RFR: 8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs [v2]
Mark Powers
mpowers at openjdk.org
Thu Jan 23 20:23:41 UTC 2025
On Thu, 23 Jan 2025 17:56:06 GMT, Sean Mullan <mullan at openjdk.org> wrote:
>> Mark Powers has updated the pull request incrementally with one additional commit since the last revision:
>>
>> comments from Sean
>
> test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/Camerfirma.java line 58:
>
>> 56:
>> 57: public static void main(String[] args) throws Exception {
>> 58: String prop = Security.getProperty("jdk.certpath.disabledAlgorithms");
>
> Can you add a comment here saying that some (all?) of the test certificates are signed with SHA-1 so we need to remove the constraint that disallows SHA-1 certificates?

fixed

> test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/Distrust.java line 1:
>
>> 1: /*
>
> Update copyright date.

oops

> test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/camerfirma/camerfirmachambersca-chain.pem line 1:
>
>> 1: -----BEGIN CERTIFICATE-----
>
> Can you put some basic information about the certs at the top of these files, such as the Issuer DN, etc? See the entrust pem files for examples.

done

-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/22985#discussion_r1927630573
PR Review Comment: https://git.openjdk.org/jdk/pull/22985#discussion_r1927631066
PR Review Comment: https://git.openjdk.org/jdk/pull/22985#discussion_r1927630827