8316138: Add GlobalSign 2 TLS root certificates #2715

Closed
wants to merge 3 commits into from

Contributor

@Delawen Delawen commented May 17, 2024

Backport for https://bugs.openjdk.org/browse/JDK-8316138

Related to openjdk/jdk21u-dev#581 and openjdk/jdk17u-dev#2479

Changes since the original commit: the checksum for the certificates and the folder where the certs are stored.

]$ make run-test TEST="test/jdk/sun/security/lib/cacerts/VerifyCACerts.java"
Building target 'run-test' in configuration 'linux-x86_64-normal-server-release'
Skip building of Graal unit tests because 3rd party libraries directory is not specified
Skip building of Graal unit tests because 3rd party libraries directory is not specified
Creating jdk image
Test selection 'test/jdk/sun/security/lib/cacerts/VerifyCACerts.java', will run:
* jtreg:test/jdk/sun/security/lib/cacerts/VerifyCACerts.java

Running test 'jtreg:test/jdk/sun/security/lib/cacerts/VerifyCACerts.java'
Passed: sun/security/lib/cacerts/VerifyCACerts.java
Test results: passed: 1
Report written to /home/delawen/git/jdk11u-dev/build/linux-x86_64-normal-server-release/test-results/jtreg_test_jdk_sun_security_lib_cacerts_VerifyCACerts_java/html/report.html
Results written to /home/delawen/git/jdk11u-dev/build/linux-x86_64-normal-server-release/test-support/jtreg_test_jdk_sun_security_lib_cacerts_VerifyCACerts_java
Finished running test 'jtreg:test/jdk/sun/security/lib/cacerts/VerifyCACerts.java'
Test report is stored in build/linux-x86_64-normal-server-release/test-results/jtreg_test_jdk_sun_security_lib_cacerts_VerifyCACerts_java

==============================
Test summary
==============================
   TEST                                              TOTAL  PASS  FAIL ERROR   
   jtreg:test/jdk/sun/security/lib/cacerts/VerifyCACerts.java
                                                         1     1     0     0   
==============================
TEST SUCCESS

Finished building target 'run-test' in configuration 'linux-x86_64-normal-server-release'

Progress

  • Change must be properly reviewed (1 review required, with at least 1 Reviewer)
  • Change must not contain extraneous whitespace
  • JDK-8316138 needs maintainer approval
  • Commit message must refer to an issue

Issue

  • JDK-8316138: Add GlobalSign 2 TLS root certificates (Enhancement - P3 - Approved)

Reviewers

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk11u-dev.git pull/2715/head:pull/2715
$ git checkout pull/2715

Update a local copy of the PR:
$ git checkout pull/2715
$ git pull https://git.openjdk.org/jdk11u-dev.git pull/2715/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 2715

View PR using the GUI difftool:
$ git pr show -t 2715

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk11u-dev/pull/2715.diff

Webrev

Link to Webrev Comment


bridgekeeper bot commented May 17, 2024

👋 Welcome back Delawen! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.


openjdk bot commented May 17, 2024

@Delawen This change now passes all automated pre-integration checks.

After integration, the commit message for the final commit will be:

8316138: Add GlobalSign 2 TLS root certificates

Reviewed-by: mdoerr, sgehwolf

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 2 new commits pushed to the master branch:

  • b8ee2aa: 8326591: New test JmodExcludedFiles.java fails on Windows when --with-external-symbols-in-bundles=public is used
  • 1d6965f: 8267796: vmTestbase/nsk/jvmti/scenarios/hotswap/HS201/hs201t002/TestDescription.java fails with NoClassDefFoundError

Please see this link for an up-to-date comparison between the source branch of this pull request and the master branch.
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@TheRealMDoerr, @gnu-andrew, @jerboaa) but any other Committer may sponsor as well.

➡️ To flag this PR as ready for integration with the above commit message, type /integrate in a new comment. (Afterwards, your sponsor types /sponsor in a new comment to perform the integration).

@openjdk openjdk bot changed the title Backport 4083255440cfbf39b9683ea88a433d71ec6111e7 8316138: Add GlobalSign 2 TLS root certificates May 17, 2024

openjdk bot commented May 17, 2024

This backport pull request has now been updated with issue from the original commit.

@openjdk openjdk bot added backport rfr Pull request is ready for review labels May 17, 2024
Contributor Author

Delawen commented May 17, 2024

/approval JDK-8316138 request Fix Request
This is a backport for https://bugs.openjdk.org/browse/JDK-8316138. It includes two new certificates for cacert. The original commit placed them in a different folder, which is not the right one for this JDK version. It also updates the test that checks certificates are in place, updating the checksum.


openjdk bot commented May 17, 2024

@Delawen
JDK-8316138: The approval request has been created successfully.

@openjdk openjdk bot added the approval label May 17, 2024

mlbridge bot commented May 17, 2024

Webrevs

Contributor Author

Delawen commented May 17, 2024

@jerboaa @TheRealMDoerr Similar to the previous PR now in JDK 11

Comment on lines 657 to 659
case "globalsignr46" ->
new CATestURLs("https://valid.r46.roots.globalsign.com",
"https://revoked.r46.roots.globalsign.com");
Contributor

Does this compile? Switch expressions are JDK 14+.

Contributor Author

It did compile for me... maybe I compiled it with the wrong JDK!

Contributor Author

Sent another commit that fixed it. I compiled it with --with-boot-jdk= option pointing to an openjdk 11.0.19 2023-04-18. That should have failed, right?

Contributor

Yes. But unless you run the test it won't get compiled.

Contributor

make run-test TEST="test/jdk/sun/security/lib/cacerts/VerifyCACerts.java test/jdk/security/infra/java/security/cert/CertPathValidator"

Contributor Author

Then I don't know what happened, because I make clean, make images and make run-test TEST='...file.java'.

Contributor Author

In any case, the code is changed.

Contributor Author

@Delawen Delawen May 20, 2024

I also had --disable-warnings-as-errors as a flag while building. Maybe that was it. I removed it just in case.

Contributor Author

That was it, it won't happen again :)

After removing the --disable-warnings-as-errors flag, it throws an error:

/home/delawen/git/jdk11u-dev/test/jdk/security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java:664: error: illegal start of expression
            case "globalsignr46" ->
                                 ^

@openjdk openjdk bot removed the rfr Pull request is ready for review label May 17, 2024
@Delawen Delawen force-pushed the backport-11-JDK-8316138 branch from c75901f to 1d5f0b1 Compare May 17, 2024 14:32

openjdk bot commented May 17, 2024

@Delawen Please do not rebase or force-push to an active PR as it invalidates existing review comments. Note for future reference, the bots always squash all changes into a single commit automatically as part of the integration. See OpenJDK Developers’ Guide for more information.

@Delawen Delawen force-pushed the backport-11-JDK-8316138 branch from 1d5f0b1 to c632511 Compare May 17, 2024 14:34
Contributor Author

Delawen commented May 17, 2024

My bad, I force pushed the second commit. The review check is lost.


openjdk bot commented May 17, 2024

@Delawen Please do not rebase or force-push to an active PR as it invalidates existing review comments. Note for future reference, the bots always squash all changes into a single commit automatically as part of the integration. See OpenJDK Developers’ Guide for more information.

@openjdk openjdk bot added the rfr Pull request is ready for review label May 17, 2024
Contributor

@TheRealMDoerr TheRealMDoerr left a comment

This version looks good.

Member

@gnu-andrew gnu-andrew left a comment

Current version looks good to me. Matches 17u with the exception of the change to the switch statements.

Member

@gnu-andrew gnu-andrew left a comment

The 8u backport makes a good point that -Dcom.sun.security.ocsp.useget=false is of no use here without JDK-8328638. I would thus remove those lines as in the 8u version.

Also, when comparing with 8u, I noticed that the 11u version only is missing a newline between the new case statements and the earlier ones:

17u:

                             "https://revoked.root-e1.certainly.com");

+            case "globalsignr46" ->
+                    new CATestURLs("https://valid.r46.roots.globalsign.com",
+                            "https://revoked.r46.roots.globalsign.com");
+            case "globalsigne46" ->
+                    new CATestURLs("https://valid.e46.roots.globalsign.com",
+                            "https://revoked.e46.roots.globalsign.com");
+
             default -> throw new RuntimeException("No test setup found for: " + alias);

11u:

                             "https://revoked.root-e1.certainly.com");
+            case "globalsignr46":
+                    return new CATestURLs("https://valid.r46.roots.globalsign.com",
+                            "https://revoked.r46.roots.globalsign.com");
+            case "globalsigne46":
+                    return new CATestURLs("https://valid.e46.roots.globalsign.com",
+                            "https://revoked.e46.roots.globalsign.com");

             default: throw new RuntimeException("No test setup found for: " + alias);
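
Review bot: the first added line, `case "globalsignr46":`, sits directly under the `"https://revoked.root-e1.certainly.com");` context line with no blank line separating the new GlobalSign cases from the earlier ones; the only blank line in this hunk is the one before `default:`. Insert an empty line ahead of `case "globalsignr46":` so the spacing matches the 17u hunk above. The statement form `case ...: return new CATestURLs(...)` is the one to keep for 11u, since the arrow form was rejected with "illegal start of expression" earlier in this thread.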

It would be good if all three backports matched.

… here without JDK-8328638

Adding white line between switch case statements as in JDK 17
Contributor Author

Delawen commented May 21, 2024

@gnu-andrew Changes pushed and the test run locally.

@Delawen Delawen requested a review from jerboaa May 21, 2024 11:08
Contributor Author

Delawen commented May 21, 2024

/integrate

@Delawen Delawen requested a review from gnu-andrew May 21, 2024 13:55

openjdk bot commented May 21, 2024

@Delawen This pull request has not yet been marked as ready for integration.

Contributor

jerboaa commented May 21, 2024

@Delawen Please ask for approval using the /approval command before you integrate.

Contributor Author

Delawen commented May 22, 2024

/approval JDK-8316138 request Fix Request
This is a backport for https://bugs.openjdk.org/browse/JDK-8316138. It includes two new certificates for cacert. It updates the test that checks certificates are in place, updating the checksum.


openjdk bot commented May 22, 2024

@Delawen
JDK-8316138: The approval request has been updated successfully.

Contributor

jerboaa commented May 22, 2024

/approve yes


openjdk bot commented May 22, 2024

@jerboaa
8316138: The approval request has been approved.

@openjdk openjdk bot added ready Pull request is ready to be integrated and removed approval labels May 22, 2024
Contributor Author

Delawen commented May 22, 2024

/integrate

@openjdk openjdk bot added the sponsor Pull request is ready to be sponsored label May 22, 2024

openjdk bot commented May 22, 2024

@Delawen
Your change (at version afeeaf6) is now ready to be sponsored by a Committer.

@TheRealMDoerr
Contributor

/sponsor


openjdk bot commented May 22, 2024

Going to push as commit b7596f3.
Since your change was applied there have been 2 commits pushed to the master branch:

  • b8ee2aa: 8326591: New test JmodExcludedFiles.java fails on Windows when --with-external-symbols-in-bundles=public is used
  • 1d6965f: 8267796: vmTestbase/nsk/jvmti/scenarios/hotswap/HS201/hs201t002/TestDescription.java fails with NoClassDefFoundError

Your commit was automatically rebased without conflicts.

@openjdk openjdk bot added the integrated Pull request has been integrated label May 22, 2024
@openjdk openjdk bot closed this May 22, 2024
@openjdk openjdk bot removed ready Pull request is ready to be integrated rfr Pull request is ready for review sponsor Pull request is ready to be sponsored labels May 22, 2024

openjdk bot commented May 22, 2024

@TheRealMDoerr @Delawen Pushed as commit b7596f3.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.

Labels
backport integrated Pull request has been integrated
4 participants