On Wed, 24 Dec 2025 19:35:48 GMT, Mark Powers <[email protected]> wrote:

>> [JDK-8369282](https://bugs.openjdk.org/browse/JDK-8369282)
>
> Mark Powers has updated the pull request incrementally with one additional commit since the last revision:
>
>   comment from Mikhail

src/java.base/share/classes/sun/security/validator/CADistrustPolicy.java line 89:

> 87:
> 88:     /**
> 89:      * Distrust TLS Server certificates anchored by a Chunghwa ePKI root CA and

s/a Chunghwa ePKI root CA/the Chunghwa ePKI root CA/

src/java.base/share/classes/sun/security/validator/ChunghwaTLSPolicy.java line 46:

> 44:     private static final Debug debug = Debug.getInstance("certpath");
> 45:
> 46:     // SHA-256 certificate fingerprints of distrusted root for TLS

s/fingerprints/fingerprint/

src/java.base/share/classes/sun/security/validator/ChunghwaTLSPolicy.java line 53:

> 51:             "C0A6F4DC63A24BFDCF54EF2A6A082A0A72DE35803E2FF5FF527AE5D87206DFD5";
> 52:
> 53:     // Any TLS Server certificate that is anchored by one of the Chunghwa

s/one of the/the/

src/java.base/share/classes/sun/security/validator/ChunghwaTLSPolicy.java line 54:

> 52:
> 53:     // Any TLS Server certificate that is anchored by one of the Chunghwa
> 54:     // roots above and is issued after this date will be distrusted.

s/roots/root/

test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/Chunghwa.java line 49:

> 47:     private static final String CERT_PATH = "chains" + File.separator + "chunghwa";
> 48:
> 49:     // Each of the roots have a test certificate chain stored in a file

Only one root is distrusted, so change this comment to "The ePKI root has a test ..."

test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/Chunghwa.java line 63:

> 61:         String prop = Security.getProperty("jdk.certpath.disabledAlgorithms");
> 62:         String newProp = prop.replace(", SHA1 jdkCA & usage TLSServer", "");
> 63:         Security.setProperty("jdk.certpath.disabledAlgorithms", newProp);

These lines shouldn't be necessary, the test cert is signed with SHA256withRSA.

test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/chunghwa/chunghwaepkirootca-chain.pem line 1:

> 1: -----BEGIN CERTIFICATE-----

Can you add a header describing the main fields of the certificate similar to the camerfirma chain?

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/28930#discussion_r2657870076
PR Review Comment: https://git.openjdk.org/jdk/pull/28930#discussion_r2657894340
PR Review Comment: https://git.openjdk.org/jdk/pull/28930#discussion_r2657895688
PR Review Comment: https://git.openjdk.org/jdk/pull/28930#discussion_r2657896145
PR Review Comment: https://git.openjdk.org/jdk/pull/28930#discussion_r2657887853
PR Review Comment: https://git.openjdk.org/jdk/pull/28930#discussion_r2657890476
PR Review Comment: https://git.openjdk.org/jdk/pull/28930#discussion_r2657881716
