[jdk8u-dev] RFR: 8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs

Severin Gehwolf sgehwolf at openjdk.org
Tue Feb 25 11:56:40 UTC 2025


On Tue, 25 Feb 2025 11:51:52 GMT, Severin Gehwolf <sgehwolf at openjdk.org> wrote:

> Please review this backport of adding distrust for certificates rooted by Camerfirma. The JDK 11u patch didn't apply cleanly due to the following reasons:
> 
> - `Set.of()` => `Collections.unmodifiableSet(new HashSet<>(Arrays.asList()))` in `CamerfirmaTLSPolicy.java`
> - `LocalDate.ofInstant()` => `Date.toInstant().atZone(ZoneOffset.UTC).toLocalDate()`
> - `java.security-<os>` file duplications
> - `/test/lib` => `/lib/security` in `Camerfirma.java` test
> - One copyright hunk didn't apply. Applied manually.
> 
> Testing:
> - [x] tests in `sun/security/ssl/X509TrustManagerImpl` including the new `Camerfirma.java` test which fails for unpatched and passes with patched JDK 8u.

Passed: sun/security/ssl/X509TrustManagerImpl/distrust/Camerfirma.java
Passed: sun/security/ssl/X509TrustManagerImpl/distrust/Entrust.java
Passed: sun/security/ssl/X509TrustManagerImpl/distrust/Symantec.java
Passed: sun/security/ssl/X509TrustManagerImpl/BasicConstraints.java
Passed: sun/security/ssl/X509TrustManagerImpl/CacertsLimit.java
Passed: sun/security/ssl/X509TrustManagerImpl/CertRequestOverflow.java
Passed: sun/security/ssl/X509TrustManagerImpl/CheckNullEntity.java
Passed: sun/security/ssl/X509TrustManagerImpl/ClientServer.java
Passed: sun/security/ssl/X509TrustManagerImpl/ComodoHacker.java
Passed: sun/security/ssl/X509TrustManagerImpl/PKIXExtendedTM.java
Passed: sun/security/ssl/X509TrustManagerImpl/SelfIssuedCert.java
Passed: sun/security/ssl/X509TrustManagerImpl/SunX509ExtendedTM.java
Passed: sun/security/ssl/X509TrustManagerImpl/TooManyCAs.java
Passed: sun/security/ssl/X509TrustManagerImpl/X509ExtendedTMEnabled.java
Test results: passed: 14

-------------

PR Comment: https://git.openjdk.org/jdk8u-dev/pull/627#issuecomment-2681703152
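
An added illustration, not part of the original message or of the JDK patch: the two JDK 8 API substitutions listed in the backport notes, placed in a hypothetical distrust-after-date check. The class name, method names, fingerprint strings and cutoff date are placeholders constructed for this sketch.

```java
import java.time.LocalDate;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;

// Hypothetical sketch; compiles on JDK 8 (no Set.of, no LocalDate.ofInstant).
public class DistrustSketch {
    // JDK 9+: Set.of(...). JDK 8 form from the backport notes.
    // Unlike Set.of, this form does not reject duplicate or null elements.
    // Placeholder values, not real root fingerprints.
    private static final Set<String> DISTRUSTED_ANCHORS =
        Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
            "PLACEHOLDER-ROOT-FINGERPRINT-1",
            "PLACEHOLDER-ROOT-FINGERPRINT-2")));

    // Constructed cutoff for the demo, not the date used by the real policy.
    private static final LocalDate CUTOFF = LocalDate.of(2030, 1, 1);

    // JDK 9+: LocalDate.ofInstant(d.toInstant(), ZoneOffset.UTC). JDK 8 form below.
    // Pinning UTC keeps the result independent of the host's default time zone.
    static LocalDate notBeforeUtc(Date notBefore) {
        return notBefore.toInstant().atZone(ZoneOffset.UTC).toLocalDate();
    }

    // A chain is rejected only if it ends at a listed anchor AND the leaf
    // certificate's notBefore date falls after the cutoff.
    static boolean isDistrusted(String anchorFingerprint, Date leafNotBefore) {
        return DISTRUSTED_ANCHORS.contains(anchorFingerprint)
            && notBeforeUtc(leafNotBefore).isAfter(CUTOFF);
    }

    public static void main(String[] args) {
        // Constructed timestamps one second apart, straddling the UTC day boundary.
        Date onCutoff = Date.from(
            ZonedDateTime.of(2030, 1, 1, 23, 59, 59, 0, ZoneOffset.UTC).toInstant());
        Date pastCutoff = Date.from(
            ZonedDateTime.of(2030, 1, 2, 0, 0, 0, 0, ZoneOffset.UTC).toInstant());
        String listed = "PLACEHOLDER-ROOT-FINGERPRINT-1";
        System.out.println(isDistrusted(listed, onCutoff));
        System.out.println(isDistrusted(listed, pastCutoff));
        System.out.println(isDistrusted("SOME-OTHER-ROOT", pastCutoff));
        try {
            DISTRUSTED_ANCHORS.add("x"); // the wrapper must refuse mutation
        } catch (UnsupportedOperationException e) {
            System.out.println("anchor set is read-only");
        }
    }
}
```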

