8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs #627

Open
wants to merge 4 commits into
base: pr/626

@jerboaa jerboaa commented Feb 25, 2025

Please review this backport of adding distrust for certificates rooted by Camerfirma. The JDK 11u patch didn't apply cleanly due to the following reasons:

  • Set.of() => Collections.unmodifiableSet(new HashSet<>(Arrays.asList())) in CamerfirmaTLSPolicy.java
  • LocalDate.ofInstant() => Date.toInstant().atZone(ZoneOffset.UTC).toLocalDate()
  • java.security-<os> file duplications
  • /test/lib => /lib/security in Camerfirma.java test
  • One copyright hunk didn't apply. Applied manually.

Testing:

  • tests in sun/security/ssl/X509TrustManagerImpl including the new Camerfirma.java test which fails for unpatched and passes with patched JDK 8u.

Progress

  • Change must be properly reviewed (1 review required, with at least 1 Reviewer)
  • Change must not contain extraneous whitespace
  • JDK-8346587 needs maintainer approval
  • Commit message must refer to an issue
  • Change requires CSR request JDK-8347738 to be approved

Integration blocker

 ⚠️ Dependency #626 must be integrated first

Issues

  • JDK-8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs (Enhancement - P3 - Requested)
  • JDK-8347738: Distrust TLS server certificates anchored by Camerfirma Root CAs (CSR)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk8u-dev.git pull/627/head:pull/627
$ git checkout pull/627

Update a local copy of the PR:
$ git checkout pull/627
$ git pull https://git.openjdk.org/jdk8u-dev.git pull/627/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 627

View PR using the GUI difftool:
$ git pr show -t 627

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk8u-dev/pull/627.diff

Using Webrev

Link to Webrev Comment
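
The two API substitutions listed in the description (`Set.of()` and `LocalDate.ofInstant()`) can be seen in a small JDK 8 compatible sketch. This is an added example, not code from the PR or from OpenJDK's `CamerfirmaTLSPolicy.java`; the class and method names are hypothetical, the fingerprints and cutoff date are constructed placeholders, and the rule itself (listed anchor plus leaf `notBefore` after a cutoff) is an assumption made for illustration.

```java
import java.time.LocalDate;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;

// Illustrative sketch only; all names and values here are hypothetical.
public class DistrustSketch {
    // JDK 8 has no Set.of(): wrap a HashSet so the set cannot be changed later.
    static final Set<String> DISTRUSTED_ANCHORS = Collections.unmodifiableSet(
        new HashSet<>(Arrays.asList(
            "PLACEHOLDER-FINGERPRINT-A",    // constructed placeholder
            "PLACEHOLDER-FINGERPRINT-B"))); // constructed placeholder

    static final LocalDate CUTOFF = LocalDate.of(2030, 1, 1); // constructed date

    // JDK 8 has no LocalDate.ofInstant(): convert through a UTC ZonedDateTime so
    // the result does not depend on the JVM's default time zone.
    static LocalDate toUtcDate(Date d) {
        return d.toInstant().atZone(ZoneOffset.UTC).toLocalDate();
    }

    // Assumed rule: distrust only when the anchor is listed AND the leaf
    // certificate's notBefore falls after the cutoff date.
    static boolean isDistrusted(String anchorFingerprint, Date leafNotBefore) {
        return DISTRUSTED_ANCHORS.contains(anchorFingerprint)
            && toUtcDate(leafNotBefore).isAfter(CUTOFF);
    }

    public static void main(String[] args) {
        // 23:30 UTC on the cutoff day is still the cutoff day in UTC, although
        // it is already the next calendar day in zones east of UTC.
        Date onCutoff = Date.from(
            ZonedDateTime.of(2030, 1, 1, 23, 30, 0, 0, ZoneOffset.UTC).toInstant());
        Date dayAfter = Date.from(
            ZonedDateTime.of(2030, 1, 2, 0, 30, 0, 0, ZoneOffset.UTC).toInstant());

        System.out.println(isDistrusted("PLACEHOLDER-FINGERPRINT-A", onCutoff));
        System.out.println(isDistrusted("PLACEHOLDER-FINGERPRINT-A", dayAfter));
        System.out.println(isDistrusted("SOME-OTHER-ANCHOR", dayAfter));

        try {
            DISTRUSTED_ANCHORS.add("X"); // the wrapper rejects modification
        } catch (UnsupportedOperationException e) {
            System.out.println("anchor set is read-only");
        }
    }
}
```

Using the system default zone instead of `ZoneOffset.UTC` in the conversion would make the cutoff comparison vary by host configuration for timestamps near midnight.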

bridgekeeper bot commented Feb 25, 2025

👋 Welcome back sgehwolf! A progress list of the required criteria for merging this PR into pr/626 will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

jerboaa commented Feb 25, 2025

Passed: sun/security/ssl/X509TrustManagerImpl/distrust/Camerfirma.java
Passed: sun/security/ssl/X509TrustManagerImpl/distrust/Entrust.java
Passed: sun/security/ssl/X509TrustManagerImpl/distrust/Symantec.java
Passed: sun/security/ssl/X509TrustManagerImpl/BasicConstraints.java
Passed: sun/security/ssl/X509TrustManagerImpl/CacertsLimit.java
Passed: sun/security/ssl/X509TrustManagerImpl/CertRequestOverflow.java
Passed: sun/security/ssl/X509TrustManagerImpl/CheckNullEntity.java
Passed: sun/security/ssl/X509TrustManagerImpl/ClientServer.java
Passed: sun/security/ssl/X509TrustManagerImpl/ComodoHacker.java
Passed: sun/security/ssl/X509TrustManagerImpl/PKIXExtendedTM.java
Passed: sun/security/ssl/X509TrustManagerImpl/SelfIssuedCert.java
Passed: sun/security/ssl/X509TrustManagerImpl/SunX509ExtendedTM.java
Passed: sun/security/ssl/X509TrustManagerImpl/TooManyCAs.java
Passed: sun/security/ssl/X509TrustManagerImpl/X509ExtendedTMEnabled.java
Test results: passed: 14

openjdk bot commented Feb 25, 2025

❗ This change is not yet ready to be integrated.
See the Progress checklist in the description for automated requirements.

@openjdk openjdk bot changed the title from "Backport 8322c66efa9da9210eca7d6081d2a8c2d65ba4e0" to "8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs" on Feb 25, 2025
openjdk bot commented Feb 25, 2025

This backport pull request has now been updated with issue from the original commit.

@openjdk openjdk bot added the backport and rfr ("Pull request is ready for review") labels on Feb 25, 2025
mlbridge bot commented Feb 25, 2025

Webrevs

openjdk bot commented Feb 25, 2025

⚠️ @jerboaa This pull request contains merges that bring in commits not present in the target repository. Since this is not a "merge style" pull request, these changes will be squashed when this pull request is integrated. If this is your intention, then please ignore this message. If you want to preserve the commit structure, you must change the title of this pull request to Merge <project>:<branch> where <project> is the name of another project in the OpenJDK organization (for example Merge jdk:master).

@franferrax franferrax left a comment

@jerboaa: although I'm not a Reviewer, it looks good to me.

I didn't realize you had also submitted this PR, sorry for the minor changes in #626, which required two merges here.

@martinuy martinuy left a comment

Thanks for proposing this backport. Looks good to me.

@openjdk openjdk bot added the approval label Feb 26, 2025