[jdk8u] RFR: 8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs [v2]

Francisco Ferrari Bihurriet fferrari at openjdk.org
Thu Sep 12 19:37:09 UTC 2024


> Hi, here is a [JDK-8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs](https://bugs.openjdk.org/browse/JDK-8337664) backport, based on openjdk/jdk11u#95.
> 
> After adjusting the file paths from 11u to 8u, the backport isn't clean, but conflicts are minimal. These include a copyright line and minor `java.security-<platform>` context mismatches. You can verify this by comparing 00beb507c85f335e23e51b025c16fa6940a92262 against openjdk/jdk11u at 90ad5b18de314faca19e322bb21a4c33cec54785.
> 
> On top of that, the code still needed adjustments for the 8u codebase, which were addressed in a separate commit, 53e8134702c5967ffd886b8530ee5728907cae91. I made these adjustments in line with 68e393c051d3b5ed5b490f362c7ba97c75761ad8, the 8u backport of [JDK-8207258: Distrust TLS server certificates anchored by Symantec Root CAs](https://bugs.openjdk.org/browse/JDK-8207258).
> 
> #### Testing
> 
> I ran `jdk/tier1` and all the tests under [`jdk/test/sun/security/ssl`](https://github.com/openjdk/jdk8u/tree/e32d62e2a39510f643b32d615e76f0ff9be3d9f3/jdk/test/sun/security/ssl), using 64-bit _slowdebug_ and _release_ images, locally built in _Fedora Linux 40_. Please note that this includes the new `X509TrustManagerImpl/Entrust/Distrust.java`, which I've also made fail by temporarily undoing the `java.security-linux` changes. I haven't found any regression against `master` (currently e32d62e2a39510f643b32d615e76f0ff9be3d9f3).
> 
> Regarding the failures in GitHub Actions, we can see that this also occurred in recent `jdk8u-dev` pull requests. For example:
> 
> * `security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sslrooteccca`
>   `security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sslrootevrsaca`
>     * Failed in this PR, in [_Linux x64 (jdk/tier1)_](https://github.com/franferrax/jdk8u/actions/runs/10800436167/job/29958948355), [_Linux x86 (jdk/tier1)_](https://github.com/franferrax/jdk8u/actions/runs/10800436167/job/29959071363), [_Windows x64 (jdk/tier1)_](https://github.com/franferrax/jdk8u/actions/runs/10800436167/job/29959852407) and [_Windows x86 (jdk/tier1)_](https://github.com/franferrax/jdk8u/actions/runs/10800436167/job/29959178259)
>     * Same as openjdk/jdk8u-dev#430, in [_Linux x64 (jdk/tier1)_](https://github.com/ktakakuri/jdk8u-dev/actions/runs/10733047585/job/29766007028), [_Linux x86 (jdk/tier1)_](https://github.com/ktakakuri/jdk8u-dev/actions/runs/10733047585/job/29766074280), [_Windows ...

Francisco Ferrari Bihurriet has updated the pull request incrementally with one additional commit since the last revision:

  Wrap the FINGERPRINTS set as immutable

-------------

Changes:
  - all: https://git.openjdk.org/jdk8u/pull/61/files
  - new: https://git.openjdk.org/jdk8u/pull/61/files/53e81347..e96486dc

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk8u&pr=61&range=01
 - incr: https://webrevs.openjdk.org/?repo=jdk8u&pr=61&range=00-01

  Stats: 4 lines in 1 file changed: 2 ins; 0 del; 2 mod
  Patch: https://git.openjdk.org/jdk8u/pull/61.diff
  Fetch: git fetch https://git.openjdk.org/jdk8u.git pull/61/head:pull/61

PR: https://git.openjdk.org/jdk8u/pull/61

