[jdk8u-dev] RFR: 8308592: Framework for CA interoperability testing [v4]
Severin Gehwolf
sgehwolf at openjdk.org
Tue Nov 28 15:53:12 UTC 2023
On Tue, 28 Nov 2023 15:12:49 GMT, Andrew John Hughes <andrew at openjdk.org> wrote:
>> Hi all,
>>
>> This pull request contains a backport of commit [da57d2a1](https://github.com/openjdk/jdk/commit/da57d2a1eb409ddc64117865c7d24ed518421cab) from the [openjdk/jdk](https://git.openjdk.org/jdk) repository.
>>
>> The commit being backported was authored by Rajan Halade on 19 Sep 2023 and was reviewed by Sean Mullan. It was backported to 17u on 2023-09-28 and 11u on 2023-10-11
>>
>> It reworks the certificate tests to use test portals rather than having to maintain copies of the certificates in the OpenJDK repository and so should reduce the maintenance cost of these tests going forward. The fix has already been backported to 21u and Oracle-17u.
>>
>> There were conflicts in the removals of `ActalisCA.java`, `BuypassCA.java`, `LetsEncryptCA.java` and `QuoVadisCA.java`, due to changes not in 8u. For the first of these, we backported JDK-8297955 (see #388) as it also contains a code change. As the other three are only test changes, we assumed these bugs to be resolved by the replacement of the individual tests with `CAInterop.java`.
>>
>> The `ValidatePathWithURL.java` class had to be modified slightly to work with the 8u `cacerts`. These changes were based on the existing `ValidatePathWithParams.java`.
>>
>> All tests pass with the exception of the OCSP case of `certignarootca`. This fails with `Caused by: java.security.cert.CertPathValidatorException: Certificate does not specify OCSP responder`. While not ideal, I don't think this is an issue with the testing backport so I'd suggest we look into this and fix it later, while getting this in so that pending certificate updates can go in. It seems to be 8u specific (the case passed on 11u). The CRL case does pass as does `CertignaCA.java` (not sure why there are two tests for this one).
>
> Andrew John Hughes has updated the pull request incrementally with one additional commit since the last revision:
>
> Explicitly enable stapling, which is disabled by default in the 8u backport of TLS 1.3
LGTM.
-------------
Marked as reviewed by sgehwolf (Reviewer).
PR Review: https://git.openjdk.org/jdk8u-dev/pull/390#pullrequestreview-1753259750
More information about the jdk8u-dev
mailing list