[jdk11u-dev] RFR: 8361212: Remove AffirmTrust root CAs

Severin Gehwolf sgehwolf at openjdk.org
Tue Aug 26 12:51:51 UTC 2025 

On Mon, 25 Aug 2025 13:01:54 GMT, Antonio Vieiro <avieiro at openjdk.org> wrote:

> Mostly clean backport of [JDK-8361212](https://bugs.openjdk.org/browse/JDK-8361212) that removes the AffirmTrust CAs, that  have been deactivated by Entrust but are not being transferred to Sectigo. Mostly clean but for some `switch` statements that are not expressions in 11. This is marked as `CPU25_10-critical-SQE-OK`.
> 
> Tested on Linux/x86_64 with tier1 tests and 
> 
> 
> ==============================
> Test summary
> ==============================
>    TEST                                              TOTAL  PASS  FAIL ERROR   
>    jtreg:test/jdk/sun/security                         659   659     0     0   
> ==============================
> TEST SUCCESS

Almost good to go. Since the `CAInterop.java` tests are `/manual` in JDK 11+ they don't run unless specifically asked. Please run touched tests as much as you can.

test/jdk/security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java line 1:

> 1: /*

This file no longer compiles. I need this patch to fix it:


diff --git a/test/jdk/security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java b/test/jdk/security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java
index c8a4b66afc..0614f08065 100644
--- a/test/jdk/security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java
+++ b/test/jdk/security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java
@@ -636,6 +636,7 @@ public class CAInterop {
 
             case "teliarootcav2":
                     return new CATestURLs("https://juolukka.cover.telia.fi:10600",
+                            "https://juolukka.cover.telia.fi:10601");
 
             case "emsignrootcag1":
                     return new CATestURLs("https://testovg1.emsign.com/RootOVG1.html",

test/jdk/security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java line 680:

> 678:                     return new CATestURLs("https://juolukka.cover.telia.fi:10600",
> 679:                             "https://juolukka.cover.telia.fi:10601");
> 680: 

This line got over-eagerly removed.

-------------

PR Review: https://git.openjdk.org/jdk11u-dev/pull/3075#pullrequestreview-3155461578
PR Review Comment: https://git.openjdk.org/jdk11u-dev/pull/3075#discussion_r2300874002
PR Review Comment: https://git.openjdk.org/jdk11u-dev/pull/3075#discussion_r2300875186

More information about the jdk-updates-dev mailing list