RFR: 8347067: Load certificates without explicit trust settings in KeyChainStore [v5]

Mon Jan 27 22:43:32 UTC 2025

> ## The change
> 
> Without this change intermediate certificates that don't have explicit trust settings are ignored not added to the truststore.
> 
> 
> 
> ## Reproducer
> 
> See https://github.com/timja/openjdk-intermediate-ca-reproducer
> 
> Without this change the reproducer fails, and with this change it succeeds.
> 
> ## Example failing architecture
> 
> Root CA -> Intermediate 1 -> Intermediate 2 -> Leaf
> 
> Where:
> * All certs are in admin domain kSecTrustSettingsDomainAdmin
> * Root CA is marked as always trust
> * Intermediate 1 and 2 are Unspecified
> 
> Previously Root CA would be found but intermediate 1 and 2 would be skipped when verifying trust settings.
> 
> ## Background reading
> 
> ### Rust
> see also Rust Lib that is used throughout Rust ecosystem for this: 
> https://github.com/rustls/rustls-native-certs/blob/efe7b1d77bf6080851486535664d1dc7ef0dea68/src/macos.rs#L39-L58
> 
> e.g. in Deno `https://github.com/denoland/deno/pull/11491` where I've verified it is correctly implemented and works in my setup
> 
> ## Python
> 
> I also looked at the Python implementation for inspiration as well (which also works on my system): https://github.com/sethmlarson/truststore/blob/main/src/truststore/_macos.py

Tim Jacomb has updated the pull request incrementally with one additional commit since the last revision:

  Make test output easier to read

-------------

Changes:
  - all: https://git.openjdk.org/jdk/pull/22911/files
  - new: https://git.openjdk.org/jdk/pull/22911/files/2125a8e7..59ceebc4

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=22911&range=04
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=22911&range=03-04

  Stats: 1 line in 1 file changed: 0 ins; 0 del; 1 mod
  Patch: https://git.openjdk.org/jdk/pull/22911.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/22911/head:pull/22911

PR: https://git.openjdk.org/jdk/pull/22911