RFR: 8347067: Load certificates without explicit trust settings in KeyChainStore
Tim Jacomb
duke at openjdk.org
Fri Jan 24 21:17:27 UTC 2025
On Sat, 4 Jan 2025 00:19:46 GMT, Alexey Bakhtin <abakhtin at openjdk.org> wrote:
> I think, in this particular case, we need two iterations to add certificates into the trust store. The first iteration will add certificates with non-null trust settings, and the second iteration should verify and add certificates with null trust settings.
Thanks for the feedback it was very helpful, I had missed the bottom note on https://developer.apple.com/documentation/security/sectrustsettingscopytrustsettings(_:_:_:) before this.
I've implemented the recommendation based on the docs in https://github.com/openjdk/jdk/pull/22911/commits/0052cd0380b4949b9af689eae660cf3defa5e7d0.
All my test cases are now passing.
I've added a second intermediate CA to my test setup as well although it only uses 1 by default:
https://github.com/timja/openjdk-intermediate-ca-reproducer?rgh-link-date=2025-01-03T11%3A28%3A01Z
I've tested by revoking trust along each part of the chain and its behaving correctly now.
> Thank you for this patch. It looks correct now (see my comment about subjCerts above)
Thanks, will look into that
> Is it possible to add jtreg test for this scenario?
I'll look at that ~tomorrow
> Also, You'll need a jbs issue to submit this PR
Would it be possible for you to do it on my behalf please? I don't have access
-------------
PR Comment: https://git.openjdk.org/jdk/pull/22911#issuecomment-2572885448
PR Comment: https://git.openjdk.org/jdk/pull/22911#issuecomment-2573892019
More information about the security-dev
mailing list