On Sun, 26 Jan 2025 22:58:04 GMT, Tim Jacomb <d...@openjdk.org> wrote:

>> test/jdk/java/security/KeyStore/CheckMacOSKeyChainIntermediateCATrust.java 
>> line 166:
>> 
>>> 164:     private static void assertThat(boolean expected, String message, 
>>> List<X509Certificate> certificates) {
>>> 165:         if (!expected) {
>>> 166:             throw new AssertionError(message + ", subjects: " + 
>>> getSubjects(certificates));
>> 
>> I do not like printing all KeyChain certificates on the failure. It could be 
>> sensitive information.
>> 
>> If you do not collect all certificates, the test could be simplified - 
>> without Stream API
>
> Without this it's harder to debug what went wrong, this tells you what 
> subjects are found, it's not the certificate itself, just e.g. 
> 
> 
> java.lang.AssertionError: Non trusted CA not found CN=Non Trusted Example 
> CA,O=Example,C=US, subjects: [ CN=StartCom Certification Authority,OU=Secure 
> Digital Certificate Signing,O=StartCom Ltd.,C=IL, 
> CN=TIMJA-INTERMEDIATE,O=TIMJA,ST=ES,C=UK, 
> CN=TIMJA-INTERMEDIATE-2,O=TIMJA,ST=ES,C=UK, CN=TIMJA-ROOT,O=TIMJA,ST=ES]

I understand the reason for the test development, but I am still concerned 
about printing this information.
Is it possible it will be disabled by default but could be enabled from the 
cmdline or by changing the source code?
```
    static boolean verbose = false; // avoid too verbose output
```

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/22911#discussion_r1931137722
