Open tianyuan129 opened 1 year ago
This is because the design and implementation of the suggest function did not consider use by the controller.
To add more context: this code was added to fix the problem that the function may return a self-signed certificate that is not the trust anchor but satisfies the trust schema's check, as we only check packet name vs. cert name, but do not move further to cert name vs. the cert's signer.
The highlighted piece of code avoids returning all self-signed certificates.
If the trust anchor is in the keychain, the key suggestor never returns it even if it's a valid signer.