[jdk8u] RFR: 8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs
Severin Gehwolf
sgehwolf at openjdk.org
Thu Sep 12 16:40:08 UTC 2024
On Tue, 10 Sep 2024 20:55:35 GMT, Francisco Ferrari Bihurriet <fferrari at openjdk.org> wrote:
> Hi, here is a [JDK-8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs](https://bugs.openjdk.org/browse/JDK-8337664) backport, based on openjdk/jdk11u#95.
>
> After adjusting the file paths from 11u to 8u, the backport isn't clean, but conflicts are minimal. These include a copyright line and minor `java.security-<platform>` context mismatches. You can verify this comparing 00beb507c85f335e23e51b025c16fa6940a92262 against openjdk/jdk11u at 90ad5b18de314faca19e322bb21a4c33cec54785.
>
> On top of that, the code still needed adjustments for the 8u codebase, which were addressed in a separate commit, 53e8134702c5967ffd886b8530ee5728907cae91. I made these adjustments in line with 68e393c051d3b5ed5b490f362c7ba97c75761ad8, the 8u backport of [JDK-8207258: Distrust TLS server certificates anchored by Symantec Root CAs](https://bugs.openjdk.org/browse/JDK-8207258).
>
> #### Testing
>
> I run `jdk/tier1` and all the tests under [`jdk/test/sun/security/ssl`](https://github.com/openjdk/jdk8u/tree/e32d62e2a39510f643b32d615e76f0ff9be3d9f3/jdk/test/sun/security/ssl), using 64-bit _slowdebug_ and _release_ images, locally built in _Fedora Linux 40_. Please note that this includes the new `X509TrustManagerImpl/Entrust/Distrust.java`, which I've also made fail by temporarily undoing the `java.security-linux` changes. I haven't found any regression against `master` (currently e32d62e2a39510f643b32d615e76f0ff9be3d9f3).
>
> Regarding the failures in GitHub Actions, we can see that this also occurred in recent `jdk8u-dev` pull requests. For example:
>
> * `security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sslrooteccca`
> `security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sslrootevrsaca`
> * Failed in this PR, in [_Linux x64 (jdk/tier1)_](https://github.com/franferrax/jdk8u/actions/runs/10800436167/job/29958948355), [_Linux x86 (jdk/tier1)_](https://github.com/franferrax/jdk8u/actions/runs/10800436167/job/29959071363), [_Windows x64 (jdk/tier1)_](https://github.com/franferrax/jdk8u/actions/runs/10800436167/job/29959852407) and [_Windows x86 (jdk/tier1)_](https://github.com/franferrax/jdk8u/actions/runs/10800436167/job/29959178259)
> * Same as openjdk/jdk8u-dev#430, in [_Linux x64 (jdk/tier1)_](https://github.com/ktakakuri/jdk8u-dev/actions/runs/10733047585/job/29766007028), [_Linux x86 (jdk/tier1)_](https://github.com/ktakakuri/jdk8u-dev/actions/runs/10733047585/job/29766074280), [_Windows ...
Looks mostly fine.
jdk/src/share/classes/sun/security/validator/EntrustTLSPolicy.java line 49:
> 47:
> 48: // SHA-256 certificate fingerprints of distrusted roots
> 49: private static final Set<String> FINGERPRINTS = new HashSet<>(Arrays.asList(
Suggestion:
private static final Set<String> FINGERPRINTS = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(...)));
-------------
PR Review: https://git.openjdk.org/jdk8u/pull/61#pullrequestreview-2300777198
PR Review Comment: https://git.openjdk.org/jdk8u/pull/61#discussion_r1757160631
More information about the jdk8u-dev
mailing list