On Fri, 8 Mar 2024 19:47:00 GMT, Weijun Wang <wei...@openjdk.org> wrote:
>> Alexey Bakhtin has updated the pull request incrementally with one
>> additional commit since the last revision:
>>
>> Load root certificates from SystemRootCertificates.keychain
>
> src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m line 525:
>
>> 523: // Load predefined root certificates from SystemRootCertificates
>> keychain
>> 524: // SecTrustCopyAnchorCertificates includes extra root certificates
>> and can not be used here
>> 525: if(
>> SecKeychainOpen("/System/Library/Keychains/SystemRootCertificates.keychain",
>> &keychain) != errSecSuccess ) {
>
> I'll study the API more but it looks too implementation-detail dependent to
> read the file directly. Are there any other APIs? I see one named
> `SecTrustCopyCustomAnchorCertificates`. Can it be used?
Hi @wangweij ,
Thank you for review.
Unfortunately `SecTrustCopyCustomAnchorCertificates` can not be used also. It
is used to retrieve certificates from your own created SecTrust. As I know it
is not possible to create/load SecTrust with predefined certs without
reading`/System/Library/Keychains/SystemRootCertificates.keychain`
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/16722#discussion_r1518484143
