RFR: 8320362: Load anchor certificates from Keychain keystore [v7]
Weijun Wang
weijun at openjdk.org
Fri Mar 8 19:52:00 UTC 2024
On Fri, 23 Feb 2024 23:07:07 GMT, Alexey Bakhtin <abakhtin at openjdk.org> wrote:
>> Please review the proposed fix.
>>
>> The patch loads system root certificates from the MacOS Keychain with TrustSettings.
>> It allows to build a trusted certificate path using the MacOS Keychain store only.
>
> Alexey Bakhtin has updated the pull request incrementally with one additional commit since the last revision:
>
> Load root certificates from SystemRootCertificates.keychain
src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m line 525:
> 523: // Load predefined root certificates from SystemRootCertificates keychain
> 524: // SecTrustCopyAnchorCertificates includes extra root certificates and can not be used here
> 525: if( SecKeychainOpen("/System/Library/Keychains/SystemRootCertificates.keychain", &keychain) != errSecSuccess ) {
I'll study the API more but it looks too implementation-detail dependent to read the file directly. Are there any other APIs? I see one named `SecTrustCopyCustomAnchorCertificates`. Can it be used?
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/16722#discussion_r1518225296
More information about the security-dev
mailing list