RFR: 8347067: Load certificates without explicit trust settings in KeyChainStore
Tim Jacomb
duke at openjdk.org
Fri Jan 24 21:17:28 UTC 2025
On Fri, 3 Jan 2025 16:29:57 GMT, Tim Jacomb <duke at openjdk.org> wrote:
>> Ok this isn't working properly 😢
>>
>> 1. ⛔ Fails: Marking the certificate as OS default (which for CA certs is trust: false) - with an intermediate
>> 2. ⛔ Fails: Marking the certificate as OS default without an intermediate
>> 3. ⛔ Fails: Removing the root but leaving the intermediate
>>
>> Case 2 succeeds on Java 23
>
> Interesting for root certificate `SecTrustSettingsCopyTrustSettings` returns:
>
> * -25300 (not found) when trust policy is `Use System Defaults`
> * 0 and a `kSecTrustSettingsResult` value of 3 when set to Never Trust
> * 0 and a `kSecTrustSettingsResult` value of 1 when set to Always Trust
With https://github.com/openjdk/jdk/pull/22911/commits/5102dade13f44dedd887920c407158e7d189947b
Case 2. works again.
(i.e. the basic case which previously worked with a self-signed root and no intermediate)
Case 1 and 3 are still failing, I'll have a think on Monday but may need a pointer
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/22911#discussion_r1901977595
More information about the security-dev
mailing list