Skip to content

Commit

Permalink
Merge in jdk-23.0.1+11 (24.1)
Browse files Browse the repository at this point in the history
PullRequest: labsjdk-ce/115
  • Loading branch information
OracleLabsAutomation authored and marwan-hallaoui committed Oct 1, 2024
2 parents 519b5c1 + 0678524 commit d107ace
Show file tree
Hide file tree
Showing 8 changed files with 109 additions and 17 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,7 @@ void checkDistrust(String variant, X509Certificate[] chain)

/**
* Distrust TLS Server certificates anchored by an Entrust root CA and
* issued after October 31, 2024. If enabled, this policy is currently
* issued after November 11, 2024. If enabled, this policy is currently
* enforced by the PKIX and SunX509 TrustManager implementations
* of the SunJSSE provider implementation.
*/
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -88,8 +88,8 @@ final class EntrustTLSPolicy {

// Any TLS Server certificate that is anchored by one of the Entrust
// roots above and is issued after this date will be distrusted.
private static final LocalDate OCTOBER_31_2024 =
LocalDate.of(2024, Month.OCTOBER, 31);
private static final LocalDate NOVEMBER_11_2024 =
LocalDate.of(2024, Month.NOVEMBER, 11);

/**
* This method assumes the eeCert is a TLS Server Cert and chains back to
Expand All @@ -111,8 +111,8 @@ static void checkDistrust(X509Certificate[] chain)
Date notBefore = chain[0].getNotBefore();
LocalDate ldNotBefore = LocalDate.ofInstant(notBefore.toInstant(),
ZoneOffset.UTC);
// reject if certificate is issued after October 31, 2024
checkNotBefore(ldNotBefore, OCTOBER_31_2024, anchor);
// reject if certificate is issued after November 11, 2024
checkNotBefore(ldNotBefore, NOVEMBER_11_2024, anchor);
}
}

