> ## The change
>
> Without this change intermediate certificates that don't have explicit trust
> settings are ignored and not added to the truststore.
>
> ## Reproducer
>
> See https://github.com/timja/openjdk-intermediate-ca-reproducer
>
> Without this change the reproducer fails, and with this change it succeeds.
>
> ## Example failing architecture
>
> Root CA -> Intermediate 1 -> Intermediate 2 -> Leaf
>
> Where:
> * All certs are in admin domain kSecTrustSettingsDomainAdmin
> * Root CA is marked as always trust
> * Intermediate 1 and 2 are Unspecified
>
> Previously Root CA would be found but intermediate 1 and 2 would be skipped
> when verifying trust settings.
>
> ## Background reading
>
> ### Rust
> see also Rust Lib that is used throughout Rust ecosystem for this:
> https://github.com/rustls/rustls-native-certs/blob/efe7b1d77bf6080851486535664d1dc7ef0dea68/src/macos.rs#L39-L58
>
> e.g. in Deno `https://github.com/denoland/deno/pull/11491` where I've
> verified it is correctly implemented and works in my setup
>
> ## Python
>
> I also looked at the Python implementation for inspiration as well (which
> also works on my system):
> https://github.com/sethmlarson/truststore/blob/main/src/truststore/_macos.py

Tim Jacomb has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains 13 additional commits since the last revision:

 - Add non-trusted root CA cert
 - Merge branch 'master' into load-anchor-and-user-certificates-keychainstore
 - Executable files are not allowed...
 - Flag test as manual
 - Minor cleanups
 - Add new line
 - Add jtreg test
 - Release subjCerts
 - Revert unneeded changes
 - Merge branch 'master' into load-anchor-and-user-certificates-keychainstore
 - ... and 3 more: https://git.openjdk.org/jdk/compare/6ca5c5dd...d9605e12

-------------

Changes:
  - all: https://git.openjdk.org/jdk/pull/22911/files
  - new: https://git.openjdk.org/jdk/pull/22911/files/2d955702..d9605e12

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=22911&range=01
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=22911&range=00-01

  Stats: 23118 lines in 633 files changed: 6718 ins; 13626 del; 2774 mod
  Patch: https://git.openjdk.org/jdk/pull/22911.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/22911/head:pull/22911

PR: https://git.openjdk.org/jdk/pull/22911