RFR: 8202651: Test ActalisCA.java and ComodoCA fails
Rajan Halade
rajan.halade at oracle.com
Wed May 22 17:35:05 UTC 2019
On 5/22/19 9:34 AM, Sean Mullan wrote:
> On 5/22/19 12:04 PM, Rajan Halade wrote:
>> On 5/22/19 8:39 AM, Sean Mullan wrote:
>>> On 5/21/19 5:31 PM, Rajan Halade wrote:
>>>> Please review this fix to update the test certificates used in the Actalis
>>>> and Comodo CA interop tests. The bug also mentions the QuoVadisCA test,
>>>> but I am not able to reproduce the failure. For Actalis CA, I
>>>> couldn't get a revoked test certificate, but the test is updated for the
>>>> valid certificate and will pass now by skipping the expired revoked chain.
>>>
>>> It looks like the test is still expecting a revoked status - is that
>>> still working because the IntCA is revoked?:
>> It is working because the revoked certificate is expired, so the test is
>> skipped then.
>
> Have you asked Actalis for a new revoked test certificate? If you
> can't get one, I would remove the revoked certificates and the test
> for it then, since you are not testing that behavior anymore and that
> is not apparent from the test right now.
I will follow up with the CA then and leave this bug open for now.
>
> Also do you know why the revocation check for the intermediate CA is
> not working?
The revocation check on the intermediate CA is working fine. INT_REVOKED is a
good certificate; the name is misleading. INT_REVOKED here means that
this is the intermediate CA for the revoked EE certificate.
Thanks,
Rajan
>
>>>
>>> // Validate Revoked
>>> pathValidator.validate(new String[]{REVOKED, INT_REVOKED},
>>>         ValidatePathWithParams.Status.REVOKED,
>>>         "Fri Jan 29 01:06:42 PST 2016", System.out);
>>>
>>>
>>> It should be ok if the revoked certificate is expired though as you
>>> can set the validation date to the past (within the interval where
>>> the certificate is still valid).
>>> Or is it because the Actalis OCSP responder is no longer reporting
>>> that the certificate is revoked?
>> The earlier test did past-date validation with OCSP, but for some time now OCSP
>> has been returning UNKNOWN status instead of REVOKED. This could be an
>> issue depending on how the implementation treats UNKNOWN status. We will
>> have to follow up with the CA to check on policy: is this only happening
>> because we are using a test certificate, or is it a policy?
>
> It depends: if it is a TLS certificate then it is usually acceptable
> to report the revoked certificate as UNKNOWN after it expires since
> you should not be trusting expired TLS certificates. For a code
> signing certificate, it is better to retain the REVOKED status for a
> longer time period after it expires since it may still be in use (for
> example, in a timestamped application).
>
> --Sean
>
>>
>> Thanks,
>> Rajan
>>>
>>> --Sean
>>>
>>>>
>>>> Webrev: http://cr.openjdk.java.net/~rhalade/8202651/webrev.00/
>>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8202651
>>>>
>>>> Thanks,
>>>> Rajan
>>
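As an added example (not code from the test under review or from the JDK itself), this is the technique Sean describes above: validating a chain as of a date in the past, with OCSP revocation checking enabled, and distinguishing a REVOKED answer from the UNDETERMINED_REVOCATION_STATUS reason the JDK checker reports when the responder answers UNKNOWN. The second run uses the SOFT_FAIL option, where an UNKNOWN answer no longer fails validation and is only recorded in the checker's soft-fail list, which is the "depends on how the implementation treats UNKNOWN status" point. The PEM file arguments, the ISO-8601 date argument and the Outcome enum are assumptions of this example; revocation checking necessarily contacts the CA's OCSP responder, so this is not an offline run.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorException.BasicReason;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.EnumSet;
import java.util.List;

/**
 * Added example: validate a certificate chain as of a past date with OCSP
 * checking enabled, and classify how the revocation checker judged it.
 *
 * Usage (file names and date are assumptions of this example):
 *   java PastDateValidation anchor.pem 2016-01-29T09:06:42Z ee.pem intermediate.pem
 */
public class PastDateValidation {

    /** Outcome categories for the caller; this enum is part of the example, not a JDK type. */
    enum Outcome { VALID, EXPIRED_AT_DATE, REVOKED, UNDETERMINED, OTHER_FAILURE }

    static Outcome validateAt(X509Certificate anchor, List<X509Certificate> chain,
                              Date validationDate, boolean softFail) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain); // EE first, then intermediates

        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        EnumSet<PKIXRevocationChecker.Option> opts = EnumSet.noneOf(PKIXRevocationChecker.Option.class);
        if (softFail) {
            opts.add(PKIXRevocationChecker.Option.SOFT_FAIL); // unknown/unavailable status no longer throws
        }
        rc.setOptions(opts);

        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(anchor, null)));
        params.addCertPathChecker(rc);      // use this checker instead of the default one
        params.setRevocationEnabled(true);
        params.setDate(validationDate);     // validity and revocation are evaluated as of this date

        try {
            cpv.validate(path, params);
        } catch (CertPathValidatorException e) {
            if (e.getReason() == BasicReason.EXPIRED || e.getReason() == BasicReason.NOT_YET_VALID) {
                return Outcome.EXPIRED_AT_DATE;   // the chosen date is outside the certificate's validity
            }
            if (e.getReason() == BasicReason.REVOKED) {
                return Outcome.REVOKED;           // responder said REVOKED with a time before the validation date
            }
            if (e.getReason() == BasicReason.UNDETERMINED_REVOCATION_STATUS) {
                return Outcome.UNDETERMINED;      // responder said UNKNOWN (or was unreachable) in strict mode
            }
            return Outcome.OTHER_FAILURE;
        }

        // In SOFT_FAIL mode an UNKNOWN answer is swallowed by validate() and only recorded here.
        for (CertPathValidatorException e : rc.getSoftFailExceptions()) {
            if (e.getReason() == BasicReason.UNDETERMINED_REVOCATION_STATUS) {
                return Outcome.UNDETERMINED;
            }
        }
        return Outcome.VALID;
    }

    static X509Certificate readPem(String file) throws Exception {
        try (InputStream in = new FileInputStream(file)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: PastDateValidation <anchor.pem> <ISO-8601 date> <ee.pem> [intermediate.pem ...]");
            return;
        }
        X509Certificate anchor = readPem(args[0]);
        Date when = Date.from(Instant.parse(args[1]));
        List<X509Certificate> chain = new ArrayList<>();
        for (int i = 2; i < args.length; i++) {
            chain.add(readPem(args[i]));
        }
        System.out.println("strict:    " + validateAt(anchor, chain, when, false));
        System.out.println("soft-fail: " + validateAt(anchor, chain, when, true));
    }
}
```

The two runs make the policy question in the thread concrete: a responder that has dropped the REVOKED status for an expired certificate yields UNDETERMINED in strict mode, and in soft-fail mode the chain validates with the UNKNOWN answer visible only through getSoftFailExceptions(), so a test that expects REVOKED has to look at the reason, not just at whether validate() threw.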