RFR: 8369282: Distrust TLS server certificates anchored by Chunghwa ePKI Root CA [v2]
Sean Mullan
mullan at openjdk.org
Fri Jan 2 15:40:21 UTC 2026
On Wed, 24 Dec 2025 19:35:48 GMT, Mark Powers <mpowers at openjdk.org> wrote:
>> [JDK-8369282](https://bugs.openjdk.org/browse/JDK-8369282)
>
> Mark Powers has updated the pull request incrementally with one additional commit since the last revision:
>
> comment from Mikhail

src/java.base/share/classes/sun/security/validator/CADistrustPolicy.java line 89:

> 87:
> 88: /**
> 89: * Distrust TLS Server certificates anchored by a Chunghwa ePKI root CA and

s/a Chunghwa ePKI root CA/the Chunghwa ePKI root CA/

src/java.base/share/classes/sun/security/validator/ChunghwaTLSPolicy.java line 46:

> 44: private static final Debug debug = Debug.getInstance("certpath");
> 45:
> 46: // SHA-256 certificate fingerprints of distrusted root for TLS

s/fingerprints/fingerprint/

src/java.base/share/classes/sun/security/validator/ChunghwaTLSPolicy.java line 53:

> 51: "C0A6F4DC63A24BFDCF54EF2A6A082A0A72DE35803E2FF5FF527AE5D87206DFD5";
> 52:
> 53: // Any TLS Server certificate that is anchored by one of the Chunghwa

s/one of the/the/

src/java.base/share/classes/sun/security/validator/ChunghwaTLSPolicy.java line 54:

> 52:
> 53: // Any TLS Server certificate that is anchored by one of the Chunghwa
> 54: // roots above and is issued after this date will be distrusted.

s/roots/root/

test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/Chunghwa.java line 49:

> 47: private static final String CERT_PATH = "chains" + File.separator + "chunghwa";
> 48:
> 49: // Each of the roots have a test certificate chain stored in a file

Only one root is distrusted, so change this comment to "The ePKI root has a test ..."

test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/Chunghwa.java line 63:

> 61: String prop = Security.getProperty("jdk.certpath.disabledAlgorithms");
> 62: String newProp = prop.replace(", SHA1 jdkCA & usage TLSServer", "");
> 63: Security.setProperty("jdk.certpath.disabledAlgorithms", newProp);

These lines shouldn't be necessary; the test cert is signed with SHA256withRSA.

test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/chunghwa/chunghwaepkirootca-chain.pem line 1:

> 1: -----BEGIN CERTIFICATE-----

Can you add a header describing the main fields of the certificate similar to the camerfirma chain?

-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/28930#discussion_r2657870076
PR Review Comment: https://git.openjdk.org/jdk/pull/28930#discussion_r2657894340
PR Review Comment: https://git.openjdk.org/jdk/pull/28930#discussion_r2657895688
PR Review Comment: https://git.openjdk.org/jdk/pull/28930#discussion_r2657896145
PR Review Comment: https://git.openjdk.org/jdk/pull/28930#discussion_r2657887853
PR Review Comment: https://git.openjdk.org/jdk/pull/28930#discussion_r2657890476
PR Review Comment: https://git.openjdk.org/jdk/pull/28930#discussion_r2657881716
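
The rule described in the quoted code comments (root matched by SHA-256 fingerprint, leaf issued after a cutoff date), as an added example that is not part of the original message and is not the JDK's own implementation. The class and method names are hypothetical, the chain file is assumed to list the server certificate first and the root last, and the cutoff is passed in by the caller because the date does not appear on this page.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.HexFormat;
import javax.net.ssl.*;

// Illustrative sketch (Java 17+); class and method names are hypothetical.
public class DistrustCheck {
    // Fingerprint quoted in the review above (ChunghwaTLSPolicy.java line 51).
    static final String DISTRUSTED_ROOT =
        "C0A6F4DC63A24BFDCF54EF2A6A082A0A72DE35803E2FF5FF527AE5D87206DFD5";

    // SHA-256 over the certificate's DER encoding, as upper-case hex.
    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        return HexFormat.of().withUpperCase().formatHex(digest);
    }

    // Assumes chain[0] is the server certificate and the last entry is the root.
    // Distrusted only if the root matches AND the leaf's notBefore is after cutoff.
    static boolean isDistrusted(X509Certificate[] chain, Instant cutoff) throws Exception {
        return DISTRUSTED_ROOT.equals(fingerprint(chain[chain.length - 1]))
                && chain[0].getNotBefore().toInstant().isAfter(cutoff);
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 2) { // usage: DistrustCheck <chain.pem> <cutoff, ISO-8601 instant>
            try (var in = new FileInputStream(args[0])) {
                X509Certificate[] chain = CertificateFactory.getInstance("X.509")
                        .generateCertificates(in).toArray(new X509Certificate[0]);
                System.out.println("distrusted: " + isDistrusted(chain, Instant.parse(args[1])));
            }
            return;
        }
        // No arguments: report whether this runtime's default trust store holds the root.
        var tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager x509)) continue;
            for (X509Certificate root : x509.getAcceptedIssuers()) {
                if (DISTRUSTED_ROOT.equals(fingerprint(root))) {
                    System.out.println("trust store has: " + root.getSubjectX500Principal());
                }
            }
        }
    }
}
```

A certificate issued on or before the cutoff still passes this check even when it chains to the matched root, which is why both conditions are tested together.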