On Thu, 2 Mar 2023 13:33:53 GMT, Matthias Baesken <mbaes...@openjdk.org> wrote:
> After 8278449, we seem to ignore in the call > > ` if (SecTrustSettingsCopyTrustSettings(certRef, > kSecTrustSettingsDomainUser, &trustSettings) == errSecItemNotFound) ` > > all trusted certs from admin and system domains, so a lot more certs are > ignored than necessary. > Probably we should take at least the certs with trust settings from > kSecTrustSettingsDomainUser, kSecTrustSettingsDomainAdmin and > kSecTrustSettingsDomainSystem domains . Hi Weijun, here I found an example from Apple OpenSource https://opensource.apple.com/source/Security/Security-59754.80.3/OSX/libsecurity_keychain/lib/SecTrustSettings.cpp.auto.html and https://opensource.apple.com/source/Security/Security-57740.51.3/trust/SecTrustSettingsPriv.h.auto.html they have there a " wrapper around SecTrustSettingsCopyCertificates that combines user and admin domain outputs." (SecTrustSettingsCopyCertificatesForUserAdminDomains). Seems at least those 2 domains need to be considered. That#s what I found also in some other projects (e.g. Go). ------------- PR Comment: https://git.openjdk.org/jdk/pull/12829#issuecomment-1508008557