RFR: 8202651: Test ActalisCA.java and ComodoCA fails

Sean Mullan sean.mullan at oracle.com
Wed May 22 16:34:56 UTC 2019 

On 5/22/19 12:04 PM, Rajan Halade wrote:
> On 5/22/19 8:39 AM, Sean Mullan wrote:
>> On 5/21/19 5:31 PM, Rajan Halade wrote:
>>> Please review this fix to update test certificates used in Actalis 
>>> and Comodo CA interop tests. The bug also mentioned QuoVadisCA test 
>>> but I am not able to reproduce the failure. For Actalis CA, I 
>>> couldn't get revoked test certificate but the test is updated for 
>>> valid certificate and will pass now by skipping expired revoked chain.
>>
>> It looks like the test is still expecting a revoked status - is that 
>> still working because the IntCA is revoked?:
> It is working because revoked certificate is expired, test is skipped then.

Have you asked Actalis for a new revoked test certificate? If you can't 
get one, I would remove the revoked certificates and the test for it 
then, since you are not testing that behavior anymore and that is not 
apparent from the test right now.

Also do you know why the revocation check for the intermediate CA is not 
working?

>>
>>  232         // Validate Revoked
>>  233         pathValidator.validate(new String[]{REVOKED, INT_REVOKED},
>>  234                 ValidatePathWithParams.Status.REVOKED,
>>  235                 "Fri Jan 29 01:06:42 PST 2016", System.out);
>>  236
>>
>> It should be ok if the revoked certificate is expired though as you 
>> can set the validation date to the past (within the interval where the 
>> certificate is still valid).
>> Or is it because the Actalis OCSP responder is no longer reporting 
>> that the certificate is revoked?
> Earlier test had past validation with OCSP but for some time now OCSP is 
> returning UNKNOWN status instead of REVOKED. This could be an issue 
> depending on how implementation treats UNKNOWN status. We will have to 
> follow up with CA to check on policy - Is this only happening because we 
> are using test certificate or is it a policy?

It depends, if it is a TLS certificate then it is usually acceptable to 
report the revoked certificate as UNKNOWN after it expires since you 
should not be trusting expired TLS certificates. For a code signing 
certificate, it is better to retain the REVOKED status for a longer time 
period after it expires since it may still be in use (for example, in a 
timestamped application).

--Sean

> 
> Thanks,
> Rajan
>>
>> --Sean
>>
>>>
>>> Webrev: http://cr.openjdk.java.net/~rhalade/8202651/webrev.00/
>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8202651
>>>
>>> Thanks,
>>> Rajan
>

More information about the security-dev mailing list