RFR: 8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs [v2]
Sean Mullan
mullan at openjdk.org
Thu Jan 23 22:15:47 UTC 2025
On Thu, 23 Jan 2025 20:20:04 GMT, Mark Powers <mpowers at openjdk.org> wrote:
>> test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/camerfirma/camerfirmachambersca-chain.pem line 1:
>>
>>> 1: -----BEGIN CERTIFICATE-----
>>
>> Can you put some basic information about the certs at the top of these files, such as the Issuer DN, etc? See the entrust pem files for examples.
>
> done
I think you added the fields for the root certificates, and not these certificates. Also, these are not root certificates, so I would remove "Root Certificate".
You can use `keytool -printcert -file ...` and just include the fields before the Extensions part, ex for one of them:
Owner: CN=Camerfirma Corporate Server II - 2015, L=Madrid (see current address at https://www.camerfirma.com/address), SERIALNUMBER=A82743287, O=AC Camerfirma S.A., OU=AC CAMERFIRMA, C=ES
Issuer: CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
Serial number: 621ff31c489ba136
Valid from: Thu Jan 15 04:21:16 EST 2015 until: Tue Dec 15 04:21:16 EST 2037
Certificate fingerprints:
	 SHA1: FE:72:7A:78:EA:0C:03:35:CD:DA:9C:2E:D7:5F:D4:D4:6F:35:C2:EF
	 SHA256: 66:EA:E2:70:9B:54:CD:D1:69:31:77:B1:33:2F:F0:36:CD:D0:F7:23:DB:30:39:ED:31:15:55:A6:CB:F5:FF:3E
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/22985#discussion_r1927751049