8307134: Add GTS root CAs #13754
Conversation
👋 Welcome back jiangli! A progress list of the required criteria for merging this PR into
@jianglizhou The following label will be automatically applied to this pull request:
When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.
/contributor add Andy Warner awarner@google.com
@jianglizhou
Ideally, an infra test for testing test certs should also be added. @rhalade may be able to contribute this.
I have infra tests for interop implemented. @jianglizhou, please check https://github.com/openjdk/jdk/compare/master...rhalade:jdk:googletrust-certify?expand=1
@@ -1,20 +1,19 @@ | |||
Owner: CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R4 | |||
Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R4 | |||
Serial number: 2a38a41c960a04de42b228a50be8349802 | |||
Serial number: 203e57ef53f93fda50921b2a6 |
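Review bot: This hunk swaps the existing GlobalSign ECC Root CA - R4 entry for a reissued certificate (serial 2a38a41c960a04de42b228a50be8349802 replaced by 203e57ef53f93fda50921b2a6) in a PR whose title only covers adding GTS roots; a change to an already-trusted root should be stated in the PR description or moved to its own issue so it goes through the same approval process as a new root, and the entry's expected SHA-256 fingerprint in test/jdk/sun/security/lib/cacerts/VerifyCACerts.java must be updated in the same change or the fingerprint check will fail.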
Why is this certificate changed?
The original R4 did not have the digitalSignature keyUsage set. This root signs OCSP responses, so it needed to be reissued to comply with section 7.1.2.1 of the CA/B Forum baseline requirements. The only change between the two versions aside from the serial number is the addition of the digitalSignature key usage bit.
Thanks for the explanation. Please file a different issue for this change, since it is outside the scope of this issue, which is to specifically add new roots that have been approved by the Java SE CA Root Program processes. Updated roots, even for small changes such as this, should be handled and approved using an equivalent process.
Reverted src/java.base/share/data/cacerts/globalsigneccrootcar4 in this PR. Looks like the update for "globalsigneccrootcar4 [jdk]" in test/jdk/sun/security/lib/cacerts/VerifyCACerts.java also needs to be reverted, otherwise the test fails with the following error. I'll go ahead and revert that as well.
```
ERROR: wrong checksum
72:03:89:C2:7B:BF:87:87:E1:65:44:6E:43:5C:65:FF:B5:E8:F9:4C:8A:D1:63:6D:D1:91:4C:AD:1C:9A:CB:3B
Expected checksum
23:6E:7A:1C:37:AD:82:31:FD:32:E8:31:63:4B:1A:88:BA:1A:4D:F6:D3:91:CD:0F:B4:09:EC:55:9A:B2:01:51
ERROR: globalsigneccrootcar4 [jdk] SHA-256 fingerprint is incorrect
java.lang.RuntimeException: At least one cacert test failed
	at VerifyCACerts.main(VerifyCACerts.java:380)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
	at java.base/java.lang.reflect.Method.invoke(Method.java:578)
	at com.sun.javatest.regtest.agent.MainWrapper$MainTask.run(MainWrapper.java:138)
	at java.base/java.lang.Thread.run(Thread.java:1592)
```
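The two checks the thread touches on, the whole-file CHECKSUM and per-alias SHA-256 fingerprint that VerifyCACerts.java compares, and the digitalSignature keyUsage bit behind the R4 reissue, can be reproduced with the following added example (not code from the PR or from the JDK test); it assumes a cacerts file path and an alias such as "globalsigneccrootcar4 [jdk]" are passed on the command line.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;

// Added example, not code from the PR or from VerifyCACerts.java itself.
// Assumed usage: java CheckCacertAlias <cacerts-file> "<alias>"
public class CheckCacertAlias {
    // Colon-separated upper-case hex, the layout of the "wrong checksum" /
    // "Expected checksum" lines in the test output.
    static String toFingerprint(byte[] digest) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        Path cacerts = Path.of(args[0]);
        String alias = args[1];
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        // 1. Whole-file digest: what the test's CHECKSUM constant guards, so any
        //    edit to any entry changes it and the constant must be updated too.
        System.out.println("Keystore file SHA-256: "
                + toFingerprint(sha256.digest(Files.readAllBytes(cacerts))));
        // 2. Per-alias fingerprint: SHA-256 over the DER encoding of the entry's
        //    certificate, which the test compares against its per-alias table.
        //    PKCS12 (the default type) also reads the older JKS layout; a null
        //    password skips the integrity check, acceptable for a trust store.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (var in = Files.newInputStream(cacerts)) {
            ks.load(in, null);
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (cert == null) {
            throw new IllegalArgumentException("no certificate for alias " + alias);
        }
        // Lower-case hex, the same form as the "Serial number:" lines in the diff.
        System.out.println("Serial number: " + cert.getSerialNumber().toString(16));
        System.out.println("SHA-256 fingerprint: "
                + toFingerprint(sha256.digest(cert.getEncoded())));
        // 3. KeyUsage bit 0 is digitalSignature (RFC 5280, 4.2.1.3); getKeyUsage()
        //    is null when the extension is absent, so both cases report false.
        boolean[] ku = cert.getKeyUsage();
        System.out.println("digitalSignature set: " + (ku != null && ku.length > 0 && ku[0]));
    }
}
```

Running it against the cacerts file before and after the reissued R4 entry shows the alias fingerprint and the file checksum both moving, which is why the test needed both values updated or the entry reverted.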
Done. Also updated 'CHECKSUM' value in test/jdk/sun/security/lib/cacerts/VerifyCACerts.java reflectively.
Thanks!
@rhalade, thanks! I have a minor comment below for your test/jdk/security/infra/java/security/cert/CertPathValidator/certification/GoogleCA.java test. I'll defer to @awarner@google.com for detailed review, as I don't have much context. Please fix the bug id.
Could you please also let me know your plan on committing the GoogleCA.java? Do you plan to create a PR?
You can include this contribution in your PR. Then it will be easier to backport to JDK 20u as one changeset. I updated bug id in the changeset.
Aside from the bug number @jianglizhou raised, the interop tests look good to me.
/contributor add rhalade
@jianglizhou
Done. Please double check. I ran the GoogleCA.java test with a test JDK binary built with this PR changes included. The test passed.
…erting src/java.base/share/data/cacerts/globalsigneccrootcar4.
Looks good. Please also wait for approval from @rhalade before integrating.
@jianglizhou This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be:
You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 17 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. ➡️ To integrate this PR with the above commit message to the
Thanks @seanjmullan. Will wait for @rhalade's approval as well.
Looks good to me. Please don't forget to update the release note and backport to JDK 20u.
Thanks @rhalade. Will do.
/integrate
Going to push as commit 03030d4.
Your commit was automatically rebased without conflicts.
@jianglizhou Pushed as commit 03030d4. 💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored. |
This PR was requested by awarner@google.com. The updates were provided by awarner@google.com.
Contributors
<awarner@google.com>
<rhalade@openjdk.org>
Reviewing
Using git
Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/13754/head:pull/13754
$ git checkout pull/13754
Update a local copy of the PR:
$ git checkout pull/13754
$ git pull https://git.openjdk.org/jdk.git pull/13754/head
Using Skara CLI tools
Checkout this PR locally:
$ git pr checkout 13754
View PR using the GUI difftool:
$ git pr show -t 13754
Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/13754.diff