On Sat, 9 Mar 2024 05:40:06 GMT, Alexey Bakhtin <abakh...@openjdk.org> wrote:

>> src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m line 525:
>> 
>>> 523:     // Load predefined root certificates from SystemRootCertificates 
>>> keychain
>>> 524:     // SecTrustCopyAnchorCertificates includes extra root certificates 
>>> and can not be used here
>>> 525:     if( 
>>> SecKeychainOpen("/System/Library/Keychains/SystemRootCertificates.keychain",
>>>  &keychain) != errSecSuccess ) {
>> 
>> I'll study the API more but it looks too implementation-detail dependent to 
>> read the file directly. Are there any other APIs? I see one named 
>> `SecTrustCopyCustomAnchorCertificates`. Can it be used?
>
> Hi @wangweij,
> Thank you for the review.
> Unfortunately, `SecTrustCopyCustomAnchorCertificates` cannot be used either. It
> is used to retrieve certificates from your own created SecTrust. As far as I know, it
> is not possible to create/load SecTrust with predefined certs without
> reading `/System/Library/Keychains/SystemRootCertificates.keychain`.

Then this is the best solution we can find. I have no more comments, and thanks a
lot for the patience. You might need to finalize your CSR now.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/16722#discussion_r1528674342
