[jdk8u-dev] RFR: 8361212: Remove AffirmTrust root CAs

Severin Gehwolf sgehwolf at openjdk.org
Wed Aug 27 13:04:09 UTC 2025


Backport of JDK-8361212 to remove expired certificates. The patch is almost clean as compared to the JDK 11 version (modulo path shuffling).

Testing:

Passed: sun/security/lib/cacerts/VerifyCACerts.java
FAILED: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#actalisauthenticationrootca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#amazonrootca1
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#amazonrootca2
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#amazonrootca3
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#amazonrootca4
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#buypassclass2ca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#buypassclass3ca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#certainlyroote1
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#certainlyrootr1
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#certignarootca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#comodoeccca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#comodorsaca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#digicerttlseccrootg5
FAILED: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#digicerttlsrsarootg5
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#emsigneccrootcag3
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#emsignrootcag1
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#entrustrootcaec1
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#entrustrootcag4
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#globalsigne46
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#globalsigneccrootcar4
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#globalsignr46
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#globalsignrootcar6
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#godaddyrootg2ca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#gtsrootcar1
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#gtsrootcar2
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#gtsrootecccar3
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#gtsrootecccar4
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#letsencryptisrgx1
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#letsencryptisrgx2
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#microsoftecc2017
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#microsoftrsa2017
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#quovadisrootca1g3
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#quovadisrootca2g3
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#quovadisrootca3g3
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sectigotlsroote46
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sectigotlsrootr46
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sslrooteccca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sslrootevrsaca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sslrootrsaca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#ssltlsrootecc2022
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#ssltlsrootrsa2022
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#starfieldrootg2ca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#teliarootcav2
FAILED: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#teliasonerarootcav1
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#twcaglobalrootca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#usertrusteccca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#usertrustrsaca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CertignaCA.java
Passed: security/infra/java/security/cert/CertPathValidator/certification/DigicertCSRootG5.java
Passed: security/infra/java/security/cert/CertPathValidator/certification/DTrustCA.java
Passed: security/infra/java/security/cert/CertPathValidator/certification/EmSignRootG2CA.java
Passed: security/infra/java/security/cert/CertPathValidator/certification/HaricaCA.java
Passed: security/infra/java/security/cert/CertPathValidator/certification/LuxTrustCA.java
Passed: security/infra/java/security/cert/CertPathValidator/certification/SectigoCSRootCAs.java
Passed: sun/security/ssl/X509TrustManagerImpl/distrust/Camerfirma.java
Passed: sun/security/ssl/X509TrustManagerImpl/distrust/Entrust.java
Passed: sun/security/ssl/X509TrustManagerImpl/distrust/Symantec.java
Passed: sun/security/ssl/X509TrustManagerImpl/BasicConstraints.java
Passed: sun/security/ssl/X509TrustManagerImpl/CacertsLimit.java
Passed: sun/security/ssl/X509TrustManagerImpl/CertRequestOverflow.java
Passed: sun/security/ssl/X509TrustManagerImpl/CheckNullEntity.java
Passed: sun/security/ssl/X509TrustManagerImpl/ClientServer.java
Passed: sun/security/ssl/X509TrustManagerImpl/ComodoHacker.java
Passed: sun/security/ssl/X509TrustManagerImpl/PKIXExtendedTM.java
Passed: sun/security/ssl/X509TrustManagerImpl/SelfIssuedCert.java
Passed: sun/security/ssl/X509TrustManagerImpl/SunX509ExtendedTM.java
Passed: sun/security/ssl/X509TrustManagerImpl/TooManyCAs.java
Passed: sun/security/ssl/X509TrustManagerImpl/X509ExtendedTMEnabled.java
Test results: passed: 66; failed: 3


`CAInterop.java#actalisauthenticationrootca` is JDK-8366176. `CAInterop.java#digicerttlsrsarootg5` fails intermittently (no bug yet) and `CAInterop.java#teliasonerarootcav1` fails with `java.lang.RuntimeException: Intermediate Root CA not found in the chain` which is present in jdk-head as well. Unrelated to this patch.

-------------

Commit messages:
 - Backport 5173435bfd0db5db0113a6209f2f827b16598596

Changes: https://git.openjdk.org/jdk8u-dev/pull/684/files
  Webrev: https://webrevs.openjdk.org/?repo=jdk8u-dev&pr=684&range=00
  Issue: https://bugs.openjdk.org/browse/JDK-8361212
  Stats: 503 lines in 12 files changed: 0 ins; 491 del; 12 mod
  Patch: https://git.openjdk.org/jdk8u-dev/pull/684.diff
  Fetch: git fetch https://git.openjdk.org/jdk8u-dev.git pull/684/head:pull/684

PR: https://git.openjdk.org/jdk8u-dev/pull/684

