RFR: 8349759: Fix CertificateBuilder and SimpleOCSPServer test utilities to support PQC algorithms [v3]

Sean Mullan mullan at openjdk.org
Wed Feb 19 22:37:51 UTC 2025


On Thu, 13 Feb 2025 22:29:46 GMT, Jamil Nimeh <jnimeh at openjdk.org> wrote:

>> Also, should it be moved to somewhere else like jdk/test/sun/security/provider/certpath?
> 
> Hmmm...not sure about that, but maybe an explanation is in order: Because the JDK only implements the client side with OCSP, we rely on CertPathValidator to handle the path validation and that has never been a problem with PQC.  When I did OCSP stapling a long time ago (JDK 9) that was when I wanted a way to build certs (good and malformed ones) and make OCSP servers that didn't need to fork processes outside the jtreg framework or need 3rd party code.  That meant I had to implement the server-side (consumption of requests and generation of responses) and that's where things needed some tuning up.  So it isn't really a CPV problem, it's a testcode problem.  In order to exercise it and ensure that it worked for all the algs we use to sign stuff, I made this test-the-test-code test and at the suggestion of @rhalade I located it in the lib-test tree.  Using CPV in the test was mainly a way for me to drive the OCSP request from the JDK code.  That it also validates consumption of the signed response and the cert chain is a nice freebie.
> 
> Not opposed to making the changes, I just didn't know if it was the right way to go considering that I'm not changing any actual JDK code, just test helper classes so in the future we can do PQC cert chains and OCSP servers for our tests.

No, I take back my comment - your explanation and the location make sense. I hadn't realized it was a test testing a test server on my initial scan. I think the test summary should be more general and explain what the test is doing. Right now it says "Fix CertificateBuilder and SimpleOCSPServer test utilities to support PQC algorithms" but that is a side effect of adding this test, and not the main purpose of the test.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/23566#discussion_r1962465483

