RFR: 8347067: Load certificates without explicit trust settings in KeyChainStore
Tim Jacomb
duke at openjdk.org
Fri Jan 24 21:17:27 UTC 2025
On Mon, 6 Jan 2025 20:43:22 GMT, Tim Jacomb <duke at openjdk.org> wrote:
> Is it possible to add jtreg test for this scenario?
I've done some research.
I _think_ it would only be possible with manual intervention to run it.
The certificates could be generated with a script, similar to the existing https://github.com/openjdk/jdk/blob/master/test/jdk/sun/security/x509/DNSName/certs/generate-certs.sh and then checked in.
The certificates could be added to the truststore using `/usr/bin/security add-trusted-cert`, like in https://github.com/JetBrains/jvm-native-trusted-roots/blob/trunk/src/test/java/org/jetbrains/nativecerts/mac/SecurityFrameworkUtilTest.java#L114-L120
but marking the root certificate as trusted would need the user to confirm an OS prompt, https://github.com/JetBrains/jvm-native-trusted-roots#testing, i.e. I need to approve via Touch ID when I make changes to a cert's trust level.
Does that add value to add a test so someone could run it manually?
-------------
PR Comment: https://git.openjdk.org/jdk/pull/22911#issuecomment-2573993417