[jdk8u-dev] RFR: 8308592: Framework for CA interoperability testing

Severin Gehwolf sgehwolf at openjdk.org
Mon Nov 27 19:43:13 UTC 2023


On Fri, 24 Nov 2023 08:24:59 GMT, Andrew John Hughes <andrew at openjdk.org> wrote:

> Hi all,
> 
> This pull request contains a backport of commit [da57d2a1](https://github.com/openjdk/jdk/commit/da57d2a1eb409ddc64117865c7d24ed518421cab) from the [openjdk/jdk](https://git.openjdk.org/jdk) repository.
> 
> The commit being backported was authored by Rajan Halade on 19 Sep 2023 and was reviewed by Sean Mullan. It was backported to 17u on 2023-09-28 and 11u on 2023-10-11
> 
> It reworks the certificate tests to use test portals rather than having to maintain copies of the certificates in the OpenJDK repository and so should reduce the maintenance cost of these tests going forward. The fix has already been backported to 21u and Oracle-17u.
> 
> There were conflicts in the removals of `ActalisCA.java`, `BuypassCA.java`, `LetsEncryptCA.java` and `QuoVadisCA.java`, due to changes not in 8u. For the first of these, we backported JDK-8297955 (see #388) as it also contains a code change. As the other three are only test changes, we assumed these bugs to be resolved by the replacement of the individual tests with `CAInterop.java`.
> 
> The `ValidatePathWithURL.java` class had to be modified slightly to work with the 8u `cacerts`. These changes were based on the existing `ValidatePathWithParams.java`.
> 
> All tests pass with the exception of the OCSP case of `certignarootca`. This fails with `Caused by: java.security.cert.CertPathValidatorException: Certificate does not specify OCSP responder`. While not ideal, I don't think this is an issue with the testing backport so I'd suggest we look into this and fix it later, while getting this in so that pending certificate updates can go in. It seems to be 8u specific (the case passed on 11u). The CRL case does pass as does `CertignaCA.java` (not sure why there are two tests for this one).

This looks good. The reason why `certignarootca` test fails is the different defaults for `jdk.tls.client.enableStatusRequestExtension` between JDK 11 and JDK 8 in `SSLContextImpl.java`. The former has it set to `true` the latter to `false` as per the TLS 1.3 backport to 8. Without it the `ClientHello` won't have the `status_request` extension, which is required for the test to pass.

I suggest to set this to `true` in the affected test only (or set it to true globally in `CAInterop.java`). Either way I'd include this in this backport.

-------------

PR Review: https://git.openjdk.org/jdk8u-dev/pull/390#pullrequestreview-1751221660


More information about the jdk8u-dev mailing list