RFR: 8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs
Sean Mullan
mullan at openjdk.org
Thu Jan 23 18:01:47 UTC 2025
On Wed, 8 Jan 2025 23:27:34 GMT, Mark Powers <mpowers at openjdk.org> wrote:

> [JDK-8346587](https://bugs.openjdk.org/browse/JDK-8346587)

test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/Camerfirma.java line 58:

> 56:
> 57: public static void main(String[] args) throws Exception {
> 58: String prop = Security.getProperty("jdk.certpath.disabledAlgorithms");

Can you add a comment here saying that some (all?) of the test certificates are signed with SHA-1 so we need to remove the constraint that disallows SHA-1 certificates?

test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/Distrust.java line 1:

> 1: /*

Update copyright date.

test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/camerfirma/camerfirmachambersca-chain.pem line 1:

> 1: -----BEGIN CERTIFICATE-----

Can you put some basic information about the certs at the top of these files, such as the Issuer DN, etc? See the entrust pem files for examples.

-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/22985#discussion_r1927427764
PR Review Comment: https://git.openjdk.org/jdk/pull/22985#discussion_r1927420690
PR Review Comment: https://git.openjdk.org/jdk/pull/22985#discussion_r1927422098