Expand Down
2 changes: 1 addition & 1 deletion src/java.base/share/conf/security/java.security
Original file line number Diff line number Diff line change
Expand Up @@ -1331,7 +1331,7 @@ jdk.sasl.disabledMechanisms=
# Distrust after December 31, 2019.
#
# ENTRUST_TLS : Distrust TLS Server certificates anchored by
# an Entrust root CA and issued after October 31, 2024.
# an Entrust root CA and issued after November 11, 2024.
#
# Leading and trailing whitespace surrounding each value are ignored.
# Unknown values are ignored. If the property is commented out or set to the
Expand Down
21 changes: 21 additions & 0 deletions src/java.base/share/data/cacerts/ssltlsrootecc2022
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
Owner: CN=SSL.com TLS ECC Root CA 2022, O=SSL Corporation, C=US
Issuer: CN=SSL.com TLS ECC Root CA 2022, O=SSL Corporation, C=US
Serial number: 1403f5abfb378b17405be243b2a5d1c4
Valid from: Thu Aug 25 16:33:48 GMT 2022 until: Sun Aug 19 16:33:47 GMT 2046
Signature algorithm name: SHA384withECDSA
Subject Public Key Algorithm: 384-bit EC (secp384r1) key
Version: 3
-----BEGIN CERTIFICATE-----
MIICOjCCAcCgAwIBAgIQFAP1q/s3ixdAW+JDsqXRxDAKBggqhkjOPQQDAzBOMQsw
CQYDVQQGEwJVUzEYMBYGA1UECgwPU1NMIENvcnBvcmF0aW9uMSUwIwYDVQQDDBxT
U0wuY29tIFRMUyBFQ0MgUm9vdCBDQSAyMDIyMB4XDTIyMDgyNTE2MzM0OFoXDTQ2
MDgxOTE2MzM0N1owTjELMAkGA1UEBhMCVVMxGDAWBgNVBAoMD1NTTCBDb3Jwb3Jh
dGlvbjElMCMGA1UEAwwcU1NMLmNvbSBUTFMgRUNDIFJvb3QgQ0EgMjAyMjB2MBAG
ByqGSM49AgEGBSuBBAAiA2IABEUpNXP6wrgjzhR9qLFNoFs27iosU8NgCTWyJGYm
acCzldZdkkAZDsalE3D07xJRKF3nzL35PIXBz5SQySvOkkJYWWf9lCcQZIxPBLFN
SeR7T5v15wj4A4j3p8OSSxlUgaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSME
GDAWgBSJjy+j6CugFFR781a4Jl9nOAuc0DAdBgNVHQ4EFgQUiY8vo+groBRUe/NW
uCZfZzgLnNAwDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMDA2gAMGUCMFXjIlbp
15IkWE8elDIPDAI2wv2sdDJO4fscgIijzPvX6yv/N33w7deedWo1dlJF4AIxAMeN
b0Igj762TVntd00pxCAgRWSGOlDGxK0tk/UYfXLtqc/ErFc2KAhl3zx5Zn6g6g==
-----END CERTIFICATE-----
39 changes: 39 additions & 0 deletions src/java.base/share/data/cacerts/ssltlsrootrsa2022
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
Owner: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation, C=US
Issuer: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation, C=US
Serial number: 6fbedaad73bd0840e28b4dbed4f75b91
Valid from: Thu Aug 25 16:34:22 GMT 2022 until: Sun Aug 19 16:34:21 GMT 2046
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3
-----BEGIN CERTIFICATE-----
MIIFiTCCA3GgAwIBAgIQb77arXO9CEDii02+1PdbkTANBgkqhkiG9w0BAQsFADBO
MQswCQYDVQQGEwJVUzEYMBYGA1UECgwPU1NMIENvcnBvcmF0aW9uMSUwIwYDVQQD
DBxTU0wuY29tIFRMUyBSU0EgUm9vdCBDQSAyMDIyMB4XDTIyMDgyNTE2MzQyMloX
DTQ2MDgxOTE2MzQyMVowTjELMAkGA1UEBhMCVVMxGDAWBgNVBAoMD1NTTCBDb3Jw
b3JhdGlvbjElMCMGA1UEAwwcU1NMLmNvbSBUTFMgUlNBIFJvb3QgQ0EgMjAyMjCC
AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANCkCXJPQIgSYT41I57u9nTP
L3tYPc48DRAokC+X94xI2KDYJbFMsBFMF3NQ0CJKY7uB0ylu1bUJPiYYf7ISf5OY
t6/wNr/y7hienDtSxUcZXXTzZGbVXcdotL8bHAajvI9AI7YexoS9UcQbOcGV0ins
S657Lb85/bRi3pZ7QcacoOAGcvvwB5cJOYF0r/c0WRFXCsJbwST0MXMwgsadugL3
PnxEX4MN8/HdIGkWCVDi1FW24IBydm5MR7d1VVm0U3TZlMZBrViKMWYPHqIbKUBO
L9975hYsLfy/7PO0+r4Y9ptJ1O4Fbtk085zx7AGL0SDGD6C1vBdOSHtRwvzpXGk3
R2azaPgVKPC506QVzFpPulJwoxJF3ca6TvvC0PeoUidtbnm1jPx7jMEWTO6Af77w
dr5BUxIzrlo4QqvXDz5BjXYHMtWrifZOZ9mxQnUjbvPNQrL8VfVThxc7wDNY8VLS
+YCk8OjwO4s4zKTGkH8PnP2L0aPP2oOnaclQNtVcBdIKQXTbYxE3waWglksejBYS
d66UNHsef8JmAOSqg+qKkK3ONkRN0VHpvB/zagX9wHQfJRlAUW7qglFA35u5CCoG
AtUjHBPW6dvbxrB6y3snm/vg1UYk7RBLY0ulBY+6uB0rpvqR4pJSvezrZ5dtmi2f
gTIFZzL7SAg/2SW4BCUvAgMBAAGjYzBhMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0j
BBgwFoAU+y437uOEeicuzRk1sTN8/9REQrkwHQYDVR0OBBYEFPsuN+7jhHonLs0Z
NbEzfP/UREK5MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAjYlt
hEUY8U+zoO9opMAdrDC8Z2awms22qyIZZtM7QbUQnRC6cm4pJCAcAZli05bg4vsM
QtfhWsSWTVTNj8pDU/0quOr4ZcoBwq1gaAafORpR2eCNJvkLTqVTJXojpBzOCBvf
R4iyrT7gJ4eLSYwfqUdYe5byiB0YrrPRpgqU+tvT5TgKa3kSM/tKWTcWQA673vWJ
DPFs0/dRa1419dvAJuoSc06pkZCmF8NsLzjUo3KUQyxi4U5cMj29TH0ZR6LDSeeW
P4+a0zvkEdiLA9z2tmBVGKaBUfPhqBVq6+AL8BQx1rmMRTqoENjwuSfr98t67wVy
lrXEj5ZzxOhWc5y8aVFjvO9nHEMaX3cZHxj4HCUp+UmZKbaSPaKDN7EgkaibMOlq
bLQjk2UEqxHzDh1TJElTHaE/nUiSEeJ9DU/1172iWD54nR4fK/4huxoTtrEoZP2w
AgDHbICivRZQIA9ygV/MlP+7mea6kMvq+cYMwq7FGc4zoWtcu358NFcXrfA/rs3q
r5nsLFR+jM4uElZI7xc7P0peYNLcdDa8pUNjyw9bowJWCZ4kLOGGgYz+qxcs+sji
Mho6/4UIyYOf8kpIEFR3N+2ivEC+5BB09+Rbu7nzifmPQdjH5FCQNYA+HLhNkNPU
98OwoX6EyneSMSy4kLGCenROmxMmtNVQZlR4rmA=
-----END CERTIFICATE-----
Original file line number Diff line number Diff line change
Expand Up @@ -533,6 +533,28 @@
* @run main/othervm/manual -Djava.security.debug=certpath CAInterop globalsigne46 CRL
*/

