On Wed, 17 May 2023 07:14:06 GMT, Christoph Langer <clan...@openjdk.org> wrote:
> > Hi Christoph, I do not see any reference to kSecTrustSettingsDomainSystem
> > in your coding. Handling at least kSecTrustSettingsDomainUser and
> > kSecTrustSettingsDomainAdmin is good but I am not sure about
> > kSecTrustSettingsDomainSystem. Did you find some documentation why it
> > should be omitted?
>
> Hi Matthias, yes, I think it is not nicely documented. I've seen in testing,
> that kSecTrustSettingsDomainSystem merely holds information for trusted root
> CAs. So in theory, we could add this. However, other code in that area that
> we've found out in the wild doesn't do it as well. Let's see what others
> think about this.

Yes, this seems to be the case. Could you maybe add a one-liner comment to libosxsecurity/KeystoreImpl.m (near the user and admin domain handling) summarizing what you said? And I still prefer checking the return values of the calls to SecTrustSettingsCopyTrustSettings.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/13945#issuecomment-1550901380