RFR: 8369282: Distrust TLS server certificates anchored by Chunghwa ePKI Root CA
Mark Powers
mpowers at openjdk.org
Mon Dec 22 17:24:16 UTC 2025
On Mon, 22 Dec 2025 10:49:51 GMT, Mikhail Yankelevich <myankelevich at openjdk.org> wrote:
>> [JDK-8369282](https://bugs.openjdk.org/browse/JDK-8369282)
>
> src/java.base/share/classes/sun/security/validator/ChunghwaTLSPolicy.java line 87:
>
>> 85: }
>> 86:
>> 87: private static void checkNotBefore(LocalDate notBeforeDate,
>
> I might be wrong, but wouldn't 'Not Before' mean that it would also include the date ('Equals or After'). I think renaming it to `checkIsAfter` would be better, what do you think?
I agree. However, `notBefore` was probably chosen because it is also a field in the X509Certificate. The name appears in many places. What about adding a comment:
Check whether the certificate's `notBeforeDate` is after the distrust date for the anchor (root CA).
Throw ValidatorException if it is after the distrust date.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/28930#discussion_r2640605964
More information about the security-dev
mailing list