/*
* @test id=ssltlsrootecc2022
* @bug 8341057
* @summary Interoperability tests with SSL TLS 2022 root CAs
* @library /test/lib
* @build jtreg.SkippedException ValidatePathWithURL CAInterop
* @run main/othervm/manual -Djava.security.debug=certpath,ocsp CAInterop ssltlsrootecc2022 DEFAULT
* @run main/othervm/manual -Djava.security.debug=certpath,ocsp -Dcom.sun.security.ocsp.useget=false CAInterop ssltlsrootecc2022 DEFAULT
* @run main/othervm/manual -Djava.security.debug=certpath CAInterop ssltlsrootecc2022 CRL
*/

/*
* @test id=ssltlsrootrsa2022
* @bug 8341057
* @summary Interoperability tests with SSL TLS 2022 root CAs
* @library /test/lib
* @build jtreg.SkippedException ValidatePathWithURL CAInterop
* @run main/othervm/manual -Djava.security.debug=certpath,ocsp CAInterop ssltlsrootrsa2022 DEFAULT
* @run main/othervm/manual -Djava.security.debug=certpath,ocsp -Dcom.sun.security.ocsp.useget=false CAInterop ssltlsrootrsa2022 DEFAULT
* @run main/othervm/manual -Djava.security.debug=certpath CAInterop ssltlsrootrsa2022 CRL
*/

/**
* Collection of certificate validation tests for interoperability with external CAs.
* These tests are marked as manual as they depend on external infrastructure and may fail
Expand Down Expand Up @@ -711,6 +733,13 @@ private CATestURLs getTestURLs(String alias) {
new CATestURLs("https://valid.e46.roots.globalsign.com",
"https://revoked.e46.roots.globalsign.com");

case "ssltlsrootecc2022" ->
new CATestURLs("https://test-root-2022-ecc.ssl.com",
"https://revoked-root-2022-ecc.ssl.com");
case "ssltlsrootrsa2022" ->
new CATestURLs("https://test-root-2022-rsa.ssl.com",
"https://revoked-root-2022-rsa.ssl.com");

default -> throw new RuntimeException("No test setup found for: " + alias);
};
}
Expand Down
13 changes: 8 additions & 5 deletions test/jdk/sun/security/lib/cacerts/VerifyCACerts.java
Original file line number Diff line number Diff line change
Expand Up @@ -19,17 +19,16 @@
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*
*/

