RFR: 8308592: Framework for CA interoperability testing [v3]

Thu Jun 1 20:28:14 UTC 2023

On Wed, 31 May 2023 22:46:53 GMT, Rajan Halade <rhalade at openjdk.org> wrote:

>> The new approach uses test URLs directly to verify interoperability with CA infrastructure. This would help us avoid having regular test fixes to update test artifacts as long as CAs keep test domains up to date.
>
> Rajan Halade has updated the pull request incrementally with one additional commit since the last revision:
> 
>   8308592: remove unused imports

test/jdk/security/infra/java/security/cert/CertPathValidator/certification/ActalisCA.java line 40:

> 38:  * @library /test/lib
> 39:  * @build jtreg.SkippedException
> 40:  * @build ValidatePathWithURL

You could include these on one @build line.

test/jdk/security/infra/java/security/cert/CertPathValidator/certification/ValidatePathWithURL.java line 62:

> 60:     public static void enableOCSPOnly() {
> 61:         System.setProperty("com.sun.security.enableCRLDP", "false");
> 62:         Security.setProperty("ocsp.enable", "true");

Technically I think you could avoid setting these properties (and running in othervm mode) and instead init your `SSLContext` with a `TrustManager` and a `CertPathTrustManagerParameters` containing a `PKIXParameters` with a `PKIXRevocationChecker` configured with the desired revocation settings. However, AFAIK, you can't pass in an `SSLContext` via the `HttpsURLConnection` API, so you would need to use `HttpsClient` instead (which is only available in Java 11 and up). However, I think this is something to consider as a future enhancement, as you have more control over the various TLS settings.

test/jdk/security/infra/java/security/cert/CertPathValidator/certification/ValidatePathWithURL.java line 99:

> 97:             // certain that test certificate anchors to trusted CA for VALID certificate
> 98:             // if the connection is successful
> 99:             Certificate[] chain = httpsURLConnection.getServerCertificates();

Mostly FYI - but another way to get the chain is to call the `getCertPath()` method of the thrown `CertPathValidatorException`. This doesn't include the root though.

test/jdk/security/infra/java/security/cert/CertPathValidator/certification/ValidatePathWithURL.java line 109:

> 107:                 System.out.println("Finding intermediate certificate issued by CA");
> 108:                 for (Certificate cert: chain){
> 109:                     if(cert instanceof X509Certificate certificate) {

Nit: space after `if`.

test/jdk/security/infra/java/security/cert/CertPathValidator/certification/ValidatePathWithURL.java line 158:

> 156:             throw new SkippedException("Network setup issue, skip this test", e);
> 157:         } finally {
> 158:             if(httpsURLConnection != null) {

Nit: space after `if`.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/14252#discussion_r1213598274
PR Review Comment: https://git.openjdk.org/jdk/pull/14252#discussion_r1213621334
PR Review Comment: https://git.openjdk.org/jdk/pull/14252#discussion_r1213634860
PR Review Comment: https://git.openjdk.org/jdk/pull/14252#discussion_r1213635463
PR Review Comment: https://git.openjdk.org/jdk/pull/14252#discussion_r1213636840