[jdk8u-dev] RFR: 8369282: Distrust TLS server certificates anchored by Chunghwa ePKI Root CA
Andrew John Hughes
andrew at openjdk.org
Fri Feb 27 23:52:55 UTC 2026
A necessary certificate status change that should be synchronised across all JDKs.
The code changes applied cleanly, but then most of the change is new files. In `ChunghwaTLSPolicy.java`, it was necessary to replace `LocalDate.ofInstant(d.toInstant(),z)` (not present in 8u) with the equivalent `d.toInstant().atZone(z).toLocalDate()` as was also done for `CamerfirmaTLSPolicy.java` (the two are close to identical bar the differing dates and certificate details).
Other than that, it was necessary to manually apply the copyright header change in `CADistrustPolicy.java` (the start date differs for some reason) and to duplicate the `java.security` changes to the five variants in 8u, plus the obvious path shuffling.
The new test passed:
~~~
Passed: sun/security/ssl/X509TrustManagerImpl/distrust/Camerfirma.java
Passed: sun/security/ssl/X509TrustManagerImpl/distrust/Chunghwa.java
Passed: sun/security/ssl/X509TrustManagerImpl/distrust/Entrust.java
Passed: sun/security/ssl/X509TrustManagerImpl/distrust/Symantec.java
Test results: passed: 4
~~~
-------------
Commit messages:
- Backport 53b9617326389588780a560799444f170175df8d
Changes: https://git.openjdk.org/jdk8u-dev/pull/764/files
Webrev: https://webrevs.openjdk.org/?repo=jdk8u-dev&pr=764&range=00
Issue: https://bugs.openjdk.org/browse/JDK-8369282
Stats: 264 lines in 9 files changed: 258 ins; 0 del; 6 mod
Patch: https://git.openjdk.org/jdk8u-dev/pull/764.diff
Fetch: git fetch https://git.openjdk.org/jdk8u-dev.git pull/764/head:pull/764
PR: https://git.openjdk.org/jdk8u-dev/pull/764
More information about the jdk8u-dev
mailing list