## The change

Without this change intermediate certificates that don't have explicit trust settings are ignored and not added to the truststore.

## Reproducer

See https://github.com/timja/openjdk-intermediate-ca-reproducer

Without this change the reproducer fails, and with this change it succeeds.

## Example failing architecture

Root CA -> Intermediate 1 -> Intermediate 2 -> Leaf

Where:

* All certs are in admin domain kSecTrustSettingsDomainAdmin
* Root CA is marked as always trust
* Intermediate 1 and 2 are Unspecified

Previously Root CA would be found but intermediate 1 and 2 would be skipped when verifying trust settings.

## Background reading

### Rust

See also the Rust lib that is used throughout the Rust ecosystem for this: https://github.com/rustls/rustls-native-certs/blob/efe7b1d77bf6080851486535664d1dc7ef0dea68/src/macos.rs#L39-L58

e.g. in Deno `https://github.com/denoland/deno/pull/11491` where I've verified it is correctly implemented and works in my setup

### Python

I also looked at the Python implementation for inspiration as well (which also works on my system): https://github.com/sethmlarson/truststore/blob/main/src/truststore/_macos.py

-------------

Commit messages:

 - Executable files are not allowed...
 - Flag test as manual
 - Minor cleanups
 - Add new line
 - Add jtreg test
 - Release subjCerts
 - Revert unneeded changes
 - Merge branch 'master' into load-anchor-and-user-certificates-keychainstore
 - Verify certificate without trustsettings before adding
 - Tweeks to make the basic case work
 - ... and 1 more: https://git.openjdk.org/jdk/compare/f1d85ab3...2d955702

Changes: https://git.openjdk.org/jdk/pull/22911/files
Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=22911&range=00
Issue: https://bugs.openjdk.org/browse/JDK-8347067
Stats: 299 lines in 8 files changed: 287 ins; 6 del; 6 mod
Patch: https://git.openjdk.org/jdk/pull/22911.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/22911/head:pull/22911

PR: https://git.openjdk.org/jdk/pull/22911
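
Added example, not part of the original message or the JDK patch: a Python model of the failing architecture described above, comparing the "previously" selection with the one suggested by the commit title "Verify certificate without trustsettings before adding". Chain verification is modelled by issuer-name links only (no signature checks); the `Cert` type, the trust labels, the deny handling and the "Stray" entries are assumptions made for illustration.

```python
from dataclasses import dataclass

# Labels for this model only; they are not the macOS constants.
TRUST_ROOT, DENY, UNSPECIFIED = "always-trust", "deny", "unspecified"

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    trust: str = UNSPECIFIED  # no explicit trust setting in the admin domain

def old_truststore(certs):
    """'Previously': only certificates with an explicit trust setting are kept."""
    return {c.subject for c in certs if c.trust == TRUST_ROOT}

def chains_to_trusted_root(cert, by_subject, max_depth=10):
    """Follow issuer links; succeed only when an always-trusted cert is reached."""
    seen, current = set(), cert
    for _ in range(max_depth):
        if current.trust == DENY or current.subject in seen:
            return False  # denied link or issuer loop
        if current.trust == TRUST_ROOT:
            return True
        seen.add(current.subject)
        parent = by_subject.get(current.issuer)
        if parent is None or parent is current:
            return False  # issuer missing, or self-signed without trust
        current = parent
    return False

def new_truststore(certs):
    """Modelled new behaviour: verify unspecified certs before adding them."""
    by_subject = {c.subject: c for c in certs}
    return {c.subject for c in certs if chains_to_trusted_root(c, by_subject)}

# Constructed sample keychain: the chain from the description plus two
# certificates that must stay out because nothing trusted anchors them.
KEYCHAIN = [
    Cert("Root CA", "Root CA", TRUST_ROOT),
    Cert("Intermediate 1", "Root CA"),
    Cert("Intermediate 2", "Intermediate 1"),
    Cert("Stray Root", "Stray Root"),
    Cert("Stray Intermediate", "Stray Root"),
]

if __name__ == "__main__":
    print("old:", sorted(old_truststore(KEYCHAIN)))
    print("new:", sorted(new_truststore(KEYCHAIN)))
```

The point for review is the second half of the sample data: accepting unspecified intermediates must not widen the truststore to certificates that do not verify against an already trusted root.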