[jdk8u-dev] RFR: 8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs

Severin Gehwolf sgehwolf at openjdk.org
Tue Feb 25 11:56:40 UTC 2025


Please review this backport of adding distrust for certificates rooted by Camerfirma. The JDK 11u patch didn't apply cleanly due to the following reasons:

- `Set.of()` => `Collections.unmodifiableSet(new HashSet<>(Arrays.asList()))` in `CamerfirmaTLSPolicy.java`
- `LocalDate.ofInstant()` => `Date.toInstant().atZone(ZoneOffset.UTC).toLocalDate()`
- `java.security-<os>` file duplications
- `/test/lib` => `/lib/security` in `Camerfirma.java` test
- One copyright hunk didn't apply. Applied manually.

Testing:
- [x] tests in `sun/security/ssl/X509TrustManagerImpl` including the new `Camerfirma.java` test which fails for unpatched and passes with patched JDK 8u.

-------------

Depends on: https://git.openjdk.org/jdk8u-dev/pull/626

Commit messages:
 - JDK 8u adjustments for CamerfirmaTLSPolicy
 - 8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs

Changes: https://git.openjdk.org/jdk8u-dev/pull/627/files
  Webrev: https://webrevs.openjdk.org/?repo=jdk8u-dev&pr=627&range=00
  Issue: https://bugs.openjdk.org/browse/JDK-8346587
  Stats: 412 lines in 12 files changed: 404 ins; 0 del; 8 mod
  Patch: https://git.openjdk.org/jdk8u-dev/pull/627.diff
  Fetch: git fetch https://git.openjdk.org/jdk8u-dev.git pull/627/head:pull/627

PR: https://git.openjdk.org/jdk8u-dev/pull/627
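
The two JDK 8 API substitutions listed in the message, placed in a small fingerprint-and-date check. This is an added example, not code from the patch or from the OpenJDK project. The class name, the placeholder fingerprint, the cutoff date and the shape of the check are assumptions made for illustration.

```java
import java.time.Instant;
import java.time.LocalDate;
import java.time.ZoneOffset;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;

public class DistrustCheckJdk8 {
    // JDK 8 form of Set.of(...). The entry is a constructed placeholder,
    // not a real root CA fingerprint.
    private static final Set<String> DISTRUSTED_ANCHORS =
        Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
            "PLACEHOLDER_SHA256_FINGERPRINT_OF_DISTRUSTED_ROOT")));

    // Constructed cutoff date for illustration only (assumption).
    private static final LocalDate CUTOFF = LocalDate.of(2030, 1, 1);

    // JDK 8 form of LocalDate.ofInstant(d.toInstant(), ZoneOffset.UTC).
    // Pinning UTC keeps the result independent of the host's default zone.
    static LocalDate toUtcDate(Date d) {
        return d.toInstant().atZone(ZoneOffset.UTC).toLocalDate();
    }

    // Hypothetical check: reject when the chain's anchor is in the
    // distrusted set and the leaf's notBefore date falls after the cutoff.
    static boolean isRejected(String anchorFingerprint, Date leafNotBefore) {
        if (!DISTRUSTED_ANCHORS.contains(anchorFingerprint)) {
            return false;
        }
        return toUtcDate(leafNotBefore).isAfter(CUTOFF);
    }

    public static void main(String[] args) {
        String anchor = "PLACEHOLDER_SHA256_FINGERPRINT_OF_DISTRUSTED_ROOT";
        // Constructed notBefore values around the cutoff.
        Date lateOnCutoffDay = Date.from(Instant.parse("2030-01-01T23:30:00Z"));
        Date dayAfterCutoff = Date.from(Instant.parse("2030-01-02T00:00:00Z"));

        // Still 2030-01-01 in UTC, so not after the cutoff. A zone east of
        // UTC would already read 2030-01-02 and flip the decision.
        System.out.println(isRejected(anchor, lateOnCutoffDay));
        System.out.println(isRejected(anchor, dayAfterCutoff));
        // An anchor outside the distrusted set is never rejected by this check.
        System.out.println(isRejected("OTHER_ANCHOR", dayAfterCutoff));
    }
}
```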

