On Fri, 2 Jan 2026 15:04:28 GMT, Sean Mullan <[email protected]> wrote:
>> Mark Powers has updated the pull request incrementally with one additional
>> commit since the last revision:
>>
>> comment from Mikhail
>
> src/java.base/share/classes/sun/security/validator/CADistrustPolicy.java line
> 89:
>
>> 87:
>> 88: /**
>> 89: * Distrust TLS Server certificates anchored by a Chunghwa ePKI root
>> CA and
>
> s/a Chunghwa ePKI root CA/the Chunghwa ePKI root CA/
fixed
> src/java.base/share/classes/sun/security/validator/ChunghwaTLSPolicy.java
> line 46:
>
>> 44: private static final Debug debug = Debug.getInstance("certpath");
>> 45:
>> 46: // SHA-256 certificate fingerprints of distrusted root for TLS
>
> s/fingerprints/fingerprint/
fixed
> src/java.base/share/classes/sun/security/validator/ChunghwaTLSPolicy.java
> line 53:
>
>> 51:
>> "C0A6F4DC63A24BFDCF54EF2A6A082A0A72DE35803E2FF5FF527AE5D87206DFD5";
>> 52:
>> 53: // Any TLS Server certificate that is anchored by one of the Chunghwa
>
> s/one of the/the/
fixed
> src/java.base/share/classes/sun/security/validator/ChunghwaTLSPolicy.java
> line 54:
>
>> 52:
>> 53: // Any TLS Server certificate that is anchored by one of the Chunghwa
>> 54: // roots above and is issued after this date will be distrusted.
>
> s/roots/root/
fixed
> test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/Chunghwa.java line 49:
>
>> 47: private static final String CERT_PATH = "chains" + File.separator +
>> "chunghwa";
>> 48:
>> 49: // Each of the roots have a test certificate chain stored in a file
>
> Only one root is distrusted, so change this comment to "The ePKI root has a
> test ..."
fixed
> test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/Chunghwa.java line 63:
>
>> 61: String prop =
>> Security.getProperty("jdk.certpath.disabledAlgorithms");
>> 62: String newProp = prop.replace(", SHA1 jdkCA & usage TLSServer",
>> "");
>> 63: Security.setProperty("jdk.certpath.disabledAlgorithms", newProp);
>
> These lines shouldn't be necessary, the test cert is signed with
> SHA256withRSA.
Good catch. Camerfirma has the same problem but I don't think it's worth the
effort to fix.
> test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/chunghwa/chunghwaepkirootca-chain.pem
> line 1:
>
>> 1: -----BEGIN CERTIFICATE-----
>
> Can you add a header describing the main fields of the certificate similar to
> the camerfirma chain?
fixed
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/28930#discussion_r2658672750
PR Review Comment: https://git.openjdk.org/jdk/pull/28930#discussion_r2658672869
PR Review Comment: https://git.openjdk.org/jdk/pull/28930#discussion_r2658672903
PR Review Comment: https://git.openjdk.org/jdk/pull/28930#discussion_r2658672924
PR Review Comment: https://git.openjdk.org/jdk/pull/28930#discussion_r2658672808
PR Review Comment: https://git.openjdk.org/jdk/pull/28930#discussion_r2658672827
PR Review Comment: https://git.openjdk.org/jdk/pull/28930#discussion_r2658672790
