[jdk8u-dev] RFR: 8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs [v2]
Severin Gehwolf
sgehwolf at openjdk.org
Tue Feb 25 17:00:43 UTC 2025
> Please review this backport of adding distrust for certificates rooted by Camerfirma. The JDK 11u patch didn't apply cleanly due to the following reasons:
>
> - `Set.of()` => `Collections.unmodifiableSet(new HashSet<>(Arrays.asList()))` in `CamerfirmaTLSPolicy.java`
> - `LocalDate.ofInstant()` => `Date.toInstant().atZone(ZoneOffset.UTC).toLocalDate()`
> - `java.security-<os>` file duplications
> - `/test/lib` => `/lib/security` in `Camerfirma.java` test
> - One copyright hunk didn't apply. Applied manually.
>
> Testing:
> - [x] tests in `sun/security/ssl/X509TrustManagerImpl` including the new `Camerfirma.java` test which fails for unpatched and passes with patched JDK 8u.
Severin Gehwolf has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains three additional commits since the last revision:
- Merge branch 'jdk-8339560-unaddressed-comments-backport' into jdk-8346587-camerfirma-root-distrust
- JDK 8u adjustments for CamerfirmaTLSPolicy
- 8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs
-------------
Changes:
- all: https://git.openjdk.org/jdk8u-dev/pull/627/files
- new: https://git.openjdk.org/jdk8u-dev/pull/627/files/701a9c1e..0b637d1a
Webrevs:
- full: https://webrevs.openjdk.org/?repo=jdk8u-dev&pr=627&range=01
- incr: https://webrevs.openjdk.org/?repo=jdk8u-dev&pr=627&range=00-01
Stats: 1 line in 1 file changed: 1 ins; 0 del; 0 mod
Patch: https://git.openjdk.org/jdk8u-dev/pull/627.diff
Fetch: git fetch https://git.openjdk.org/jdk8u-dev.git pull/627/head:pull/627
PR: https://git.openjdk.org/jdk8u-dev/pull/627
More information about the jdk8u-dev
mailing list