On Fri, 3 Jan 2025 15:36:33 GMT, Tim Jacomb <d...@openjdk.org> wrote:
>> src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m line 496:
>>
>>> 494:
>>> 495: // Only add certificates with trust settings
>>> 496: if (inputTrust == NULL) {
>>
>> From what I can tell non root certificates that do not have explicit trust
>> settings do not show up in `SecTrustSettingsCopyTrustSettings`, docs appear
>> to be
>> https://developer.apple.com/documentation/security/sectrustsettingscopytrustsettings(_:_:_:)
>> but not very clear.
>>
>> ----
>>
>> I need to test that the certificate is still chained to a root and not
>> trusted as a root.
>
> Ok this isn't working properly 😢
>
> 1. â›” Fails: Marking the certificate as OS default (which for CA certs is
> trust: false) - with an intermediate
> 2. â›” Fails: Marking the certificate as OS default without an intermediate
> 3. â›” Fails: Removing the root but leaving the intermediate
>
> Case 2 succeeds on Java 23
Interesting for root certificate `SecTrustSettingsCopyTrustSettings` returns:
* -25300 (not found) when trust policy is `Use System Defaults`
* 0 and a `kSecTrustSettingsResult` value of 3 when set to Never Trust
* 0 and a `kSecTrustSettingsResult` value of 1 when set to Always Trust
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/22911#discussion_r1901958401
