RFR: 8202651: Test ActalisCA.java and ComodoCA fails
Rajan Halade
rajan.halade at oracle.com
Wed May 22 16:04:51 UTC 2019
On 5/22/19 8:39 AM, Sean Mullan wrote:
> On 5/21/19 5:31 PM, Rajan Halade wrote:
>> Please review this fix to update test certificates used in Actalis
>> and Comodo CA interop tests. The bug also mentioned QuoVadisCA test
>> but I am not able to reproduce the failure. For Actalis CA, I
>> couldn't get a revoked test certificate but the test is updated for
>> a valid certificate and will pass now by skipping the expired revoked chain.
>
> It looks like the test is still expecting a revoked status - is that
> still working because the IntCA is revoked?:
It is working because the revoked certificate is expired; the test is skipped then.
>
> // Validate Revoked
> pathValidator.validate(new String[]{REVOKED, INT_REVOKED},
>         ValidatePathWithParams.Status.REVOKED,
>         "Fri Jan 29 01:06:42 PST 2016", System.out);
>
> It should be ok if the revoked certificate is expired though as you
> can set the validation date to the past (within the interval where the
> certificate is still valid).
> Or is it because the Actalis OCSP responder is no longer reporting
> that the certificate is revoked?
Earlier, the test had past validation with OCSP, but for some time now OCSP is
returning UNKNOWN status instead of REVOKED. This could be an issue
depending on how the implementation treats UNKNOWN status. We will have to
follow up with the CA to check on policy - is this only happening because we
are using a test certificate, or is it a policy?
Thanks,
Rajan
>
> --Sean
>
>>
>> Webrev: http://cr.openjdk.java.net/~rhalade/8202651/webrev.00/
>> Bug: https://bugs.openjdk.java.net/browse/JDK-8202651
>>
>> Thanks,
>> Rajan
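
The question raised in the thread, how a caller treats an undetermined revocation status as opposed to a definite REVOKED, shown as an added example that is not part of the original messages or of the JDK test code. The class, enum and method names are hypothetical. It assumes an OCSP "unknown" answer reaches the caller as BasicReason.UNDETERMINED_REVOCATION_STATUS, and main() uses constructed exceptions in place of live OCSP responses.

```java
import java.security.cert.*;
import java.security.cert.CertPathValidatorException.BasicReason;
import java.security.cert.PKIXRevocationChecker.Option;
import java.util.*;

public class RevocationOutcome {
    // Hypothetical outcome names for this example.
    enum Outcome { GOOD, REVOKED, UNDETERMINED, OTHER_FAILURE }

    // Map a validation failure to an outcome using the standard reason codes.
    static Outcome classify(CertPathValidatorException e) {
        CertPathValidatorException.Reason r = e.getReason();
        if (r == BasicReason.REVOKED) return Outcome.REVOKED;
        if (r == BasicReason.UNDETERMINED_REVOCATION_STATUS) return Outcome.UNDETERMINED;
        return Outcome.OTHER_FAILURE;
    }

    // Validate a path as of a given (possibly past) date, OCSP only, no CRL fallback.
    static Outcome validateAt(CertPath path, Set<TrustAnchor> anchors, Date when)
            throws Exception {
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        rc.setOptions(EnumSet.of(Option.NO_FALLBACK));
        PKIXParameters params = new PKIXParameters(anchors);
        params.setDate(when);           // validity is evaluated at this date
        params.addCertPathChecker(rc);  // explicit revocation checker
        try {
            cpv.validate(path, params);
            return Outcome.GOOD;
        } catch (CertPathValidatorException e) {
            return classify(e);
        }
    }

    // Fail closed: only a definite GOOD is accepted, UNDETERMINED is not.
    static boolean accept(Outcome o) { return o == Outcome.GOOD; }

    public static void main(String[] args) {
        // Constructed exceptions stand in for live validation results.
        BasicReason[] samples = { BasicReason.REVOKED,
                BasicReason.UNDETERMINED_REVOCATION_STATUS, BasicReason.EXPIRED };
        for (BasicReason r : samples) {
            Outcome o = classify(
                    new CertPathValidatorException("constructed", null, null, -1, r));
            System.out.println(r + " -> " + o + ", accepted=" + accept(o));
        }
    }
}
```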