On Sat, 4 Jan 2025 00:19:46 GMT, Alexey Bakhtin <abakh...@openjdk.org> wrote:
> I think, in this particular case, we need two iterations to add certificates
> into the trust store. The first iteration will add certificates with non-null
> trust settings, and the second iteration should verify and add certificates
> with null trust settings.

Thanks for the feedback, it was very helpful. I had missed the bottom note on https://developer.apple.com/documentation/security/sectrustsettingscopytrustsettings(_:_:_:) before this.

I've implemented the recommendation based on the docs in https://github.com/openjdk/jdk/pull/22911/commits/0052cd0380b4949b9af689eae660cf3defa5e7d0.

All my test cases are now passing. I've added a second intermediate CA to my test setup as well, although it only uses 1 by default: https://github.com/timja/openjdk-intermediate-ca-reproducer?rgh-link-date=2025-01-03T11%3A28%3A01Z

I've tested by revoking trust along each part of the chain and it's behaving correctly now.

> Thank you for this patch. It looks correct now (see my comment about
> subjCerts above)

Thanks, will look into that.

> Is it possible to add jtreg test for this scenario?

I'll look at that ~tomorrow.

> Also, you'll need a jbs issue to submit this PR

Would it be possible for you to do it on my behalf please? I don't have access.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/22911#issuecomment-2572885448
PR Comment: https://git.openjdk.org/jdk/pull/22911#issuecomment-2573892019