RFR: 8369282: Distrust TLS server certificates anchored by Chunghwa ePKI Root CA [v2]
Mark Powers
mpowers at openjdk.org
Sat Jan 3 03:00:01 UTC 2026
On Fri, 2 Jan 2026 15:04:28 GMT, Sean Mullan <mullan at openjdk.org> wrote:
>> Mark Powers has updated the pull request incrementally with one additional commit since the last revision:
>>
>> comment from Mikhail
>
> src/java.base/share/classes/sun/security/validator/CADistrustPolicy.java line 89:
>
>> 87:
>> 88: /**
>> 89: * Distrust TLS Server certificates anchored by a Chunghwa ePKI root CA and
>
> s/a Chunghwa ePKI root CA/the Chunghwa ePKI root CA/
fixed
> src/java.base/share/classes/sun/security/validator/ChunghwaTLSPolicy.java line 46:
>
>> 44: private static final Debug debug = Debug.getInstance("certpath");
>> 45:
>> 46: // SHA-256 certificate fingerprints of distrusted root for TLS
>
> s/fingerprints/fingerprint/
fixed
> src/java.base/share/classes/sun/security/validator/ChunghwaTLSPolicy.java line 53:
>
>> 51: "C0A6F4DC63A24BFDCF54EF2A6A082A0A72DE35803E2FF5FF527AE5D87206DFD5";
>> 52:
>> 53: // Any TLS Server certificate that is anchored by one of the Chunghwa
>
> s/one of the/the/
fixed
> src/java.base/share/classes/sun/security/validator/ChunghwaTLSPolicy.java line 54:
>
>> 52:
>> 53: // Any TLS Server certificate that is anchored by one of the Chunghwa
>> 54: // roots above and is issued after this date will be distrusted.
>
> s/roots/root/
fixed
> test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/Chunghwa.java line 49:
>
>> 47: private static final String CERT_PATH = "chains" + File.separator + "chunghwa";
>> 48:
>> 49: // Each of the roots have a test certificate chain stored in a file
>
> Only one root is distrusted, so change this comment to "The ePKI root has a test ..."
fixed
> test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/Chunghwa.java line 63:
>
>> 61: String prop = Security.getProperty("jdk.certpath.disabledAlgorithms");
>> 62: String newProp = prop.replace(", SHA1 jdkCA & usage TLSServer", "");
>> 63: Security.setProperty("jdk.certpath.disabledAlgorithms", newProp);
>
> These lines shouldn't be necessary, the test cert is signed with SHA256withRSA.
Good catch. Camerfirma has the same problem but I don't think it's worth the effort to fix.
> test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/chunghwa/chunghwaepkirootca-chain.pem line 1:
>
>> 1: -----BEGIN CERTIFICATE-----
>
> Can you add a header describing the main fields of the certificate similar to the camerfirma chain?
fixed
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/28930#discussion_r2658672750
PR Review Comment: https://git.openjdk.org/jdk/pull/28930#discussion_r2658672869
PR Review Comment: https://git.openjdk.org/jdk/pull/28930#discussion_r2658672903
PR Review Comment: https://git.openjdk.org/jdk/pull/28930#discussion_r2658672924
PR Review Comment: https://git.openjdk.org/jdk/pull/28930#discussion_r2658672808
PR Review Comment: https://git.openjdk.org/jdk/pull/28930#discussion_r2658672827
PR Review Comment: https://git.openjdk.org/jdk/pull/28930#discussion_r2658672790
More information about the security-dev
mailing list