 2024
On Mon, 20 Nov 2023 13:49:33 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> Please review the proposed fix.
>>
>> The patch loads system root certificates from the MacOS Keychain with TrustSettings.
>> It allows building a trusted certificate path using the MacOS Keychain store only.
>
> How about putting these certs into a different keystore like Windows does (there are `Windows-MY` and `Windows-ROOT` there)? Anyway, there needs to be a CSR and release note for this big change.
As suggested by @wangweij, the new Keychain-ROOT keystore is introduced for the trusted anchor certificates.
The Keychain-ROOT keystore is read-only and throws KeyStoreException on an attempt to modify it.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/16722#issuecomment-1876218683