[jdk8u] RFR: 8359170: Add 2 TLS and 2 CS Sectigo roots

Antonio Vieiro duke at openjdk.org
Mon Jun 16 09:37:37 UTC 2025 

On Fri, 13 Jun 2025 14:18:40 GMT, Antonio Vieiro <duke at openjdk.org> wrote:

> Not a clean backport of [JDK-8359170](https://bugs.openjdk.org/browse/JDK-8359170) from 11. This is a late CPU25_07-critical-approved enhancement request to include root certificates that are already widely used.
> 
> The backport is not clean as some files have changed locations in 8. 
> 
> Also **I removed the `/manual` stanza from the tests in `CAInterop.java` and the newly added `SectigoCSRootCAs.java`**, since [JDK-8334441](https://bugs.openjdk.org/browse/JDK-8334441) has not yet been backported to jdk8u.
> 
> `jdk_security_infra` tests:
> 6 failed (possibly due to the reasons described in [JDK-8334441](https://bugs.openjdk.org/browse/JDK-8334441): network timeouts, expired certificates, ...) unrelated.  Modified and new tests pass:
> 
> [...]
> Passed: security/infra/java/security/cert/CertPathValidator/certification/EmSignRootG2CA.java
> Passed: security/infra/java/security/cert/CertPathValidator/certification/HaricaCA.java
> Passed: security/infra/java/security/cert/CertPathValidator/certification/SectigoCSRootCAs.java <---
> Passed: sun/security/lib/cacerts/VerifyCACerts.java <---
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#usertrusteccca
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sectigotlsroote46 <---
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sectigotlsrootr46 <---
> Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#usertrustrsaca
> Passed: security/infra/java/security/cert/CertPathValidator/certification/DTrustCA.java
> Test results: passed: 50; failed: 6
> Test results: passed: 50; failed: 6
> TEST STATS: name=jdk_security_infra  run=56  pass=50  fail=6
> 
> 
> `jdk_security`:
> 3 failed, unrelated.
> 
> FAILED: sun/security/pkcs11/KeyStore/SecretKeysBasic.sh
> FAILED: sun/security/pkcs11/Signature/TestDSAKeyLength.java
> FAILED: sun/security/tools/jarsigner/TimestampCheck.java
> TEST STATS: name=jdk_security  run=1120  pass=1117  fail=3

> The failing tests are fixed by [JDK-8345414](https://bugs.openjdk.org/browse/JDK-8345414) which I'll be bringing to 8u once it's in 11u. As can be seen from the 11u PR - [openjdk/jdk11u-dev#3048](https://github.com/openjdk/jdk11u-dev/pull/3048) - the tests failing here fail there too. I don't see them being run in the 11u PR for this issue and I suspect they don't get run often, because `\manual` has been used to hide the failures.

That's great news. I'm not sure JDK-8345414 is enough to remove all the errors in `jdk_security_infra` tests in JDK8, though (I havent tried it either). 

Also we may want to remove some additional `/manual` stuff and run them by default in 11 and 8. The less we hide under the carpet the better.

-------------

PR Comment: https://git.openjdk.org/jdk8u/pull/75#issuecomment-2975813567

More information about the jdk8u-dev mailing list