RFR: 8232838: Update VerifyCACerts test to ensure cacerts contain entries for CA
Sean Mullan
mullan at openjdk.org
Wed Sep 11 12:42:04 UTC 2024
On Tue, 13 Aug 2024 20:49:35 GMT, Rajan Halade <rhalade at openjdk.org> wrote:
> Updated VerifyCACerts test to check if BasicConstraints lists "CA:true" and KeyUsage, if included, asserts the keyCertSign bit.
test/jdk/sun/security/lib/cacerts/VerifyCACerts.java line 405:
> 403: boolean[] keyUsageBits = cert.getKeyUsage();
> 404: // check that the KeyUsage extension, if included, asserts the keyCertSign bit
> 405: if (keyUsageBits != null && !keyUsageBits[5]){
I would also treat no key usage extension as an error (except for the V1 root). I would also make sure it sets the cRLSign bit.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/20573#discussion_r1754374868
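
The stricter check suggested in the review comment above, written out as an added example. It is not code from the PR or from VerifyCACerts.java; the class name `CaCertUsageCheck`, the `check` helper and the trust store path are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class CaCertUsageCheck {
    // Indices into the boolean[] returned by X509Certificate.getKeyUsage().
    static final int KEY_CERT_SIGN = 5;
    static final int CRL_SIGN = 6;

    /** Returns the problems found for one root certificate; an empty list means it passed. */
    static List<String> check(X509Certificate cert) {
        List<String> problems = new ArrayList<>();
        if (cert.getVersion() == 1) {
            // V1 certificates cannot carry extensions, so they are exempt.
            return problems;
        }
        // getBasicConstraints() returns -1 when the certificate is not marked as a CA.
        if (cert.getBasicConstraints() == -1) {
            problems.add("BasicConstraints does not assert CA:true");
        }
        boolean[] ku = cert.getKeyUsage(); // null when the KeyUsage extension is absent
        if (ku == null) {
            problems.add("KeyUsage extension is missing");
        } else {
            if (!ku[KEY_CERT_SIGN]) problems.add("KeyUsage does not assert keyCertSign");
            if (!ku[CRL_SIGN]) problems.add("KeyUsage does not assert cRLSign");
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: the trust store to audit is $JAVA_HOME/lib/security/cacerts.
        String path = System.getProperty("java.home") + "/lib/security/cacerts";
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, null); // null password: entries are read without an integrity check
        }
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                for (String p : check((X509Certificate) c)) System.out.println(alias + ": " + p);
            }
        }
    }
}
```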