RFR: 8307134: Add GTS root CAs [v3]

Jiangli Zhou jiangli at openjdk.org
Tue May 2 21:14:17 UTC 2023

On Tue, 2 May 2023 20:36:57 GMT, Sean Mullan <mullan at openjdk.org> wrote:

>> The original R4 did not have the digitalSignature keyUsage set. This root signs OCSP responses, so it needed to be reissued to comply with section of the CA/B Forum baseline requirements. The only change between the two versions aside from the serial number is the addition of the digitalSignature key usage bit.
> Thanks for the explanation. Please file a different issue for this change, since it is outside the scope of this issue, which is to specifically add new roots that have been approved by the Java SE CA Root Program processes. Updated roots, even for small changes such as this, should be handled and approved using an equivalent process.

Reverted src/java.base/share/data/cacerts/globalsigneccrootcar4 in this PR. Looks like the update for "globalsigneccrootcar4 [jdk]" in test/jdk/sun/security/lib/cacerts/VerifyCACerts.java also needs to be reverted, otherwise the test fails with the following error. I'll go ahead and revert that as well.

ERROR: wrong checksum72:03:89:C2:7B:BF:87:87:E1:65:44:6E:43:5C:65:FF:B5:E8:F9:4C:8A:D1:63:6D:D1:91:4C:AD:1C:9A:CB:3B
Expected checksum23:6E:7A:1C:37:AD:82:31:FD:32:E8:31:63:4B:1A:88:BA:1A:4D:F6:D3:91:CD:0F:B4:09:EC:55:9A:B2:01:51
ERROR: globalsigneccrootcar4 [jdk] SHA-256 fingerprint is incorrect
java.lang.RuntimeException: At least one cacert test failed
        at VerifyCACerts.main(VerifyCACerts.java:380)
        at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
        at java.base/java.lang.reflect.Method.invoke(Method.java:578)
        at com.sun.javatest.regtest.agent.MainWrapper$MainTask.run(MainWrapper.java:138)
        at java.base/java.lang.Thread.run(Thread.java:1592)


PR Review Comment: https://git.openjdk.org/jdk/pull/13754#discussion_r1183055459
