[jdk8u] RFR: 8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs [v2]
Severin Gehwolf
sgehwolf at openjdk.org
Thu Sep 12 19:45:15 UTC 2024
On Thu, 12 Sep 2024 19:37:09 GMT, Francisco Ferrari Bihurriet <fferrari at openjdk.org> wrote:
>> Hi, here is a [JDK-8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs](https://bugs.openjdk.org/browse/JDK-8337664) backport, based on openjdk/jdk11u#95.
>>
>> After adjusting the file paths from 11u to 8u, the backport isn't clean, but conflicts are minimal. These include a copyright line and minor `java.security-<platform>` context mismatches. You can verify this by comparing 00beb507c85f335e23e51b025c16fa6940a92262 against openjdk/jdk11u at 90ad5b18de314faca19e322bb21a4c33cec54785.
>>
>> On top of that, the code still needed adjustments for the 8u codebase, which were addressed in a separate commit, 53e8134702c5967ffd886b8530ee5728907cae91. I made these adjustments in line with 68e393c051d3b5ed5b490f362c7ba97c75761ad8, the 8u backport of [JDK-8207258: Distrust TLS server certificates anchored by Symantec Root CAs](https://bugs.openjdk.org/browse/JDK-8207258).
>>
>> #### Testing
>>
>> I ran `jdk/tier1` and all the tests under [`jdk/test/sun/security/ssl`](https://github.com/openjdk/jdk8u/tree/e32d62e2a39510f643b32d615e76f0ff9be3d9f3/jdk/test/sun/security/ssl), using 64-bit _slowdebug_ and _release_ images, locally built on _Fedora Linux 40_. Please note that this includes the new `X509TrustManagerImpl/Entrust/Distrust.java`, which I've also made fail by temporarily undoing the `java.security-linux` changes. I haven't found any regression against `master` (currently e32d62e2a39510f643b32d615e76f0ff9be3d9f3).
>>
>> Regarding the failures in GitHub Actions, we can see that this also occurred in recent `jdk8u-dev` pull requests. For example:
>>
>> * `security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sslrooteccca`
>>   `security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sslrootevrsaca`
>>   * Failed in this PR, in [_Linux x64 (jdk/tier1)_](https://github.com/franferrax/jdk8u/actions/runs/10800436167/job/29958948355), [_Linux x86 (jdk/tier1)_](https://github.com/franferrax/jdk8u/actions/runs/10800436167/job/29959071363), [_Windows x64 (jdk/tier1)_](https://github.com/franferrax/jdk8u/actions/runs/10800436167/job/29959852407) and [_Windows x86 (jdk/tier1)_](https://github.com/franferrax/jdk8u/actions/runs/10800436167/job/29959178259)
>>   * Same as openjdk/jdk8u-dev#430, in [_Linux x64 (jdk/tier1)_](https://github.com/ktakakuri/jdk8u-dev/actions/runs/10733047585/job/29766007028), [_Linux x86 (jdk/tier1)_](https://github.com/ktakakuri/jdk8u-dev/actions/runs/10733047...
>
> Francisco Ferrari Bihurriet has updated the pull request incrementally with one additional commit since the last revision:
>
> Wrap the FINGERPRINTS set as immutable
Looks good.
-------------
Marked as reviewed by sgehwolf (Reviewer).
PR Review: https://git.openjdk.org/jdk8u/pull/61#pullrequestreview-2301268288
More information about the jdk8u-dev mailing list