RFR: 8369282: Distrust TLS server certificates anchored by Chunghwa ePKI Root CA
Mikhail Yankelevich
myankelevich at openjdk.org
Tue Dec 23 12:37:25 UTC 2025
On Mon, 22 Dec 2025 17:20:56 GMT, Mark Powers <mpowers at openjdk.org> wrote:
>> src/java.base/share/classes/sun/security/validator/ChunghwaTLSPolicy.java line 87:
>>
>>> 85: }
>>> 86:
>>> 87: private static void checkNotBefore(LocalDate notBeforeDate,
>>
>> I might be wrong, but wouldn't 'Not Before' mean that it would also include the date ('Equals or After'). I think renaming it to `checkIsAfter` would be better, what do you think?
>
> I agree. However, `notBefore` was probably chosen because it is also a field in the X509Certificate. The name appears in many places. What about adding a comment:
> Check whether the certificate's `notBeforeDate` is after the distrust date for the anchor (root CA).
> Throw ValidatorException if it is after the distrust date.
That would be fine with me and I think would be helpful. Thank you!
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/28930#discussion_r2643051628
More information about the security-dev
mailing list