[jdk11u-dev] RFR: 8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs
Antonio Vieiro
duke at openjdk.org
Thu Feb 13 18:57:41 UTC 2025
On Thu, 13 Feb 2025 18:52:18 GMT, Antonio Vieiro <duke at openjdk.org> wrote:
> Almost clean backport of [JDK-8346587](https://bugs.openjdk.org/browse/JDK-8346587) to distrust TLS server certificates issued after April 15, 2025 and anchored by Camerfirma Root CAs.
>
> This is on top of [this previous PR](https://github.com/openjdk/jdk11u-dev/pull/2993) for [JDK-8339560](https://bugs.openjdk.org/browse/JDK-8339560) ("Unaddressed comments during code review of JDK-8337664").
>
> The backport is not completely clean because it required a change in line 98 of `CamerfirmaTLSPolicy.java` since [JDK-8270946](https://bugs.openjdk.org/browse/JDK-8270946) has not been backported to 11.
>
> Passes `tier1` and `jdk/sun/security` tests:
>
>
> ==============================
> Test summary
> ==============================
> TEST TOTAL PASS FAIL ERROR
> jtreg:test/hotspot/jtreg:tier1 1497 1497 0 0
> jtreg:test/jdk:tier1 1899 1899 0 0
> jtreg:test/langtools:tier1 3941 3941 0 0
> jtreg:test/nashorn:tier1 0 0 0 0
> jtreg:test/jaxp:tier1 0 0 0 0
> ==============================
> TEST SUCCESS
>
>
> ==============================
> Test summary
> ==============================
> TEST TOTAL PASS FAIL ERROR
> jtreg:test/jdk/sun/security 657 657 0 0
> ==============================
> TEST SUCCESS
src/java.base/share/classes/sun/security/validator/CamerfirmaTLSPolicy.java line 98:
> 96:
> 97: private static String fingerprint(X509Certificate cert) {
> 98: return X509CertImpl.getFingerprint("SHA-256", cert);
This reads
return X509CertImpl.getFingerprint("SHA-256", cert, debug);
in JDK-17 and above.
-------------
PR Review Comment: https://git.openjdk.org/jdk11u-dev/pull/2994#discussion_r1955058882
More information about the jdk-updates-dev
mailing list