On Thu, 2 Mar 2023 13:33:53 GMT, Matthias Baesken <mbaes...@openjdk.org> wrote:

> After 8278449, we seem to ignore in the call
> 
> `  if (SecTrustSettingsCopyTrustSettings(certRef, 
> kSecTrustSettingsDomainUser, &trustSettings) == errSecItemNotFound) `
> 
> all trusted certs from admin and system domains, so a lot more certs are 
> ignored than necessary.
> Probably we should take at least the certs with trust settings from 
> kSecTrustSettingsDomainUser, kSecTrustSettingsDomainAdmin and 
> kSecTrustSettingsDomainSystem domains .

Hi Weijun, here I found an example from Apple OpenSource 
https://opensource.apple.com/source/Security/Security-59754.80.3/OSX/libsecurity_keychain/lib/SecTrustSettings.cpp.auto.html
and
https://opensource.apple.com/source/Security/Security-57740.51.3/trust/SecTrustSettingsPriv.h.auto.html

they have there a " wrapper around SecTrustSettingsCopyCertificates that 
combines user and admin domain outputs."
(SecTrustSettingsCopyCertificatesForUserAdminDomains).   Seems at least those 2 
domains need to be considered.
That#s what I found also in some other projects (e.g. Go).

-------------

PR Comment: https://git.openjdk.org/jdk/pull/12829#issuecomment-1508008557

Reply via email to