RFR: 8325766: Review seclibs tests for cert expiry [v3]
Artur Barashev
abarashev at openjdk.org
Thu Apr 3 20:33:55 UTC 2025

On Tue, 18 Mar 2025 14:58:51 GMT, Matthew Donovan <mdonovan at openjdk.org> wrote:

>> This PR updates the CertificateBuilder with a new method that creates a new instance with common fields (subject name, public key, serial number, validity, and key uses) filled in. One test, IPIdentities.java, is updated to show how the method can be used to create various certificates. I attached screenshots that compare the old hard-coded certificates (left) with the new generated certificates.
>
> Matthew Donovan has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains seven commits:
>
> - reversed order of DN strings when making certificates.
> - Merge branch 'master' into certbuilder
> - Merge branch 'master' into certbuilder
> - Merge branch 'master' into certbuilder
> - Merge branch 'master' into certbuilder
> - changed boolean array initialization
> - 8325766: Review seclibs tests for cert expiry

test/jdk/sun/net/www/protocol/https/HttpsURLConnection/IPIdentities.java line 243:

> 241: .addBasicConstraintsExt(false, false, -1)
> 242: .addExtension(CertificateBuilder.createIPSubjectAltNameExt(true, "127.0.0.1"))
> 243: .build(trustedCert, caKeys.getPrivate(), "MD5WithRSA");

MD5 algorithm is not allowed in TLSv1.3

test/jdk/sun/net/www/protocol/https/HttpsURLConnection/IPIdentities.java line 255:

> 253: .addExtension(CertificateBuilder.createIPSubjectAltNameExt(true, "127.0.0.1"))
> 254: .addBasicConstraintsExt(false, false, -1)
> 255: .build(trustedCert, caKeys.getPrivate(), "MD5WithRSA");

Same as above: MD5 algorithm is not allowed in TLSv1.3 certificates

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/23700#discussion_r2027699283
PR Review Comment: https://git.openjdk.org/jdk/pull/23700#discussion_r2027699952