[8u] Request for enhancement backport approval for CR 8207258 - Distrust TLS server certificates anchored by Symantec Root CAs
Aleksey Shipilev
shade at redhat.com
Tue Feb 26 11:28:11 UTC 2019
On 2/25/19 10:43 PM, Liu, Xin wrote:
> JDK-8207258 <https://bugs.openjdk.java.net/browse/JDK-8207258>: Distrust TLS server certificates
> anchored by Symantec Root CAs
> http://cr.openjdk.java.net/~phh/8207258/webrev.8u.00/

*) So this patch changes the keystore acquisition code in
test/lib/security/CheckBlacklistedCerts.java, and it is not present in the original change. Why?

    44 final KeyStore ks = SecurityUtils.getCacertsKeyStore();

> JDK-8216280 <https://bugs.openjdk.java.net/browse/JDK-8216280>: Allow later Symantec Policy
> distrust date for two Apple SubCAs
>
> http://cr.openjdk.java.net/~phh/8216280/webrev.8u.00/

*) Indenting in SymantecTLSPolicy.java seems off at L193-195. Also superfluous newline at L196.

    190 if (notBeforeDate.isAfter(distrustDate)) {
    191 throw new ValidatorException
    192 ("TLS Server certificate issued after " + distrustDate +
    193 " and anchored by a distrusted legacy Symantec root CA: "
    194 + anchor.getSubjectX500Principal(),
    195 ValidatorException.T_UNTRUSTED_CERT, anchor);
    196
    197 }

Seems fine otherwise.
-Aleksey