/**
/*
* @test
* @bug 8189131 8198240 8191844 8189949 8191031 8196141 8204923 8195774 8199779
* 8209452 8209506 8210432 8195793 8216577 8222089 8222133 8222137 8222136
* 8223499 8225392 8232019 8234245 8233223 8225068 8225069 8243321 8243320
* 8243559 8225072 8258630 8259312 8256421 8225081 8225082 8225083 8245654
* 8305975 8304760 8307134 8295894 8314960 8317373 8317374 8318759 8319187
* 8321408 8316138
* 8321408 8316138 8341057
* @summary Check root CA entries in cacerts file
*/
import java.io.ByteArrayInputStream;
Expand All @@ -48,12 +47,12 @@ public class VerifyCACerts {
+ File.separator + "security" + File.separator + "cacerts";

// The numbers of certs now.
private static final int COUNT = 110;
private static final int COUNT = 112;

// SHA-256 of cacerts, can be generated with
// shasum -a 256 cacerts | sed -e 's/../&:/g' | tr '[:lower:]' '[:upper:]' | cut -c1-95
private static final String CHECKSUM
= "BD:80:65:81:68:E5:6C:51:64:ED:B9:08:53:9F:BB:2F:D9:6C:5D:D4:06:D4:16:59:39:10:8E:F8:24:81:8B:78";
= "21:68:E7:16:5B:94:23:D2:60:5C:BB:F2:AF:C1:66:5C:EC:36:BC:20:FF:5C:54:AF:91:D1:2C:38:AE:55:D3:27";

// Hex formatter to upper case with ":" delimiter
private static final HexFormat HEX = HexFormat.ofDelimiter(":").withUpperCase();
Expand Down Expand Up @@ -282,6 +281,10 @@ public class VerifyCACerts {
"4F:A3:12:6D:8D:3A:11:D1:C4:85:5A:4F:80:7C:BA:D6:CF:91:9D:3A:5A:88:B0:3B:EA:2C:63:72:D9:3C:40:C9");
put("globalsigne46 [jdk]",
"CB:B9:C4:4D:84:B8:04:3E:10:50:EA:31:A6:9F:51:49:55:D7:BF:D2:E2:C6:B4:93:01:01:9A:D6:1D:9F:50:58");
put("ssltlsrootecc2022 [jdk]",
"C3:2F:FD:9F:46:F9:36:D1:6C:36:73:99:09:59:43:4B:9A:D6:0A:AF:BB:9E:7C:F3:36:54:F1:44:CC:1B:A1:43");
put("ssltlsrootrsa2022 [jdk]",
"8F:AF:7D:2E:2C:B4:70:9B:B8:E0:B3:36:66:BF:75:A5:DD:45:B5:DE:48:0F:8E:A8:D4:BF:E6:BE:BC:17:F2:ED");
}
};

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@

/**
* @test
* @bug 8337664
* @bug 8337664 8341059
* @summary Check that TLS Server certificates chaining back to distrusted
* Entrust roots are invalid
* @library /test/lib
Expand All @@ -59,14 +59,14 @@ public class Distrust {
"affirmtrustpremiumca", "affirmtrustpremiumeccca" };

// A date that is after the restrictions take effect
private static final Date NOVEMBER_1_2024 =
Date.from(LocalDate.of(2024, 11, 1)
private static final Date NOVEMBER_12_2024 =
Date.from(LocalDate.of(2024, 11, 12)
.atStartOfDay(ZoneOffset.UTC)
.toInstant());

// A date that is a second before the restrictions take effect
private static final Date BEFORE_NOVEMBER_1_2024 =
Date.from(LocalDate.of(2024, 11, 1)
private static final Date BEFORE_NOVEMBER_12_2024 =
Date.from(LocalDate.of(2024, 11, 12)
.atStartOfDay(ZoneOffset.UTC)
.minusSeconds(1)
.toInstant());
Expand All @@ -84,7 +84,7 @@ public static void main(String[] args) throws Exception {
Security.setProperty("jdk.security.caDistrustPolicies", "");
}

Date notBefore = before ? BEFORE_NOVEMBER_1_2024 : NOVEMBER_1_2024;
Date notBefore = before ? BEFORE_NOVEMBER_12_2024 : NOVEMBER_12_2024;

X509TrustManager pkixTM = getTMF("PKIX", null);
X509TrustManager sunX509TM = getTMF("SunX509", null);
Expand Down

0 comments on commit d107ace

Please sign in to comment.