[jdk8u-dev] RFR: 8361212: Remove AffirmTrust root CAs

Thu Aug 28 00:16:47 UTC 2025

On Wed, 27 Aug 2025 12:55:57 GMT, Severin Gehwolf <sgehwolf at openjdk.org> wrote:

> Backport of JDK-8361212 to remove expired certificates. The patch is almost clean as compared to the JDK 11 version (modulo path suffeling).
> 
> Testing:
> 
> Passed: sun/security/lib/cacerts/VerifyCACerts.java
> FAILED: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#actalisauthenticationrootca
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#amazonrootca1
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#amazonrootca2
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#amazonrootca3
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#amazonrootca4
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#buypassclass2ca
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#buypassclass3ca
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#certainlyroote1
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#certainlyrootr1
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#certignarootca
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#comodoeccca
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#comodorsaca
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#digicerttlseccrootg5
> FAILED: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#digicerttlsrsarootg5
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#emsigneccrootcag3
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#emsignrootcag1
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#entrustrootcaec1
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#entrustrootcag4
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#globalsigne46
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#globalsigneccrootcar4
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#globalsignr46
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAIntero...

Looks good. Only some contextual differences and the different `@run` lines differ from the 11u patch.

Please apply for approval.

-------------

Marked as reviewed by andrew (Reviewer).

PR Review: https://git.openjdk.org/jdk8u-dev/pull/684#pullrequestreview-3162371026