On Thu, 18 May 2023 00:00:58 GMT, Weijun Wang <wei...@openjdk.org> wrote:

> Before your new change, such a certificate is not trusted, because 
> `SecTrustSettingsCopyTrustSettings` returns `errSecItemNotFound` so 
> `jm_createTrustedCertEntry` is not called at all.
> 
> I am not sure if such a certificate is meant to be always trusted. Note that 
> you can create such an entry with only `security add-certificates` but not 
> `security add-trusted-cert`. macOS allows anyone to run the first command but 
> prompts you for an administrator password when running the second. The name 
> of the second command also implies that it's the only way to assign trust to 
> a certificate, IMHO.

Hm, after thinking about this again and also comparing with the behavior of curl, I 
think you're right. A self-signed certificate should only be trusted if it has 
a trust entry (e.g. added by `security add-trusted-cert`). Somehow I was under 
the impression that self-signed certificates should be trusted when they exist. 
But after reading comments etc. again I'm not sure why I thought so at all. 😜 
Will update the PR...

-------------

PR Comment: https://git.openjdk.org/jdk/pull/13945#issuecomment-1554278565
