RFR: 8320362: Load anchor certificates from Keychain keystore [v7]
Weijun Wang
weijun at openjdk.org
Mon Mar 18 14:30:29 UTC 2024
On Sat, 9 Mar 2024 05:40:06 GMT, Alexey Bakhtin <abakhtin at openjdk.org> wrote:
>> src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m line 525:
>>
>>> 523: // Load predefined root certificates from SystemRootCertificates keychain
>>> 524: // SecTrustCopyAnchorCertificates includes extra root certificates and can not be used here
>>> 525: if( SecKeychainOpen("/System/Library/Keychains/SystemRootCertificates.keychain", &keychain) != errSecSuccess ) {
>>
>> I'll study the API more but it looks too implementation-detail dependent to read the file directly. Are there any other APIs? I see one named `SecTrustCopyCustomAnchorCertificates`. Can it be used?
>
> Hi @wangweij ,
> Thank you for review.
> Unfortunately `SecTrustCopyCustomAnchorCertificates` can not be used also. It is used to retrieve certificates from your own created SecTrust. As I know it is not possible to create/load SecTrust with predefined certs without reading`/System/Library/Keychains/SystemRootCertificates.keychain`
Then this is the best solution we can find. I have no more comment and thanks a lot for the patience. You might need to finalize your CSR now.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/16722#discussion_r1528674342
More information about the security-dev
mailing list